Author Archives: Tom Henderson

Looking to 2017: It’s not just enterprise security

IoT, rotten home AP firmware, freaking Wi-Fi cameras: They’re all eating your lunch. Here’s an Advanced Persistent Threat notice: EVERYTHING AROUND YOU can give you a miserable day. It’s now entirely myopic, and hence irresponsible, to think there is such a topic as enterprise security because sadly video cams in Macedonia can give your hosting environment a DDoS headache. Poor TLS handshakes crack browsers open like an egg. Your router vendor had all of the hardening of a “fairy tap.” Remember those when you were a kid? A fairy tap was a gentle touch, designed to invade your space but do no damage. Now the damage is pOwn1ng your infrastructure. Or your business partner’s infrastructure.

2016: A systems security disaster

This will likely make you angry. It made me livid. It’s a 34-page report from the Identity Theft Resource Center of the known systems breaches just this year. Read it and rage. It does not include the San Francisco Metro Transit Authority (SFMTA) hack from Thanksgiving weekend, where the SFMTA had to let passengers go free through the gates.

10 reasons to divorce the cloud

For some companies, using cloud services isn’t what they hoped or expected it to be. Reasons like these might be enough to make them leave.

1. Your costs went out of control. This can be significant. Prices go up and go down. A new product gets introduced that might be more financially attractive—but only if you started from that point and not if you include the added cost of migration (documentation, security and other audit), not to mention re-budgeting and rate of return over the lifecycle of the data flows.

2. Security was tougher than you thought. You were probably smart and already had extensive key control, but perhaps your cloud vendor wanted it done their way. Asset control and the cost of embedding security control planes and audit infrastructure that duplicate data center standards created a duopoly of security infrastructure—perhaps both equal but not the same—adding to the costs of control, training, documentation, audit and more.

Your security mirages

Yes, I was hit last week. Forensics are in progress. I got doxxed, too. It has made me realize that most of systems security is an illusion. Here are my favorite alternate realities:

1. Everything is safe behind the firewall. Ever heard of UBFWI—as in User’s Been Fooling With It? While IDS/IPS and firewall networked technology has improved so vastly, there’s nothing like a user with an infected laptop to bring in a lulu.

2. Obscure operating systems never get hit. Hackers only go for the gold with Windows. Here, let me laugh out loud and roll on the floor. Mine was an obscure server version on an obscure branch of an obscure BSD limb. Listen to the sound of lunch getting eaten: mine. Chomp, chomp, burp.

When DR fails

Someone hacked into my main server. I have a small organization, and the server was an old Apple Xserve 10.6.7 chosen because it’s not the usual host. Now it’s time to scratch security through obscurity off the list. So let’s do a rudimentary recovery. Forensics will have to wait. I went to a hosting company to spin up httpd and mail. They’re already my registrar. Pretty big organization. And they don’t have 24/7 support. Since this happened on a Saturday, I was already in trouble. I chose one of their hosting plans. It costs a rudimentary $60 for a web server plus mail. It uses the famous cPanel hosting.

Improve IT security: Start with these 10 topics

You want to be more responsible about IT security in your organization, but where do you start? May I suggest your first step be understanding these topics more thoroughly. This list isn’t exhaustive. It’s only a beginning:

1. DNS and DNSSEC: The biggest games in cyber war are hitting DNS providers. DNS can be compromised in many simple ways, but Domain Name System Security Extensions (DNSSEC) thwarts these—at the cost of understanding how it works, how to deploy it and how it’s maintained. There are ways to understand if your own organization is threatened with DDoS attacks. Study them.

Murphy’s Law: The security version

Since the first of the month, I’ve heard colleagues and others report each of the 10 security variants to Murphy’s Law listed below. Murphy is not only alive but has been reincarnated. It’s worth reminding the gentle reader of various famous last words:

1. All documents will be out of date or simply missing. Documents will not be maintained. Documents will have pages missing. And authors shall be unavailable for any reason (deployed to Mt. Everest is preferred). No documents shall be in an understandable language, be edited, collated, or have referring URLs that do not 404, 401 or 5XX. Any good documentation shall be the only copy on a laptop that was stolen whilst unencrypted.

A breach alone means liability

Rich Santalesa, a programmer turned writer and lawyer, brought an interesting turn of events to my attention last week. We need to pay heed: A litigant can have standing in a U.S. Federal breach case where no personal fraud or identity theft has yet occurred. Usually, a litigant has to have suffered injury—a breach caused them identity theft or other fraudulent activity based upon information released in a security breach. This means if you’re cracked, you can be liable if personally identifiable information is released, exfiltrated, absconded, whatever. It also means that should you believe the axiom that currently most of us are hacked, we’re in for a litigious treat.

IoT: We’re serfs and pawns

There is a huge problem with the ugly Internet of Things (IoT). Many IoT thingies have the security of wet tissue paper, and they’re being used in large swarms and masses to wreak havoc. A colleague of mine, Stephen Satchell, says misbehaving IoT devices should bear the full brunt of the Consumer Product Safety Commission and be recalled, every last one of them. Recalled. Why won’t this happen? Let me speculate. It’s because our own government, that is to say the more covert parts of the U.S. government, has its own cadre of botnets and control vectors that allows them interesting windows into foreign lands.

The IoT is uranium

Does the thought of 600 Gbps-plus of traffic hitting your URLs excite you? Do you get tingles up and down your spine thinking about watching your line-of-business apps frying? Perhaps that wonderful text, where an alert from your financial processor says “We’ve gone black, again, and expect to be back online perhaps maybe possibly tonight,” thrills you. The Internet of Thingies (IoT) is actually nuclear, and we’ve witnessed the first use of a nuclear internet weapon. Brian Krebs’ Krebs on Security site was smashed. It could happen to you.
