“It was a sophisticated attack.”

Every breach report contains the words “sophisticated attack.” Security pros like me see it as pure spin. Here’s why.


Why every breach is different

I’ve grown used to being asked what unpatched vulnerability was used in the most recent breach, so that some other company can make sure it is protected against the same thing.

I appreciate the desire to learn from other companies’ mistakes and not repeat them. But there are several reasons why the answer to that question is complicated, and not necessarily helpful.


Port 2381: What it is and how to manage it

I was doing some scanning with a new vulnerability scanner at work. It found something listening on a lot of servers, described only as Apache and OpenSSL listening on TCP port 2381. The versions varied.

Luckily I also had Qualys at my disposal, and scanning with Qualys solved the mystery for me quickly. It turned out to be the HP System Management Homepage, a remote administration/diagnostic tool that, as the title says, lets you manage HP server hardware. It runs on Windows, Linux, and HP-UX.
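The generic scanner only saw "Apache and OpenSSL" on 2381 because SMH is built on an embedded Apache; the HTTP Server header is what turns that partial banner into a positive identification. The following is an added example, not code from this post or from HP. It assumes the SMH Server header has the shape "CompaqHTTPServer/9.9 HP System Management Homepage/x.y.z.w" (commonly seen in the field, but treat the exact format as an assumption), and it runs over constructed sample findings rather than a live scan. The version baseline passed to `smh_hosts_below` is a placeholder you would replace with whatever your patch standard is.

```python
"""Triage TCP/2381 scan findings by parsing the HTTP Server header.

Added example for this page; not the author's code and not an HP tool.
Assumption: SMH identifies itself with a Server header containing
"HP System Management Homepage/<version>". Sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample findings (host, port, Server header) -- not real scan output.
SAMPLE_FINDINGS = [
    ("10.0.1.10", 2381, "CompaqHTTPServer/9.9 HP System Management Homepage/7.2.1.3"),
    ("10.0.1.11", 2381, "CompaqHTTPServer/9.9 HP System Management Homepage/7.5.5.2"),
    ("10.0.1.12", 2381, "Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1e"),
    ("10.0.1.13", 2381, "nginx/1.18.0"),
]

# Assumed banner shape; adjust the pattern if your SMH build reports differently.
SMH_RE = re.compile(r"HP System Management Homepage/(\d+(?:\.\d+)*)")


@dataclass
class Finding:
    host: str
    port: int
    product: str            # "HP SMH", "Apache/OpenSSL (unidentified)", or "other"
    version: Tuple[int, ...]  # parsed SMH version, empty tuple if not SMH


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.2.1.3' into (7, 2, 1, 3) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def classify(host: str, port: int, server_header: str) -> Finding:
    """Identify what is really listening, based on the Server header."""
    match = SMH_RE.search(server_header)
    if match:
        return Finding(host, port, "HP SMH", parse_version(match.group(1)))
    # The generic scanner's view: Apache/OpenSSL but nothing more specific.
    if "Apache" in server_header or "OpenSSL" in server_header:
        return Finding(host, port, "Apache/OpenSSL (unidentified)", ())
    return Finding(host, port, "other", ())


def smh_hosts_below(findings, minimum: Tuple[int, ...]) -> List[str]:
    """Hosts running SMH older than `minimum` (a placeholder baseline)."""
    classified = [classify(host, port, banner) for host, port, banner in findings]
    return [f.host for f in classified
            if f.product == "HP SMH" and f.version < minimum]


def unidentified_hosts(findings) -> List[str]:
    """Hosts on 2381 that still need a closer look (banner not conclusive)."""
    classified = [classify(host, port, banner) for host, port, banner in findings]
    return [f.host for f in classified if f.product != "HP SMH"]


if __name__ == "__main__":
    baseline = (7, 5, 0, 0)  # assumed patch baseline, not an HP recommendation
    print("SMH below baseline:", smh_hosts_below(SAMPLE_FINDINGS, baseline))
    print("Needs manual review:", unidentified_hosts(SAMPLE_FINDINGS))
```

Whatever the banner says, the management step that matters is the same: 2381 is an administrative interface and should only be reachable from the management network, so the list of hosts this produces is as much a firewall-rule review as a patch list.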

1984 called. It wants its surveillance back.

So, the reaction to my story about my coworker’s 10-year-old going all Scooby Doo on the guy who had the nerve to steal his dad’s car was definitely mixed. Most people, of course, lauded the 10-year-old’s detective work. Others pointed out the dark side.

And there is a dark side.


Don’t wait for Service Pack 1

I was on a conference call discussing the Microsoft product lifecycle with several coworkers and our Microsoft-assigned support engineers when someone asked if a server version of Windows 10 was going to come out.

The Microsoft rep said no comment. Then I chimed in.

“We need to assume they will release a server version, probably about six months after the desktop version, and we need to start testing and preparing to deploy it when it comes out,” I said.

“Shouldn’t we wait for Service Pack 1?”

I went in for the kill.

Age of a vulnerability is not an indicator of future risk

I cited MS14-066, commonly known as Winshock, this week as a reason to take action on a server. Another stakeholder tried to argue with me. The vulnerability was very old, he said–years old, and hadn’t caused a problem yet.

He’s right. It’s at least 19 years old. But that’s merely interesting, not important.

What’s important is what’s possible now that people know how to look for it and how to exploit it.

Marriott doesn’t have the right to jam wi-fi

Marriott wants to jam wi-fi signals. They claim it’s for security reasons, but really it’s so they can gouge guests by charging them for wi-fi instead of letting them use their own wi-fi hotspots. The security claims are pure bunk.

The truth is that hotel wi-fi networks are generally horrendously insecure, so it’s really better to avoid using them if you can.


Why Google ratting on Microsoft isn’t all bad

This week, Google published a vulnerability in Windows 8.1 after a 90-day countdown timer automatically expired. Microsoft has not yet released a patch.

Controversy ensued. Obviously, yes, an unpatched, well-known vulnerability in Windows is troubling. But the alternative is worse.


The Sony breach and why every company should be worried

To me, the Sony breach is noteworthy not just because of its magnitude, but because it doesn’t appear to be driven by profit, unlike the other big breaches in recent memory. Instead, it’s a return of vigilante hacktivism, and entertainment companies are particularly vulnerable because, the Washington Post argues, all movies have an element of politics in them.

That’s a problem for U.S. companies in an interconnected world, because much of the world doesn’t value free speech as the United States does. The plot of the movie “Red Dawn” was changed–China, not North Korea, was the original aggressor–to avoid offending the Chinese government, for example. Search Google for “movies that offended foreign governments” sometime. It’s amazing how many you’ll find.


Don’t use personal information as your wifi network name

This weekend Lifehacker advised against using things like your name and address as your wifi network name or SSID–if you’re targeted for attack, it makes you that much easier to find when your wifi name is your name or address.

When I set up a wifi network, I usually set the name to the time of day. That way the network name ends up just being a meaningless, useless number, with no clues as to who owns it, or who the broadband provider is. Clever names draw attention, and you don’t want to draw attention.

Let’s talk about two other common security measures that you probably shouldn’t do.
