Why every breach is different

I’ve grown used to being asked what unpatched vulnerability was used in the most recent breach, in an effort to make sure some other company is protected.

I appreciate the desire to learn from other companies’ mistakes and not repeat them. But there are several reasons why the answer to that question is complicated, and not necessarily helpful.


Port 2381: What it is and how to manage it

I was doing some scanning with a new vulnerability scanner at work. It found something listening on a lot of servers, described only as Apache and OpenSSL listening on TCP port 2381. The versions varied.

Luckily I also had Qualys at my disposal, and scanning with Qualys solved the mystery for me quickly. It turned out to be the HP System Management Homepage, a remote administration/diagnostic tool that, as the title says, lets you manage HP server hardware. It runs on Windows, Linux, and HP-UX.

Age of a vulnerability is not an indicator of future risk

I cited MS14-066, commonly known as Winshock, this week as a reason to take action on a server. Another stakeholder tried to argue with me. The vulnerability was very old, he said, years old, and hadn’t caused a problem yet.

He’s right. It’s at least 19 years old. But that’s merely interesting, not important.

What’s important is what’s possible now that people know how to look for it and how to exploit it.

Why Google ratting on Microsoft isn’t all bad

This week, Google published a vulnerability in Windows 8.1 after a 90-day countdown timer automatically expired. Microsoft has not yet released a patch.

Controversy ensued. Obviously, yes, an unpatched, well-known vulnerability in Windows is troubling. But the alternative is worse.


What is Winshock?

So the other day I got blindsided with a question at work: What are we doing about Winshock? Winshock? I asked. I had to go look it up, and I found that’s what they dubbed what I’ve been calling MS14-066, the vulnerability in Schannel, which is Microsoft’s implementation of SSL/TLS for Windows.

Based on that, I’d argue it has more in common with Heartbleed than Shellshock, but I guess “Winshock” is catchier than “Winbleed.”

Then the lead of another team asked me to brief his team on Winshock. I actually managed to anticipate all but three of the questions they asked, too, which was better than I expected. Some of what I shared with them is probably worth sharing further.


This should go without saying: Upgrade your WordPress!

Apparently, 86% of WordPress blogs haven’t been upgraded yet to version 4.0 or 4.01, because they are vulnerable to a terrible cross-site scripting vulnerability.

If you’re reading this, and you have a WordPress blog, go update it. This post will still be here when you’re done.

Retracing the Home Depot attackers’ steps

New details emerged on the Home Depot attack that left 56 million consumers with compromised credit cards. The interesting thing in the new details is that it could have been much worse, but maybe not for reasons immediately obvious.


How to succeed as an IT contractor

I met a young IT contractor a little while back. His talent was sky high. So was his potential. And his rawness. It’s not my place to go into great detail about that rawness, but one thing I noticed about him was that he had a very self-defeating attitude about him. It shouldn’t have been hard for him to succeed as an IT contractor, but he was his own worst enemy.

Several times he started a statement with, “If I don’t get fired,” or something to that effect.

It occurs to me that perhaps my experience as a contractor would be helpful.


CMD.EXE and its shellshock-like qualities

“So did you know there’s a Windows version of Shellshock?” a coworker asked the other day.

“What, Cygwin’s bash?” I asked.

“No, in CMD.EXE.”

I thought for a second, back to some really nasty batch files I’ve seen that do goofy stuff with variables and parentheses and other reserved characters. Suddenly it made sense. Those cryptic batch files are exploiting the command interpreter to do things that shouldn’t be done. Then I smiled.


The Legions of Doom come after a server

I’ve been after this guy to patch his server for a few weeks. He keeps getting sidetracked, which is understandable, but there are ways to deal with that.

Last week, we started getting close to getting it done. On Friday, the plan was together and it was almost ready to go. All we needed was to get final approval on the plan, get a change control in place, and then the work would be scheduled and we’d have a commitment and a set date where the work would be done. And that would end the sidetracks.

Then, on Monday, someone asked me if he was out of the office. He hadn’t said anything about going on vacation, but, indeed, he had an out-of-office autoreply set. Among other things, it said that super heroes need vacations too, and if the Legions of Doom are attacking, to contact this other guy.