security

What to do with old Qualys zero-day vulnerabilities

Dave Farquhar security
What to do with old Qualys zero-day vulnerabilities

When you work with Qualys long enough, it’s inevitable that you’ll eventually find them: Zero-day vulnerabilities in software that’s several years old, with no patch available. There’s no easy answer about what to do with them, but here’s some advice for old Qualys zero-day vulnerabilities.

Zero-day vulnerabilities by definition have no vendor-supplied patch. Typically a vendor issues a patch a few days or weeks after a zero-day comes out, but there are a few zero-days from the 2007 timeframe that never got patches released, and those vulnerabilities require another type of mitigation.

Read more

Search by MAC address in Qualys

Dave Farquhar security
Search by MAC address in Qualys

Qualys Assetview is the vendor-preferred way to search in Qualys. Admittedly, its Elasticsearch interface is slick. But Assetview doesn’t usually let you search by MAC address even though the field exists. So here’s how to search by MAC address in Qualys using other functionality in the tool.

Qualys Asset Search has the ability to search based on the presence of a QID and its results. So you can search on QID 43007 containing the results of the MAC address you want. If Qualys finds a match, it pulls up the machine you are looking for.

Read more

Stop phone calls from political parties if you don’t want them

Dave Farquhar security
Stop phone calls from political parties if you don’t want them

Any time Congress makes it illegal to robocall you, they exempt political calls. That makes it hard to stop unwanted political calls and it pretty much means your phone is going to ring off the hook in the runup to the election. But you can still get peace regardless. Here’s how to stop phone calls from political parties if you don’t want them.

Most robocall services or apps block political robocalls along with all the others. Many of them work with landlines and cell phones. If you have a landline phone that doesn’t work with robocall services, you can still use a device to block the calls.

Read more

How bad is MS08-067?

Dave Farquhar security
How bad is MS08-067?

If you’ve worked in security, or worked with security professionals, chances are you’ve heard about MS08-067. If the discussion was between security and another department, chances are it was a heated discussion. Just how bad is MS08-067? Are the security professionals exaggerating?

MS08-067, a Microsoft patch released on October 23, 2008, fixed the last really reliable remote code execution bug in Windows operating systems. All Windows NT-based operating systems prior to Windows 7 and Windows 2008R2 were susceptible to this vulnerability out of the box. It was an out-of-band release.

Read more

What is an Out of Band Network?

Dave Farquhar security
What is an Out of Band Network?

I had a discussion with a client last week that brought up the topic of out of band networks. Out of band networks are a good security measure for reducing risk. But what is an out of band network, and what can it do for you?

An out of band network is a separate network, separate from your main network that carries production data. It is a good practice to put management interfaces such as IPMI on an out of band network and require separate authentication to access the network. This allows you to provide access to necessary functionality while reducing the chances of people misusing or abusing it.

Read more

Can you listen to cell phone calls with a scanner?

Dave Farquhar security
Can you listen to cell phone calls with a scanner?

Can you listen to cell phone calls with a scanner? Can someone listen to your cell phone calls with a scanner? Depending on who you are, I have good news and bad news.

It’s always been possible to listen to analog cell phone calls with a cheap police scanner. But modern cell phones, including smartphones, are digital and encrypted, so listening to them requires costlier equipment like a Stingray device, limiting cell phone snooping to government agencies and others with huge budgets.

Read more

Patch management best practices

Dave Farquhar security
Patch management best practices

If you’re looking for the least popular people in any given company, the people who push patches probably rank high on that list. I pushed patches for a living for nearly a decade, so I know. I was good at it though. Let’s talk about patch management best practices.

Read more

Merge CSV files with header in Windows, OS X and Linux

Dave Farquhar security
Merge CSV files with header in Windows, OS X and Linux

I do a lot of work with CSV files, sometimes very large CSV files, for a living. And sometimes it’s not practical, or possible, to do what I need to do entirely in Excel. Merging files is an example. So here’s how to merge CSV files on various platforms from a command line so you can get it done quickly and efficiently.

Read more

Nessus false positives

Dave Farquhar security
Nessus false positives

Dealing with false positives is a fact of life for a vulnerability analyst. So here are some tips for investigating and dealing with Nessus false positives from a system administrator turned vulnerability analyst. Read more

How secure is Chrome?

Dave Farquhar security
How secure is Chrome?

How secure is Chrome? While IT professionals may be divided on it, most security professionals I know prefer and recommend it. There are a number of good reasons for that.

Read more