The most infamous Microsoft patch of all time, in security circles at least, is MS08-067. As the name suggests, it was the 67th security update that Microsoft released in 2008. Less obviously, it fixed a huge problem in a file called netapi32.dll. Of course, 2008 was a long time ago in computing circles, but not far enough. I still hear stories about production servers that are missing MS08-067.
Last week, Microsoft took a look back at MS08-067, sharing some of its own war stories, including how they uncovered the vulnerability, developed a fix, and deployed it quickly. It’s unclear who besides Microsoft knew about the problem at the time, but one must assume others were aware of it and using it. They certainly were after the fall of 2008.
Continue reading Microsoft looks back at MS08-067
Last week, I heard a webcast in which the presenter repeated some advice from 2004: Patch things like your financial systems first, and your workstations last.
Workstations need to be first. Continue reading Don’t patch your workstations last
I’ve talked before about the infamous Jeep hack, but there’s more to learn from it than just that cars are vulnerable. The way Charlie Miller and Chris Valasek hacked the Jeep has implications for any computer network.
Continue reading What you can learn about corporate networks from the Jeep hack
IT jobs aren’t as easy to come by as they were 20 years ago, but there’s one subset of the field that I don’t see slowing down any time soon. Unfortunately it’s a poorly understood one.
But if you spent any significant time in the 1980s or early 1990s abusing commercial software, especially Commodore and Apple and Atari and Radio Shack software, I’m looking at you. Even if you don’t know it, you’re uniquely qualified to be a web app pentester.
Continue reading Looking for a career change? Consider web app pentesting
If you need gigabit ports for your home server or router project and you’re short on available expansion slots, I have just the thing. Home sysadmins have known for a while that you can get cheap PCI-X Intel NICs and run them in PCI mode, but you may not know that you can find the very same thing by searching Ebay for HP 7170 and it’s usually cheaper. It’s not rare to find them for $7, shipped.
Continue reading Need a good, cheap dual gigabit NIC? I have just the thing.
What seems like a million years ago, when Sony Pictures got breached, some pundits were predicting that was the end of the company. I always thought that was hyperbole, but I have to admit I never went to the extreme of saying breaches are nearly harmless, which seems to be the current popular thinking.
Indeed, a financial analyst went on the Down the Security Rabbit Hole podcast and said breaches are an investment opportunity. Just buy the dip.
Continue reading Data breaches don’t cost anything–so here’s why they matter
I got a point-blank question in the comments earlier this week: Did Hillary Clinton’s home-made mail server put national secrets at risk of being hacked by our enemies?
Depending on the enemies, maybe marginally. But not enough that any security professional that I know of is worried about it. Here’s why.
Continue reading Hillary, hackers, threats, and national security
Much has been made of Hillary Clinton’s use of her own mail server, running out of her home. It didn’t change my opinion of her, and I don’t think it changed anyone else’s either–it just reinforces what everyone has thought of her since the early 1990s. Then, Ars Technica came forward with the bizarre case of Scott Gration, an ambassador who ran his own shadow IT shop out of a bathroom stall in Nairobi.
The money quote from Ars: “In other words, Gration was the end user from hell for an understaffed IT team.” And it concluded with, “[A]s with Clinton, Gration was the boss—and the boss got what the boss wanted.”
Indeed. And it doesn’t just happen in the government.
Continue reading The State Department is just one of many examples of IT gone rogue
You may have heard people like me talk about watering-hole attacks. It’s an indirect attack on someone by compromising a third party and using that to get in.
In this case, back in November, attackers got a Forbes ad server, and from there, attacked visitors from government and bank networks.
Here’s the logic: Since ad servers tend to be much less secure than your target company, you compromise an ad server from a site someone on the target network is likely to visit, then infect them from there.
Continue reading The Forbes Flash hack is a good example of a watering hole attack
A commenter asked me last week if I really believe the lock in a web browser means something.
I’ve configured and tested and reviewed hundreds of web servers over the years, so I certainly hope it does. I spend a lot more time looking at these connections from the server side, but it means I understand what I’m seeing when I look at it from the web browser too.
So here’s how to use it to verify your web connections are secure, if you want to go beyond the lock-good, broken-lock-bad mantra.
Continue reading How to use the lock in your web browser’s location bar