On April 8th 2014 the extended support period for Windows XP and Office 2003 will finally cease: no more security updates, no more paid support, and third-party support will end. Dead.
If you are still running and supporting Windows XP or Office 2003 this is pretty bad news. If your organization has any form of IT security or privacy compliance to deal with (PCI DSS, HIPAA, SOX etc.) it is really bad news, since it could put you out of compliance and facing the threat of fines or worse. To be clear, this isn’t a small problem either: Feb 2013 browser stats suggest between 22.59% and 38.99% of PCs were still running Windows XP.
I was skimming /r/sysadmin last week and the top thread was posted by a chap who was close to reaching his limit at work (a few days later he resigned). Unfortunately this is surprisingly common. Throughout the two posts I found a lot of really good advice from people who had been through similar issues. No situation is perfect, but whether you decide to stay or move on, improving your lot is always a good idea. I started putting together some of my own thoughts, and this post is the result.
Install Request Tracker
Since covering an install of Request Tracker 4 on Debian (Part 1/2, 2/2), my most common request has been a guide for Ubuntu. A lot of the material is the same, since Ubuntu is a derivative of Debian.
This guide assumes you are doing a fresh install of Ubuntu 12.04 LTS Server onto a new computer or virtual machine. I have chosen the latest LTS release as it will be supported for far longer than regular releases. These instructions should also work on any version of Ubuntu released after 11.10 (minor changes may be required).
A couple of weeks ago Paul Brislen posted a really good piece on the TUANZ blog about PABX security. It seems some criminals had used a local company’s phone system to route a huge number of international calls, leaving it with a colossal ($250k!) phone bill. These attacks are increasingly common, and I have heard a number of similar stories.
Phone systems increasingly rely upon IP connectivity and often interface with other business processes, putting them in the domain of IT. But even if your PABX is from 1987 (mmm beige) and hasn’t been attacked yet, that doesn’t mean it won’t be.
Both Telecom NZ and TelstraClear NZ have some good advice to start with, and you might find your PABX vendor can also give expert advice. Unfortunately many PABX systems are insecure from the factory, and a number of vendors don’t do a great job with security.
In a previous role I ended up managing several PABX systems spread across multiple sites, and learnt a few lessons along the way. Here are a few tips to get you started:
If you live in NZ, or follow the IT Security press, you are probably aware of a security flaw recently discovered on public kiosks at the MSD (Ministry for Social Development). The story has really gained traction, spreading quickly across Twitter and the International press.
In short, it was possible to open sensitive files from across the organisation using the Open File dialog in an application on the public kiosks in Work and Income NZ offices. This sort of problem is as old as network file shares, and trivial to exploit. For more information I highly recommend reading the original blog post and the follow-up posts by Keith Ng.
Not all of the facts are available, but it seems there are three good lessons we can all take away from this breach:
Have a quick look around the IT press, and you will notice a number of articles discussing BYOD and the Cloud as being disruptive to the industry. This isn’t exactly a new trend either – it happened with the original PC, inkjet printers, PDAs, laptops and many other new products. They were all revolutionary at the time, and allowed people to work in new ways.
Many people in IT get defensive and even angry about new tech. Someone outside IT will buy a shiny new toy, then try to use it at work. It might work and no one in IT is the wiser, but it often leads to confrontation between the user, their manager, and IT. Do this a few times and you quickly become known as the Department of “NO!”.
There has been a lot of press recently about 6.45 million password hashes from LinkedIn appearing online. A 120MB Zip file showed up last week on a Russian hacking site without any related account information (although the hackers likely have those details). Large volumes of account information being stolen is a common occurrence: eHarmony and Last.fm both suffered breaches just last week.
It could have killed you
As a SysAdmin I am used to being around potentially dangerous situations like people working with high-voltage/high-current power feeds, fire suppression systems, heights and heavy equipment. The cost of a mistake can be serious, and possibly fatal. However, these are all jobs where you need to hire a trained professional to do them.
There are plenty of other hazards to deal with. I have had several computers burst into flames, dodgy wiring (230V has a bite..), and there was the time a Doberman tried to attack me on a site visit. There are also the less exciting/entertaining little cuts and bruises, tripping hazards and the ever-present stress.
Backups suck (but we need them)
Backups are hard to do, boring and thankless, and often one of the things that gets pushed to the back of the pile. And yet protecting data is probably the most important responsibility for most SysAdmins.
The computer systems we install and maintain, and that our users rely upon daily, continue to store more and more data. Disasters and accidents will happen, and will lead to you losing some or all of that important data.