Windows XP gets its first forever-day

This week Microsoft disclosed a critical 0-day flaw in Internet Explorer. Microsoft is considering an out-of-band patch, but regardless of when the patch gets released, no Windows XP patch will be coming, except for the companies and governments who are paying a large fee for end-of-life support.

This was about 20 days later than some people estimated, but now it’s happened. The mitigation is to run EMET. But in the long term, getting to a new version of Windows is the only viable option. You can do this on the cheap if you need to.

While we’re talking about browsers, Chrome has the most CVEs associated with it, making it numerically the least secure of the browsers, but they have the fastest time to patch, by far, so the numbers are very deceiving. So using Chrome isn’t a bad choice, especially on XP where Internet Explorer is out of date and forever EOL.

IT security vs. the construction industry

On the Risky Business podcast last week, Andrew Wilson, the CEO of Australian cryptography gear maker Senetas, stated that many businesses see the bad things that happen from poor IT security as just a cost of doing business.

Nothing revolutionary there. We’ve all seen it. Target is paying a steep price right now, but what about Michaels and Neiman Marcus? They got breached at the same time as Target, and nobody’s talking about them. Maybe Target thinks the cost of doing business got too high: they’ve hired a CISO, and I hear they’re hiring lots of new security personnel (I have coworkers and former coworkers in the Minneapolis area who tell me as much). But for Michaels and Neiman Marcus, the cost, at least so far, appears to have been manageable.

But Wilson added something that I hadn’t heard anywhere else before. Fifty years ago, he said, construction workers dying while building a large building was considered a cost of doing business. Fifty years ago that was normal. Today it’s unacceptable.


Five malware myths

I found a story called Five Malware Myths and take no issue with anything it says. Run antivirus, whitelist your program directories, run EMET, and you’re reasonably protected but not invincible. But nobody is as invincible as the majority of people seem to think they are.

Let’s take them one by one.


Password advice in the wake of Heartbleed

I’ve seen a lot of bad password advice lately. Guessing passwords is just too easy for a computer to do, especially as they get more and more powerful.

Formulas are bad, but unavoidable, so here’s what I recommend if you’re not going to use a password manager creating completely random passwords: Unverifiable (or difficult to verify) facts. Things like what house you lived in in 2001 and what you paid for it. Better yet, your favorite baseball card and what you paid for it. Or maybe the address and phone number of your favorite long-gone pizza or BBQ joint. Think along those lines.

T206Wagner$0.50 was a reasonably good password before I published it here (you paid 50 cents for one at a garage sale! Right?) only because it contains an unverifiable fact. I guarantee T206Wagner$1M (the value of the most valuable baseball card in existence) is in all the password lists these days.

This isn’t especially great advice, but it’s something that there’s half a chance people will be willing to follow, and it pretty much forces passwords to have a nice mix of character types and to be at least 12-16 characters long. I don’t think it forces enough non-alphanumeric characters, or a wide enough variety of them, but left to choice most people won’t put any of them in. It would become lousy advice if very many people chose to follow it, but I know few will, and most people will continue to use the weakest passwords a site allows, so it’s adequate for a while.

The most important thing is to make it personal. What I paid for favorite baseball cards is easy for me to remember. If you never collected baseball cards, think of something along those lines that’s easy for you to remember, with a spin that’s hard for someone else, computer or otherwise, to guess.

Passwords you need to change in Heartbleed’s wake

Heartbleed, a serious vulnerability in a piece of Internet backend software called OpenSSL, is the security story of the week. Vulnerable OpenSSL versions allow an attacker to see parts of a web session they aren’t supposed to see, including passwords in transit.

Timing is critical. If a site upgrades to a patched OpenSSL version after you change your password, you have to change your password again. That’s why some experts are saying to wait, and others are saying change right now.

Here’s a list of sites that are affected or potentially affected. My recommendation: Change any passwords for any sites on this list listed as affected. Hint: Yahoo, Google, and Facebook are on the list. If at any point in the near future you get e-mail from them saying you need to change your password, change it again.

To clarify: Changing your password right now won’t hurt, but it might not be enough either. To be safe, you may end up changing some passwords twice, so be ready for it.

Another clarification: If you’re using 2-factor authentication, don’t bother changing the password. An attacker has to catch the password after it’s been sent, but if you’re using 2-factor, you’re not sending the password (you’re sending other stuff, and that stuff changes to prevent replay attacks), so you’re good.

How I turned a junker PC into a trap for scammers

As my regulars will be aware, for the past few weeks I’ve been getting lots of phone calls from “Peggy” from “Computer Maintenance Department.” What I’ve found during these phone calls is that debating with them does no good, and saying that your computer is crazy fast gets them to hang up on you, but they’ll call back again in a few days anyway.

Last week, I had lunch with a group of future coworkers (I’ll be joining them once my background check results come in) and I mentioned these phone calls. The guy sitting across the table from me said he wants their malware, so he can reverse-engineer it. So I said I would cooperate the next time I got a phone call.

Cheap, simple application whitelisting

Application whitelisting is an effective security tool, but a pain to implement and administer. Here’s a very simple tool for it, that works on home versions of Windows as well as pro versions. It’s very simple and possible to defeat, but, arguably, it’s about 90% effective, putting it on par with antivirus and giving you coverage that antivirus will miss. It makes a good companion for antivirus and EMET.

Even grade D+ whitelisting is much better than no whitelisting.

Training hackers in schools

I found this piece advocating teaching kids to be hackers. That’s hackers in a probing, discovering sense, rather than the trouble-causing, nefarious sense.

I found myself agreeing and disagreeing with this article at the same time. Not every hacker is a bad guy. And hacking is a mindset. But not everyone has the right mindset.

Troubleshooting machines that won’t update from WSUS or SCCM

In my younger days, I administered WSUS on a small (300 servers or so) network. Every once in a while, I ran into an issue where a server just didn’t want to talk to WSUS. These days, some companies prefer to push patches with SCCM but it uses the same mechanism to push patches.

Apparently my old problem still happens from time to time. So I did some research to come up with a solution. This mechanism is still largely a black box, but it’s a lot better documented now than it was in my day. Here’s what I came up with for troubleshooting WSUS or SCCM.

The time bomb in your older computer

I was listening to an interview between Paul Asadoorian (of Pauldotcom fame) and Cigital CTO and software security expert Gary McGraw. They discussed how the target of attacks moved from Microsoft to Adobe, and now that Adobe is showing signs of getting its act together, it’s moving somewhere else.

“If I were Nvidia,” McGraw said, “I’d be thinking a lot about software security. Fortunately they are.”

Nvidia does sound like a juicy target.