Tagged: vulnerability

03 Dec 2019

VNC Client and Server Software Vulnerabilities Found

The Hacker News reports that dozens of new VNC client and server vulnerabilities have been found in the open source versions of the tools used by IT departments all over the world. If you are like me and think “VNC, who uses that any more?” then you should go check out a YouTube video by Tobias Mädel where he connects to open VNC servers all over the internet. Sure, the video is from 2015, but when you think about how slowly industrial plant management software and device firmware gets updated, you can bet money that there are still plenty of open VNC servers running and accessible.

The moral of the story? Don’t expose critical systems and services (like RDP and VNC) over the internet unless it is absolutely essential. If it is essential, and you can’t put them behind a VPN, then you had better use a very strong and complex password to secure the access. Even with a VPN you should do that. Lastly, you need to make sure you and any vendor you are purchasing software and devices from have a strong policy of pushing out updates any time a vulnerability is found. You can’t afford to wait five years for an update when your chemical plant control system is left completely exposed on the internet through remote access software flaws.

13 Nov 2019

The End is Nigh! Time to Ditch Windows 7 Now

ITWorld has a very interesting long running series of articles chronicling the slow but steady demise of Windows 7 and the slow but steady rise of Windows 10 in terms of market share. Come January 14th 2020, Windows 7 support will officially end (unless you want to keep paying Microsoft for security updates on a per PC basis) and you will no longer get all of those critical updates needed to keep your organization secure.

What amazes me about the whole process is the prediction by Net Applications that Windows 7 may retain 10+ percent market share well into 2022, long after support has ended and almost every known flaw will be easily exploitable. Don’t get me wrong, I know firsthand how painful it can be to update and replace thousands of physical PCs to get rid of an old OS, but as hard as that may be, it is well worth it. In my own experience, the reduction in vulnerabilities just from going from a fully patched version of Windows 7 to a fully patched version of Windows 10 will make a world of difference on your audit scorecards.

Please do you and your organization a favor and move to Windows 10 now. You will be happy you did and it will allow you to sleep better at night.

11 Nov 2019

Python Overtakes Java

InfoWorld has an article about the Python programming language overtaking Java in terms of popularity on GitHub. 15 years ago I was taking computer science classes primarily focused on Java development, and now Java, which was touted as the programming language to end all languages for cross platform application development, has been eclipsed. I’m not particularly sad to see it get knocked down a notch. Java has always been notoriously buggy and full of vulnerabilities. It has been the bane of IT managers worldwide since its inception, causing audit findings because older versions are required to run certain applications, because there are new zero day vulnerabilities, and because vendors’ Java coding practices have been less than optimal. Throw Tomcat into the mix and you have the recipe to be the next Equifax.

Vulnerabilities aside, the news about Java being overtaken in popularity is a reminder to programmers everywhere that they must keep their skills current and not be afraid to learn new things. Yes, I know COBOL and Fortran are still around, but do you really want to be the last dinosaur standing or would you rather be able to evolve and avoid extinction? I would suggest the latter.