About: Steve Shead

Website

http://www.steve-shead.net

Profile

I am the I.T. Director and Information Security Officer for an ecommerce / retail company. I'm also a graphic designer; musician; martial arts instructor; pilot and all around creative genius.

Posts by Steve Shead:

    BIND 9 Resolver crashes after logging an error in query.c

    Here’s some news: CVE-2011-4313, with a severity rating of 7.8. BIND 9 Resolver crashes after logging an error in query.c. Here is the original post: http://www.isc.org/software/bind/advisories/cve-2011-4313.

    Here’s the description:
    An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached. At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.

    Easy fix? Upgrade BIND to one of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1 or 9.4-ESV-R5-P1.
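    As an added example (not from the post or from ISC), here is a small Python check that parses the version string reported by named -v and compares it against the four patched versions listed above, so a fleet of resolvers can be audited against this advisory. The branch keys, the tolerance for vendor build tags and the sample named -v lines are my own assumptions and constructed data, and a later release within a listed branch is assumed to retain the fix.

```python
import re

# Minimum fixed (release, P-level) per BIND branch, taken from the patched versions
# quoted in the post: 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.4-ESV-R5-P1.
# Branch key is (major, minor, is_esv). Assumption: later releases in a branch keep the fix.
PATCHED = {
    (9, 8, False): (1, 1),
    (9, 7, False): (4, 1),
    (9, 6, True): (5, 1),
    (9, 4, True): (5, 1),
}

# Anchored at the start only, so a vendor build tag after the version ("-RedHat-..." style,
# an assumption about packaged builds) is tolerated; any other trailing text is rejected.
_VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<patch>\d+))?"               # 9.8.1      -> release 1 of the 9.8 branch
    r"(?P<esv>-ESV(?:-R(?P<rel>\d+))?)?"   # 9.6-ESV-R5 -> extended-support release 5
    r"(?:-P(?P<plevel>\d+))?"              # -P1        -> security patch level 1
)


def parse_version(text):
    """Return ((major, minor, is_esv), (release, plevel)) for a BIND version string."""
    text = text.strip()
    m = _VERSION_RE.match(text)
    rest = text[m.end():] if m else text
    if not m or (rest and not rest.startswith("-")):
        raise ValueError(f"unrecognised BIND version: {text!r}")
    release = int(m.group("rel") or m.group("patch") or 0)
    plevel = int(m.group("plevel") or 0)
    branch = (int(m.group("major")), int(m.group("minor")), m.group("esv") is not None)
    return branch, (release, plevel)


def is_patched(version):
    """True/False against the advisory's list; None if the branch is not in that list."""
    branch, level = parse_version(version)
    if branch not in PATCHED:
        return None
    return level >= PATCHED[branch]


def check_named_v(output):
    """Classify the version in `named -v` output, which has the form 'BIND <version>'."""
    m = re.search(r"BIND\s+(\S+)", output)
    if not m:
        raise ValueError(f"no BIND version in: {output!r}")
    return m.group(1), is_patched(m.group(1))


if __name__ == "__main__":
    # Constructed sample `named -v` outputs, not captured from real hosts.
    for line in ("BIND 9.8.1-P1", "BIND 9.7.3", "BIND 9.6-ESV-R4-P3", "BIND 9.5.1-P3"):
        print(line, "->", check_named_v(line)[1])
```

    A result of None means the branch is not one of the four the advisory names, so the check says nothing about it.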

    Twitter and Legal Hacking

    I’ll admit I haven’t read through the whole article in the link below, but the government legally hacked someone? The fact that “legal” and “hacked” appear in the same sentence is a little concerning.

    That being said, it is feasible that there are times when something like this might need to happen (national security, etc.), and this was with reference to Wikileaks. But what rights do we really have? Are liberties taken, or do we even believe that the liberties should be taken?

    My thought is it can go either way, but if you are going to take away someone’s right to privacy, there had better be a darn good reason. That being said, I’ve heard talk that traffic traveling over an IP (what a concept) doesn’t belong to the person that is using the IP and therefore can be intercepted. Really? That’s a little low, don’t you think?

    Soapbox aside, like I said, this conversation could go either way. Here’s the link; see what you think about it, courtesy of the Guardian, UK.

    Adobe 0Day Update Tomorrow

    It appears Adobe is releasing an emergency update to Flash Player to fix a 0Day vulnerability. Announcing it tells more people about it; Catch-22, perhaps?

    Here’s the release from Adobe: http://blogs.adobe.com/psirt/2011/09/prenotification-security-update-for-flash-player.html

    …it never ends!

    UPDATE: It appears Google patched Flash for Chrome before Adobe patched their own! Interesting, since those that want to know what the vulnerability is could analyze the differences between the pre- and post-patch versions. Here’s the post from Larry Seltzer on PC Mag Security Watch.

    Mark Zuckerberg – The Social Network

    …just watched The Social Network, and here’s my synopsis, for what it’s worth.

    This was a story about two stuck-up, high-society snobs that couldn’t take the fact that a geek could put together a fully fledged idea. That idea wasn’t seeded by the twins’ idea. It was already set in his mind; he just needed the final piece of the jigsaw puzzle, and a conversation put that last piece in place. It wasn’t plagiarism, it was plain old thinking outside of the box. Zuckerberg is the genius, and the twins wanted to suck up from his idea. It’s not like they needed the money. I mean, really?

    To the episode with Sean (or was that Shawn?). Tell me, in all good faith, that you (the reader) hadn’t exercised bad judgement in your early years? That you hadn’t been influenced by someone you saw as a hero of sorts? I think Zuckerberg’s only issue was trusting a drug-taking smooth talker. That led him to a bad judgement call with regard to Eduardo and the diluted shares issue. Perhaps he wasn’t fully aware of what he was doing, who knows, but remember his age and the influences. Tell me you were infallible at that age. That being said, there was a positive spin to Sean (Shawn) being involved. It moved the company along with an angel investor and created the last piece of the puzzle that launched Facebook. Would that have happened anyway with Eduardo? Perhaps; maybe not so quickly, maybe not at all.

    How it played out: did he do the right thing? I think so, but the movie wasn’t going to give much of that process away. If the movie’s intent was to make Zuckerberg look like the villain, it failed. I saw a normal human being (well, uber intelligent, but geeky normal) at an early and impressionable stage of his life going through some ‘stuff’. Again, I defer to how good your judgment was at that age. I know mine was worse than Zuckerberg’s at that age.

    The twins got some cash; you have to know that was all it was about for them. Eduardo got recognition and cash (deserved, to be honest), and Zuckerberg went on to make it big. Damn fine show, I say, and good luck to him.

    Carpe Diem.

    2011 – Information Security Breaches

    2011 is turning out to be a bad year when it comes to the number of ‘records’ lost through security breaches. Searching around the web for information, I’ve found a lot of resources that give details, but this article from networknewz.com, posted by Joe Purcell, puts it into perspective in the first couple of paragraphs and has links to details on the breaches. Here are some of the breaches from 2011, from the post. For the entire list, with links to the details, go to the source of the article here:

    1.29 million Sega accounts

    100 million or more Sony accounts

    Potentially, the email accounts of over 2,500 companies serviced by Epsilon

    360,083 bank accounts at Citigroup

    280,000 accounts at Honda

    1.2 million accounts at the Texas Comptroller’s office

    114,000 accounts of iPad 3G owners

    40 million or more RSA SecurID tokens issued by EMC to over 30,000 companies and government agencies, including half of US banks that use SecurID tokens

    It’s quite scary to see not only how many user accounts are compromised, but also (not mentioned in this article) how long it has taken certain entities to get their infrastructure back online. One has to assume that the issues were massive for it to have taken so long, perhaps? (supposition)

    You also have to ask if these were preventable. By nature it’s almost impossible to stay one step ahead of attackers. With undisclosed vulnerabilities, let alone zero-day vulnerabilities, it is all you can do to follow the flow. Bearing in mind that the human factor is a huge influence in this field, it almost feels like herding cats while chasing your own tail.

    Readiness, red teams, constant self-assessments, audits, reaction drills, forensics: so much to be done with probably little budget, and sometimes little concern. I’ve said it a few times here: if we (security leaders) cannot convince senior leadership of the risk, should we be in that role? The variables are things like: it doesn’t matter how good you are, they still won’t listen. I guess then it’s time for a career change, or at least a company change? Do we (you) have the balls to escalate your fears to the board? Should you?

    For fear of rambling on, suffice it to say 2011 has been a bad year for breaches. Perhaps companies will notice now that you really do need to be aware and in control of information security to stand any chance of staying secure.