How to patch less

One of my former supervisors now works for a security vendor. He told me the other day that someone asked him, “Does your company have anything so I don’t have to patch anymore?”

The answer, of course, is that there’s nothing that gets you out of ever having to patch anymore. To some degree you can mitigate, but there’s no longer any such thing as a completely friendly network. The reasoning that you’re behind a firewall doesn’t work anymore. On corporate networks, there’s always something hostile roaming around behind the firewall, and you have to protect against it. If you’re on a home network with just a computer and a router, your computer and router attack each other from time to time. That’s the hostile world we live in right now. Patching is one of the fundamental things you have to do to keep those attacks from being successful.

That said, there are things you can do to patch less.

And in a story that should surprise no one, Target’s attack was unsophisticated

I found a story today stating that the attackers who stole millions of credit cards from Target didn’t have to try very hard to hide. I wish I could say I was surprised.

My boss says it this way: Amateurs hit as hard as they can. Professionals hit as hard as they have to.

Why? Because if they only hit as hard as they have to, they can save the hard hit for another day. And it really boils down to simple economics. If I can buy off-the-shelf malware for $1,000 and use it to steal millions of dollars, then use the same malware again somewhere else and steal another few million, why not do that? The alternative is to buy a sophisticated attack that costs five or six figures. Then what happens? I use it, get my money, and then the victim can’t figure it out, so the victim calls in Mandiant. Mandiant discovers the zero-day attack, then tells the world about it. Mandiant looks good because they discovered something nobody else has ever seen before. The victim looks a lot better too, because they got mowed down by something that was unstoppable. But then the vendor moves heaven and earth to release an emergency out-of-band patch as quickly as possible, closing down a very brief window of opportunity to use it.

Cyber criminals may be crooked and unethical, but they aren’t stupid. And that’s why this is an uphill battle: A cheap attack can go up against defenses that cost an order of magnitude more, and still win.

The bitcoin-train connection

Ever since Bitcoin came into prominence, there’s been a great deal of speculation about the shadowy creator, Satoshi Nakamoto. Newsweek thinks they found him: A semi-retired engineer who dislikes banks and the government and the fees and difficulty associated with importing model train parts from England and Japan.

Well, if you’re going to invent a cryptocurrency, what better thing to spend it on than model train parts?

Microsoft is offering some help in migrating off XP

Since there is no direct upgrade path from Windows XP to Windows 8.1 or even Windows 8, Microsoft has reacted to criticism by licensing a cut-down version of PC Mover and offering it to latter-day XP upgraders for free. It will only migrate three applications for you, but for most people, that’s probably enough.

The good news is that this version of PC Mover works with Windows 7 as well, so if you want to take the strategy of migrating people to $99 off-lease PCs running Windows 7, it will still help.

The linked article above criticized Microsoft for not developing its own migration tool, but that seems a bit harsh. I’ve used PC Mover before, and found it to be a very capable tool. I’d be surprised if Microsoft actually could do much better. And Microsoft has a history of licensing third-party tools anyway: Every disk defragmenter Microsoft has ever shipped was a cut-down version of something written by other companies.

Of course it’s best to rebuild machines from scratch–it will perform much faster that way–but when there’s a must-have program on an old PC and the installation media is long gone, PC Mover is about the only way to recover it and move it on. Most people probably don’t have much more than three programs in that category.

Why you need to guard your Backup Exec servers

If you have a Windows domain, there’s a fairly good chance you have Backup Exec servers, because you probably want to take backups. Because you need them. (As a security guy, I no longer care how you get backups; just that you’re getting them somehow.) Backup Exec is a popular solution for that. But there’s a problem.

A security problem, that is. The quality of Backup Exec as a product hasn’t been my problem since 2005. The problem I have with it now is that Backup Exec stores its passwords in a database. The passwords are encrypted, but it’s possible to decrypt the backup copy, if you’re determined enough.

Some security short-takes I never got around to posting

Here’s some stuff I’ve found in recent weeks that I never got around to posting, so I’ll just round it all up briefly.

More about pfSense, the alternative to the crappy consumer router

I spent some time over the weekend playing with pfSense, and I can’t say much about it other than it does what it says. I didn’t throw a ton of hardware at it–the best motherboard I have lying around is a late P4-era Celeron board, and the best network card I could find was, believe it or not, an ancient Netgear 10/100 card with the late, lamented DEC Tulip chipset on it. Great card for its time, but, yeah, nice 100-megabit throughput, hipster.

If you actually configure your routers rather than just plugging them in, you can do this. Plug in a couple of network cards, plug in a hard drive that you don’t mind getting overwritten, download pfSense, write the image file to a USB stick, boot off the USB stick, and follow the prompts. Then, to add wireless, plug in a well-supported card like a TP-Link and follow the howto.

Consumer routers are the security vulnerability of the year, so far

Today I found an article in PC World that gives a somber assessment of the state of consumer routers, like the device that probably sits between you and the Internet.

I’m glad this is getting attention. There’s a lot more to it than what’s in the PC World article, but I’ve droned enough about what’s bad about consumer routers. It’s bad now, and it’s going to get worse before it gets better. Kudos to PC World for providing a bit of an action plan.

What if you want to go beyond what PC World is talking about? I’m glad both of you asked.

How to downgrade a LogLogic universal collector

If you’ve ever upgraded a LogLogic universal collector and had it fail to work, it’s very disconcerting to see the error message when you try to reinstall the previous version: Downgrades aren’t supported. But there is a solution if you need to downgrade a LogLogic universal collector.

Why it’s a good idea to schedule your router to reboot

Many routers, notably Belkins, have a feature in them to schedule an automatic reboot periodically, usually once a week. Frequently this “feature” is there as a workaround, because something about the router’s software gets unreliable if it’s been running longer than a week. So it’s a kludge, but it keeps the thing working without a lot of effort, so the feature is there.

The respectably rock-solid DD-WRT also has the ability to schedule a reboot built in. I don’t know if it’s there to make life easier for developers, or if it’s there to deal with second-rate hardware, or if there was a time when it was necessary and they just never took the feature back out. Regardless, it’s there, though many DD-WRT stalwarts brag about never needing it because their router’s uptime is more than six years.

It’s fun to get into uptime contests, but it’s poor security. If you have a router, it’s a good idea to be rebooting it every so often, so you might as well turn on that feature, even if it costs you some pride.