A treasure trove of training material

Need to improve your security skills? Need a refresher course to brush up on some skills you haven’t used in a while? Or are you just looking for some CPEs or CEUs to keep your certification valid?

The United States Department of Defense offers a great deal of security training, much of which is freely available to all comers. Your tax dollars paid for it, so don’t feel bad about using it. Besides, if you use it to improve your networks, then your networks are less likely to become a source of attack on government networks, so they’re happy for you to use most of it.

Here’s a hint: Anything that isn’t viewable by the general public is marked “*(DoD PKI Cert req’d).” If you don’t see that marking, then it’s free for you to view. Just click the link marked “Launch Training.”

Troubleshooting at all layers of the OSI model

I saw this phrase in a job description last week: Troubleshooting at all layers of the OSI model. That sounds a bit intimidating, right?

Maybe at first. But let’s not overcomplicate it. Once you get past the terminology, it’s a logical way to locate and fix problems. Chances are you already do most of this whether you realize it or not. I was already troubleshooting at least four of the seven layers when I was working as a part-time desktop support technician in college in 1995.

Rob O’Hara on phreaking, Tesla coils and modems

Rob O’Hara posted a podcast about phreaking today. He explains in layperson’s terms how the phone system was controlled by tones, cites it as an example of security through obscurity, and he talks about his own first-person experience subverting the phone system. He was far from the only one who did that.

The 1 TB-ish SSD: The Micron M500

Anandtech has a review of the Micron M500, which is the first 960 GB SSD to retail for less than $600. Micron had to make some decisions to get that combination of capacity and price, so it’s not truly a no-compromises SSD, but like the article states, it’s a not-quite-a-terabyte capacity at the price that the best 80 GB drive was selling for in 2008. That’s a long way to come in five years. At $599, the price is high, but it’s not out of reach. If you really need that much high-speed capacity, you can probably come up with that sum.

And the drive’s reception has been very good. It’s backordered everywhere I’ve looked.

If you use a Linksys router, you need to drop everything now and upgrade it

The Linksys WRT54GL and EA2700 routers both have serious security vulnerabilities. Serious enough that the only way to continue using them safely is to load an alternative firmware such as DD-WRT on them. That’s not entirely a bad thing; DD-WRT is more capable and, unlike most consumer-oriented firmware, allows you to disable WPS.

The EA2700, in particular, is so trivially easy to hack it’s laughable–all it takes is entering a predictable URL into a web browser. That’s it.

The AMI BIOS breach of 2013

A security professional’s nightmare happened to AMI this week. Tons of confidential data, including the source code for the UEFI BIOS for Intel Ivy Bridge-based systems and an AMI-owned private key for digital signatures, turned up on a wide-open FTP server for all comers to download anonymously. This AMI BIOS breach has numerous implications.

The implications are nearly limitless. To a malware author, this is like finding a hollowed-out book at a garage sale stuffed with $100 bills with a 25-cent price sticker on the front. If you’re a budding security professional, count on being asked in job interviews why you need to protect confidential information. The next time you get that question, here’s a story you can cite.

Although it’s counterintuitive, AT&T’s new password policy makes sense

AT&T has a new password policy that forbids the use of certain common words in passwords, including some words of a colorful nature.

Yes, it reduces the number of possible passwords, but that isn’t exactly a bad thing.

We need to fix CISPA, not kill it

Here’s a good plan for fixing CISPA. And CISPA needs to be *fixed*, not stopped. We have three alternatives right now:

1. Secure the Internet
2. Voluntarily pare back the Internet
3. Wait for the Internet to fall apart and/or become too dangerous to use anymore

Given the unpleasant side effects of options 2 and 3, option 1 is all that’s left. Otherwise, the Internet will become a weapon of mass destruction. Keeping a hacktivist group or rogue nation from shutting down all gas and electric power in New York City on the coldest day in January is CISPA’s goal.

The ethics of writing nefarious security instructions

This week I posted a link to a video showing how to crack a WPS-enabled wifi network, and this week, Ars Technica wrote a firsthand account of cracking a password list. I’m sure this raises questions of ethics in some people’s minds. To be honest, spreading this kind of information makes me a little uncomfortable too, but I also think it’s necessary.

The Internet is at war. Please read this if you run a DNS server.

A Dutch ISP that acts as a spam haven is DDOSing Spamhaus, and they’re using DNS to do it. The attack is using spoofed DNS queries to create, basically, a smurf-like attack. And the sheer volume of traffic is likely to affect the Internet as a whole.

That might explain why my recruiters were complaining that it was taking forever to look up job postings today. (Yes, I can publicly admit that I’m talking to recruiters. That’s another story.)

But basically, if you run a DNS server, you need to check your configuration to keep lowlifes from using your DNS as a weapon. Here is a useful page for those of you running BIND, one of the most popular DNS servers.

This was the most common type of attack in 2012; it looks like some people are trying to up the ante in 2013. We can make it stop, but every sysadmin running a DNS server is going to have to pitch in to help.
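
The configuration check described above, sketched for BIND as an added example (it is not from the original post or the page it links to). The ACL name `trusted` and the 192.0.2.0/24 range are placeholders; substitute your own client networks.

```conf
// named.conf fragment (added example; addresses are documentation placeholders)

// WEAK: an open resolver. Anyone on the Internet can send a query with a
// spoofed source address, and this server sends the (larger) answer to
// whoever owns that address.
//
// options {
//     recursion yes;
//     allow-recursion   { any; };
//     allow-query-cache { any; };
// };

// CORRECTED, case 1: a recursive resolver that serves only your own clients.
acl trusted {
    localhost;           // built-in ACL: this machine
    localnets;           // built-in ACL: directly attached networks
    192.0.2.0/24;        // placeholder: replace with your client networks
};

options {
    recursion yes;
    allow-recursion   { trusted; };   // only these sources get recursive answers
    allow-query-cache { trusted; };   // only these sources can read cached data
};

// CORRECTED, case 2: an authoritative-only server. Use this options block
// instead of the one above. The server still answers for its own zones
// but refuses recursive lookups from everyone.
//
// options {
//     recursion no;
//     allow-query-cache { none; };
// };
```

Run `named-checkconf` on the edited file to validate the syntax before reloading the server.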