- Impact: How prevalent it is; in other words, how many systems and services, and how many users, are potentially affected.
- Severity: How much damage it can do; what it is capable of giving away or exposing, and to whom.
- Difficulty: How hard it is to exploit; whether you need special access or knowledge, etc. This also includes whether an exploit has already been made available "in the wild".
Friday, April 18, 2014
Tuesday, April 15, 2014
Heartbleed - the most dangerous bug you will see this year - and the emails coming out from companies are almost criminal.
Simply put, the problem is/was with the OpenSSL library. OpenSSL basically sits between the kernel and the server (remember, the server is SOFTWARE, not HARDWARE). When the overflow request arrives, OpenSSL dumps memory as the output. Because you are not hitting the server itself, the server is not logging the request: your web server, your FTP server, or your SSH server is not seeing it, and since it is not seeing it, it isn't logging it. The kernel is seeing it, but under 99.999% of scenarios it doesn't log what it sees at this level, so it doesn't log it either. Get details at many locations. One such location is http://en.wikipedia.org/wiki/Heartbleed#Claims_of_possible_knowledge_and_exploitation_prior_to_disclosure; another is http://heartbleed.com/
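The memory dump described above comes from one unchecked length field in the heartbeat message. As an added example (not from the original post and not OpenSSL's own code), this Python check flags a heartbeat record whose declared payload length cannot fit inside the record body, which is the same condition the patched library rejects; the two sample records are constructed, not captured traffic.

```python
"""Heartbeat record sanity check (added example, not from the original post).

A TLS record is: content type (1 byte), version (2), length (2), body.
A heartbeat body is: message type (1), payload_length (2), payload, padding (>= 16).
Heartbleed: the server trusted payload_length and copied that many bytes back
without comparing it to the real record length, so the copy ran into memory
past the end of the message.
"""
import struct

HEARTBEAT_CONTENT_TYPE = 0x18
MIN_PADDING = 16


def parse_heartbeat(record: bytes):
    """Return (declared_payload_len, body_len), or None if this is not a
    complete heartbeat record."""
    if len(record) < 5:
        return None
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return None
    body = record[5:5 + length]
    if len(body) != length or len(body) < 3:  # truncated or empty record
        return None
    _msg_type, payload_len = struct.unpack("!BH", body[:3])
    return payload_len, len(body)


def is_malformed_heartbeat(record: bytes) -> bool:
    """True when type (1) + length (2) + declared payload + padding (16)
    exceeds the record body: the bounds check the fixed library performs."""
    parsed = parse_heartbeat(record)
    if parsed is None:
        return False
    payload_len, body_len = parsed
    return 1 + 2 + payload_len + MIN_PADDING > body_len


# Constructed samples: record header, then type=1, declared length, "hello", 16 bytes padding.
BENIGN = bytes.fromhex("18 0302 0018  01 0005 68656c6c6f" + " 00" * 16)      # declares 5 bytes
MALFORMED = bytes.fromhex("18 0302 0018  01 4000 68656c6c6f" + " 00" * 16)   # declares 16384 bytes

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, "FLAGGED" if is_malformed_heartbeat(rec) else "ok")
```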
So, what kind of FUD and disinformation is out there... let's see:
- Change your password. While it is good to regularly change your password, to have distinct passwords for each service, and all that, this is NOT the first line of defense that people should be taking. This is the equivalent of putting your stack of $20 bills on the front seat of your 1967 Mustang convertible, making sure the windows are up and the doors are locked, and then walking away. Did you make sure the top was up? NO. Therefore, the bad person reaches over the window, takes your $1,240, and laughs and laughs and laughs. The first thing you should do is make sure that the server has been patched and is no longer vulnerable. Once that has happened, then change your password, make sure that each service has a distinct password, use multiple forms of authentication, and do whatever else will ensure that you can sleep at night knowing that your Facebook, Twitter, or email account is safe and secure.
- "Currently, we have no indication that any of customers' information was compromised." Of course they don't. Nice marketing; it doesn't mean squat and in fact is misleading almost to the point of criminal.
Wednesday, February 26, 2014
Annapolis, MD – February 21, 2014 – The Chesapeake Regional Tech Council (CRTC) today announced the finalists for the upcoming 9th annual TechAwards 2014: Get in the Game, honoring the region's rising tech companies, outstanding innovators and all-around top "geeks."
The Tech Company of the Year Award is awarded to an enterprise that has proven its dedication, vision and ability to work with a sustained, strategic business plan and to steadily grow into a prominent player in the Annapolis-Washington-Baltimore tech industry. Finalists include:
Wednesday, July 17, 2013
Who talks about your work?