Adobe has patched Flash twice in two weeks now. The reason is that Hacking Team, an Italian company that sells hacking tools to government agencies, was itself hacked. Hacking Team, it turns out, knew of at least three unpatched vulnerabilities (also known as “zero-days” or “0days”) in Flash, and working exploits for those vulnerabilities were among the data that leaked in the breach.
That’s why Adobe is having a bad month.
Continue reading Expect a rough road ahead for Flash
Guy Wright’s piece titled Internet Security: We were worried about the wrong things is a bit old but it’s an important point. Security is a moving target. It’s always a moving target.
I disagree, however, with the assertion that SSL (and its successor, TLS) were a waste of time.
Continue reading Worried about the wrong things? It’s always the wrong thing.
Every year around this time, Verizon releases its Data Breach Investigations Report, referred to in the trade as simply the “DBIR.” Verizon is one of two companies you call if you’ve been breached and you really want to get to the bottom of what happened and try to keep it from happening again. (Mandiant is the other.)
My CISO hates this year’s edition because of its Joy Division-inspired cover and some of the cutesy writing. But it still makes some valid points that I wish everyone would take to heart–and those points remind me why so many people in my field of work listen to Joy Division.
Continue reading Three things to remember from Verizon’s Data Breach Investigations Report
This week, Google published a vulnerability in Windows 8.1 after a 90-day countdown timer automatically expired. Microsoft has not yet released a patch.
Controversy ensued. Obviously, yes, an unpatched, well-known vulnerability in Windows is troubling. But the alternative is worse.
Continue reading Why Google ratting on Microsoft isn’t all bad
So the other day I got blindsided with a question at work: What are we doing about Winshock? Winshock, I asked? I had to go look it up, and I found that it’s the nickname for what I’ve been calling MS14-066, the vulnerability in Schannel, which is Microsoft’s implementation of SSL/TLS for Windows.
Based on that, I’d argue it has more in common with Heartbleed than Shellshock, but I guess “Winshock” is catchier than “Winbleed.”
Then the lead of another team asked me to brief his team on Winshock. I actually managed to anticipate all but three of the questions they asked, too, which was better than I expected. Some of what I shared with them is probably worth sharing further.
Continue reading What is Winshock?
New details emerged on the Home Depot attack that left 56 million consumers with compromised credit cards. The interesting thing in the new details is that it could have been much worse, though not necessarily for the reasons that are immediately obvious.
Continue reading Retracing the Home Depot attackers’ steps
My tips for using Sysinternals’ Du.exe were well received last week, and my former coworker Charlie mentioned a GUI tool called Windirstat that I had completely forgotten about. For the command-line averse, it’s an incredibly useful tool.
But there’s one thing that Du.exe does that makes the CLI worthwhile. It will output to CSV files for further analysis. Here’s the trick.
DU -L 1 -Q -C \\SERVERNAME\C$\ >> servers.csv
Sub in the name of your server for SERVERNAME. You have to have admin rights on the server to run this, of course.
For even more power, run this in a batch file containing multiple commands to query multiple servers, say, in your run-up to Patch Tuesday. Because >> appends rather than overwrites, each command adds its rows to the same CSV file. Open the file in your favorite spreadsheet, sort on Directory Size, and you can find candidates for cleanup.
Continue reading Revisiting Microsoft/Sysinternals Du, as a batch file
IT jobs are getting scarce again, and I believe it. I don’t have a cure but I have a suggestion: Specialize. Specifically, specialize in security.
Why? Turnover. Turnover in my department is rampant, because other companies offer my coworkers more money, a promotion, or something tangible to come work for them. I asked our CISO point blank if he’s worried. He said unemployment in security is 0.6 percent, so this is normal. What we have to do is develop security people, because there aren’t enough of them.
I made that transition, largely by accident, so I’ll offer some advice.
Continue reading IT jobs shortage? Slide over to security
Some revolutionary advice surfaced this past week: stop patching everything. I understand the argument that people need to stop letting the difficulty of patching everything paralyze them into doing nothing, which I’ve seen some organizations do, and I agree that some patches are more critical than others. But as someone who once had to prioritize patches, I can assure you that prioritizing the patches was more work than deploying them and recovering from the fallout. We eventually found it was much less work just to install all the missing patches every month.
And guess what? Nothing bad happened from doing that.
Continue reading I don’t think I agree with the argument against patching everything
I had a couple of discussions this week about compliance, and the traps of plain old check-the-box compliance, and how to get started in it when regulatory compliance suddenly gets sprung on you.
The key is working backwards. Start with the very reason regulatory compliance exists.
Continue reading Getting started in compliance: Start by doing the right thing