The clear and present danger lurking at the edge of your home network

In 2003, Dan Geer called the combination of Microsoft’s market dominance and the flimsy security of its products a threat to national security.

Today, he’s calling the security holes in consumer routers a threat to critical infrastructure.

These two things are related in more ways than being utterances from the same person. These routers were designed to protect flimsy PCs from the horrors lurking on the Internet. In 2003, they were arguably adequate. But since 2003, Microsoft operating systems have improved dramatically from a security standpoint while routers have stood still. Many of them are still running on the same outdated Linux kernels and userspaces, just on newer, faster hardware. These routers are now less secure than the computers they are supposed to protect. This isn’t a knock on Linux; Linux has improved in the last 11 years too, but router makers generally haven’t incorporated those improvements. So these routers are easy to attack, easy to use to build botnets, and the user will never be the wiser since they keep the devices until they break. The only good news here is that many of them break after a year or two, and that’s supposed to be bad news.

Sadly, these problems are all solvable.


USB malware: What you need to know

Tomorrow morning on Fox 2: How this USB drive could be worse than the worst malware you’ve ever imagined!

Yes, when a security vulnerability hits TV news, it’s a big deal. It’s probably also sensationalized. And it’s not time to panic yet.

Microsoft releases EMET 5

Late last week Microsoft released a new version of EMET. I’ve written about EMET before and I still recommend it. EMET 5.0 adds a couple of new mitigations, tries to be harder to bypass, and offers improved compatibility, so there’s little reason not to upgrade.

EMET does more than anything else I can think of to protect you from the many things that get past your antivirus software and firewall’s defenses, and it’s free. I can’t think of any good reason not to run it. Of course, the people not running it at all stand to benefit the most from it, but if you’re already running EMET 4.1, upgrading to get better protection is worthwhile, too.

Throwback Thursday isn’t for the Java Runtime Environment

The Java Runtime Environment is one of the nastiest pieces of software ever foisted upon mankind. It’s difficult to secure when people have the will, and few people have the will to even try. So nasty ancient versions of the JRE live forever.

That’s not to say I’ve completely given up on the quixotic quest to get rid of it. Earlier this week, I exhorted, “Can we please not use the JRE that Ada Lovelace wrote for Charles Babbage?”

That stopped everyone dead in their tracks with a laugh. “That’s good.”

Hopefully they think it’s a good idea too. Because with all the hacks they would have had to do to get Lovelace’s JRE running on a Von Neumann architecture machine, there’s no way the thing can be stable, let alone secure.

How to stop the 30% of ex-employees who want to access company data

I read on LinkedIn this week that up to one-third of former employees are still accessing company data after their last day.

I wish I could say I was surprised. But I remember on my last day at one former employer, I turned in my badge, mentioned that I still had some paperwork to fill out and asked if I could have a couple of hours before my accounts would be de-activated. The guy laughed, and I won’t say how long he estimated my accounts would still be good. It was too long.

I don’t want my light bulbs on the Internet

I heard this week that the first vulnerability in smart light bulbs has been discovered: they can leak your Wi-Fi password.

I suppose I can take comfort in the cost of the bulbs. They cost $129, which means not a lot of people will have them, in a world where people complain about paying $5 for an LED bulb. Then again, for $129, I think it’s reasonable to expect a little bit of security. This isn’t a $15 router with a $2 profit margin. To its credit, the manufacturer immediately issued a patch to fix the vulnerability.

The problem with devices like these with security vulnerabilities is that they will be around a very long time.

Listen to this if you think a router makes you invincible

One myth that I hear over and over is that having a router on your Internet connection makes you invisible, and makes you somehow invincible. I even heard someone say recently that if you have a router/firewall, you don’t need to run antivirus software.

Security researcher HD Moore appeared last week on Risky Business and he talked about ways that entire classes of routers can be compromised. Give it a listen.

Rick Broida thinks he doesn’t use antivirus software

C’mon. You knew I’d get around to writing a response to Rick Broida’s claim that he doesn’t use antivirus software.

Actually, he’s not nuts. But he’s also mistaken if he thinks he doesn’t use antivirus software. His editorial is kind of like saying, “I don’t use a web browser. I use Internet Explorer.”

Although he’s mistaken that he doesn’t use antivirus software, and not all of his advice is spot-on, you can do a lot worse than follow his advice.


How to measure the effectiveness of a security program

On a recent episode of Down the Rabbit Hole, Rafal Los and James Jardine asked CISO-turned-CIO Joe Riesberg how he measures the effectiveness of a security program. He came up with five things, which are pretty much how we measure our effectiveness where I work too. That’s a pretty good indicator.

How to do one-off patches without an Internet connection

If you need to patch a small quantity of Windows servers or desktop PCs and don’t want to download four gigabytes of updates, or, worse yet, can’t download updates, WSUS Offline Update is your buddy. Don’t let its name fool you: it doesn’t require a Microsoft WSUS server in order to operate. But if you have a local WSUS server, you can point it at that to download updates, which is faster than downloading from Microsoft.

It’s a script that can download all existing updates for a given operating system, and then, you can run it off a network drive or removable media on individual systems to install missing patches and service packs. It’s a reliable way to quickly patch a small number of systems. I’ve had to use it a few times in my career and it’s worked well for me.

Patching hundreds of systems with it isn’t something I recommend. If you have a lot of machines, you need to stand up an enterprise patching solution. But this tool definitely has its uses, especially in small environments, or even for one-offs in large environments.

I can think of another good use for it: If you have a development network that doesn’t have an Internet connection, this will let you download and apply updates to it so your development network matches production, which is critical for a properly-working environment.

In the bad old days I used batch files to apply updates. WSUS Offline Update is better, because it applies only the missing updates, and it does a reasonably good job of applying the updates in the proper order. Using batch files, sometimes I would have to run the file, reboot, and repeat a half dozen times to end up with a clean system, which didn’t make the security team happy. When I started using the predecessor to this tool, my security team and boss were a lot happier.