1. Manage Legacy Protocols
Remediation: Disable the use of LLMNR, NBNS, and WPAD protocols in group policy.
2. Disable LM, NTLMv1
Remediation: Disable LM hashing and, unfortunately, require a password reset for all your accounts if it was enabled, since existing LM hashes remain stored until each password is changed.
3. Common Password Use
Remediation: User education, increase default password length requirement from 8 to 12+, and add simple password brute-forcing as part of your vulnerability management program to check for weak or known passwords.
4. Enforce SMB Signing for Servers and Workstations
Remediation: Force SMB signing for all domain joined computers.
5. No LAPS
Remediation: Deploy LAPS, which rotates and stores the local administrator password in the domain controller.
6. Anonymous Enumeration Allowed
Remediation: Disable anonymous enumeration of SAM accounts and shares.
7. Remove Stored Passwords in Group Policy Preferences (GPP)
Remediation: Review your group policy preferences and ensure no passwords are used or stored.
8. Default User/Pass In Use
Remediation: Know what you have deployed on the network, and verify that no system is set up to use its default credentials.
9. Not Using MFA for Remote Access, or to Sensitive Networks
Remediation: Deploy multi-factor authentication at minimum for all remote access solutions and all cases where a security boundary is being crossed.
10. Non-Segmented Legacy Hardware & Software
Remediation: If you’ve seen “Silence of the Lambs”, think Hannibal Lecter in his cell, in a straitjacket… wearing a mask.
HT: Critical Informatics
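As an added, read-only audit for several of the items above (this is example code written for this page, not part of the original post or of Critical Informatics’ material), the PowerShell below checks a domain-joined Windows host against items 1, 2, 4 and 6 via the registry values the corresponding group policies write, and, where the RSAT ActiveDirectory module is available, checks items 3, 5 and 7 against the domain. It assumes it is run elevated on a domain-joined machine; the expected values (LmCompatibilityLevel 5, minimum password length 12, NetbiosOptions 2 per interface, WinHttpAutoProxySvc Start 4) are the hardened targets chosen for this example. Nothing in it changes a setting.

```powershell
# Added example: read-only audit of the list's items 1-7 on a domain-joined host.
# Assumes elevation and, for the domain checks, the RSAT ActiveDirectory module.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # absent value = policy not configured
}

function Test-Setting {
    param([string]$Item, [string]$Path, [string]$Name, $Expected)
    $actual = Get-RegValue -Path $Path -Name $Name
    [pscustomobject]@{
        Item     = $Item
        Setting  = $Name
        Expected = $Expected
        Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
        Pass     = ($actual -eq $Expected)
    }
}

$results = @()

# 1. Legacy name resolution and proxy discovery
$results += Test-Setting '1 LLMNR disabled' 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast' 0
# NetBIOS over TCP/IP is configured per interface; 2 = disabled
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' | ForEach-Object {
    $results += Test-Setting "1 NetBIOS disabled ($($_.PSChildName))" $_.PSPath 'NetbiosOptions' 2
}
# WPAD: the WinHTTP Web Proxy Auto-Discovery service should be disabled (Start = 4)
$results += Test-Setting '1 WPAD service disabled' 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' 'Start' 4

# 2. LM hash storage and LM/NTLMv1 authentication
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$results += Test-Setting '2 LM hash storage off' $lsa 'NoLMHash' 1
$results += Test-Setting '2 NTLMv2 only (refuse LM and NTLMv1)' $lsa 'LmCompatibilityLevel' 5

# 4. SMB signing required for both the server and the client role
$results += Test-Setting '4 SMB server signing required' 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature' 1
$results += Test-Setting '4 SMB client signing required' 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'RequireSecuritySignature' 1

# 6. Anonymous enumeration of SAM accounts and shares
$results += Test-Setting '6 RestrictAnonymous' $lsa 'RestrictAnonymous' 1
$results += Test-Setting '6 RestrictAnonymousSAM' $lsa 'RestrictAnonymousSAM' 1
$results += Test-Setting '6 EveryoneIncludesAnonymous off' $lsa 'EveryoneIncludesAnonymous' 0

# 3, 5, 7 need the domain: password policy, LAPS schema extension, GPP passwords
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory

    $policy = Get-ADDefaultDomainPasswordPolicy
    $results += [pscustomobject]@{ Item = '3 Minimum password length'; Setting = 'MinPasswordLength'
        Expected = '>= 12'; Actual = $policy.MinPasswordLength; Pass = ($policy.MinPasswordLength -ge 12) }

    # Legacy LAPS extends the schema with ms-Mcs-AdmPwd; its absence means LAPS was never deployed
    $schema = (Get-ADRootDSE).schemaNamingContext
    $laps   = Get-ADObject -SearchBase $schema -Filter { name -eq 'ms-Mcs-AdmPwd' }
    $results += [pscustomobject]@{ Item = '5 LAPS schema present'; Setting = 'ms-Mcs-AdmPwd'
        Expected = 'present'; Actual = $(if ($laps) { 'present' } else { 'absent' }); Pass = [bool]$laps }

    # GPP stores credentials as a "cpassword" attribute in XML files under SYSVOL
    $sysvol = "\\$((Get-ADDomain).DNSRoot)\SYSVOL"
    $gpp = Get-ChildItem -Path $sysvol -Recurse -Include *.xml -ErrorAction SilentlyContinue |
           Select-String -Pattern 'cpassword' -List
    $results += [pscustomobject]@{ Item = '7 GPP stored passwords'; Setting = 'cpassword in SYSVOL XML'
        Expected = 0; Actual = @($gpp).Count; Pass = (@($gpp).Count -eq 0) }
}

$results | Format-Table -AutoSize
```

Run it as a quick baseline before and after pushing the group policy changes; a registry value reported as "not set" means the policy has never been applied to that host, which is a different finding from a policy that is present but set to the wrong value. The LAPS check looks only for the legacy LAPS schema attribute; the newer Windows LAPS uses different msLAPS-* attributes, so adapt that filter if that is what you deployed. The cpassword check only counts files; it reads nothing out of them.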
Some interesting data in the Statistics section on the U.S. Courts website. Neat to view different states and their wiretap costs, quantities and type (narcotics, homicide, gambling).
I’m disappointed to see no one has created an app on Data.Gov with the above data. I couldn’t find anything from the US Courts on data.gov (i.e. bankruptcy). Who has free cycles!?
Check out some of the US Visa questions (Don’t ask….I’m marrying a Ukrainian bride)….does anyone answer Yes to these?
AboutTheData.com just publicly launched this week. It’s brought to you by Acxiom, one of the web’s advertising heavy hitters. After verifying your identity the site allows you to view all of the marketing data they’ve collected about you (demographics, family, loans, auto/home, employment, education etc). They’re also very nice — they let you update the information in case it’s not accurate! I found my dox to be lacking — not surprising as I don’t believe I’m any of Acxiom’s target demographics.
More from NYTimes here
That’s great, so AT&T isn’t getting enough revenue from our cellular subscription fees — they also have found new ways to generate revenue by undermining our privacy. Of course it’s not just AT&T, but all big (and smart?) companies.
It sounds like AT&T is now selling cell tower/node registration information to third parties. Kevin Mitnick was tracked using cell tower triangulation. This same concept can be bundled as a service and sold to retailers, e.g. what time of day/week are the most 25-35-year-old males within a 1 mile vicinity of our storefront? Maybe we’ll have a scantily clad woman stand on the street to lure these men into the store.
For example, we might provide reports to retailers about the number of wireless devices in or near their store locations by time of day and day of week, together with the device users’ collective information like ages and gender.
The second program sounds like using location data coupled with advertisements. If your cell phone is frequently showing up near airports or hotels you’ll get travel-focused ads.
Provisions regarding use of eBay’s mobile applications. To cover the growing popularity and use of eBay’s mobile applications and to provide for possible new ways we may display the terms and conditions applicable to them in the future, we added references to these applications throughout.
Updates relating to eBay’s contacts with members. We updated provisions of the User Agreement to provide further clarity regarding the purposes for and circumstances under which eBay or its service providers may contact members using autodialed or prerecorded voice message calls and/or text messages and the circumstances under which eBay may share members’ contact information with members of the eBay corporate family or other parties.
Updates to the Buyer Protection provision. We updated the provision to reflect our ability to remove funds from a seller’s PayPal account in a currency other than the currency of the transaction at issue where the seller does not have sufficient funds available in the transaction currency.
All in all, eBay and its corporate family (PayPal, StumbleUpon, StubHub) have fair policies. You wouldn’t expect a large company with as many users to get away with substandard user protections for long.