Author Archives: Tom Henderson

The loss of net neutrality: Say goodbye to a free and open internet

Update May 17, 2018: Following the U.S. Senate’s 52-47 vote to reinstate net neutrality rules, U.S. Rep. Mike Doyle (D-Pa.) announced the House of Representatives will attempt to also force a vote on the issue under the Congressional Review Act (CRA). “I have introduced a companion CRA in the House,” Doyle said during a press conference yesterday, “but I’m also going to begin a discharge petition, which we will have open for signature tomorrow morning. And I urge every member who supports a free and open internet to join me and sign this petition, so we can bring this legislation to the floor.” To force a vote in the House, the petition needs 218 signatures. The Democrats hold only 193 seats there, so they need 25 Republicans to switch sides.

REVIEW: Mojo wireless intrusion prevention system

Network managers don't need a primer on the threats that could befall their networks, from man-in-the-middle threats from rogue APs to the global ransomware epidemic. It's a bad situation that shows no signs of improving any time soon. It's not surprising, then, that Wireless Intrusion Prevention Systems are becoming increasingly popular. (Insider Story)

Intel sold you out

There should be prizes for this. Let’s call them The Oopsies. The most bafflingly easy servers to hijack turn out to be those running Intel’s Active Management Technology (AMT). People warned me about this, and I pooh-pooh’d it. Please hand me a scraper so that I can wipe the egg off my face. The servers are so wickedly simple to jack that a third-grader can log into them and merrily do essentially root damage.

+ Also on Network World: The insecurities list: 10 ways to improve cybersecurity +

That the largest server CPU provider on earth doesn’t fall all over itself in sincere apologies (United Airlines gone wrong?) doesn’t surprise me. No one falls on their sword anymore. No one takes product managers out behind the cafeteria and strips the access key fob from the management toy room. It’s all just jolly. Oops. Sorry, folks.

Security certificates gone wrong

Security certificates are designed to authenticate hosts. Browsers have become pretty good about understanding chains of authorities, and making users accept the risk when websites can’t prove the chain of authorities needed to verify they are who they say they are. Sites masquerading as legitimate sites, however, employ sad little tricks, such as “punycode”—URL links embedded in otherwise official-looking phishing emails. These tricks are malicious. There are also sites that should be well-administrated but are not. Then there are sites, important sites, that botch their own security with certificates ostensibly granted by places such as the U.S. Department of Homeland Security (DHS).

Virtual assistants hear everything, so watch what you say. I’m not kidding

The law of unintended consequences is once again rearing its ugly head: Google, Apple, Amazon and others now make virtual assistants that respond to commands, and recordings can trigger them. Burger King found out how, via a radio commercial, it could get Google’s attention. It produced an ad designed to trigger Google Home to advertise the Whopper. The ad featured a Burger King employee saying, “OK, Google. What is the Whopper burger?” The Google Home device would then read the Wikipedia definition of a Whopper. The trigger stopped working a few hours after the ad launched.

The IoT of bricks: Someone is bricking insecure IoT devices

I can’t justify the vigilantism, but someone is bricking vulnerable IoT devices. I ponder the morality of it all. It’s called BrickerBot. It finds IoT devices with dubious security and simply bricks/disables them. Insecure dishwashers, teapots, refrigerators, security cameras—all become part of vast botnets. The botnets can do many things, and we’ve seen them become the armies behind the largest internet attacks in history. How to cleanse these devices has become the crux of many cries, including numerous ones in this space.

Linux Mint 18.1: Mostly smooth, but some sharp edges

We’ve been fond of Linux Mint for its ability to present a friendly interface to the average end user, while having a stable foundation of Debian and Ubuntu underneath. In this review, we looked at Linux Mint 18.1, dubbed Serena. We found a solid operating system that can run into problems in edge case scenarios. (Insider Story)

10 practical privacy tips for the post-privacy internet

ISPs and providers can now sell your data and browser histories. The U.S. Congress sold you out. If you had any browsing dignity, you don’t now. Too bad you couldn’t pay the legislators as much as the data wolves. You should have been doing these things all along, but now it’s time to decide just how much dignity you have. Most of you won’t bother. This isn’t for you. Click away, and go surf. For those remaining, take these privacy tips seriously.

1. Educate yourself about cookies and clean them out regularly

For some of you, this means a daily cleanout. What you DO NOT clean out (doing so will cause you hassles) are cookies associated with financial institutions. They will put you through a drill when they don’t find the cookie that they like. Scrape them. Every browser has the ability to do this, with Chrome being the most difficult. But we’re not surprised because it’s from Google—the company whose very life depends on knowing information about you.

The insecurities list: 10 ways to improve cybersecurity

A friend asked me to list all of the cybersecurity things that bug me and what he should be diligent about regarding user security. We talked about access control lists, MAC layer spoofing, and a bunch of other topics and why they mattered. You should come up with a list of head-desk things. After a bit of thought, here’s a list. It’s by NO means comprehensive, and it’s not an organized best practices document. Instead, these are marbles that roll around in my head and bother me a lot.

1. Ban and route to null t.co, bit.ly, and other URL shorteners

Why? Especially in phishing emails, a user has no idea where the link is going, what’s behind that link, or what kind of benevolent or conversely malicious payload is going to load in the default browser. Sure, your anti-malware or antivirus tool, or even the browser’s own instinct, might prevent a page load that opens a back door into your network. Maybe.

Pwn2Own 2017: Your stuff as mincemeat

They came from miles around to carry out a hallowed, decade-long mission: To eat your lunch. The security researchers assembled at the Pwn2Own 2017 hacking competition, sponsored by Trend Micro, and occasionally grouped together, then performed essentially zero-day exploits (at least by the rules, heretofore unknown) on your favorite stuff, such as Windows, macOS and Linux. Smoldering pits in the screen were left, as teams collected cash prizes and creds.

RELATED: How San Diego fights off 500,000 cyberattacks a day

For giggles and grins, a Type 2 hypervisor, VMware Workstation, was also left for shrapnel, one of the first times a hypervisor has been penetrated by a virtual machine in this way. It wasn’t a cascade effect, but rather a shot across the bow. I suspect there are more ways to penetrate a foundational hypervisor, too, but they haven’t been seen in captivity to my knowledge.

After the WikiLeaks dump: Do nothing

You heard it here first. Don’t do a damn thing in response to the WikiLeaks dump that you’re not already doing. Don’t sit still, be vigilant, keep your eye on the targets. Because this isn’t news. What? Not news?!? No. Between the three-letter agencies, if they want you, they have you. They’ll find a way. It’s a matter of time. But they’re largely ahead of the ne’er-do-wells. You should expect this.

+ Also on Network World: Apple, Cisco, Microsoft and Samsung react to CIA targeting their products +

If hardware and device makers gasp that their stuff is crackable, it’s only time to snicker. Nothing is foolproof because 1) fools are so ingenious and 2) with a big enough hammer you can crack anything. Even you. You are not impregnable. It’s a matter of degree—and if you can detect the breach quickly.