What is Winshock?

So the other day I got blindsided with a question at work: What are we doing about Winshock? Winshock? I asked. I had to go look it up, and I found that’s what they dubbed what I’ve been calling MS14-066, the vulnerability in Schannel, which is Microsoft’s implementation of SSL/TLS for Windows.

Based on that, I’d argue it has more in common with Heartbleed than Shellshock, but I guess “Winshock” is catchier than “Winbleed.”

Then the lead of another team asked me to brief his team on Winshock. I actually managed to anticipate all but three of the questions they asked, too, which was better than I expected. Some of what I shared with them is probably worth sharing further.

Veracrypt is a Truecrypt alternative if you’re looking for one

I’ve written about Truecrypt before. If you need cross-platform full-disk crypto, here’s an alternative I found recently. Veracrypt is based on Truecrypt, but since you can’t fork it without a name change, it has a different name.

I haven’t messed with it myself yet, but if you need this, you probably already know it. And, for the record, I don’t believe there was any conspiracy against Truecrypt.

This should go without saying: Upgrade your WordPress!

Apparently, 86% of WordPress blogs haven’t been upgraded yet to version 4.0 or 4.01, which means they are vulnerable to a terrible cross-site scripting vulnerability.

If you’re reading this, and you have a WordPress blog, go update it. This post will still be here when you’re done.

More encryption = more safety

Mozilla, Akamai, Cisco, the EFF, and Identrust are teaming up for Let’s Encrypt, an effort to make SSL encryption free and easy.

This is important, because it means mundane stuff will get encrypted. When SSL/TLS traffic is no longer flagged as special, security will increase.

How to protect executives traveling to hostile countries

Slashdot ran a story about executives being targets in high-end hotels in the Far East. I didn’t realize this was a new phenomenon; perhaps I just assumed it’s been going on all along.

At any rate, it’s possible to protect against it.

Got tech support scammed? Worry about your credit card, not your computer

A college classmate contacted me a week or two ago. A relative of hers got scammed, and she wanted to know what to do.

“Get the charges reversed on the credit card,” was my simple response.

“What about cleaning up the computer?” she asked.

That’s the easy part.

Retracing the Home Depot attackers’ steps

New details emerged on the Home Depot attack that left 56 million consumers with compromised credit cards. The interesting thing in the new details is that it could have been much worse, but maybe not for reasons immediately obvious.

FTDI needs to be charged under the Computer Fraud and Abuse Act

FTDI is a company that makes computer chips for USB peripherals. Their chips are frequently cloned, which is an issue they have a right to deal with. But they have to be careful.

Breaking suspected cloned chips that consumers bought in good faith is the wrong answer. If I did that, it would be called hacking, and I would be sitting in jail right now, and probably would be facing a quarter-century in prison.

How to rebuild a PC in a hurry

Sometimes rebuilding a PC is faster than trying to fix it, and if you’re dealing with a virus infection, it’s better to rebuild than try to clean. It’s impossible to know if the system is 100% clean after infection–unless you rebuild.

If you’re the family CIO, here’s how you can go about rebuilding a Windows PC in a hurry.

Resources for securing WordPress

WordPress is the most popular blogging platform, and as one who’s tried virtually all of them you’ve heard of and a bunch you haven’t, I’ll also argue it’s the best.

From a security point of view, it has issues. That goes with being popular. But there are resources that can help, as well as general principles to keep in mind.