Droidpocalypse? Josh Drake says no.

Josh Drake, the researcher who discovered the Stagefright vulnerability in Android that lets an attacker hack into an Android device by sending a specially crafted picture or video in a text message, was on the Risky Business security podcast this week to talk about it. What he had to say was interesting.

Patrick Gray, the host, tends to be a pretty outspoken critic of Android and isn’t shy about talking up Apple. He tried to get Drake to say Android is a trainwreck, security-wise, but Drake wouldn’t say it. Drake actually went as far as to say he thinks Android and iOS are fairly close, security-wise.

So why do we see so many more Android bugs? Drake had an answer.


How to mitigate MS15-078 or future Microsoft font driver vulnerabilities

Microsoft rushed out an out-of-band patch, MS15-078, to deal with active exploits in their font driver yesterday. Since pushing out patches takes time, my boss asked me what we could do to mitigate the issue in the meantime.

The biggest threat, by far, is exploit-bearing fonts being downloaded from web sites. Ideally you only install trusted fonts from trusted sources locally on your workstations, right? If not, I suggest you start that practice as well.

You have a couple of options when it comes to blocking fonts in browsers.


Google’s migrating corporate apps to the cloud is less crazy than it sounds

Google is moving its corporate applications to the Internet. A year ago I would have said that’s the dumbest thing I ever heard. Today I’m not so sure.

Sticking stuff in the cloud is the popular answer to everything these days, and I just see the cloud as the new mainframe. It’s not a solution so much as a different take on the same problem, and while I see a couple of potential disadvantages, believe it or not I see some real advantages to the approach as well.


Three things to remember from Verizon’s Data Breach Investigations Report

Every year around this time, Verizon releases its Data Breach Investigations Report, referred to in the trade as simply the “DBIR.” Verizon is one of two companies you call if you’ve been breached and you really want to get to the bottom of what happened and try to keep it from happening again. (Mandiant is the other.)

My CISO hates this year’s edition because of its Joy Division-inspired cover and some of the cutesy writing. But it still makes some valid points that I wish everyone would take to heart–and those points remind me why so many people in my field of work listen to Joy Division.


In defense of Anthem declining the OIG audit

Anthem recently refused to allow the Office of Personnel Management’s Office of Inspector General (OIG) to perform an audit of its networks. Coming on the heels of a large breach, there’s been a bit of an uproar about it.

There are a few things to keep in mind, the first being that this isn’t driven by law enforcement–it’s a customer requesting an audit.


Dave Farquhar, lunch ninja

My boss doesn’t think I’m human. His proof: He asks anyone who knows me if he or she has ever seen me eat. No one has.

They’ve seen evidence of me eating. But actually taking a bite? No. Not even the time we went out for BBQ.


A watering hole attack example from the real world

You may have heard people like me talk about watering-hole attacks. It’s an indirect attack on someone by compromising a third party and using that to get in. Here’s a watering hole attack example from the real world.

In this case, back in November, attackers compromised a Forbes ad server, and from there attacked visitors coming from government and bank networks.

Here’s the logic: Since ad servers tend to be much less secure than your target company, you compromise an ad server from a site someone on the target network is likely to visit, then infect them from there. The attackers jumped to the ad network first. That put them into position to jump onto government and bank networks.


Yes, we need to run vulnerability scans inside the firewall

I got an innocent question last week. We’d been scanning an AIX server with Nexpose, a vulnerability scanner made by Rapid7, and ran into some issues. The system owner then asked a question: The server is behind a firewall, has no direct connection to the Internet, and holds no data itself; it’s just a front-end to two other servers. Is there any reason to scan a server like that?

In my sysadmin days, I asked a similar question. Nobody could give me an answer that was any better than “because reasons.” So I’ll answer the question and give the reasons.


How to become an Info Assurance Analyst

So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. I think you should want to become one, so here’s how to become an Info Assurance Analyst.

The field desperately needs more of us, so I’m happy to share with you how to become someone like me.

Anthem, HIPAA, and encryption

Late last week, the Wall Street Journal reported that Anthem wasn’t encrypting the database containing tens of millions of health records that were stolen by sophisticated hackers.

There are numerous problems with that story, the first being that we don’t know yet whether the data was encrypted. There are other unconfirmed reports that say the attackers used a stolen username and password to get at the data, which, if true, likely would have let them decrypt the data anyway.

Still, I’m seeing calls now for the government to revise HIPAA to require encryption, rather than merely encourage it. And of course there are good and bad things about that as well.
