unix

Yes, we need to run vulnerability scans inside the firewall

Dave Farquhar security , , , , , , ,

I got an innocent question last week. We’d been scanning an AIX server with Nexpose, a vulnerability scanner made by Rapid7, and ran into some issues. The system owner then asked a question: The server is behind a firewall and has no direct connection to the Internet and no data itself, it’s just a front-end to two other servers. Is there any reason to scan a server like that?

In my sysadmin days, I asked a similar question. Nobody could give me an answer that was any better than “because reasons.” So I’ll answer the question and give the reasons.

Read more

How to become an Info Assurance Analyst

Dave Farquhar security , , , , , , , , , , , ,

So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. I think you should want to become one, so here’s how to become an Info Assurance Analyst.

The field desperately needs more of us, so I’m happy to share with you how to become someone like me. Read more

Why every breach is different

Dave Farquhar security , , , , , ,

I’ve grown used to being asked what unpatched vulnerability was used in the most recent breach, in an effort to make sure some other company is protected.

I appreciate the desire to learn from other companies’ mistakes and not repeat them. But there are several reasons why the answer to that question is complicated, and not necessarily helpful.

Read more

Why we can’t have nice things: The reaction to IBM’s big black and blue quarter

Dave Farquhar Uncategorized , , , , , , , , , ,

IBM announced yesterday that it had a terrible quarter. They missed earnings, the stock plunged, and Warren Buffett lost a billion dollars.

Everyone assumes Warren Buffett is worried, or livid, and selling off the stock like it’s on fire. Read more

CMD.EXE and its shellshock-like qualities

Dave Farquhar security , , , , ,

“So did you know there’s a Windows version of Shellshock?” a coworker asked the other day.

“What, Cygwin’s bash?” I asked.

“No, in CMD.EXE.”

I thought for a second, back to some really nasty batch files I’ve seen that do goofy stuff with variables and parenthesis and other reserved characters. Suddenly it made sense. Those cryptic batch files are exploiting the command interpreter to do things that shouldn’t be done. Then I smiled.

Read more

Predicting the future, circa 2003

Dave Farquhar security, Windows , , , , , , ,

In the heat of the moment, I searched my blog this weekend for quotes that could potentially be taken out of context and found something rather prophetic that I wrote in the heat of the moment 11 1/2 years ago:

Keeping up on Microsoft security patches is becoming a full-time job. I don’t know if we can afford a full-time employee who does nothing but read Microsoft security bulletins and regression-test patches to make sure they can be safely deployed. I also don’t know who would want that job.

Who ended up with that job? Me, about a year after I left that gig. It actually turned out I was pretty good at it, once I landed in a shop that realized it needed someone to do that job, and utilized that position as part of an overall IT governance model.

Read more

Bash is worse than heartbleed! Oh noes!

Dave Farquhar security , , , , , , , , , ,

A really bad remote code execution bug surfaced yesterday, in Bash–the GNU replacement for the Unix shell. If you have a webserver running, or possibly just SSH, it can be used to execute arbitrary code. It affects anything Unixy–Linux, BSD, Mac OS X, and likely many proprietary Unix flavors, since many of them have adopted the GNU toolchain.

This could be really bad. Some people are calling it potentially worse than Heartbleed. Maybe. I’m thinking it’s more along the lines of MS08-067. But there’s an important lesson we must learn from this. Read more

How to clean up a Windows server

Dave Farquhar security, Windows , , , , , ,

From time to time, Windows patches will fail to install because a server doesn’t have enough space to install them. Finding the ginormous files are that are hogging all the space on the C drive is really tedious if you do it by clicking around in Windows Explorer, but there’s a better way.

Download the free Sysinternals Du.exe utility and you can find the behemoths in minutes, if not seconds. Read more

Setting up Retropie on the Raspberry Pi

Dave Farquhar Retro Computing , , , , , , , , , , ,

I bought a Raspberry Pi over the weekend intending to turn it into a retro gaming system. I’d rather not have a mess of systems and cartridges out for my kids to tear up and to constantly have to switch around at their whims; a deck-of-cards-sized console with everything loaded on a single SD card seems much more appealing.

I followed Lifehacker’s writeup, which mostly worked. My biggest problem was my controllers. NES and SNES games would freeze seemingly at random, which I later isolated to trying to move to the left. It turned out my Playstation-USB adapter didn’t get along with the Pi at all, and was registering the select and start buttons when I tried to move certain directions, pausing the game.

When I switched to a Retrolink SNES-style pad, the random pausing went away. The precision reminded me of the really cheap aftermarket controllers of yore for the NES and SNES. I concluded my controller, which I bought used, was worn out. Ultimately I ended up switching to a Logitech controller, which worked well. Read more

Computer, how old are you?

Dave Farquhar Windows , , ,

Yesterday I wrote about finding old computers. Here’s how I determine how old a computer is.

There’s a registry key called HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate that stores the system build time in Unix format (the number of seconds since 1 January 1970) and hexadecimal. With a few mad skilz you can make that data human-readable.

Read more