Skip to content
Home » vulnerability » Page 3

vulnerability

Droidpocalypse? Josh Drake says no.

Josh Drake, the researcher who discovered the Stagefright vulnerability in Android that lets an attacker hack into an Android device by sending a specially crafted picture or video in a text message, was on the Risky Business security podcast this week to talk about it. What he had to say was interesting.

Patrick Gray, the host, tends to be a pretty outspoken critic of Android and isn’t shy about talking up Apple. He tried to get Drake to say Android is a trainwreck, security-wise, but Drake wouldn’t say it. Drake actually went as far as to say he thinks Android and IOS are fairly close, security wise.

So why do we see so many more Android bugs? Drake had an answer.

Read More »Droidpocalypse? Josh Drake says no.

How to mitigate MS15-078 or future Microsoft font driver vulnerabilities

Microsoft rushed out an out-of-band patch, MS15-078, to deal with active exploits in their font driver yesterday. Since pushing out patches takes time, my boss asked me what we could do to mitigate the issue in the meantime.

The biggest threat, by far, is exploit-bearing fonts being downloaded from web sites. Ideally you only install trusted fonts from trusted sources locally on your workstations, right? If not, I suggest you start that practice as well.

You have a couple of options when it comes to blocking fonts in browsers.

Read More »How to mitigate MS15-078 or future Microsoft font driver vulnerabilities

Google’s migrating corporate apps to the cloud is less crazy than it sounds

Google is moving its corporate applications to the Internet. A year ago I would have said that’s the dumbest thing I ever heard. Today I’m not so sure.

Sticking stuff in the cloud is the popular answer to everything these days, and I just see the cloud as the new mainframe. It’s not a solution so much as a different take on the same problem, and while I see a couple of potential disadvantages, believe it or not I see some real advantages to the approach as well.

Read More »Google’s migrating corporate apps to the cloud is less crazy than it sounds

Three things to remember from Verizon’s Data Brach Investigations Report

Every year around this time, Verizon releases its Data Breach Investigations Report, referred to in the trade as simply the “DBIR.” Verizon is one of two companies you call if you’ve been breached and you really want to get to the bottom of what happened and try to keep it from happening again. (Mandiant is the other.)

My CISO hates this year’s edition because of its Joy Division-inspired cover and some of the cutesy writing. But it still makes some valid points that I wish everyone would take to heart–and those points remind me why so many people in my field of work listen to Joy Division.

Read More »Three things to remember from Verizon’s Data Brach Investigations Report

In defense of Anthem declining the OIG audit

Anthem recently refused to allow the Office of Personnel Management’s Office of Inspector General (OIG) to perform an audit of its networks. Coming on the heels of a large breach, there’s been a bit of an uproar about it.

There are a few things to keep in mind, the first being that this isn’t driven by law enforcement–it’s a customer requesting an audit.

Read More »In defense of Anthem declining the OIG audit

A watering hole attack example from the real world

You may have heard people like me talk about watering-hole attacks. It’s an indirect attack on someone by compromising a third party and using that to get in. Here’s a watering hole attack example from the real world.

In this case, back in November, attackers got a Forbes ad server, and from there, attacked visitors from government and bank networks.

Here’s the logic: Since ad servers tend to be much less secure than your target company, you compromise an ad server from a site someone on the target network is likely to visit, then infect them from there. The attackers jumped to the ad network first. That put them into position to jump onto government and bank networks.

Read More »A watering hole attack example from the real world

Yes, we need to run vulnerability scans inside the firewall

I got an innocent question last week. We’d been scanning an AIX server with Nexpose, a vulnerability scanner made by Rapid7, and ran into some issues. The system owner then asked a question: The server is behind a firewall and has no direct connection to the Internet and no data itself, it’s just a front-end to two other servers. Is there any reason to scan a server like that?

In my sysadmin days, I asked a similar question. Nobody could give me an answer that was any better than “because reasons.” So I’ll answer the question and give the reasons.

Read More »Yes, we need to run vulnerability scans inside the firewall

How to become an Info Assurance Analyst

So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. I think you should want to become one, so here’s how to become an Info Assurance Analyst.

The field desperately needs more of us, so I’m happy to share with you how to become someone like me.Read More »How to become an Info Assurance Analyst

Anthem, HIPAA, and encryption

Late last week, the Wall Street Journal reported that Anthem wasn’t encrypting the database containing tens of millions of health records that were stolen by sophisticated hackers.

There are numerous problems with that story, the first being that we don’t know yet whether the data was encrypted. There are other unconfirmed reports that say the attackers used a stolen username and password to get at the data, which, if that’s true, likely would have allowed them to decrypt the data anyway.

Still, I’m seeing calls now for the government to revise HIPAA to require encryption, rather than merely encourage it. And of course there are good and bad things about that as well.

Read More »Anthem, HIPAA, and encryption