Linux admins beware, there’s a web server exploit in the wild

No OS is 100% secure if there’s enough desire to get in. There’s a web server exploit targeting Apache, Nginx, and Lighttpd running on Linux–a first of its kind, in at least one regard.

According to this page, if you execute this command:

strings /usr/bin/apache2 | egrep opentty

you’re clean if nothing comes up, and you’re infected if you see one or more matches. If your system stores its httpd binary elsewhere, change the path in the first parameter to match.

The trouble with bringing your own software

PC Magazine is advocating a bring-your-own-laptop, bring-your-own-software approach to business. It likens it to mechanics who bring their own tools.

The trouble is that while mechanical tools in a toolbox operate autonomously and don’t interfere with one another, software residing on a computer does.

Step 1 to landing a security job: Become conversant in security

So last week, I wrote about the difficulty of landing a security job and promised to explore it further.

And I think the first key, and what should be the most crucial key, is being conversant in security. Having a certification is one thing, but at the end of the day, the biggest thing it means is that you passed a test. It’s possible to pass a certification test and not be able to talk intelligently about security. So in the process of interviewing, you can expect to have to answer a pile of questions, and if you don’t answer those questions well, you won’t be offered a job.

Somebody just tried to hack me

Caller: “I calling from technical support. We found issue with your PC.”
Me: “What company are you with?”
Caller: “CSA is the name of my company.”
Me: “What’s our business relationship?”
Caller: “We found issue with your PC. Our technicians found your PC is running slow.”
Me: “Do you realize I wrote the book about PC performance? No, really, I wrote a book about it. I guarantee my computer is faster than yours. I also possess multiple security certifications.”
Caller: “Go on.”
Me: “You need to find someone else to social engineer.”

The caller stammered a little bit, tried to assure me it wasn’t a scam and wasn’t going to cost me money, then hung up.

12 PC tasks you should be doing and aren’t

Here’s a jewel from earlier this month from PC World: 12 easy, crucial PC tasks you should be doing and aren’t. They’re mostly related to performance and security. No wonder I like the article.

A couple of the items won’t give the kinds of gains they used to–in this era when everyone thinks they need a 3 TB drive and they’re using less than 1 TB of it, cleaning up unused data isn’t going to do all that much to improve performance. But there’s some benefit to removing unused programs, especially unused programs that run at startup.

Most critically, the article tells how to automate a lot of these tasks. Automating it so that it just happens without you having to think about it is even better than doing it. If you’re not doing these 12 things because the computer is already doing them automatically for you, then that’s OK.

Livingsocial got breached. Change your password, of course

Livingsocial got breached. You need to change your password, if you have a Livingsocial account.

There are two questions worth asking: How do you protect yourself, and how does this happen?


“They were bored and wished they had a job.”

I was catching up on security podcasts this week, and a brief statement in one of them really grabbed me. The panel was talking about people who steal online gaming accounts, I think. The exact content isn’t terribly important–what’s very important is what this person found in the forums where the people who perform this nefarious activity hang out. What she found was that there was one common sentiment that almost everyone there expressed, frequently.

They were bored, and they wished they had a job.

There was about a 30-second exchange after that, but I don’t think it’s enough.

When your CISSP isn’t enough

I had a job interview Monday. I have at least one observation from it–the things on my resume that impress recruiters don’t necessarily impress a good hiring manager. Not on their own, at least.

Let’s do some post-mortem.


The ACLU has a point about smartphone security

The ACLU complained to the FTC that carriers aren’t patching vulnerable Android phones. They have a point.

Phones are profitable, and the carriers are trying to have it both ways.

Linksys isn’t the only company building insecure routers

I warned a few days ago about Linksys routers being trivially easy to hack; unfortunately many other popular routers have security vulnerabilities too.

The experts cited in the article have a few recommendations, which I will repeat and elaborate on.