End of the innocence for Mac security

Antivirus vendor Kaspersky has identified a new trojan horse targeting Macintoshes. It spreads via an infected Microsoft Word document, typically sent as an e-mail attachment, and enrolls the compromised Macs in a botnet based somewhere in China.

The spin is that if you don’t use Word on your Mac, you’re safe. That’s true–this week. But going forward, it’s going to take more than that.

Securing wi-fi isn’t about price gouging

The so-called wi-fi golden era is over, and apparently being glad about it makes me an absolutist.

But John C. Dvorak is wrong. This isn’t about making people pay for Internet access. It’s pure security. Toilets and drinking fountains are free because the majority of people don’t abuse them. The Internet can’t be wide open and free like a public restroom because when it was totally wide open and free in the 1990s, too many people abused it.

Don’t give prospective employers your Facebook password

I’ve read multiple stories this week about potential employers demanding that interviewees hand over their Facebook passwords during the job interview so they can snoop around.

There’s no good reason for this.

There’s a 61% chance the Adobe software you run at work is out of date

I read this week that 61% of Adobe Reader installations in workplaces are out of date.

That’s very bad. Very, very bad. Because Adobe Reader is trivially easy to exploit, and there’s more sensitive information to steal on corporate PCs than there is on home PCs.


Apply your monthly patches just as soon as you can

There are only six patches in this month’s edition of Patch Tuesday, and only one of them is critical, but it’s a big one.

The critical patch fixes a flaw in Remote Desktop Protocol, something typically only present in the business-oriented flavors of Windows. But if you don’t know whether you’re affected, it behooves you to let Windows update whatever it wants to update.

Unix-to-Windows copies with PSCP

I’ve been moving files between Linux servers, and to and from Windows boxes, as part of my server migration. I started to write about how I’ve been doing it, but it seemed oddly familiar.

Yep, I’ve written about SCP and its Windows port, PSCP, before. Do this long enough and you find yourself repeating yourself.


The old days of viruses

Blogging pioneer John Dominik, inspired by my Michelangelo memories, wrote about his memories of viruses later in the decade. So now I’ll take inspiration from him and share my memories of some of those viruses. I searched my archives, and at the time it was going on, I didn’t write a lot. I was tired and angry, as you can tell from the terse posts I did write.


Remembering Michelangelo

Yesterday was the 20th anniversary of the Michelangelo virus. If you don’t remember, on March 6, 1992, Michelangelo was programmed to overwrite the first 100 sectors of a hard drive–not quite as destructive as formatting a drive, but to the average user, the effect is the same. It was a huge scare–John McAfee predicted five million computers would be affected–but largely was a non-event.

Those of you studying for security certifications would do well to remember that Michelangelo is a prime example of a virus and a logic bomb. Viruses replicate; logic bombs do something when an event triggers. Malware doesn’t always fit neatly into specific categories–crossovers are common.

Don’t use Password1 as your password

CNN reported yesterday that Password1 is the most common password in business environments. It’s the simplest password that meets common “complexity” requirements. It illustrates the problem with complexity requirements–a password can meet those requirements while still being extremely predictable.

As such, those passwords can be easy to guess, and they cast doubt on the entire idea of complexity.


A cloud computing-related Security+ question

Someone tossed a Security+ study question my way this week. This is an example of Security+ trying to be CISSP Lite, but it’s still a valid question–probably for either test, and for SSCP and CISM too.

A small not-for-profit organization needs to invest in a new expensive database. There is no budget for additional servers or personnel. Which of the following solutions would allow it to save money by avoiding hiring additional personnel and minimize the footprint in their current datacenter?

A. Linux
B. Software as a Service (SaaS)
C. Infrastructure as a Service (IaaS)
D. Platform as a Service (PaaS)

Let’s take it one at a time.
