Tag Archives: internet explorer

The outbound firewall controversy

So, do you need an outbound firewall? Two people say no.

I agree but I disagree. I like the idea behind an outbound firewall, but in practice, I find they don’t work. The human element makes them fail. Whenever a computer asks for permission to do something, people generally fall into two camps: People who say yes all the time, and people who say no all the time. With the people who say yes all the time, the malware gets to do whatever it wanted anyway, so the firewall fails to do its job. With the people who say no all the time (Why does Internet Explorer want to connect to the Internet?), nothing works.

Ultimately, the argument against them is that if you don’t trust a piece of software to connect to the Internet, you shouldn’t have that software on your computer at all. I agree completely with that argument. Only install trusted software that you get from trusted sources, learn how to check the MD5 or SHA1 signatures to ensure the software is what it says it is, and then and only then install it.

A firewall is one of the most basic of security tools. You need one to protect yourself against basic threats. Not having one is negligent. But trying to turn that firewall into something other than a basic tool–something it’s not–generally isn’t going to get you very far. A firewall with training wheels on it isn’t a substitute for security awareness.

And here’s the thing. The Windows built-in firewall does block certain outbound connections, mostly on antiquated ports that are generally used for malware more frequently than for legitimate purposes anymore. It just doesn’t jump up and down and tell you that it’s doing it. It just quietly does its job, which is exactly what you want your firewall to do.

How I accidentally found a way to mess with “Peggy”

“Peggy” from “Computer Support Department” just won’t give up. He called me again at about 8 PM this evening. This time, I played along. I had a thrift-store junker PC for him to infect with his malware. The only problem was, the hard drive wasn’t connected and neither was the power cord. So I quickly hooked all that up, booted up, and then played along.

“I want you to click on Internet Explorer.”


“What do you see?”

“Page cannot be found.”

Thus I learned that Peggy isn’t very good at troubleshooting network issues. Continue reading How I accidentally found a way to mess with “Peggy”

A treasure trove of training material

Need to improve your security skills? Need a refresher course to brush up on some skills you haven’t used in a while? Or are you just looking for some CPEs or CEUs to keep your certification valid?

The United States Department of Defense offers a great deal of security training, much of which is freely available to all comers. Your tax dollars paid for it, so don’t feel bad about using it. Besides, if you use it to improve your networks, then your networks are less likely to become a source of attack on government networks, so they’re happy for you to use most of it.

Here’s a hint: Anything that isn’t viewable by the general public is marked ” *(DoD PKI Cert req’d).” If you don’t see that marking, then it’s free for you to view. Just click the link marked “Launch Training.” Continue reading A treasure trove of training material

And the most security-riddled program of 2012 was….

Secunia released its annual vulnerability review, a study of the 50 most vulnerable pieces of software in 2012. It was a fairly tight-three way race at the top, and the distance between #3 and #4 was huge.

I was actually surprised at who the top three were. They weren’t the three usual suspects. But in the case of the top two, they did, to their credit, roll out fixes within 30 days of disclosure.

So now that I’m killing you with suspense….
Continue reading And the most security-riddled program of 2012 was….

Internet Explorer 10 is out for Windows 7

Microsoft finally released IE10 for Windows 7 after a long development cycle. Conspiracy theorists think it had something to do with Windows 8 sales. Whatever the reason was, it’s out.

Allegedly, you can slipstream it using these official instructions. I’ll give it a whirl the next time I have to install Windows 7. If you want to slipstream all the other updates, here’s how. You can skip the IE9 part if you slipstream IE10.

The lines between white hat/gray hat/black hat hacking and moral laws

Longtime reader/commenter Joseph asked two questions yesterday: What’s the boundary between gray and black-hat hacking, and is it moral to pick and choose between moral and immoral laws?

The first question is easier than the second. So I’ll tackle that one first. Continue reading The lines between white hat/gray hat/black hat hacking and moral laws

What I did since I (temporarily) need Java

I’ve been seeing the same question over and over in my search logs lately: Is Java safe to run in 2013?

Generally speaking, the answer is no.
I have little choice but to run Java right now, though. I’m studying for a certification exam, and the best quiz program that I know of is written in Java. Its user interface is in Polish, a language I don’t speak, but that bothers me less than it being written in Java. Google Translate can help me with the Polish, but it can’t make Java safe. That’s up to me.

So here’s what I did.
Continue reading What I did since I (temporarily) need Java

Java is patched now, but still not very safe

Rapid7’s Chief Security Officer, HD Moore, estimated it will take two years for Oracle to fix all of the current issues with Java, not counting anything new that happens in that timeframe.

Futhermore, Kaspersky states that 50% of cyberattacks in 2012 utilized a Java exploit. Among those is the newly discovered Red October.

Think for a minute. Antivirus software is anywhere from 75 to 90% effective. Assuming the worst, that means the simple process of removing Java from your computer does 2/3 as much good as running antivirus software. Of course, you shouldn’t do one or the other; you should do both.

If you have a legitimate need for Java in your web browser, such as commercial intranet applications built with Java, enable Java in one and only one browser, then use that browser solely for accessing those Java-powered web sites.

But the best thing to do is just get rid of Java. And if you have something that uses Java, find something else to use.

It took Microsoft about two weeks to fix a critical vulnerability in Internet Explorer. It took Oracle five months. I never thought I’d say this, but Oracle needs to be more like Microsoft.

Yeah, you can quote me on that if you want.

But until Oracle gets religion on security like Microsoft did around 2002, we really have two choices: Avoid Oracle products whenever practical, or keep getting hacked. I’d rather you not choose the latter option.

Do as we say, not as we did: Microsoft and standards

Microsoft is sniveling that mobile web sites are written with Webkit browsers in mind, because Webkit has 90% market share on tablets and phones.

For those who are over 30, the irony is nauseating. Continue reading Do as we say, not as we did: Microsoft and standards