So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. The field desperately needs more of us, so I’m happy to share with you how to become […]
Late last week, the Wall Street Journal reported that Anthem wasn’t encrypting the database containing tens of millions of health records that were stolen by sophisticated hackers. There are numerous problems with that story, the first being that we don’t know yet whether the data was encrypted. There are other unconfirmed reports that say the attackers used […]
I’ve grown used to being asked what unpatched vulnerability was used in the most recent breach, in an effort to make sure some other company is protected. I appreciate the desire to learn from other companies’ mistakes and not repeat them. But there are several reasons why the answer to that question is complicated, and not […]
I was doing some scanning with a new vulnerability scanner at work and I found something listening on a lot of servers, described only as Apache and OpenSSL listening on port 2381. The versions varied. Luckily I had another scanner at my disposal that solved the mystery quickly: It’s the HP System Management Homepage, a […]
I cited MS14-066, commonly known as Winshock, this week as a reason to take action on a server. Another stakeholder tried to argue with me. The vulnerability was very old, he said, years old, and hadn’t caused a problem yet. He’s right. It’s at least 19 years old. But that’s merely interesting, not important. What’s important […]
This week, Google published a vulnerability in Windows 8.1 after a 90-day countdown timer automatically expired. Microsoft has not yet released a patch. Controversy ensued. Obviously, yes, an unpatched, well-known vulnerability in Windows is troubling. But the alternative is worse.
Apparently, 86% of WordPress blogs haven’t been upgraded yet to version 4.0 or 4.01, which means they are still vulnerable to a terrible cross-site scripting vulnerability. If you’re reading this, and you have a WordPress blog, go update it. This post will still be here when you’re done.
New details emerged on the Home Depot attack that left 56 million consumers with compromised credit cards. The interesting thing in the new details is that it could have been much worse, but maybe not for reasons immediately obvious.
I met a young IT contractor a little while back. His talent was sky high, and his potential was matched only by his rawness. It’s not my place to go into great detail about that rawness, but one thing I noticed about him was that he had a very self-defeating attitude about him. Several times […]
“So did you know there’s a Windows version of Shellshock?” a coworker asked the other day. “What, Cygwin’s bash?” I asked. “No, in CMD.EXE.” I thought for a second, back to some really nasty batch files I’ve seen that do goofy stuff with variables and parenthesis and other reserved characters. Suddenly it made sense. Those […]