You may have heard people like me talk about watering-hole attacks. It’s an indirect attack on someone by compromising a third party and using that to get in. In this case, back in November, attackers got a Forbes ad server, and from there, attacked visitors from government and bank networks. Here’s the logic: Since ad servers […]
A commenter asked me last week if I really believe the lock in a web browser means something. I’ve configured and tested and reviewed hundreds of web servers over the years, so I certainly hope it does. I spend a lot more time looking at these connections from the server side, but it means I […]
I’ve grown used to being asked what unpatched vulnerability was used in the most recent breach, in an effort to make sure some other company is protected. I appreciate the desire to learn from other companies’ mistakes and not repeat them. But there are several reasons why the answer to that question is complicated, and not […]
I was doing some scanning with a new vulnerability scanner at work and I found something listening on a lot of servers, described only as Apache and OpenSSL listening on port 2381. The versions varied. Luckily I had another scanner at my disposal that solved the mystery quickly: It’s the HP System Management Homepage, a […]
“Dad!” my sons approached me breathlessly. “Did you know they’re making an Angry Birds Transformers?” “I’m not surprised. They’ll make Angry Birds anything. Angry Birds Do Taxes. Angry Birds This Old House. Angry Birds This Old Car.” And then, for the coup de grâce, I added, “Angry Birds Beavis and Butt-Head.” Do I need to tell […]
Many resources for up-and-coming go-getter managers tell them to subvert or go around processes in order to get things done. Let me tell you a story about that strategy backfiring.
IBM announced yesterday that it had a terrible quarter. They missed earnings, the stock plunged, and Warren Buffett lost a billion dollars. Everyone assumes Warren Buffett is worried, or livid, and selling off the stock like it’s on fire.
My name, and my department’s name in general, gets thrown around a lot at work. We have a bit of a reputation as the can’t-do guys. Professionalism dictates I not go into specifics about what kinds of things we reject or disapprove, but if I were to explain them, no security professional would disagree with […]
In my day, I did plenty of hardware maintenance in the field. In fact, the only time one of my bosses ever saw me working, I was swapping out failed memory in a server. “How’d you know it needed to be done?” he asked. “It told me.” That’s why I always loved HP Proliant servers. […]