How Shloosl can copy a key from just a photograph

Lifehacker caused a bit of a stir by posting a link to Shloosl, a service that will mail you a copy of your key in exchange for a pair of digital photos of it and $5. Then they claimed the key worked better than a hardware-store copy, which really set some commenters off.

Is it bad security? And how does it work?

Reports of the Droidpocalypse have been greatly exaggerated

I was listening to the excellent Risky Business analysis of the Droidpocalypse this week, and I’m happy to report that the vulnerability that affects 90% of Android devices ever made, while serious, is vastly overstated.

Getting started in compliance: Start by doing the right thing

I had a couple of discussions this week about compliance, and the traps of plain old check-the-box compliance, and how to get started in it when regulatory compliance suddenly gets sprung on you.

The key is working backwards. Start with the very reason regulatory compliance exists.


Something that shouldn’t be there

I was standing in line to get a number for an estate sale this weekend–they’re what I do–and found myself standing a couple of people behind someone who talks too much.

I think some people talk because they want affirmation, and telling tales of what they’ve found is the way they get it. I’m very careful what I talk about, because I frequently see new people who look for exactly the same thing I look for, and if I just give away the knowledge I’ve spent years learning, it literally costs me money. But that’s not how a lot of people think, so if you keep your ears open, you can hear some good information.


Don’t be too impressed with Snowden’s “ethical hacking training”

I saw this new headline regarding Edward Snowden, discussing his NSA hacking training. Don’t be impressed.

For several years, I lived in that same world Snowden lived in. I’ve gone out of my way to avoid mentioning this, but from 2005-2012, I was a consultant. I worked for several different companies, due to contracts changing hands and companies merging, but my client was the United States Air Force. And from 2011-2012, I even had direct dealings with the NSA. I attended NSA meetings in the Washington, D.C. area. I received NSA training–in person–in a security discipline called threat modeling. My job was to represent NSA to the Air Force three weeks out of the month, and represent the Air Force to the NSA on the fourth week.

Just don’t ask me anything about UFOs. Unlike some people, I didn’t snoop around on classified networks. Whenever possible, I didn’t look at the data at all. If I had to look at data, I preferred to look at dummy data. If I actually did look at real, honest-to-goodness classified data, it was because I needed to know that information to do my job. I was a pretty good contractor, I think.

I also know about this training that Snowden put on his resume.

EMET protects against what your antivirus cannot–and it’s free

A few years ago, Microsoft quietly released a security tool called EMET–the Enhanced Mitigation Experience Toolkit. EMET is now in version 4.0, and it’s probably the best security tool you’ve never heard of. And that’s a real shame.

Modern versions of Windows and modern CPUs include several security-enhancing technologies that aren’t necessarily switched on by default. EMET is a wrapper that forces software to use these technologies, even if they weren’t designed from the get-go to use them. The idea, then, is that if a badly behaving data file tries to exploit a traditional vulnerability in one of these programs, EMET steps in and shuts it down. A real-world example would be if you visit a web page that’s playing a malicious Flash video, or that contains a malicious Acrobat PDF. The malicious data loads, starts to execute, and the minute it misbehaves, EMET slams the browser tab shut. You won’t know right away what happened, but your computer didn’t get infected, either.

Microsoft’s bug bounty is a step in the right direction

Last week, Microsoft announced it’s offering a bug bounty program. Find a working exploit in Windows 8.1/blue/whatever it’s called this week, and Microsoft will hand over $100,000. Find a mitigation for that exploit, and Microsoft will pony up for that too, up to $50,000.

I think I know what they’re up to.

What to do about PRISM is unclear as of yet

I haven’t written a lot yet about Mr. Edward Snowden and the NSA PRISM program. I will in time, but want to be careful not to be spreading misinformation, and not to merely be repeating what everyone else says.

There’s been no shortage of advice on encrypting your own data, but there is one pitfall to that.

How to check your Java version

Sometimes, especially on Windows servers, it’s difficult to verify what version of Java you’re running while you’re making your rounds. If you don’t have a scanning tool to check it, here’s how to check your Java version by hand, even if the Java control panel doesn’t show up:


Give your antivirus software a workout

Via PC Magazine, I found the AMTSO website, which is designed to test your antivirus software for proper operation. I think this is good for two reasons. One, it gives you a chance to see if antivirus software is operating properly. Two, it gives you a chance to see how your browser and antivirus software behave when something bad is going on.