security Archives

Home » security » Page 33

The State Department is just one of many examples of IT gone rogue

Dave Farquhar security March 10, 2015November 3, 20251990s, Ars Technica, emachine, firewall, State Department, Windows Server

Much has been made of Hillary Clinton’s use of her own mail server, running out of her home. It didn’t change my opinion of her, and I don’t think it changed anyone else’s either–it just reinforces what everyone has thought of her since the early 1990s. Then, Ars Technica came forward with the bizarre case of Scott Gration, an ambassador who ran his own shadow IT shop out of a bathroom stall in Nairobi.

The money quote from Ars: “In other words, Gration was the end user from hell for an understaffed IT team.” And it concluded with, “[A]s with Clinton, Gration was the boss—and the boss got what the boss wanted.”

Indeed. And it doesn’t just happen in the government.

Dave Farquhar

David Farquhar is a computer security professional, entrepreneur, and author. He has written professionally about computers since 1991, so he was writing about retro computers when they were still new. He has been working in IT professionally since 1994 and has specialized in vulnerability management since 2013. He holds Security+ and CISSP certifications. Today he blogs five times a week, mostly about retro computers and retro gaming covering the time period from 1975 to 2000.

dfarq.homeip.net

Lenovo is penitent, but its customers aren’t out of the woods yet

Dave Farquhar security March 9, 2015March 8, 2015antimalware, antivirus, Bing, lenovo, malware, spyware, Windows 10, windows 8

After having an incredibly bad week last month, Lenovo started saying the right things, and perhaps doing some of the right things too. But some laptops with the Superfish malware preinstalled on them are still in the supply chain, which means some people are unwittingly buying them.

This isn’t terribly surprising. But there are a couple of things you can do about it, and they’re things worth doing anyway.

Dave Farquhar

dfarq.homeip.net

Why I don’t scan networks with my own credentials

Dave Farquhar security, War Stories March 3, 2015March 3, 2015password requirements

I scan the network I’m paid and sworn to protect on a nearly daily basis. I experienced a problem with the account I use for that, and I tested by scanning a small quantity of machines (my own and my cubicle neighbor’s) with my own account to make sure the problem was the account, not the tool.

Fixing the account has become a problem–my boss’ problem now–but when I told him about it, I said I could scan the network with my personal admin account, but didn’t want to. One reason has to do with liability and HR. The other, believe it or not, is technical.

Dave Farquhar

dfarq.homeip.net

A watering hole attack example from the real world

Dave Farquhar security March 2, 2015November 3, 2025firewall, malware, vulnerability

You may have heard people like me talk about watering-hole attacks. It’s an indirect attack on someone by compromising a third party and using that to get in. Here’s a watering hole attack example from the real world.

In this case, back in November, attackers got a Forbes ad server, and from there, attacked visitors from government and bank networks.

Here’s the logic: Since ad servers tend to be much less secure than your target company, you compromise an ad server from a site someone on the target network is likely to visit, then infect them from there. The attackers jumped to the ad network first. That put them into position to jump onto government and bank networks.

Dave Farquhar

dfarq.homeip.net

How to use the lock in your web browser’s location bar

Dave Farquhar security February 23, 2015May 31, 20151990s, AES, chrome, cissp, demonstration, lenovo, Missouri, SSL, TLS, yahoo

A commenter asked me last week if I really believe the lock in a web browser means something.

I’ve configured and tested and reviewed hundreds of web servers over the years, so I certainly hope it does. I spend a lot more time looking at these connections from the server side, but it means I understand what I’m seeing when I look at it from the web browser too.

So here’s how to use it to verify your web connections are secure, if you want to go beyond the lock-good, broken-lock-bad mantra.

Dave Farquhar

dfarq.homeip.net

Lenovo’s preinstalled Superfish spyware: A post-mortem

Dave Farquhar security February 20, 2015November 3, 2025CISO, lenovo, Packard Bell, PR, spyware, unix

So, if you haven’t heard by now, last year Lenovo experimented with preloading its cheapest laptops with spyware that subverts HTTPS, allowing a third party to inject ads on any web page, and providing a convenient place for an attacker to hide behind while messing with your secure transactions.

By the end of the day yesterday, Lenovo had apologized, sort of, and after several sites had provided removal instructions, Lenovo provided its own. After spending much of the day downplaying the security concerns, by the end of the day they were at least reluctantly acknowledging them.

This was really bad, and I’ll explain why in a second, and I’ll also try to explain why Lenovo did it.

Dave Farquhar

dfarq.homeip.net

Yes, we need to run vulnerability scans inside the firewall

Dave Farquhar security February 18, 2015February 15, 2015AIX, firewall, malware, old windows, unix, vulnerability, windows 2000, windows nt

I got an innocent question last week. We’d been scanning an AIX server with Nexpose, a vulnerability scanner made by Rapid7, and ran into some issues. The system owner then asked a question: The server is behind a firewall and has no direct connection to the Internet and no data itself, it’s just a front-end to two other servers. Is there any reason to scan a server like that?

In my sysadmin days, I asked a similar question. Nobody could give me an answer that was any better than “because reasons.” So I’ll answer the question and give the reasons.

Dave Farquhar

dfarq.homeip.net

You’re telling me someone gave a stranger his password?

Dave Farquhar security February 17, 2015January 23, 2022Adobe Acrobat, Adobe Reader, antivirus, breach, hp, IBM, LinkedIn, malware, passwords

I was talking breaches last week when a very high-up joined the conversation in mid-stream.

“Start over, Dave.”

“OK. I’m talking about breaches.”

“I know what you’re talking about,” he said, knowingly and very clearly interested.

Dave Farquhar

dfarq.homeip.net

How to become an Info Assurance Analyst

Dave Farquhar security February 11, 2015November 30, 2016CERT, certifications, CISO, cissp, cissp exam, excel, Information Assurance, information security, Liquid Matrix, podcast, trolls, unix, vulnerability

So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. I think you should want to become one, so here’s how to become an Info Assurance Analyst.

The field desperately needs more of us, so I’m happy to share with you how to become someone like me. Read more

Dave Farquhar

dfarq.homeip.net

Anthem, HIPAA, and encryption

Dave Farquhar security February 10, 2015February 9, 2015breach, insurance companies, pentium ii, vulnerability, Wall Street Journal

Late last week, the Wall Street Journal reported that Anthem wasn’t encrypting the database containing tens of millions of health records that were stolen by sophisticated hackers.

There are numerous problems with that story, the first being that we don’t know yet whether the data was encrypted. There are other unconfirmed reports that say the attackers used a stolen username and password to get at the data, which, if that’s true, likely would have allowed them to decrypt the data anyway.

Still, I’m seeing calls now for the government to revise HIPAA to require encryption, rather than merely encourage it. And of course there are good and bad things about that as well.

Dave Farquhar

dfarq.homeip.net