Archive of posts filed under the General category.
SMBv1 isn’t safe
Long before WannaCry used a recently patched Microsoft vulnerability to exploit machines, the recommendation was to disable SMBv1. Disabling old protocols isn’t sexy. You’re breaking things, and not introducing new features. You’re fixing theoretical future attacks. Perhaps the willingness to take on this challenge is a good measure of the maturity level of …
Battery Backup PSA
One of the better things you can do to protect the money you spend on electronic devices is to have a good surge protector and battery backup. If you’re like me, you only buy the kind where you can disable the audible alarms. The problem with this is that now you might not get any warning if …
Password Expiration
FTC Chief Technologist Lorrie Cranor wrote in March that it is time to reconsider mandatory password changes. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. (And even if a password has been compromised, changing the password may …
IRS Phone Scams
I received the following voicemail on my home number today. “The reason of this call is to inform you that the IRS is filing lawsuit against you to get more information about this case file. Please call immediately on our department number 347-637-6615. I repeat 347-637-6615. Thank you.” While tax season is the high season …
Vulnerability Scanners and HTTP Headers
This week Tenable released a new “plugin” (what they call a vulnerability detection) named “Web Server HTTP Header Information Disclosure”, plugin id 88099. Even though the title itself says it is only an information disclosure vulnerability, they rate this a medium. In my environment that means we need to address it. I think it’s a …
Community Channel’s Natalie Tran on Password Policy
The Case of the missing 5 hours
I had some Windows 2008 R2 servers in Amazon AWS EC2. To save some money, they were turned off when they weren’t needed. I noticed when I did boot them that they had some time issues, apparently jumping from Eastern US time to UTC for a while before switching back. It seems when …
Bitlocker encryption bypass
Management types are always trying to push BitLocker rather than third party encryption because it’s free. “Free” as in, “included in Windows Professional/Enterprise”. They never consider the less obvious costs in usability and to the helpdesk. The Windows guys would even team up with the management types complaining that non-Microsoft full disk encryption …
LogMeIn Buys LastPass
I was just recommending LastPass on a corporate Chatter. Then I read that LogMeIn has bought LastPass. LogMeIn isn’t one of my favorite companies. IIRC, it is quite impossible to block LogMeIn’s enterprise security circumventing product without also blocking remote support sessions. This is because they use the same servers for each. GoToMyPC on the other …