Author Archives: Tom Henderson

Getting a handle on spam emanating from generic top-level domains

Since I posted my tome about the generic top-level domains (gTLDs), I’ve received mostly bouquets. A few brickbats were also metaphorically hurled through the window. I’m disturbing business models fostered by the new gTLDs. A lawyer who doesn’t want to be named just threw a tort across the transom. It ended up as junk mail, but I fished it out and responded.

Shifting the cost of security

If you deal with enterprise systems security, you likely have an idea what your annual expenditure for security and forensic security is. It’s huge. It’s a time and resource suck like few others. The licensing costs will vary, but they’re a considerable fraction of most organizations’ annual IT spend. Ready-made modular costs are platform-dependent. In Windows, it might be a framework from Symantec, Intel Security, or a host of others. Integration into Active Directory isn’t so much difficult as it is tedious. If you start or add Linux, the cost shifts towards any number of frameworks that require at least a moderate amount of labor costs in customization, maintenance and ongoing platform mods.

The new internet domains are a wasteland

The many new DNS top-level domains (TLDs) were heralded as a way to take pressure off the older DNS TLDs. It seems, however, the new TLDs are almost uniformly the source of spammers and malware launchers. There might be valid web resources in the new TLDs. They seem rarely referenced beyond a handful of sites, though, as .com, .org, .net and even .co have common usage aside from country-specific addresses such as .us, .uk, .de, .jp, etc. But .xyz? Spam. I get about four dozen spam emails from that domain most days. The .click TLD? I’ve gotten about 400 embedded malware emails from there so far this year. Then there’s .xxx, .website and dozens of other new TLDs that are nothing more than difficult-to-block and nearly-impossible-to-kill spam/malware sources. It’s frustrating, and admins don’t have much chance to stanch the spam.

LinkedIn: Microsoft’s acquisition could open a box of trouble

A Pandora’s box (pardon the pun) will open when Microsoft closes on its recently announced acquisition of LinkedIn. Make no mistake; this is about a huge resource pool of both data and client prospects. It’s also many eggs in one basket. LinkedIn is underdeveloped. It has not been mined, nor has it been very creative. Yes, there are many vanity things one can do: list accomplishments, rally the troops, promote business and prospect—actual B2B can start there. But there’s no mechanism for fulfillment at LinkedIn that doesn’t include LinkedIn in terms of promotion.

Mea culpa: Docker’s security tool and Black Duck’s Security Checker are NOT the same

It pays to look deeply, and I didn’t. I apologize. Some days, I make mistakes. Further education says Black Duck Software’s Security Checker and the Docker Cloud Security Scanning tool aren’t the same thing. Both check vulnerabilities with the CVE database—in a quest to match inflated Docker container problems—and rate containers based on the severity of vulnerabilities and the number found. These two tools (and there are others) are designed to load and parse Docker images and run a manifest against CVEs. Here’s where things largely diverge. Note also that there are other container security tools available, and I’ll get to them in a subsequent blog post.

Walks like a Black Duck: Docker’s security teaseware tool unmasked

I read of Docker’s announcement June 6, about a new security vetting online tool for its containers. Yes, it’s a step forward. But it’s not Docker’s. Last week, I received a briefing and did a proof-of-concept test on another SaaS container-checking tool, Black Duck’s Security Checker. Hmmmm. Docker’s tool quacks like a Black Duck. After some quick queries, I confirmed that these tools are indeed the same. The short of it is this: there are two SaaS front ends pointing to the same tool—Black Duck’s Hub product, which vets, among other things, Docker containers. You get three free tests at Black Duck. However, at Docker, it’s FREE-AS-IN-BEER until Aug. 1, 2016. You pick. It’s subscription-only afterwards, unless the model changes.

Credibility and trust: Microsoft blows it

On the surface, Microsoft has yielded to turns in the market more rapidly. But now they’ve blown it, pushing back increased trust and credibility, perhaps years, and for an inane reason: shoving Windows 10 down users’ throats. It’s a fine operating system. It has the madness of near-malware ads now sewn into it, and damnable tracking—with no publicly vetted method of preventing adware malware. Yet it’s more stable than Windows 7, it’s nicer to use than Windows 8-something, and it’s a great price model. That is, it’s a great price model until you get to this point: allowing users to reject it, for whatever reason they want. Foisting it upon them is boorish. Citations of “quit bitching” don’t acknowledge that the current trust for Microsoft is still really tenuous.

Zombie servers will kill you

You thought it was buried. You forgot. Someone didn’t document it. A ping sweep didn’t find it. It lay there, dead. No one found it. But there was a pulse: It’s still running, and it’s alive. And it’s probably unpatched. Something probed it long ago. Found port 443 open. Jacked it like a Porsche 911 on Sunset Boulevard on a rainy Saturday night. How did it get jacked? Let me count the ways. Now it’s a zombie living inside your asset realm. It doesn’t matter that it’s part of your power bill. It’s slowly eating your lunch. It doesn’t matter that you can’t find it because it’s finding you. It’s listening quietly to your traffic, looking for the easy, unencrypted stuff. It probably has a few decent passwords to your router core. That NAS share using MSChapV2? Yeah, that was easy to digest. Too bad the password is the same as the one for every NAS at every branch from the same vendor. Too bad the NAS devices don’t encrypt traffic.

Comcast shouldn’t buy any companies until it fixes its core competencies

Today I’m confronted with the possibility that Comcast may buy DreamWorks. This should be banned. Why? Last Thursday, I called Comcast to move my service. No matter that I’ve had Comcast on and off (no pun intended) since 1998. Disregard the numerous complaints to the Indiana Utility Regulatory Commission regarding the company’s service, billing, infrastructure problems and varying forms of incompetence. During call #1, the over-eager customer service agent (CSA) disconnected my service then and there, and thus also terminated my call, as it was over Skype.

U.S. government data security is an embarrassment

The U.S. spends a lot of money—Congressionally encumbered funds, but also unknown/untold amounts of money on its domestic, international and military-based espionage and intelligence activities. You’d think the U.S. was getting a good deal. Yet its citizenry is being robbed blind—and frequently. A mysterious hacking group, APT6, has been noodling around inside our infrastructure for years undetected until recently. This is to say: the greatest “superpower” on planet Earth has let the Office of Personnel Management (OPM), IRS and only heaven knows what infrastructure get cracked open like an egg. Your data, my data, yes, our information assets are in some cache resting in some dark data center somewhere—but not in the original spot where it belonged.

UPDATE: UL responds to blogger’s criticism

UPDATE: Underwriters Laboratory has requested comments, which are appended at the bottom. Today, Underwriters Laboratory announced the UL CyberSecurity Assurance Program. I won’t call it an oxymoron, but I’m deeply worried about it. While I have faith in UL, I’m not sure if they realize the breadth and depth of what they’re getting into. UL is the reason there are only small holes in appliances and CE gear. Why? So an average toddler can’t stick something inside and become electrocuted. UL helps product vendors have liability insurance within sane ranges. They promulgate standards that vendors are responsible to adhere to for insurance’s sake. Test labs do the rest, ensuring that First Article Samples (and then, perhaps subsequent production samples) of products adhere to a bevy of standards—all designed to make products safer but at least insurable.

Underwhelmed by UL’s announcement

Today, Underwriters Laboratory announced the UL CyberSecurity Assurance Program. I won’t call it an oxymoron, but I’m deeply worried about it. While I have faith in UL, I’m not sure if they realize the breadth and depth of what they’re getting into. UL is the reason there are only small holes in appliances and CE gear. Why? So an average toddler can’t stick something inside and become electrocuted. UL helps product vendors have liability insurance within sane ranges. They promulgate standards that vendors are responsible to adhere to for insurance’s sake. Test labs do the rest, ensuring that First Article Samples (and then, perhaps subsequent production samples) of products adhere to a bevy of standards—all designed to make products safer but at least insurable.

Hyper-connected cars can drive you to paranoia

This sounds like an ugly thing for a ham radio operator and director of a community radio station to say but: Clip your car’s antenna. Or stuff a wad of chewing gum into your car’s USB port, and perhaps its OBD2 port. Enough is enough. As Andy Greenberg of WIRED wrote of a US DOT Public Service Announcement, “it is important that consumers and manufacturers maintain awareness of potential cyber security threats” to their now hyper-connected cars. There are likely two antennas, one for radio and one that connects your car to a third-party monitoring system. On-Star, if you have it, is tracking your every move. Do they give information to the NSA? Consider that the NSA probably already gets such cell-phone transmitted information anyway. GM cars have it, and many other cars have their own in-vehicle two-way monitoring systems.

Setting the scene from RSAC 2016

Among the waves of noise, mutterings of threats, analysis, BYOD demands, the Great Fear of IoT, and the hyper-ptui of sales blather, I saw something at RSA. Call it a security crocus, that first brave flower of people paying attention. There are a smattering of hardened security professionals at RSA. They’ve seen it all, watched as secure data was opened like a can of old anchovies, and smelled just as bad. You can see it in their eyes, mostly: Skepticism mixed with scar tissue, thick skin, and I-told-you-so, with a short attention span and nary a smile.