Defusing in person

My name, and my department’s name in general, gets thrown around a lot at work. We have a bit of a reputation as the can’t-do guys.

Professionalism dictates I not go into specifics about what kinds of things we reject or disapprove, but if I were to explain them, no security professional would disagree with me.

The other side of the argument, of course, is that the system still does its job the way it’s supposed to, and it cost a lot of money. Here’s a story of a tense situation and how we were able to come to an understanding.

CMD.EXE and its shellshock-like qualities

“So did you know there’s a Windows version of Shellshock?” a coworker asked the other day.

“What, Cygwin’s bash?” I asked.

“No, in CMD.EXE.”

I thought for a second, back to some really nasty batch files I’ve seen that do goofy stuff with variables and parentheses and other reserved characters. Suddenly it made sense. Those cryptic batch files are exploiting the command interpreter to do things that shouldn’t be done. Then I smiled.


The Legions of Doom come after a server

I’ve been after this guy to patch his server for a few weeks. He keeps getting sidetracked, which is understandable, but there are ways to deal with that.

Last week, we started getting close to getting it done. On Friday, the plan was together and it was almost ready to go. All we needed was to get final approval on the plan, get a change control in place, and then the work would be scheduled and we’d have a commitment and a set date where the work would be done. And that would end the sidetracks.

Then, on Monday, someone asked me if he was out of the office. He hadn’t said anything about going on vacation, but, indeed, he had an out-of-office autoreply set. Among other things, it said that super heroes need vacations too, and if the Legions of Doom are attacking, to contact this other guy.

Why use a CMS like WordPress?

I had a discussion at work the other day after some WordPress plugin vulnerabilities came up. “Why not use Dreamweaver?” my coworker asked.

For a site that changes a lot, like a blog, you need a content management system with a database backend. Otherwise the site gets unmanageable in a matter of months if you’re updating it with any regularity.

Predicting the future, circa 2003

In the heat of the moment, I searched my blog this weekend for quotes that could potentially be taken out of context and found something rather prophetic that I wrote in the heat of the moment 11 1/2 years ago:

Keeping up on Microsoft security patches is becoming a full-time job. I don’t know if we can afford a full-time employee who does nothing but read Microsoft security bulletins and regression-test patches to make sure they can be safely deployed. I also don’t know who would want that job.

Who ended up with that job? Me, about a year after I left that gig. It actually turned out I was pretty good at it, once I landed in a shop that realized it needed someone to do that job, and utilized that position as part of an overall IT governance model.


Bash is worse than heartbleed! Oh noes!

A really bad remote code execution bug surfaced yesterday in Bash, the GNU shell. If you run a web server that hands requests to CGI scripts, or possibly just SSH, it can be used to execute arbitrary code. It affects anything Unixy that has Bash installed: Linux, BSD, Mac OS X, and likely many proprietary Unix flavors, since many of them have adopted the GNU toolchain.

This could be really bad. Some people are calling it potentially worse than Heartbleed. Maybe. I’m thinking it’s more along the lines of MS08-067. But there’s an important lesson we must learn from this.

Don’t like paying for software? There’s an answer but old software isn’t it.

Corporations are in business to make money. That’s the premise of the classic business book The Goal, and the point of The Goal is that a lot of companies forget that.

That also means they’re not exactly happy to spend money unless there’s an obvious reason why spending that money is going to help them make more money. That’s why you see 30-year-old minicomputers in data centers. That old system is still making the company money, and with no clear financial benefit to replacing it, most businesses are perfectly happy to run the machine until the minute it will no longer power up.

That’s what makes quitting Windows XP so difficult for businesses. At this point, Windows XP and that 30-year-old minicomputer are both about as sexy as a Plymouth Volare station wagon. But they get the job done, and they’re much better than what they replaced, so the business leaders are content to just keep right on using what’s already paid for.

More Home Depot details emerge

Late last week, Home Depot finally released a statement about its data breach. At least they had the decency to call the attack “custom” and not spin it as “advanced” or “sophisticated.” Even “custom” is really a euphemism, as the attack wasn’t all that different from what other retailers experienced earlier in the year. It may have been as simple as recompressing the BlackPOS malware using a different compression algorithm or compression ratio to evade antivirus.

The breach involves about 56 million cards, making it a bigger breach than Target.

Revisiting Microsoft/Sysinternals Du as a batch file

My tips for using Sysinternals’ Du.exe were well received last week, and my former coworker Charlie mentioned a GUI tool called WinDirStat that I had completely forgotten about. For the command-line averse, it’s an incredibly useful tool.

But there’s one thing that Du.exe does that makes the CLI worthwhile. It will output to CSV files for further analysis. Here’s the trick.

DU -L 1 -Q -C \\SERVERNAME\C$\ >> servers.csv

Sub in the name of your server for SERVERNAME. You have to have admin rights on the server to run this, of course. The -l 1 limits the listing to one level of subdirectories, -q suppresses the banner, and -c switches the output to CSV.

For even more power, run this in a batch file containing multiple commands to query multiple servers, say, in your runup to Patch Tuesday. One caveat: Du writes its own CSV header line on every run, so appending with >> gives you a header row for each server; delete the extras before you sort. Open the file in your favorite spreadsheet, sort on DirectorySize, and you can find candidates for cleanup.
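Here’s how I’d do the multi-server version in PowerShell rather than a batch file. This is an added example, not code from the original post. It assumes du.exe is on your PATH, that the server names are placeholders you replace with your own, and that Du’s CSV header uses the column names Path, FileCount and DirectorySize (check the first line of its output if your version differs). Parsing each server’s output separately avoids stacking one header row per server, which is what plain >> appending does, and casting the size to a number sorts by value rather than by text.

```powershell
# Added example (not from the original post): gather Sysinternals Du CSV
# output from several servers into one spreadsheet-ready file, sorted by
# DirectorySize. Assumes du.exe is on the PATH, you have admin rights on
# each server, and the server names below are placeholders.
$servers = 'SERVER01', 'SERVER02', 'SERVER03'

$rows = foreach ($server in $servers) {
    $share = "\\$server\C$\"

    # -l 1: one level of subdirectories; -q: no banner; -c: CSV output.
    # Every Du run emits its own header line, so each server's output is
    # parsed on its own instead of being appended raw with >>.
    $csv = & du.exe -l 1 -q -c $share
    if (-not $csv) {
        Write-Warning "No output from du against $share (offline? no admin rights?)"
        continue
    }

    $csv | ConvertFrom-Csv | ForEach-Object {
        # Tag each row with the server it came from and make the numbers
        # numeric so sorting here (or in Excel) is by value, not by text.
        # Column names are assumed from Du's CSV header.
        [pscustomobject]@{
            Server        = $server
            Path          = $_.Path
            FileCount     = [int64]$_.FileCount
            DirectorySize = [int64]$_.DirectorySize
        }
    }
}

# One header, every server, biggest directories first.
$rows | Sort-Object DirectorySize -Descending |
    Export-Csv -Path servers.csv -NoTypeInformation

# Quick look at the top candidates for cleanup before opening the file.
$rows | Sort-Object DirectorySize -Descending |
    Select-Object -First 10 |
    Format-Table -AutoSize
```

Drop this in a .ps1 and run it from an account with admin rights on the target servers. If a server is unreachable, Du prints nothing useful and the script warns and moves on rather than writing an error message into the CSV.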


Home Depot: A security pro’s dilemma

I was listening to podcasts about the Home Depot breach, and something occurred to me.

Home Depot isn’t talking much about the breach. And it’s driving security pros nuts.

But the general public takes silence as a sign that everything’s going great. So their silence is winning the PR battle in the court that matters, which is public opinion at large.