Last week a story broke about a former Fannie Mae IT contractor accused of planting malicious code that would have taken down systems and destroyed data right at the epicenter of today’s global financial crisis. The accused former employee has since surfaced claiming innocence so I prefer not to go into that specific case but rather use it to consider the likelihood that similar crimes could take place in other companies.
Well of course the probability is 100 percent simply because similar crimes HAVE taken place in other companies. It happens all the time at an annual cost of BILLIONS.
IT crimes go grossly under-reported because they are so embarrassing to their victims who convince themselves that saying something will only embolden the bad guys and lead to further losses. In one sense this is true, but in another it creates a false sense of safety. This is one area where we really SHOULD feel vulnerable yet most companies don’t and have lax procedures as a result.
So just in case you are interested in this topic or have some influence in data security, here are my overkill ideas on how to lock things down. It is doubtful that any company or agency would do all these things, but doing at least some of them makes good sense to me.
Many years ago good business practice was to put all critical systems on an internal, isolated network that did not have a path to the Internet. This would prevent someone from the Internet accessing a bank’s ATM network, or a chemical company’s process control system, or a power utility, etc. Recently I’ve been amazed to find how many firms are not doing this anymore and worse, they don’t understand why they should even try.
So here are my recommendations to avoid those nasty logic bombs. Your mileage may vary.
1) Route admin access to all systems through a logging proxy server. Each administrator must be authenticated by the proxy server and their access to systems logged. Keep the logs and check them on a regular basis.
2) All admin personnel will be assigned two user IDs. One will be a normal, non-privileged ID they will use for routine things like email and office applications. The other ID will be privileged and include a special character, maybe a “$.” You can’t check your email or run a business application with this ID. All admin access is done with the special ID. Use of generic root or administrator accounts is not allowed after the system is set up and running.
3) Scripts are run on each server (or domain) to check user IDs. All privileged IDs must have the special character and the right rules. All non-privileged IDs must not have the special character. Logs are checked for login by generic root or admin accounts. All deviations from policy are flagged and investigated. Scripts automatically disable all out-of-policy accounts.
4) After a system is set up, install a script to reset weekly the generic root or admin password. No one is supposed to use this account and no one knows the password. If you need access to the generic system ID, then run a tool that will tell the password of the week. This is a logged event too.
5) All admin access to a system should be logged and recorded in the change control system. If you fixed something or changed something, you need to note it by editing the record of your access (you can’t delete the record, only add to it.). On important systems run a trip-wire tool and post its report in change control too.
6) Privileged IDs must have their passwords changed at least once a month. Longer password expirations are acceptable for non-privileged IDs. There are password rules on content and length. Manage all IDs with LDAP.
7) HR manages user IDs. In the case of a departure or termination, the user’s IDs are disabled. The passwords are changed. Their managers are given access to the IDs and new passwords. All IDs are maintained in a database. When each system is checked, the IDs on it are checked against the HR database. Exceptions are flagged and investigated. When someone leaves the company for any reason, reports are created showing all their system access and changes.
Now would these seven steps stop a determined and talented former employee or contractor? Nah. And that’s the part that’s really distressing, because I am sure we have built into our IT overhead 5-10 percent simply to cover sabotage – a crime we otherwise try never to mention.
Someone will always have unlogged access to the admin proxy logger though…
I’ve always thought systems are needed that require multiple admins to be present for access to be gained. At least then evildoers need collusion/conspiracy to accomplish anything nefarious.
Assuming there is good physical security, of course…
Nice summary, Bob. May I suggest two more?
– Disable any root or admin access to any server via its public IP address, even through your logging proxy server. Such servers should also have an internal IP address, which does accept admin access though the proxy server. This forces the user to VPN into the corporate network before elevating privilege.
– Lock down any third party proprietary data or software that you have licensed. Most organizations only worry about their own data and code, yet they can be held liable if code or data licensed from a third party is disclosed. If a disgruntled ex-employee copies and publicly posts the source code to say, Windows 7, Microsoft will certainly come a-knocking, asking for damages.
Its a little bit scary how easy it is to commit a massive data crime in modern companies. Imagine the consequences of a major attack on a big bank in the current economic climate.
If you want to add something super draconian, consider making high-security systems adminable only through a limited number of certain on-site computers (i.e., they will listen only to certain local IP addresses). Physically isolate those computers. Put keystroke loggers on those computers. And put security cameras watching those computers and your ethernet switches.
Bob just so you know you are not off the deep end. I have setup this scenario in my environment it’s a pain, you get push back from the administrators with the exception of user id management in HR, there is a security dept that has that role and they interact with HR constantly. The solutions can be expensive to get integrated but trust me for forensic analysis later it’s worth the money. Getting management support is tough until it saves their bacon a couple of times. Also you will get the trust argument from the administrators to which I respond “In God we trust all others must be verified.”
This is the equivalent of being forced to pee in a cup or not have the job. I’d rather not have the job under those circumstances.
Either have fun working at non-technical Minimum Wage Career or create your own job where you are the boss and you can dictate how little or how much security is necessary.
I make nearly six figures working for small technology companies that do not have bullcrap such as SOX, drug testing, or these harebrained ideas. Small = accountable = not likely to hire idiots in the first place.
And yet they hired you. ’nuff said.
Re: Point 7:
Putting HR in charge of anything sounds like a recipe for disaster in any of the companies I’ve worked for!
That’s an unfair assumption. It assumes management hires personnel for HR whose motives are not in the company’s best interest and management is incapable of hiring competent personnel to manage HR.
Breakdown in ITsecurity can happen anywhere, even from the top down. Lest we remember last summer’s IT security debacle concerning the City of San Francisco and poor abused Terry Childs? The next growing problem will be companies and government entities locked out of their networks because their security is too good.
[…] I, Cringely » Blog Archive » Access Denied: How to Defend Your Systems from an Inside Job – Cringe… Interesting advice from a security/identity outsider. A lot of his points are covered with solutions in the market today (user provisioning, privilege user management, etc…) Nonetheless, rather refreshing. (tags: identity security dlp cringely) […]
Bob, although the focus of this column is security, I think one of the biggest IT crime against most government agencies are those huge IT contracts that, after years of “development”, 5 to 10X the initial cost estimate, and $billions of additional bonuses paid out via “milestones”, the resulting systems are completely useless and whole projects scrapped. The Feds and state governments “write-off” endless projects like these year after year. Even in the best cases often the final cost is 2-3 times original quote and the system you’re left with only does 1/2 of what you ask for. In building and general contracting this would constitute fraud, but in IT consulting it’s just everyday affair.
In the real world products (like your car or phone, or even a foo-foo commissioned artwork) have to work and deliver. In IT often there only a promise of good design and a prayer that worst case scenarios never come up. People is the weakest link in whatever designs we can think up. The only true measure is by real tests. LIke good editors that can catch bad writing, a 3rd party audit team should review and test the system for real. If the final deliverable does not do as promise, the vendor should not be paid.
RE: Point 6
One word: Two Factor Authentication
Expiring passwords/strong passwords leads to compromising Post-It notes. If LDAP (or any central authentication) is a requirement, two factor is by far the most secure from a technical and social perspective.
Agreed. And one of them should be some kind of 1-time password generator such as the RSA SecurID (https://www.rsa.com/node.aspx?id=1156). You have a key fob that shows a 6 digit number that changes every 60 seconds.
I second the two caftor authentication. Even if you limit access from secure IPs it’s only a matter of time before those are either spoofed or taken over. The only solution there is a 100% separate network, not VLAN’s, physically separate cables which = $$$ which will = no from your CEO. passwords that rotate based on a calculation, i.e. the password “bob” followed by the current temperature in Atlanta GA is easily carcked by passing along the formula. The two factor seems immediately the most manageable and secure aside from a mugging but still incurs cost and risk of incorporating a 3rd party authenticating body/vendor. Hiring good people is always a best practice too. The fat close minded Windows nerds usually are the weakest link.
Absolutely. Every place I’ve ever seen use password expiration or randomly generated passwords has fallen to the post-it note hole. It’s so insecure it’s pathetic. As soon as they have to write it down to remember it you’re done.
Add me to the list of two-factor authentication too. It doesn’t even have to be a particularly good second factor; the six-digit generator key fob used by PayPal is more than good enough, and those things are cheap and easy to understand.
Anyway, Bob, many of the mechanisms you talk about are in routine use in the financial industries. As with most such things it looks to me like a lot of it is more buzzword security, but at least they are big on logging so there is lots of forensics.
Still, the basic problem is that someone, somewhere has to be able to make system-level modifications in order to keep the systems running. That being the case, such a person is going to be able to really muck up the works no matter what you do; procedures may make it easier to figure out who did it (although it’s been my experience that there is usually little doubt right from the get-go) but there’s really not much you can do to make it especially difficult. In the end game scenario your disaster recovery plan must take the possibility of your production systems getting totally roached — by a pathological administrator, a lightning strike, whatever — into account.
jim frost
jimf@frostbytes.com
Two factor auth is not a silver bullet.
Yeah, it’s not a bad idea, but it has some pretty severe limitations, particularly in large organizations. Have you ever had a C-level executive lose her smart card while on a trip to Bangkok? Too bad, you can’t log into the network until you receive your new card via FedEx? One of those will unravel your entire security mechanism 🙂
Not to mention the fact that managing two-factor auth tokens is an administrative burden in and of itself. Mind you, I’m not saying it doesn’t solve some problems, but it is certainly not a simple answer to a complex problem.
This installment of your podcast was of interest to an extremely narrow group of listeners: people who run the IT department of financial institutions. How many of those do you suppose listen to your podcast, compared to those who don’t really have any use for these suggestions?
Sorry to be blunt, and I know I don’t pay anything for your words. Just disappointed to get the latest installment of a podcast I look forward to, only to find it so narrowly targeted at some elite audience of financial computing managers.
>>This installment of your podcast was of interest to an extremely narrow group of
>>listeners: people who run the IT department of financial institutions.
Lots, even most, companies have data security needs whether they recognise it or not. Retailers have credit card info to steal, any company with a lot of employees has a lot of HR data that can be used in identity theft, any company that buys lots of materials has account info that can be manipulated in good old embezzlement schemes, and the list goes on. I saw one estimate of the final bill for the 2007 TJ Maxx credit card leak at over $350m (after they’d only set aside $118m to cover related expenses). That’s an absurdly large number to drag out when most businesses are small, but small businesses are more vulnerable than multi-billion dollar corporations. When a former employee leaks a customer list to a competitor or when a real estate agent’s records are pillaged and the customers’ identities are sold how long does it take to rebuild that business, that trust from customers? Lots of times it never happens and the doors are closed.
This isn’t about huge banks and James Bond so much as giving some thought to how vulnerable you are to these things and taking sensible steps to avoid trouble. Administrative proxy servers might not be called for, but when was the last time you changed the admin password on the receptionist’s PC? Do you know where all your backup tapes are? You are backing things up, right? If you’re using wireless with default settings others could be on your network. Lots of stuff to think of even in a very small office. Bob’s just worried about you, so even if you think it’s not relevant humor him and consider the larger issues.
Since any system is vulnerable to attack by the very insiders who set it up, and security measures are expensive and inconvenient, perhaps the money is better spent making systems resilient instead. Increased backup frequencies, increased redundancy, backup systems that are kept unplugged and “cold” until needed, etc. Hardware is cheap.
To balance out “I Cringed”, I appreciated the heavy-on-the-technical article.
Up to a certain size of organization, it is really sad if top-level management does not know its employees well enough and have enough trust with them to forego these practises. Like Smug Bastard says, I would rather not work for such a company, at least not as a system administrator.
Mostly it is a good idea, and even for small companies, having developers admin their own boxes is a waste of time. There has to be a sensible way to minimize this. I worked at a place where every developer got a stock box and was then responsible for all customizations. Lots of us spent too much time getting the system “right”.
You didn’t mention the use of Group roles.
Don’t grant permissions based on a single user account, but add the user account to a Group which has access permissions to perform a specific role. Only grant access to Groups that the person/administrator needs to have to perform their job. Log changes to Group memberships and audit memberships regularly. It is good practice to name these Groups according to their role.
This technique is very useful for managing temporary role changes, such as is required when making a project live.
It is more common for people to change roles internally than for people to leave an organisation. Although in the present climate…
Mostly sounds alright. Apart from 7.
There should be no circumstance where any user needs to access another users accounts either while they are employed or after! Aside from the obvious privacy issues with potentially having access to the ex-employees personal emails and data (since almost all companies allow limited personal use of email, phones etc) processes should be in place to ensure that data that may be required by more than one user is stored somewhere where all the necessary employees can access it.
Doesn’t seem particularly unusual or draconian at all.
Point 4 is not good though. It should be impossible to ‘find’ a password – should be using trapdoor encryption.
Special tool to reset and tell you password of the week is better.
If you want access to free and GOOD guidelines for security setups on a wide range of products, than frankly all you have to do is look to Uncle Sam.
NSA publishes security guides for a plethora of devices, OSs, etc. online at:
https://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml
NIST publishes all of the FIPS standards as well as several cryptologic tests at:
http://csrc.nist.gov/
They publish additional guides to the NSA ones above at:
http://csrc.nist.gov/itsec/
and at
http://csrc.nist.gov/groups/SMA/fisma/controls.html
If you wanna go old school like the Department of Defense, then you can get additional guidance from the Defense Information Systems Agency and their STIG’s at:
http://iase.disa.mil/stigs/stig/index.html
And lastly, if you want to know if your vendor takes security seriously, then they should be on or working to get on the Common Criteria list at:
https://www.commoncriteriaportal.org/
It is interesting to see how some admin are resistant to good security practices. I am sorry this is serious stuff and you need to respect it. I like Bob’s ideas. It is not unlike doing business at my bank. When I walk in to door I am on camera. If I come in wearing a hood, the police will be called before I even reach the counter. And, oh by the way, customers do not have access to the banks security tapes or teller’s computer id’s. Good security deters many from doing something wrong. If you are an admin and KNOW things are being monitored, know you can’t delete logs, and know others are managing account id’s; then most people will be less likely to tempt fate. If you choose to circumvent security — then chances are better you will be caught.
There are serious laws and serious liabilities involved in the mismanagement of data. Companies have a strong incentive to protect their data. If you don’t like the idea of respecting good security practices and pee into that cup, then you need to do some soul searching. Would you want to be treated by a doctor who did not take his/her job seriously?
Lets look at the Fannie Mae story for a minute. According to the reports they did not disable the employees user id for several hours. It is believed he had enough time to create some back door accounts then a few hours later use them to plant the destructive scripts. If you have sensitive data and applications, you really need to be able to disable an employees computer ID’s within minutes — before they even leave the building! You need to be sure all the computer ID’s on your systems are legitimate ones. One minute after a fired worker leaves, you should be able to find out every system they’ve been working on and you should check those systems.
The proxy server Bob suggested provides an excellent control point. It provides that second login authentication. If it is the ONLY way to get admin access to a system, cutting off a user-id is a very good way to control access. A proxy server is like a firewall. You have great control over the routing and ports used.
I implemented a system similar to Bob’s. The scripts were only a few dozen lines. The trick was to make sure they were installed with the server. We found we needed a more consistent way to install servers. So we created a two person procedure. The first would follow a set of instructions to install the server. The second would double check the work of the first.
Something else bothers me about data theft problems. Why does anyone need access to the whole database of account records? With a little application security design one could limit access to only a few account records per agent per hour. No one should be able to copy the whole database! Conversely if anyone or anything is accessing large parts of the database, there should be alerts.
If you design security INTO your operations, then there is very little extra cost or hassle. The real cost is when you don’t have security and have to deal with the audits and problems. Think about how much it cost Fannie Mae to examine and repair 1000’s of servers. Imagine the cost if they didn’t find the destructive scripts! I wonder if their backup and recovery processes would have been up to the challenge.
[…] Access Denied: How to Defend Your Systems from an Inside Job – Cringely on technology – […]
And yet you miss the completely obvious – the systems outside of the control of the normal admins.
Even at big companies where the admins (and help desk) are referred to as the “Network Nazi’s” and access to the network is strongly limited, projects still buy their own servers that make their way onto the corporate network legitimately, and those same ones even legitimately get rebuilt from time to time by their local, project assigned administrator – who may not necessarily be part of the companies admin group or help desk personnel. And it can very easily happen that an administrator leaves without informing the next new one (even if they have the opportunity) of all they need to know about the system or company policies pertaining to the system. Even supposing the system was part of your proposed plan to start with, if the system got rebuilt (hard drive wiped, different OS, etc.) per the project’s requirements – it might not make it back into the system – especially if a fresh admin is not in-the-loop.
My point is that even in the most secure environments, systems come on-line and go-offline due to people outside the system administration. Some environments are better controlled than others, but until you can say 100% for sure that no system can get on your network without administrative approval, then you won’t be able to 100% secure it from malicious ex-employees.
Of course, you also have to balance the needs of the work force too – is it really worth your company’s time to secure the network that much? Yes, there’s a risk and its one that the management needs to make.
Although I find the article interesting and a decent place to begin a conversation I find it lacking in two areas.
1. It ignores the changes made in recent years moving more and more organizations to web based applications to manage their data.
2. It makes the classic mistake of assuming that one can prevent entry, and therefore you build hard on the outside and soft in the middle.
Rule #1 people will get in. Gonna happen. Accept it. Now once you take that mind set, you move into a totally different ballgame. One where you work on controlling use vs controlling entry. The problem with controlling entry is that once they do get in they are uncontrolled and can go hog wild. If however you control use you know in advance what they can and will do and how to mitigate it’s dilatory affects.
Finally a side note. One can tell by the methodology you suggest that you are primarily assuming Windows systems.
I used to work with process control systems primarily in the power industry and they did separate the network and systems fairly well; even so before I left contracting in that field, they were about to launch even tighter restrictions by implementing additional firewalls and DMZs between each network because there was some security risks when systems crossed networks.
My current employer does perform #4 – it’s part of the startup scripts…
I’d hate to see HR attempt to manage user IDs – they have issues just submitting forms in a timely manner much less manage users!
Completely agree that nothing would stop a former employee; especially someone highly technical and even moreso the person(s) who designed the infrastructure even if they didn’t build it with backdoors specifically to get back in.
I once worked with a large financial services provider (billions of dollars of transactions daily) and certain trusted members of our team had access to a script that allowed direct-to-database rewrites of individual security and transaction data, which could be valued up to the tens or hundreds of millions of dollars. To my knowledge (these were pre-IP systems) this was completely untraceable. It was used for the occasional instances when people from the trading floor made a “typo” type mistake with real implications to the flow of funds, and needed to fix it NOW – about once every three months or so. The entire IT team (thirty or so) IT management (five or so) and our business users (thirty or so) knew about this tool, but it had never been found in a security audit because everyone wanted it around as a critical/surgical option to fix “big problems”, and conspired to keep it secret.
In retrospect, Ye Gods.
It seems to me that most of what you’re suggesting in terms of regular vs. admin access is more or less baked-in to Ubuntu and its sudo model. But your final paragraph is telling:
Since you’re conceding that what you’ve listed only makes it harder for key people to cover their tracks when they act in a malicious fashion, let’s talk about what it takes to really secure systems:
1. No code promoted to production without multiple simultaneous key turns (think: nuclear missiles in an Air Force silo), so that no one person can install potentially problematic code.
2. No code promoted without review by a randomly selected peer. That peer group probably has to be n > 3. All changes need to have an auditable record trail; that trail is published internally to an even larger group of IT specialists who are encouraged to spend up to 10% of their time informally reviewing other changes.
3. There will be an outside audit by a randomly rotating firm (IBM, EDS, Accenture, whatever). They’ll check all record trails plus select some handful of complete projects to thoroughly review. The annual audit will happen at randomly selected intervals of less than one year.
#1 prevents the employee who is walking out the door from making an unauthorized change
#2 attempts to prevent two people from cooperating to subvert the company’s systems (randomly selecting the reviewer from a group of at least 3 ensures that the nefarious employee would have to be collaborating with all of those people)
#3 provides structure to strengthen #2 and hopefully prevent more than two people from cooperating on a long term basis
Why don’t companies enact this kind of protection?
Currently, in reality, you’ve got one guy doing the work of two in most shops.
This proposes to have four people doing the work of two (the redundancy of having someone double check each person’s work). Plus, paying six figures per year to outside auditors.
Now, most people in IT are rigorously honest. Yes, everyone has stories or has heard stories of people who aren’t. But most of the people I have worked with in my career have impeccable scruples.
That’s at least partly because of the nature of IT work– there is a strong sense of right and wrong (if not, you can’t do your job because you’re installing bad solutions), fairness, and accuracy. The same personality that is good at IT tends to have black and white views of morals, too.
CEOs are looking at the fact that these crimes are rare because of the ethics of IT people and the additional cost– a factor of more than 4!– and making what economists would call a rational economic decision that they’d rather suck it up and swallow the occasional bomb then secure their systems up front.
system administrators could do evil.
so, build a system that observes the administrators of the system.
sadly, that system will need an administator too.
so, build a system that observes the administrators of the system that observes the administrators of the system.
(repeat ad infinitum)
case closed.
At a Fortune 100 company we follow most of these processes already. Isolated critical servers with distinct ethernet admin network. Full logging, etc. Two factor authentication. Etc., etc.
However, we added one thing you didn’t mention. We restricted all access to production data to IT staff. There is no IT staff member, neither programmer, nor sysadmin who has access to production data. The only people who have access to production data are those who use it in the course of their jobs on a daily basis. Those users are under extremely high monitoring and auditing processes. Access to these systems are run like a casino, everyone is watching everyone else. We frequently terminate and in some cases refer to law enforcement employees who attempt to commit fraud, etc. Most of the employees who have access to this critical data also have Series 6 & 7 licensing so they get reported to the SEC as well.
When an IT staff member needs to access a critical production server, database, etc. They need to request a special admin account. This account is generated on the fly with a temporary password. The user logs in and is then forced to create their own strong password that meets very strict requirements. Then the account is designed to expire within a short time period such as 2-4-8 hours depending on the need. Unless the admin user asks for a time extension, the account will cease to function. All work performed using this special account is logged and tracked in the change control systems. You cannot even request such an id without having a change control ticket. Of course, there are emergency change control tickets and ways to escalate a time extension. Most of these special accounts are tied to an automated change control approved script that will modify data. Or they are used to push a code change from QA to Production and then to test via a final checkout. The team that manages these critical admin accounts are available 24/7 in an operations center. Most of the process is automated and therefore controlled. Their phones are recorded and audited on a regular basis. They are trained to watch for social engineering attempts and they have to validate a callers identity using 5 points of identification.
Unfortunately, we all know there can be vulnerabilities in any system no matter how secure. We pay to have professional security experts attempt to hack our systems on a regular basis. This tests our trip wire systems, logging, auditing, reporting, etc. We also run security audits of all production ready programming code, looking for buffer overflow and other potential vulnerabilities. We also have a special investigations department staffed by retired investigators (formerly FBI, Police Detectives, Military Investigators, etc.).
We are very concerned about protecting our clients data and have taken extreme measures to protect that data. Even then, we don’t relax our efforts we stay diligent and ready to expect the unexpected.
The first step in security really needs to be risk assessment. You need to look at your applications and data on a case by case basis and ask the basic question — if something happened to it, what are the consequences? If one of those rogue departmental servers was compromised — usually it would be an inconvenience to the department, but not to the business. If you are running a chemical plant and some compromises your process control — that is real bad and could cause fatalities. If you are managing financial records and someone steals them — that is real bad. If there are serious consequences, then you must implement good security systems. If you don’t you could face both criminal and civil trials. Employees of your company can be heavily fined and serve prison time.
It has been my experience most security experts don’t due business risk assessments. They usually come armed with best practices and try to impose them on everyone and everything. If you do the assessments, then DESIGN the security system, then you can have your cake and eat it too. Sadly most firms don’t take security too seriously until something bad happens, then the company either goes out of business or security over-reacts.
This is like workplace safety. You can either be aware of the need to keep the workplace safe and correct problems as they are found. Or you can ignore it until someone gets hurt. Zero data security is asking for trouble. There are basic practices that should be done and doing so will prevent a lot of problems.
Yes.
Always start with a risk assessment. If the company is worth hundreds of thousands of dollars, and your security mechanism requires you to hire someone who makes $110K a year plus benefits, you’re doing it wrong.
Casino and Poker both are Games where you need Luck without this you not will win any Cent.
Now, most people in IT are rigorously honest. Yes, everyone has stories or has heard stories of people who aren’t. But most of the people I have worked with in my career have impeccable scruples. cheap VPS
I accept you and yes it surely seeing help number of people.
great thanks man…
I apologize I can’t add to it as I have no experience with real estate, but can you help me as you appear just like a wealth of knowledge. My own room mates and I are looking for a residence to lease. We have resided with each other for a couple of years but want to move now. We looked at a very pleasant location recently but we have been told that our credit scores are not good enough to rent the property . The realtor offered to manually modify out credit ratings so as to rent the property . I think like this is going to get me into certain problems in the long haul.
Great post. Thanks for the info
good (article|information) thanks
This is a slick blogging platform. What is it called?
This article is amazing, I’m gonna put this in my bookmarks before I lose the url I don’t think I’ll ever find my way back again otherwise!
This article is amazing, I’m gonna put this in my bookmarks before I lose the url I don’t think I’ll ever find my way
Get genuine windows 7 key and experience the most out of your Windows 7 Operating System. Don’t go for pirated as it may completely harm your computer and cause problems in the near future.
I realy liked this innovative angle that you have on the topic. I wasnt thinking on this at the time I begun searching for tips. Your ideas were totally easy to get. Im glad to find that there’s an person here that gets it on the spot what its is talking about.
GREAT BLOG! You are one of the best writers I’ve seen in a long long time. I hope you keep writing because people like you inspire me!
GREAT BLOG! You are one of the best writers I’ve seen in a long long time. I hope you keep writing because people like you inspire me!
Great stuff you have here, we were going to mention this to a great friend of mine
[…] Access Denied: How to Defend Your Systems from an Inside Job, par Robert Cringely Tweet Informatique ← Hivernisation Le retour → Comments are closed. /* */ Flux RSS Calendrier […]
Can anyone help me out? It will be much appreciated.
Hello, this weekend is good designed for me, as this occasion i am
reading this wonderful informative paragraph here at my
house.