Yes, we need to run vulnerability scans inside the firewall

I got an innocent question last week. We’d been scanning an AIX server with Nexpose, a vulnerability scanner made by Rapid7, and ran into some issues. The system owner then asked a question: The server is behind a firewall and has no direct connection to the Internet and no data itself, it’s just a front-end to two other servers. Is there any reason to scan a server like that?

In my sysadmin days, I asked a similar question. Nobody could give me an answer that was any better than “because reasons.” So I’ll answer the question and give the reasons.

You’re telling me someone gave a stranger his password?

I was talking breaches last week when a very high-up joined the conversation in mid-stream.

“Start over, Dave.”

“OK. I’m talking about breaches.”

“I know what you’re talking about,” he said, knowingly and very clearly interested.

We lost a St. Louis original over the weekend

I don’t think any of this will be in the newspapers, but I hope I’m wrong. Probably the most unusual man I will ever meet died over the weekend. His name was Otis Woodard. He ran a women’s shelter and food pantry in north St. Louis for decades. In many ways, it seems to me he represented everything that was right in the midst of all the things that are so wrong.

Commodore hardware viruses–yes, they were possible

The conventional wisdom is that computer viruses can wipe out your data, but they can’t do physical damage. The exception to that rule was, of course, Commodore, the king of cheap 1980s computers. Commodore’s earliest computer, the PET, had an infamous “poke of death” (POKE 59458,62) that could damage its video display, but the Commodore 64’s sidekick, the 1541 disk drive, had a couple of little-known vulnerabilities as well.

Tinkering isn’t dead, but it is changing

When Radio Shack announced its bankruptcy, I read more fears that the age of tinkering is dead than I read laments for the store.

I follow the logic, because Radio Shack was the only national store chain that ever tried to cater to tinkerers. But I don’t think people abandoning Radio Shack means tinkering is necessarily dead. I have plenty of indications that it’s still very much alive, but it’s also very different from how it used to be.

How to become an Info Assurance Analyst

So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. I think you should want to become one, so here’s how to become an Info Assurance Analyst.

The field desperately needs more of us, so I’m happy to share with you how to become someone like me.

Anthem, HIPAA, and encryption

Late last week, the Wall Street Journal reported that Anthem wasn’t encrypting the database containing tens of millions of health records that were stolen by sophisticated hackers.

There are numerous problems with that story, the first being that we don’t know yet whether the data was encrypted. There are other unconfirmed reports that say the attackers used a stolen username and password to get at the data, which, if that’s true, likely would have allowed them to decrypt the data anyway.

Still, I’m seeing calls now for the government to revise HIPAA to require encryption, rather than merely encourage it. And of course there are good and bad things about that as well.

“It was a sophisticated attack.”

Every breach report contains the words “sophisticated attack.” Security pros like me see it as pure spin. Here’s why.

R.I.P. Radio Shack. I’ll miss what you once were.

I’ve tried several times to write a eulogy for Radio Shack. It’s not easy. The demise has been a foregone conclusion for a very long time, and it’s clear they could have done any number of things differently and survived in some form.

But they didn’t. Let me tell you about the last time I almost went to Radio Shack. Yes, almost.

Why every breach is different

I’ve grown used to being asked what unpatched vulnerability was used in the most recent breach, in an effort to make sure some other company is protected.

I appreciate the desire to learn from other companies’ mistakes and not repeat them. But there are several reasons why the answer to that question is complicated, and not necessarily helpful.
