Mozilla goes sane with the corporate ESR version of Firefox

In what can only be a wise move, Mozilla decided to release an ESR version of Firefox, which will be replaced once a year and patched in the meantime. A six-week cycle is perhaps manageable for home users, but it’s downright lunacy for corporate environments. It’s hard enough to test and deploy pure security fixes in 4-6 weeks, let alone test something that introduces entirely new features and deploy it.

I’m not sure that corporations and Mozilla want each other all that much, but they need each other. It’s a cheap way for a corporation to improve its security posture, as long as testing, deploying, and keeping it up to date isn’t a full-time job for someone.

Why computerized information systems frequently fail to meet the needs of users

Let’s take a look at another CISSP-type question today, because I think it has broad implications for more than just CISSPs.

Here’s the question.

Which of the following best explains why computerized information systems frequently fail to meet the needs of users?
A) Inadequate QA (quality assurance) tools
B) Constantly changing user needs
C) Not enough project management
D) Inadequate user participation in defining system requirements


Message digests for forensic purposes

I found a question in my studies whose answer I didn’t like. So I’ll repeat the question and the choices, and state what I think the answer should be and why I think that way. Any experts out there who might be reading can feel free to chime in.

Which of the following is a potential problem when creating a message digest for forensic purposes?

A. It’s an extremely slow process
B. The message digest is almost as long as the data
C. The last access time of the file is changed
D. One-way hashing technology invalidates message digest processing

Making this WPS vulnerability even worse

If the vulnerability in WPS that I linked and talked about this week wasn’t bad enough, some of the commenters at the always excellent Hackaday found something terrible.

Many vendors use a predictable number as the WPS PIN, and don’t even bother to make it unique on a router-by-router basis. So much for it taking a couple of hours to get into a network. Since some vendors set the PIN to something like 123456789 or 123456780 (how clever), the vulnerability may not even be necessary to get in. Just try some of the known numbers, and chances are you can be on somebody’s network in a matter of minutes.


Is that file safe?

So you’ve downloaded this great new piece of free software, but you’re not sure if it’s safe to install. Your antivirus software says it’s not infected, so you can assume it’s safe, right?

Not so fast. Nothing detects everything. Using multiple virus scanners dramatically decreases the chances of something getting through.


My buddy Halon-2402

Halon-2402 and I have met. Some years ago, I saw an old sign in a computer room. The sign had to be old, because smoking in offices has been banned since the 1980s, and the sign appeared to be hand-lettered in colored permanent marker. It read something like this:

No smoking is allowed. Smoke in this room will cause the release of an expensive gas (Halon) and require its replacement. Absolutely no smoking is allowed!

The sign omitted one relatively significant detail. Not only is (was) Halon-2402 expensive, it will also kill you!


This is why you disable stuff you don’t think you need

This is going to sound like gloating, so I’m going to apologize for that right up front. A few weeks ago, I recommended you keep WPS disabled except for brief intervals for convenience. I had no specific reason in mind. Just in case. Just in case, you know, a vulnerability in WPS got discovered.

Well, one got discovered.


Is Anonymous trying to get a CEO jailed or fined?

The hacking group Anonymous hacked security contractor Stratfor, stealing its customer list including names, addresses, and credit card numbers, which they then used to go on a charity shopping spree.

My former boss’ wife asked him on Facebook what these guys want. And that brought a CISSP question to mind.


I need a hair dryer, some nail polish, and two clothespins

At least it looked like a clean break.

I commonly run errands mid-evening because strapping my two kids into seat belts is a good way to keep them from tripping over their own shadows and hurting themselves. So we did that one night, and when we got home, my wife logged onto Facebook, where a picture of my sister’s USB flash drive greeted her. It was in pieces.

“Have her call me,” I said.


Balancing safety and versatility

John C Dvorak has a very simple solution to the HP printing problem. Lock down the firmware so it’s not upgradeable. And while we’re at it, do the same thing to routers and other equipment.

This solves the problem of loading rogue firmware on the devices, but there are several problems with such a draconian approach.