security

Microsoft looks back at MS08-067

Dave Farquhar security , , , , ,

The most infamous Microsoft patch of all time, in security circles at least, is MS08-067. As the name suggests, it was the 67th security update that Microsoft released in 2008. Less obviously, it fixed a huge problem in a file called netapi32.dll. Of course, 2008 was a long time ago in computing circles, but not far enough. I still hear stories about production servers that are missing MS08-067.

Last week, Microsoft took a look back at MS08-067, sharing some of its own war stories, including how they uncovered the vulnerability, developed a fix, and deployed it quickly. It’s unclear who besides Microsoft knew about the problem at the time, but one must assume others were aware of it and using it. They certainly were after the fall of 2008.

Read more

Disrupting online crime by attacking profit margins

Dave Farquhar security

The question of why people hack is a common one, but increasingly, it’s to fuel a vast, immensely profitable underground economy. Google researchers suggest the best way to slow or stop it is to undermine that economy, rather than the conventional methods which try to make hacking harder.

Read more

The difference between a vulnerability scanner and a SIEM

Dave Farquhar security , , , ,

I heard an interesting question the other day: What’s the difference between a vulnerability scanner and a SIEM? Qualys and Nessus are examples of vulnerability scanners. Arcsight and Splunk are examples of SIEMs.

To a security practitioner, the tools couldn’t be much more different, but not everyone is a security practitioner.

On a basic, fundamental level, a vulnerability scanner deals in what’s missing in the environment and what could happen as a result of those things that are missing. A SIEM deals in what actually has happened and is happening.

Read more

A few more WordPress security tips

Dave Farquhar security , ,

There’s some nasty WordPress malware (Link removed in retaliation for Conde Nast’s 11/3/2025 layoffs. Sorry not sorry.) circulating right now. I haven’t fallen victim to that one, but I caught the very early stages of infection myself all too recently. WordPress itself was just updated to close some vulnerabilities, but the biggest problem is the plugins. Unfortunately, the plugins are the main reason to run WordPress.

At my day job, I’ve had the pleasure of working with a very security-conscious webmaster for the last couple of months, and he and I talk about WordPress security frequently and look into what we, or anyone for that matter, can do to make the best of the situation. Here’s what he and I have found in the last week or so.

Read more

New password advice from GCHQ

Dave Farquhar security , , ,
New password advice from GCHQ

The GCHQ is the British equivalent of the NSA. They recently published a new document containing the GCHQ’s new password advice in light of the things we’ve learned in the last few years. It’s worthwhile reading, whether you’re a sysadmin or a web developer or just an end user who wants to stay secure online.

Some of the advice may be surprising.

Read more

Windows 7 spies on you like Windows 10 now

Dave Farquhar security, Windows , ,

This is a few days old now but needs to be addressed–a lot of people were planning on staying on Windows 7 because they don’t like Windows 10’s new privacy settings, but unless you uninstall some stealthy updates, Windows 7 spies on you too.

Microsoft used to call this “scroogling,” and launched a massive PR campaign against Google, but now they’re doing exactly the things they blasted Google for doing, only they’re collecting money to do it.

So basically Microsoft is trying to have it both ways now–charge for the OS, but treat the consumer as a product. Windows 7, of course, was a paid upgrade, and Windows 10 is only free under special circumstances–businesses and OEMs still pay for it.

To make Windows 7 and 8 stop scroogling you, uninstall KB3068708,  KB3075249, and KB3080149, all of which have the word “telemetry” in their description.

The workstation events you want to be logging in Splunk

Dave Farquhar security , , , , ,

Every once in a while the NSA or another government agency releases a whitepaper with a lot of really good security advice. This paper on spotting adversaries with Windows event logs is a fantastic example. It’s vendor-neutral, just talking about Windows logs and how to set up event forwarding, so you can use the advice with any log aggregation system or SEIM. I just happen to use and recommend Splunk. But whatever you use, these are the workstation events you want to be logging.

I want to call your attention to a couple of items in the paper. Most breaches begin on workstations, and this paper has the cure.

Read more

Security flaws in security tools are all too common

Dave Farquhar security , , , , ,

Fireeye runs a bunch of its processes as root, a practice that’s been a no-no since the late 1990s, and they’re more interested in litigation than they are in working with the guy who discovered it.

The attitude is all too common.

Read more

Involving security in your top-secret projects

Dave Farquhar security

This past summer I toured a large company’s “innovation center,” where they try new, risky things. “We don’t involve the legal or IT security departments in this stuff,” the tour guide said.

I wish I was surprised. And while I’m sure the tour guide thinks he isn’t missing much, it could be a missed opportunity.

Read more

Your company’s juiciest Linkedin targets

Dave Farquhar security ,

People who’ve moved onward and upward within the company, bridging multiple departments are great attack targets because they probably have more permissions than someone who’s stayed in a single role.

In non-security speak, let’s talk about someone who moves from Accounting to HR. The right way to handle it is to grant access to all of the HR data and systems, and cut off all of the person’s access to accounting data and systems.

In practice, that rarely happens. In previous roles, I’ve often ended up with access to more than one group of systems after being moved around, so I’ve not only seen it, I’ve experienced it firsthand.

The bad guys know this. So they’re going to scour Linkedin for people who have multiple entries on their profiles for the same company, knowing they probably still have both feet in both worlds. People like that are going to get more phishing e-mails than average, because then they’ll have access to twice as much stuff. That means if an attacker manages to get onto their system, they’ll have access to twice as much stuff.

This gets overlooked a lot, but HR and security need to have a very good working relationship to keep these kinds of situations from happening. Employees who stay with an organization and move onward and upward within it are very rare these days, and those employees deserve every bit of the extra protection they need.

Career advisers say to make sure you show all of your upward movement within the same company on your resume and on your Linkedin profile. I know not everyone does this, but jobs are difficult enough to get that we have to assume people are looking for that edge. As security professionals, our job is to understand this reality and make sure it doesn’t mean extra exposure.