Thursday, 16 April 2020

Staying Safe online

18:34 Posted by G
I was writing some simple advice for a work article about staying safe online, so I thought I'd publish it here. There's nothing new or revolutionary here, but I've pulled the links together into one article:

Step 1: Make sure your personal accounts are well secured. We strongly advise you to make sure you have 2 factor authentication (something you know - typically a password, and something you have - typically a text or an app on your phone) for your email and social media accounts. Here's how to do this for the most well-known services:

[last logged in will show you which devices and approximately where (geographically) you are logged in]

Google  :
Last logged in & Setup 2FA : https://myaccount.google.com/security

Facebook :
Last logged in & Setup 2FA : https://www.facebook.com/settings?tab=security

Twitter :

Instagram : 

LinkedIn:
Last logged in & Setup 2FA : https://www.linkedin.com/psettings/sessions


Step 2: Be wary of attachments, especially Office formats (Word, Excel, PowerPoint) but also ones you don't recognise (these may include .LNK, .SYM type files), which can also infect a machine. If you do open an attachment and it asks you to 'enable content' (see screengrab), DON'T CLICK ON IT; it's almost certainly malicious:
Emotet Macro Malware

Tuesday, 7 April 2020

Troubleshooting and fixing a Hotpoint RL78P Larder Fridge

17:37 Posted by G
Maybe not the most gripping of subjects, but when it's your beer fridge, it becomes very serious...

In these COVID-19 times, Google and YouTube are your friends. This is a larder fridge that the girlfriend (now wife) and I bought nearly 20 years ago, and it has served us well ever since, with nothing going wrong through two children and two house moves.

Now relegated to the basement with the sole purpose of keeping wine and beer cold (is there a worthier calling for a fridge?), about a week ago I came to get a beer, to be greeted by the light being on, but the beer wasn't cold.

At least the light being on was somewhat of a positive, there was at least electricity coming into the fridge.  Having found the model number (open the door and look under the top sill), I couldn't find any specific help for this model or even the instructions.

Reverting to the generic Hotpoint advice, the first two tips were a broken thermostat or a broken condenser. As the condenser is not user serviceable or cheap to replace, I set about trying to check whether the thermostat was faulty.

I found this video on Espares on replacing a thermostat:


It looks pretty simple, but there's a catch on this fridge: in the video the thermocouple (long thin wire) isn't attached to anything. On the RL78P it is screwed to the back of the freezing panel, so this needs to be disconnected before you can remove the thermostat.

Here's another Espares video showing how to test a thermostat with a multimeter:



I had to test it a couple of times, as sometimes it appeared to be fine and other times not, but as it was either try replacing it (£40) or get a new fridge (£200), it seemed worth a shot. After not being able to order from Espares (I had a problem with their payment gateway, which was a shame as I'd rather have given them my money, since their advice had helped me troubleshoot the problem) I had to revert to the Hotpoint spares site, where the part was actually cheaper.

A couple of days later the new one arrived:


I also found that someone (dreeks55) had written some decent instructions on replacing the thermostat on this model, which I have slightly amended as below:


  1. PARAMOUNT - SWITCH FRIDGE OFF AND UNPLUG IT FROM THE MAINS!!! 
  2. Decant everything plus the shelves - you will need the room. 
  3. On the right hand side just above midpoint is a lozenge-shaped housing which contains lamp/thermostat and lamp switch. 
  4. To gain access to the thermostat, locate the cleverly hidden fixing screw - there's a small grey prise-out disc just to the right of the control knob. 
  5. Unscrew that and the housing should release when you draw it back - gently! There are locating tabs on the housing which slide into slots in the lining. 
  6. Remove the thermostat dial, and unscrew the retaining nut from the thermostat spindle and release it.
  7. Now take a photo of the wiring connectors on both the thermostat and the lamp switch. Disconnect all leads to these components (no need to touch the actual lamp connectors). You WILL need this diagram when re-connecting the new thermostat. They are marked with numbers; on mine it was 3 and 4.
  8. Old thermostat still connected (white metal cable is the thermocouple)
  9. Now unscrew the 3 retaining screws on the freezing panel at the back of the fridge - be VERY CAREFUL when you pull it forward and to the left to give you access to the thermocouple end. The thick pipe attached to the panel contains the coolant fluid. The pipe is flexible enough to withstand moderate movement. 
  10. There should be two screws and a plastic fillet securing the thermocouple to the panel. 
  11. Unscrew the screws (remembering to keep the screws in a container - easily lost under the fridge!!). 
  12. The new thermocouple can be bent into a U just like the defective one. Fit the new thermostat by reversing the removal instructions. 
  13. Good luck - patience is a virtue
New thermostat during fitting, you can see I've not reattached the new thermocouple yet

It was quite straightforward; only the bending of the freezing panel and pipe caused raised nerves, as if I'd broken that, not only would there be coolant everywhere, but it would have been game over. It seemed quite sturdy and I had to move it a couple of times, but all went well. It probably took about an hour to diagnose and half an hour to refit the new thermostat, but best of all I've saved £150 and now have cold beer again!

Hope this helps.

Friday, 5 April 2019

Mysteries of Apple Bluetooth accessories

17:45 Posted by G
I've now moved fully onto Office 365, so have converted purely to Mac world, and just occasionally dip into Citrix for a few enterprise apps.

So I'm now starting to see some idiosyncrasies between 365 on Mac and PC, most of which are well documented, but it is quite annoying to come across these messages from the 365 Mac dev team:


Anyway, the point of this post was that I've been having trouble with a wireless Mighty Mouse and an Apple Wireless Keyboard working together with my 2018 MacBook Pro. This manifested in the mouse moving in a very jerky fashion and the keyboard being unresponsive and then typing some keys multiple times. I was having what I thought was interference between the Bluetooth accessories, but having done some searching I found out two things I didn't know.

Firstly, like WiFi, you can see advanced Bluetooth details by holding Shift and Option while clicking the Bluetooth icon in the menu bar. This will show the advanced options, more details, and the debug options (for WiFi it's just Option and click the WiFi icon).

Secondly, and I think this is the root of the problem I was having, is this tip:

" With some time and experimentation, I have learned the problem is triggered when I wake the computer from sleep mode using the keyboard.  It appears the keyboard wakes up repeating the keypress.  The only way to stop this is to power off the keyboard and power it on again.

The work around is to wake up the computer using either the trackpad or mouse.  Don't touch the keyboard!"

Thanks to WheelMcCoy on the Apple forums for the tip - https://discussions.apple.com/thread/7555728

Finally, this was happening on OSX 10.13 (High Sierra), but I've just upgraded to 10.14 (Mojave) and haven't seen the problem so far.

Friday, 14 September 2018

Listen to this man

11:57 Posted by G

Bit of a grand title I know...

I was lucky enough to hear Professor Ed Hess talk at an LEF (Leading Edge Forum) event a couple of years ago.  He talked about lots of things I've never really thought hard about, but immediately made perfect sense to me.

At the time he had just published his book called Learn or Die, which is well worth a read. It talks about developing a learning mindset and about being much more open to other people's ideas, with concepts such as 'I am not my ideas' and 'my mental models are not reality' (aka I know I have biases). He also talked a lot about the make-up of teams, and how much diversity of thought positively impacts a team's performance.

I still follow the LEF guys ( twitter feed ) and also Ed Hess (Twitter Feed) and saw that Prof. Hess was speaking at the LEF study tour.

There's an LEF article (Link) called 'Rethinking Human Excellence with Ed Hess' which is worth a read, but if you've got 10 minutes, watch the video below:


He talks about how the operational models we developed in the industrial revolution (operational excellence, low failure rates, efficiency, command and control etc.) are not suitable for the smart machine age of software running everything/AI/ML. He believes that:

Operational excellence will be taken over by technology and will become table stakes

His view is that we will need to change our approach and focus on what humans do better than machines.

You cannot command and control human beings to be innovative

You cannot command and control human beings to be emotionally intelligent

I think he talks a lot of sense about how we need to change as leaders: being better versions of ourselves, continually learning, and hiring for mindset and behaviours. This will be absolutely crucial in the years to come.

Some of this thinking is very similar to the thinking in another book I read a while ago, General Stanley McChrystal's Team of Teams, which also proposes changing the structure of organisations away from command and control to teams of teams - I wrote a bit about this here.


Tuesday, 23 January 2018

Fresh Sophos home for Mac install via TeamViewer Gotcha

17:17 Posted by G
After much pulling of hair, and thinking "what am I missing?", it turns out that Apple have changed permissions on remote installs in OSX 10.13 (High Sierra) for software that installs kexts.

Anyway, I'm sure that, as anyone who happens to have IT in their job title knows, one becomes the default tech support for all of the family. This is exacerbated at Christmas by 'could you just have a quick look at...'

So I was checking the father-in-law's Mac, and to save time I was using TeamViewer so I could do it from the comfort of my own home. All was going well: I downloaded Sophos Home for Mac, got to the final stage of the install, and needed to 'apply' a setting in System Preferences.

I could see it via TeamViewer, but whatever I tried I couldn't click it!

After many different approaches, like most men I finally reverted to RTFM and found the following on the Sophos website - https://community.sophos.com/kb/en-us/127413

Here's the text from the advisory:

Due to a new security mechanism that Apple has released with MacOS 10.13, called Secure Kernel Extension Loading (SKEL), all non-Apple kernel extension (what we use to intercept files, etc) vendors must be manually added to a trusted list (Any user can add this). This allows the kernel extensions to load and is required for Sophos Anti-Virus to function properly. All 3rd party vendors are impacted by this change, and it is not possible to work around this requirement.
Note: Due to an Apple security restriction, this cannot be done via a remote desktop connection. There must be a locally logged on user. The Allow button will show, but be grayed out if it is accessed via remote desktop.
  1. After installing Sophos Anti-Virus go to Security & Preferences in the Apple System Preferences window.
  2. Near the bottom of the window, it will list the blocked Kernel Extensions (kexts) by Sophos. Click Allow.
Once authorized, all future Sophos kernel extensions are allowed, even after uninstallation.  This step is not needed again on a reinstall. Kernel extensions already installed during an upgrade from MacOS 10.12 are automatically authorized.
So after a quick call to the father-in-law and him pressing 'Allow' locally at the appropriate moment, all is good. Hope this saves you some time and heartache, fellow family IT support!

Patching cadence becomes a thing

16:05 Posted by G
I recently wrote on the Hiscox London Market Blog (with the help of the excellent Simon Challis) about the Meltdown / Spectre vulnerabilities in CPUs (the article is here). Two immediate things: firstly, it shouldn't be a popularity contest for which bugs have the nicest logo and website, and secondly, most of my thoughts are reflections of Kevin Beaumont, who I think is one of the most incisive commentators on IT security (and suitably irreverent at the same time).

image from Corax website

So what's the big deal? Well, nothing really. These vulnerabilities have the potential to be a really big deal, but at the moment they're just not. That doesn't by any means mean you should rest easy, and certainly, after careful testing, you should apply (if safe to do so) all the relevant patches.

What interests me most is how this is changing patching from a boring but necessary (and often neglected) back office task into something that the board, and soon investors, will be taking notice of. The race is on: can enterprises patch before malware authors come up with a remote way to exploit these newly discovered vulnerabilities?

What makes this even more interesting is that it's now easier to watch this battle from the sidelines. A new industry has sprung up to measure cyber risks: both the pure risk scoring players such as BitSight and FICO, and a new breed of insurance startups premised on cyber risk scoring and aggregation, such as Cyence (recently acquired by Guidewire), CyberCube (recently spun off by Symantec) and Corax.

How long before the board asks for their own risk score, or, during M&A discussions, a company's risk score is one element that is considered before financial investment?

If you're interested in learning more about cyber insurance, here's a link to a BBC article in which I'm quoted.

Friday, 13 October 2017

Office DDE – How a zero day exploit evolves

12:28 Posted by G
I've been following Kevin Beaumont on Twitter for a while; he's a security architect from Liverpool and quite a regular blogger.

On Tuesday lunchtime I read a tweet from him:

Having read the article at Sensepost, they have discovered a way to run code (what is known in IT security nerd circles as 'RCE - Remote Code Execution') from Office documents without the use of macros. Macros are a traditional way of getting malware to run, but companies often block macros, and some anti-virus services are configured to remove them, so they are not a reliable way to get malware onto your victim's machine. Using this DDE feature is a newer and easier way to potentially deliver malware.

Clearly this is a big deal. Reading the full post from Sensepost, they have reported it to Microsoft, and Microsoft have said this is expected behaviour and therefore they won't be patching it. This means that customers are vulnerable to this attack vector and will have to find another way to protect themselves.

The main point of this article is to illustrate how quickly things move and how this threat evolves. According to the Sensepost article, no anti-virus spotted this as a suspicious file.

Beaumont then goes on to test this himself, creating a Word document that starts the calculator program, and showing that none of the malware protection running on his machine detects this exploit. This is now 6pm on Tuesday the 10th of October.

By 7.30 that evening, one of the AV vendors has started to identify this type of file as malicious.

By 1am, Beaumont has discovered a Word document that uses the DDE vulnerability to start Internet Explorer and open a website where the malicious code is stored. What's more interesting is that the site where the malware is stored is a US Government website (now shut down).

Then by 8am on the 11th, here’s a copy of the email which has the DDE Vulnerability embedded in it.

Finally, at 5pm on Wednesday, there's a write-up from Talos (part of Cisco) about the whole malware chain.

What's also interesting is that the hackers use DNS to exfiltrate data, which is quite an esoteric way of doing it, but most companies won't spot it, as DNS is a perfectly legitimate service to have running.
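Because DNS is allowed out of almost every network, the defensive question is what an exfiltration channel looks like in the resolver logs rather than whether to block the protocol. The following is an added example, not code from the original post or from the Talos write-up: it runs a simple analysis over a few constructed query-log lines (the log format, client addresses, the hypothetical `exfil-placeholder.test` domain and the hex-encoded labels are all made up for illustration) and flags a client/domain pair when it sees long, high-entropy subdomain labels or an unusual number of distinct subdomains under one registered domain, which is what encoding data into queries tends to produce.

```python
import math
from collections import defaultdict

# Constructed sample of a resolver query log; the format "<timestamp> <client> <qname> <qtype>"
# and every value in it are assumptions for this example, not data from the post.
SAMPLE_LOG = """\
2017-10-11T08:01:02 10.0.0.5 www.example.com A
2017-10-11T08:01:03 10.0.0.5 mail.example.com MX
2017-10-11T08:01:04 10.0.0.7 4a6f686e2053696d6f6e20323031372d.exfil-placeholder.test A
2017-10-11T08:01:05 10.0.0.7 7061737377646f7468657273746f7261.exfil-placeholder.test A
2017-10-11T08:01:06 10.0.0.7 4d6f72652073656372657420646174612e.exfil-placeholder.test A
2017-10-11T08:01:07 10.0.0.9 cdn.example.org A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score higher than hostnames like 'www'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse one constructed log line into a dict, or return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def split_name(qname: str):
    """Return (subdomain labels, registered domain) using a naive last-two-labels rule.
    A real deployment would use the public suffix list; the shortcut is an assumption here."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return [], qname
    return labels[:-2], ".".join(labels[-2:])


def analyse(log_text: str, max_label: int = 20, min_entropy: float = 2.5, min_unique: int = 3) -> dict:
    """Aggregate per (client, registered domain) and return reasons for every pair worth a look.
    The thresholds are tuning assumptions, not values from the post."""
    stats = defaultdict(lambda: {"labels": set(), "suspicious_labels": 0, "chars": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        subs, domain = split_name(rec["qname"])
        key = (rec["client"], domain)
        for label in subs:
            stats[key]["labels"].add(label)
            stats[key]["chars"] += len(label)
            if len(label) >= max_label and shannon_entropy(label) >= min_entropy:
                stats[key]["suspicious_labels"] += 1

    findings = {}
    for (client, domain), s in stats.items():
        reasons = []
        if s["suspicious_labels"]:
            reasons.append(f"{s['suspicious_labels']} long high-entropy labels")
        if len(s["labels"]) >= min_unique:
            reasons.append(f"{len(s['labels'])} distinct subdomains carrying {s['chars']} characters")
        if reasons:
            findings[(client, domain)] = reasons
    return findings


if __name__ == "__main__":
    for (client, domain), reasons in analyse(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {'; '.join(reasons)}")
```

On the sample, only the pair `10.0.0.7` / `exfil-placeholder.test` is reported, on both counts; the ordinary `www` and `mail` lookups stay quiet. Volume over time (bytes carried per client per domain) is the signal that survives an attacker shortening labels, which is why the aggregate is kept alongside the per-label check.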


If you managed to follow this to the end, this is clearly a very sophisticated hacking attempt. Here are the core elements of the campaign:
1. Use of the DDE exploit, which is not commonly known and won't be patched by Microsoft
2. Anti-virus firms not picking up this attack vector
3. Use of legitimate-sounding emails (purporting to be from the SEC and relating to EDGAR, the company filing system in the US)
4. Malware downloaded from a legitimate US Government website

This all goes to show how sophisticated attackers are, and how important it is to stay vigilant.

In a subsequent blog post Beaumont goes on to make the point that Microsoft will have to do something about this, as it is so difficult to protect against. His suggestion, which makes good sense to me, is to disable DDE by default and enable it via a registry key.
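Until a vendor fix or a policy change lands, the practical defence for both the attachment advice in the Staying Safe post (step 2, Office documents asking you to 'enable content') and the DDE technique described here is to look inside the document before anyone opens it. The scanner below is an added example, not code from the original post, Sensepost or Beaumont: it treats a modern Office file as the zip archive it is, reports whether a `vbaProject.bin` (macro) part is present, and parses the Word XML for field instructions, reassembling complex fields that are split across several `instrText` runs, so that a `DDE`/`DDEAUTO` field is found even when the keyword is broken up. The `build_docx` helper and the `DDE_BODY`/`CLEAN_BODY` fragments construct minimal test documents with placeholder field arguments; they are not real samples.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_instructions(xml_bytes: bytes) -> list:
    """Collect every field instruction string in a WordprocessingML part."""
    root = ET.fromstring(xml_bytes)
    instrs = []
    # Simple fields carry the whole instruction in one attribute.
    for el in root.iter(f"{{{W_NS}}}fldSimple"):
        instrs.append(el.get(f"{{{W_NS}}}instr", ""))
    # Complex fields spread the instruction over instrText runs between fldChar begin/end,
    # so the runs are concatenated before any keyword check.
    current = None
    for el in root.iter():
        if el.tag == f"{{{W_NS}}}fldChar":
            kind = el.get(f"{{{W_NS}}}fldCharType")
            if kind == "begin":
                current = []
            elif kind == "end" and current is not None:
                instrs.append("".join(current))
                current = None
        elif el.tag == f"{{{W_NS}}}instrText" and current is not None:
            current.append(el.text or "")
    return [" ".join(i.split()) for i in instrs if i.strip()]


def inspect_office_document(data: bytes) -> dict:
    """Return a small report: macro part present? DDE fields present? overall verdict."""
    report = {"is_ooxml": False, "has_vba_project": False, "dde_fields": [], "verdict": "clean"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["verdict"] = "not-ooxml"  # legacy .doc/.xls or RTF need different tooling
        return report
    report["is_ooxml"] = True
    names = zf.namelist()
    # word/vbaProject.bin, xl/vbaProject.bin, ppt/vbaProject.bin all mean "has macros".
    report["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    for name in names:
        if not name.endswith(".xml"):
            continue
        try:
            instrs = field_instructions(zf.read(name))
        except ET.ParseError:
            continue
        report["dde_fields"].extend(i for i in instrs if DDE_RE.search(i))
    if report["has_vba_project"] or report["dde_fields"]:
        report["verdict"] = "suspicious"
    return report


def build_docx(body_xml: str, with_macro: bool = False) -> bytes:
    """Build a minimal constructed .docx in memory for testing the scanner (not a real sample)."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           f'<w:document xmlns:w="{W_NS}"><w:body>{body_xml}</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


CLEAN_BODY = "<w:p><w:r><w:t>Quarterly filing reminder</w:t></w:r></w:p>"
# Constructed complex field whose keyword is split across two runs; the arguments are placeholders.
DDE_BODY = ('<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            '<w:r><w:instrText xml:space="preserve">DDE</w:instrText></w:r>'
            '<w:r><w:instrText xml:space="preserve">AUTO placeholder-app "placeholder-args"</w:instrText></w:r>'
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
            '<w:r><w:t>field result</w:t></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')

if __name__ == "__main__":
    for label, blob in [("dde", build_docx(DDE_BODY)),
                        ("macro", build_docx(CLEAN_BODY, with_macro=True)),
                        ("clean", build_docx(CLEAN_BODY))]:
        print(label, inspect_office_document(blob))
```

Run it against a real attachment with `inspect_office_document(open(path, "rb").read())`. The check is deliberately structural rather than signature-based: it does not care what the field would launch, only that a document carries a DDE field or a macro project at all, which is the same property the 'enable content' prompt and Beaumont's disable-by-default suggestion both turn on.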