Open-source licenses, the CISSP, and the real world

You may have a question about open-source licenses on your CISSP exam. I don’t remember the specifics and wouldn’t be able to repeat them anyway, but I had a question on my exam where knowing the differences was helpful in finding the right answer.

And I had to deal with an issue this past week involving open-source technologies where the licenses made a big difference.

Read more

The upside of the brave new Windows Server GUI-less world

So the server version of Windows 8 is losing the GUI.  And some people aren’t happy about it.

Let’s talk about upside.
Read more

Making this WPS vulnerability even worse

If the vulnerability in WPS that I linked and talked about this week wasn’t bad enough, some of the commenters at the always excellent Hackaday found something terrible.

Many vendors use a predictable number as the WPS PIN, and don’t even bother to make it unique on a router-by-router basis. So much for it taking a couple of hours to get into a network. Since some vendors set the PIN to something like 123456789 or 123456780 (how clever), the vulnerability may not even be necessary to get in. Just try some of the known numbers, and chances are you can be on somebody’s network in a matter of minutes.

Read more

This is why you disable stuff you don’t think you need

This is going to sound like gloating, so I’m going to apologize for that right up front. A few weeks ago, I recommended you keep WPS disabled except for brief intervals for convenience. I had no specific reason in mind. Just in case. Just in case, you know, a vulnerability in WPS got discovered.

Well, one got discovered.

Read more

Balancing safety and versatility

John C Dvorak has a very simple solution to the HP printing problem. Lock down the firmware so it’s not upgradeable. And while we’re at it, do the same thing to routers and other equipment.

This solves the problem of loading rogue firmware on the devices, but there are several problems with such a draconian approach.
Read more

How I secured my new wireless router

For the first time ever, I actually have a wireless router that can cover my whole house. I’ve been interested in wireless security for a long time, but haven’t actually had to do much with it because I wasn’t running any wireless networks at home.

I spent a few minutes securing my network after I got it up and running. I talked at rather long length about that in the past, but on a really practical level, here’s what I did in a mere 10 minutes that will make a big difference.

Read more

Don’t use software firewalls: Good advice or bad?

A common piece of good-meaning advice you’ll hear is that you should never use software firewalls. But is that good advice, or bad?

On the surface, it’s good advice. It’s much better to use the firewall built into a cable/DSL router. But the software firewall built into Windows XP, Vista, 7, and (presumably) 8 makes for a good second line of defense, so I don’t recommend disabling it.

I’ll explain further.

Read more

Happy Patch Tuesday, September 2011

Microsoft has five updates and Adobe has two for us on this fine Patch Tuesday, in addition to a patch Mozilla pushed out for Firefox last week.

Don’t get too complacent if you run something other than Windows. If you run Microsoft Office on a Mac, or Adobe Reader or Acrobat on a Mac, or Adobe Reader on Unix or Linux, you’re vulnerable. The vulnerabilities in those affected products are more serious than the vulnerabilities for Windows. So keep that in mind. Don’t be smug about security. It’ll bite you.

Read more

Webserver Wednesday

Yesterday must have been Webserver Wednesdsay, because two things happened. A new version of Apache was released, and a new tool for testing the vulnerability of webservers to denial of service (DoS) was released.

Read more

A more likely use of the Medtronic exploit

Yesterday morning, as I completed the long journey from my parking spot to my office, another more likely use of the security vulnerability in Medtronic insulin pumps occurred to me. Yes, the risks involving insulin are very real. And yes, a determined attacker could use this vulnerability to take a Medtronic owner’s life. But those chances are slim.

But nothing says this vulnerability has to be used to do mortal harm. An attacker could use it just for exploitation. And there’s enough difference that some people wouldn’t have a problem with crossing that line.
Read more