The Silicon Underground

Home » Page 254

Yes, we need to run vulnerability scans inside the firewall

Dave Farquhar security February 18, 2015February 15, 2015AIX, firewall, malware, old windows, unix, vulnerability, windows 2000, windows nt

I got an innocent question last week. We’d been scanning an AIX server with Nexpose, a vulnerability scanner made by Rapid7, and ran into some issues. The system owner then asked a question: The server is behind a firewall and has no direct connection to the Internet and no data itself, it’s just a front-end to two other servers. Is there any reason to scan a server like that?

In my sysadmin days, I asked a similar question. Nobody could give me an answer that was any better than “because reasons.” So I’ll answer the question and give the reasons.

You’re telling me someone gave a stranger his password?

Dave Farquhar security February 17, 2015January 23, 2022Adobe Acrobat, Adobe Reader, antivirus, breach, hp, IBM, LinkedIn, malware, passwords

I was talking breaches last week when a very high-up joined the conversation in mid-stream.

“Start over, Dave.”

“OK. I’m talking about breaches.”

“I know what you’re talking about,” he said, knowingly and very clearly interested.

We lost a St. Louis original over the weekend

Dave Farquhar Christianity, St. Louis February 16, 2015February 15, 2015

I don’t think any of this will be in the newspapers, but I hope I’m wrong. Probably the most unusual man I will ever meet died over the weekend. His name was Otis Woodard. He ran a women’s shelter and food pantry in north St. Louis for decades. In many ways, it seems to me he represented everything that was right in the midst of all the things that are so wrong.

Commodore hardware viruses–yes, they were possible

Dave Farquhar Retro Computing February 13, 2015June 3, 20241541, 1980s, 6502, commodore, commodore 64

The conventional wisdom is that computer viruses can wipe out your data, but they can’t do physical damage. The exception to that rule was, of course, Commodore, the king of cheap 1980s computers. Commodore’s earliest computer, the PET, had an infamous “poke of death” (POKE 59458,62) that could damage its video display, but the Commodore 64’s sidekick, the 1541 disk drive, had a couple of little-known vulnerabilities as well. Read more

Tinkering isn’t dead, but it is changing

Dave Farquhar Uncategorized February 12, 2015December 4, 20181980s, apple, apple ii, capacitor, capacitors, IBM, pi, radio shack, raspberry, Raspberry Pi, tinkerer

When Radio Shack announced its bankruptcy, I read more fears that the age of tinkering is dead than I read laments for the store.

I follow the logic, because Radio Shack was the only national store chain that ever tried to cater to tinkerers. But I don’t think people abandoning Radio Shack means tinkering is necessarily dead. I have plenty of indications that it’s still very much alive, but it’s also very different from how it used to be.

How to become an Info Assurance Analyst

Dave Farquhar security February 11, 2015November 30, 2016CERT, certifications, CISO, cissp, cissp exam, excel, Information Assurance, information security, Liquid Matrix, podcast, trolls, unix, vulnerability

So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. I think you should want to become one, so here’s how to become an Info Assurance Analyst.

The field desperately needs more of us, so I’m happy to share with you how to become someone like me. Read more

Anthem, HIPAA, and encryption

Dave Farquhar security February 10, 2015February 9, 2015breach, insurance companies, pentium ii, vulnerability, Wall Street Journal

Late last week, the Wall Street Journal reported that Anthem wasn’t encrypting the database containing tens of millions of health records that were stolen by sophisticated hackers.

There are numerous problems with that story, the first being that we don’t know yet whether the data was encrypted. There are other unconfirmed reports that say the attackers used a stolen username and password to get at the data, which, if that’s true, likely would have allowed them to decrypt the data anyway.

Still, I’m seeing calls now for the government to revise HIPAA to require encryption, rather than merely encourage it. And of course there are good and bad things about that as well.

“It was a sophisticated attack.”

Dave Farquhar security February 9, 2015February 6, 20151980s, antivirus, breach, command prompt

Every breach report contains the words “sophisticated attack.” Security pros like me see it as pure spin. Here’s why.

R.I.P. Radio Shack. I’ll miss what you once were.

Dave Farquhar Retail February 7, 2015February 5, 2025

I’ve tried several times to write a eulogy for Radio Shack. It’s not easy. The demise has been a foregone conclusion for a very long time, and it’s clear they could have done any number of things differently and survived in some form.

But they didn’t. Let me tell you about the last time I almost went to Radio Shack. Yes, almost.

Why every breach is different

Dave Farquhar security February 6, 2015February 5, 2015Adobe Acrobat, Adobe Flash, breach, Microsoft Office, unix, vulnerability, windows nt

I’ve grown used to being asked what unpatched vulnerability was used in the most recent breach, in an effort to make sure some other company is protected.

I appreciate the desire to learn from other companies’ mistakes and not repeat them. But there are several reasons why the answer to that question is complicated, and not necessarily helpful.