All posts tagged vulnerability

How to become an Info Assurance Analyst

So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. The field desperately needs more of us, so I’m happy to share with you how to become […]

Anthem, HIPAA, and encryption

Late last week, the Wall Street Journal reported that Anthem wasn’t encrypting the database containing tens of millions of health records that were stolen by sophisticated hackers. There are numerous problems with that story, the first being that we don’t know yet whether the data was encrypted. There are other unconfirmed reports that say the attackers used […]

Why every breach is different

I’ve grown used to being asked what unpatched vulnerability was used in the most recent breach, in an effort to make sure some other company is protected. I appreciate the desire to learn from other companies’ mistakes and not repeat them. But there are several reasons why the answer to that question is complicated, and not […]

Why a non-web server has Apache and OpenSSL on port 2381

I was doing some scanning with a new vulnerability scanner at work and I found something listening on a lot of servers, described only as Apache and OpenSSL listening on port 2381. The versions varied. Luckily I had another scanner at my disposal that solved the mystery quickly: It’s the HP System Management Homepage, a […]

Age of a vulnerability is not an indicator of future risk

I cited MS14-066, commonly known as Winshock, this week as a reason to take action on a server. Another stakeholder tried to argue with me. The vulnerability was very old, he said–years old, and hadn’t caused a problem yet. He’s right. It’s at least 19 years old. But that’s merely interesting, not important. What’s important […]

Why Google ratting on Microsoft isn’t all bad

This week, Google published a vulnerability in Windows 8.1 after a 90-day countdown timer automatically expired. Microsoft has not yet released a patch. Controversy ensued. Obviously, yes, an unpatched, well-known vulnerability in Windows is troubling. But the alternative is worse.

This should go without saying: Upgrade your WordPress!

Apparently, 86% of WordPress blogs haven’t been upgraded yet to version 4.0 or 4.01, because they are vulnerable to a terrible cross-site scripting vulnerability. If you’re reading this, and you have a WordPress blog, go update it. This post will still be here when you’re done.

Retracing the Home Depot attackers’ steps

New details emerged on the Home Depot attack that left 56 million consumers with compromised credit cards. The interesting thing in the new details is that it could have been much worse, but maybe not for reasons immediately obvious.

How to succeed as an IT contractor

I met a young IT contractor a little while back. His talent was sky high, and his potential was matched only by his rawness. It’s not my place to go into great detail about that rawness, but one thing I noticed about him was that he had a very self-defeating attitude about him. Several times […]

CMD.EXE and its shellshock-like qualities

“So did you know there’s a Windows version of Shellshock?” a coworker asked the other day. “What, Cygwin’s bash?” I asked. “No, in CMD.EXE.” I thought for a second, back to some really nasty batch files I’ve seen that do goofy stuff with variables and parentheses and other reserved characters. Suddenly it made sense. Those […]