The Forbes Flash hack is a good example of a watering hole attack

You may have heard people like me talk about watering-hole attacks. A watering-hole attack is indirect: instead of going after the target directly, the attacker compromises a third party the target’s people already visit and uses that foothold to get in.

In this case, back in November, attackers compromised a Forbes ad server and, from there, attacked visitors coming from government and bank networks.

Here’s the logic: ad servers tend to be much less secure than the target company, so you compromise an ad server on a site someone on the target network is likely to visit, then infect them from there. The victim never has to visit anything that looks suspicious.

Read the full post »

How to replace a Lionel transformer’s power cord

When using vintage Lionel transformers, it’s important to make sure the power cord isn’t broken or frayed to avoid the risk of electric shock or starting a fire.

That said, replacing a power cord safely is a lot easier than most people make it sound. You can do the job with simple tools and a few dollars’ worth of parts from the nearest hardware store. Here’s how.

Read the full post »

How to roll your own mini PC and potentially save

I’ve talked at length about HP’s new mini PCs, but there are some alternatives in the DIY space. For example, Asrock offers the D1800B-ITX, which sells for around $53. Going the DIY route, you won’t get a discounted copy of Windows, but you also won’t spend money on RAM and an SSD that you’re going to end up replacing, and you can get exactly as much CPU as you want.

Read the full post »

How to convert any ATX or microATX case to silent operation

Now that SSDs and CPUs that consume 10 watts are readily available and inexpensive, it’s possible for almost any mainstream PC to be a silent PC. You can of course buy new cases for silent-PC builds, but if you want to upgrade and save a little money while doing it, you can easily convert a legacy case of almost any age to work silently. If you have an AC adapter from a discarded or disused laptop or LCD monitor, you can do this project for less than $30. Here’s how.

Read the full post »

Accessing the Programs and Features control panel app from the command line

From time to time I have to pull up Programs and Features (formerly known as Add or Remove Programs in older versions of Windows), but I’m not an administrator. Not normally, at least. When I need to do so, I run cmd.exe using my administrative ID (I created a shortcut and pinned it to my Start Menu so I can right-click cmd.exe and select “Run As”) and then, from the command prompt, I type appwiz.cpl. Then I can make all the changes I need to make, without the hazards associated with logging in as an administrator and running everything with admin rights.
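The same trick from PowerShell, as an added example that is not from the original post: only the one process you need gets the administrative account’s token, and the rest of the session keeps running as your ordinary user. The account name CONTOSO\dave-admin is a placeholder; substitute your own administrative ID.

```powershell
# Added example (not from the original post). Launch a Control Panel applet
# under a separate administrative account from a standard-user session.
# Assumption: the admin account is CONTOSO\dave-admin (hypothetical name).

function Test-IsElevated {
    # True when the current PowerShell process already holds the Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-AppletAsAdmin {
    param(
        [string]$Applet       = 'appwiz.cpl',            # Programs and Features
        [string]$AdminAccount = 'CONTOSO\dave-admin'     # hypothetical admin ID
    )

    if (Test-IsElevated) {
        # Already running with admin rights (which is what we try to avoid);
        # no need to prompt for a second account.
        Write-Warning 'This session already has administrative rights; launching directly.'
        Start-Process -FilePath 'control.exe' -ArgumentList $Applet
        return
    }

    # runas.exe prompts for the admin account's password and starts only this
    # one process with that account's token. Your shell, browser and mail
    # client keep running as the unprivileged user.
    & runas.exe "/user:$AdminAccount" "control.exe $Applet"
}

Start-AppletAsAdmin
```

If you use a single account with UAC instead of a separate administrative ID, `Start-Process -FilePath control.exe -ArgumentList appwiz.cpl -Verb RunAs` elevates the same way the right-click “Run as administrator” menu item does, still for that one process only.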

How to use the lock in your web browser’s location bar

A commenter asked me last week if I really believe the lock in a web browser means something.

I’ve configured and tested and reviewed hundreds of web servers over the years, so I certainly hope it does. I spend a lot more time looking at these connections from the server side, but it means I understand what I’m seeing when I look at it from the web browser too.

So here’s how to use it to verify your web connections are secure, if you want to go beyond the lock-good, broken-lock-bad mantra.

Read the full post »

Lenovo’s preinstalled Superfish spyware: A post-mortem

So, if you haven’t heard by now, last year Lenovo experimented with preloading its cheapest laptops with spyware that subverts HTTPS: it installs its own trusted root certificate and intercepts encrypted connections, allowing a third party to inject ads on any web page and providing a convenient place for an attacker to hide while messing with your secure transactions.

By the end of the day yesterday, Lenovo had apologized, sort of, and after several sites had provided removal instructions, Lenovo provided its own. After spending much of the day downplaying the security concerns, by the end of the day they were at least reluctantly acknowledging them.

This was really bad, and I’ll explain why in a second, and I’ll also try to explain why Lenovo did it.

Read the full post »
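What the removal instructions amount to on the command line, as an added example that is not from the original post or from Lenovo: the interception only works because a Superfish root certificate sits in the Windows trusted root store, so you look for it there and remove it. The pattern `Superfish` matches the subject of the certificate Lenovo shipped; the second check is a general one for any root the machine trusts and also holds a private key for, which is the ingredient a man-in-the-middle proxy needs, and it is not specific to Superfish.

```powershell
# Added example (not from the original post or from Lenovo). Hunt for the
# Superfish root certificate and for other suspicious trusted roots.
# Assumption: the rogue CA is recognisable by 'Superfish' in its subject,
# which is true of the certificate Lenovo shipped; change $pattern to hunt
# for any other unexpected root.

$pattern = 'Superfish'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

function Find-RogueRoot {
    param([string]$Pattern, [string[]]$StorePaths)
    foreach ($store in $StorePaths) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

# 1. Anything matching the pattern in either root store.
Find-RogueRoot -Pattern $pattern -StorePaths $stores | Format-Table -AutoSize

# 2. General hygiene check: a trusted root whose private key is on this
#    machine lets software here mint certificates for any site. Genuine
#    public CAs never have their key on your laptop.
Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
    Where-Object { $_.HasPrivateKey } |
    Select-Object Subject, Thumbprint, NotAfter

# 3. Removal (run from an elevated session). Uninstall the interception
#    software first: deleting only the certificate leaves the proxy in place,
#    so every HTTPS connection then fails validation instead of being fixed.
# Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
#     Where-Object { $_.Subject -match $pattern } |
#     Remove-Item
```

Firefox keeps its own certificate store rather than using Windows’, so a clean result here does not by itself prove a browser that ships its own root list is clean.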

Initial upgrade reports on the HP Stream and Pavilion Mini

Earlier this year at CES, HP introduced its HP Stream Mini ($180) and Pavilion Mini ($320 and $450) mini-desktops. They’re small, inexpensive, and in the case of the Stream, silent. They turn out to be surprisingly upgradeable as well. Ars Technica has details and benchmarks, but of course I have my own priorities based on their discoveries.

Read the full post »

Yes, we need to run vulnerability scans inside the firewall

I got an innocent question last week. We’d been scanning an AIX server with Nexpose, a vulnerability scanner made by Rapid7, and ran into some issues. The system owner then asked a question: The server is behind a firewall and has no direct connection to the Internet and no data itself, it’s just a front-end to two other servers. Is there any reason to scan a server like that?

In my sysadmin days, I asked a similar question. Nobody could give me an answer that was any better than “because reasons.” So I’ll answer the question and give the reasons.

Read the full post »

You’re telling me someone gave a stranger his password?

I was talking breaches last week when a very high-up joined the conversation in mid-stream.

“Start over, Dave.”

“OK. I’m talking about breaches.”

“I know what you’re talking about,” he said, knowingly and very clearly interested.

Read the full post »