vulnerability

Bash is worse than heartbleed! Oh noes!

Dave Farquhar security , , , , , , , , , ,

A really bad remote code execution bug surfaced yesterday, in Bash–the GNU replacement for the Unix shell. If you have a webserver running, or possibly just SSH, it can be used to execute arbitrary code. It affects anything Unixy–Linux, BSD, Mac OS X, and likely many proprietary Unix flavors, since many of them have adopted the GNU toolchain.

This could be really bad. Some people are calling it potentially worse than Heartbleed. Maybe. I’m thinking it’s more along the lines of MS08-067. But there’s an important lesson we must learn from this. Read more

More Home Depot details emerge

Dave Farquhar security , , , , , , , , , , , , , ,

Late last week, Home Depot finally released a statement about its data breach. At least they had the decency to call the attack “custom” and not spin it as “advanced” or “sophisticated.” Even “custom” is really a euphemism, as the attack wasn’t all that different from what other retailers experienced earlier in the year. It may have been as simple as recompressing the BlackPOS malware using a different compression algorithm or compression ratio to evade antivirus.

The breach involves about 56 million cards, making it a bigger breach than Target.  Read more

MS14-045 isn’t a reason to stop patching

Dave Farquhar security

Last week, Microsoft issued a patch to address a kernel vulnerability in Windows. Then, three days later, they pulled it due to the patch causing blue screens of death and endless reboot loops. Not good.

Predictably, some people are asking whether they should apply security patches.

Of course I say yes. Here’s why, and more importantly, how. Read more

USB malware: What you need to know

Dave Farquhar security , , , , , , , , ,

Tomorrow morning on Fox 2: How this USB drive could be worse than the worst malware you’ve ever imagined!

Yes, when a security vulnerability hits TV news, it’s a big deal. It’s probably also sensationalized. And it’s not time to panic yet. Read more

I don’t want my light bulbs on the Internet

Dave Farquhar security , ,

I heard this week that the first vulnerability in smart light bulbs has been discovered–they can leak your wifi password.

I suppose I can take comfort in the cost of the bulbs–they cost $129, which means not a lot of people will have them, in a world where people complain about paying $5 for an LED bulb. Then again, for $129, I think it’s reasonable to expect a little bit of security. This isn’t a $15 router with a $2 profit margin. To its credit, the manufacturer immediately issued a patch to fix the vulnerability.

The problem with devices like these with security vulnerabilities is that they will be around a very long time. Read more

The Tampa Post on “Windows Service Center” scams

Dave Farquhar scams , ,

The Tampa Post’s technology Q&A columnist received a letter this weekend (toward the bottom of the link) about Windows tech support scammers. From the article:

The people performing the hoax sound remarkably professional and officious.

Depending on what you say to them, results vary a lot. When they call me, they’re anything but professional. Especially lately. They seem to be OK when they don’t think they’re talking to a computer professional. Mention that you do this for a living, that you have an advanced certification, or that you wrote a book, and they turn vicious fast. Read more

The browser tradeoff

Dave Farquhar security, Software , ,

I probably ought to know better than the venture into the topic of web browsers by now, but since I stepped into it Friday, I guess there’s no point in staying in the shallow end.

The problem with web browsers is that they all require you to trade one thing for another, and if anything, that’s more true today than it ever has been before. Read more

Microsoft was wrong whether it patched XP this time or let it burn

Dave Farquhar security, Windows , , , , ,

Years ago I heard a joke that reminds me of the situation Microsoft found itself in last week with its latest IE vulnerability:

If a man is alone in a forest, and there’s no woman there to hear him, is he still wrong?

I was as shocked as anyone when Microsoft released just one last Internet Explorer patch for Windows XP on May 1. I can argue either side of the issue, but I don’t think I can argue either side convincingly enough to get a simple 50.1% majority of people to agree with me, because I’m not sure I can argue either side of the issue convincingly enough that Iwould agree with myself.

I think it’s important that 26% of all web traffic is still coming from Windows XP today, nearly three weeks after it went end of life. That likely played into the decision. Microsoft was in a no-win situation here, and they had to decide whether they wanted to lose 1-0 or 24-1. So I don’t think it matters all that much, but here are the pros and cons of each side, as I see them. Read more

The publicity around security is a good thing

Dave Farquhar security , , , , , , ,

On one of the podcasts I listen to, two of the hosts questioned whether the publicity around recent security vulnerabilities are a good thing.

As a security professional who once studied journalism, I think it’s a very good thing, and it’s going to get better. I liken it to the rise of computer virus awareness. Read more

Passwords you need to change in Heartbleed’s wake

Dave Farquhar security , ,

Heartbleed, a serious vulnerability in a piece of Internet backend software called OpenSSL, is the security story of the week. Vulnerable OpenSSL versions allow an attacker to see parts of a web session they aren’t supposed to see, including passwords in transit.

Timing is critical. If a site upgrades to a new version after you change your password, you have to change your password again. That’s why some experts are saying to wait, and others are saying change right now.

Here’s a list of sites that are affected or potentially affected. My recommendation: Change any passwords for any sites on this list listed as affected. Hint: Yahoo, Google, and Facebook are on the list. If at any point in the near future you get e-mail from them saying you need to change your password, change it again.

To clarify: Changing your password right now won’t hurt, but it might not be enough either. To be safe, you may end up changing some passwords twice, so be ready for it.

Another clarification: If you’re using 2-factor authentication, don’t bother changing the password. An attacker has to catch the password after it’s been sent, but if you’re using 2-factor, you’re not sending the password (you’re sending other stuff–and that stuff changes to prevent replay attacks), so you’re good.