Cross site scripting explained

In many security job interviews, the interviewer will ask about cross-site scripting, also known as XSS. Most descriptions of it are overly complex, however. The best description of it that I’ve ever heard is just five words long: Code execution in the browser. That’s cross-site scripting explained as succinctly as possible.

That succinctly sums up the problem: You don’t want someone to be able to inject their code into your site.


Fixing white screens in WordPress

I got the white screen of death last week, but it was odd—it only happened if I tried to edit posts that were in draft or scheduled status. Already-published content would edit fine. Here’s my experience fixing white screens in WordPress.

Clearing my cache helped temporarily, but the problem would come back as soon as I saved a post. I ended up doing two other things as well, and then the problem went away. I emptied my spam, which also greatly sped up the site, and I also deleted a mobile plugin that I was no longer using but was disabled. Disabled plugins can still affect behavior sometimes.

All-in-One WP Security and Firewall plugin can be spectacular, but be careful

Over the weekend I installed the All-in-One WP Security and Firewall plugin to fix another issue–more on that tomorrow–and I ended up breaking my site. Hopefully I fixed it to a better state than it started in.

The lesson, as with many security tools, is to proceed with caution.


Browser extensions are the new adware, and sometimes come with surprises

I sometimes show my age by making jokes about Bonsai Buddy and Gator and Hotbar, but ads injected in browsers are a problem that’s coming back. And sometimes these ads come with malicious payloads, installing unwelcome software on your computer to maintain persistence.

Problems like this are the reason I tend not to load my browsers down with lots of extensions. Sometimes the functionality is cool, but I’ve always found ways to get what I need done with a stock browser, and then I have a better idea of what I’ve gotten myself into. I’m beholden enough to the agendas of Microsoft, Mozilla, or Google as it is; I don’t need third parties injecting their agendas into the mix, especially when they may be malicious.

And besides that, a lot of extensions tend to be very memory- or CPU-hungry. I have enough memory on most of my machines that I can dedicate 2 GB of RAM to a web browser, but I’m not sure why I should have to.

The fewer extensions you load onto your web browsers, the safer you’ll be, and in the long term, I’d wager the happier you’ll be as well.

How hard-coding your DNS can improve your security

I’ve long recommended hard-coding your DNS settings as a performance and reliability enhancement–here’s my guide for that–but it turns out it can be a security enhancement too.

Botnets targeting routers aren’t new at all, but there’s a particularly nasty one named Moose running around right now. Among other things, it changes routers’ DNS settings to point to rogue DNS servers that allow the attackers to steal your social media credentials, which in turn helps the botnet spread.

SSDs, factory resets, and why you probably need encryption

After the story came out about factory resets not adequately clearing flash memory in phones and tablets, one of my college buddies asked me if a similar problem exists in SSDs.

Depending on the SSD, it definitely can.


Why shouldn’t corporations just let software auto update?

I’ve been hearing the same new idea at work for about 10 years. The idea is pretty straightforward: Since my home PC updates itself whenever it wants and I don’t have problems, why don’t we do the same thing at work so we won’t need expensive update deployment tools?

There are generally two problems with that.


Google’s migrating corporate apps to the cloud is less crazy than it sounds

Google is moving its corporate applications to the Internet. A year ago I would have said that’s the dumbest thing I ever heard. Today I’m not so sure.

Sticking stuff in the cloud is the popular answer to everything these days, and I just see the cloud as the new mainframe. It’s not a solution so much as a different take on the same problem, and while I see a couple of potential disadvantages, believe it or not I see some real advantages to the approach as well.


SSDs, data loss, electricity, and hype

I’m not particularly worried about this, but under the very worst case scenario, certain solid-state disks can theoretically lose data in a week or two if they’re left without power. But that doesn’t instill panic and get clicks when you say it like that.

But you knew I was going to write about it. Let me tell you why I’m not worried.


Identify bad guys through writing style

This month’s Social Engineer podcast discussed a tactic to identify bad guys through writing style, something the hosts expressed surprise was possible.

This won’t be news to anyone who minored in English or Communications or Journalism. A lot of factors go into style—where we grew up, where our parents are from, what we read growing up, our life experience—and it really is like a fingerprint. Fitzgerald’s Gatsby called everyone “Old Sport,” and we all have something like that; it’s just usually more subtle. I’ll say, “taste this,” when my wife or mother-in-law will say “taste of this.” That’s a regional thing. I pick up on that because I’m interested in language. A really good linguist can pick up on a lot more than that, and machine learning can potentially pick up on still more.

If you recall, it was the Unabomber’s long manifesto that brought down Ted Kaczynski. Other forensics proved it, but the investigation began with his brother’s observation that the manifesto “sounded like Ted.”
