I read Microsoft’s site to a “Microsoft” scammer

“Daniel” from “Microsoft” called me the other day. The number looked halfway legit so I picked up. He out and out claimed to be from Microsoft and said he was getting alerts from my computer. His voice sounded familiar–I think I’d talked to him before.

“Which computer?” I asked.

“Your Microsoft computer,” he said.

Read more

Catch up on Microsoft patching fast

Last week, Microsoft quietly released its convenience update pack for Windows 7, 8.1., and Server 2008R2. This is a great opportunity to catch up on Microsoft patching, as it incorporates all of Microsoft’s OS-level updates from the release of Service Pack 1 to April 2016.

Here’s how to use this to clear your corporation’s backlog of Microsoft patches. No, I haven’t seen your corporate network, but I’ll bet you have one.

Read more

Simple tips to prevent ransomware

Last week at work, I noticed some odd events in an event log, and when I investigated them, I found they were part of a failed ransomware attack. This got me thinking about how to prevent ransomware at home.

Ransomware, if you aren’t familiar, is an attack that encrypts your data and demands a ransom, usually around $300, in bitcoins, and you get a short deadline until it destroys your files. More often than not, paying the ransom is the only way to get the files back, so it’s much better to prevent it.

Read more

I got hacked. I did it to teach you a lesson, and I’m sure you believe it.

The other day, this showed up in my e-mail:

A file change was detected on your system for site URL http://dfarq.homeip.net. Scan was generated on Tuesday, November 3rd, 2015 at 5:25 am

A summary of the scan results is shown below:

The following files were removed from your host:

/var/www/wordpress/wp-content/cache/supercache/dfarq.homeip.net/wordpress/index.html (modified on: 2015-11-03 03:23:52)
======================================

The following files were changed on your host:

/var/www/wp-content/themes/twentyfourteen/functions.php (modified on: 2015-08-19 22:24:04)
/var/www/wp-content/themes/twentyfourteen/header.php (modified on: 2015-08-19 22:24:04)
======================================

Login to your site to view the scan details.

I didn’t make those changes. Fortunately fixing it when changes appear in functions.php and header.php that you didn’t make is pretty easy.

Read more

The problem with ditching Flash and Java

Last week Adobe issued an out-of-band Flash patch, and once again Brian Krebs urged people to ditch Flash, noting that he’s done so and hasn’t missed it.

We decided to try ditching Flash at work a few months ago, but it didn’t go quite so smoothly for us. I thought I’d share my experience.

Read more

If you use Truecrypt, migrate to Veracrypt

I’m playing catch-up with this one, but if you’ve been relying on the quasi-open source Truecrypt encryption solution, you need to migrate to Veracrypt as quickly as possible.

For some reason, it doesn’t seem to be common knowledge that Veracrypt is derived from Truecrypt and is, for all intents and purposes, the successor to Truecrypt.

Read more

Flash vs Shockwave

Bad things happen when security pros like me start asking our infrastructure brethren to patch Flash. We get better security, but the Flash upgrade fails enough of the time to cause extra workload, and it can be confusing. One of the problems is the question of Flash vs Shockwave.

Consequently, I see more Flash-related helpdesk tickets than I ever saw, even when I was doing desktop support long ago. Adobe doesn’t make it any easier by calling the plugin “Shockwave Flash.”

Read more

Microsoft looks back at MS08-067

The most infamous Microsoft patch of all time, in security circles at least, is MS08-067. As the name suggests, it was the 67th security update that Microsoft released in 2008. Less obviously, it fixed a huge problem in a file called netapi32.dll. Of course, 2008 was a long time ago in computing circles, but not far enough. I still hear stories about production servers that are missing MS08-067.

Last week, Microsoft took a look back at MS08-067, sharing some of its own war stories, including how they uncovered the vulnerability, developed a fix, and deployed it quickly. It’s unclear who besides Microsoft knew about the problem at the time, but one must assume others were aware of it and using it. They certainly were after the fall of 2008.

Read more

Why Johnny can’t patch

I’ve spent nearly 2/3 of my career dealing with Microsoft patches at one level or another, so when it comes to excuses, I think I’ve probably heard them all.

This diary entry from the Internet Storm Center has good answers to the most common objections. I think a two-day patch cycle may be overly aggressive, and I know it drives infrastructure folks nuts when CISOs read stuff like this and then say, “Patch my stuff in two days like this guy,” but most organizations can take his advice, and even if they slow it down to 30 days instead of two, they’ll still be in a better place than they are today.