David L. Farquhar, computer security professional, train hobbyist, and landlord
You probably only have to ask the question twice to get two opposite answers. Are password generators safe? As a security professional, I’ll explain the problems with password generators. Then I’ll tell you why I use them anyway. Most importantly, I’ll tell you how I use them safely.
I had a busy day at work today, writing for my current employer about something my previous employer discovered. Qualys discovered a buffer overflow condition in sudo that, well, basically makes all your users root. I joked with one of my coworkers that Qualys could have used this to solve all its permissions problems when scanning Linux and Unix instead of disclosing this, but they did the right thing.
Most any Linux distro released between 2011 and 2020 has this flaw. So, run yum update or apt-get update to clean up those old sudos. Because we all know giving all your users root isn’t a good idea.
Where they rank any given year may vary, but there’s no doubt Qualys and Rapid7 are two of the big three in vulnerability scanning tools. Both tools have their pros and cons. Let’s look at Qualys vs Rapid7 so you can figure out which one is right for you.
For nearly 20 years, I was the guy people asked if an e-mail message they got was real. And if they were interested, I’d show them how I figured out if it was real. To do that, you have to look at the headers. Here’s how to view headers in Gmail.
Gmail doesn’t have an option called view headers–it’s called Show Original. Choosing this obscure option lets you view the headers and investigate a message.
I’ve spent a little more time than I would like studying severity models in vulnerability scanners. One question that comes up occasionally is Qualys severity vs CVSS, or any of its competitors, for that matter. Let’s take a look at how Qualys severity compares against the industry standard.
Qualys’ severity score predates CVSS, which is now the industry standard. The two have similarities but there are various reasons for choosing one over the other.
In security, we talk about asymmetric attacks all the time. If you don’t know what that means, here’s an easy definition and some examples from the real world. We have to be careful not to conduct asymmetric attacks on ourselves, because frequently we inadvertently do just that.
An asymmetric attack is an attack that’s substantially more expensive to protect against than to launch. This makes them a common challenge in security.
I don’t think it’s news to anybody that there’s been some civil unrest in 2020. And in many cases, when protestors have been detained, cops and feds have cited possession of police scanners as proof that they were up to no good. But are police scanners illegal?
Police scanners are not illegal. A police scanner is just a radio, picking up broadcasts on radio waves, which belong to anybody, some of which happen to be used by police. So-called police scanners have uses other than listening to police broadcasts, and listening to police broadcasts is not illegal.
What is the difference between CVE and CVSS? It can be confusing, especially if you’re not a security professional. Here’s how to make sense of the alphabet soup you hear from security analysts like me.
Both CVE and CVSS are industry standards that refer to vulnerabilities in computer software. Think of CVSS as the tracking number, and CVE as a measure of severity.
What In Information Security and Information Technology, CVE stands for Common Vulnerabilities and Exposure. It is a standard identifier for tracking vulnerabilities in computer software. I’ve only deployed updates to fix about 800,000 of them, but that experience taught me a little bit about working with them.
The CVE database is maintained by MITRE, and there are about 100 CVE Numbering Authorities (CNAs) who assign them. The CVEs themselves don’t include a lot of detail, but they serve the purpose of providing a common identifier that vendors and security professionals can use to track each unique security flaw.
What is CVSS? CVSS stands for Common Vulnerability Scoring System. It is a method to express the relative strength of vulnerabilities compared to each other. It’s a common statistic in computer security, especially in the field of vulnerability management.
There are two versions of CVSS in common use. The major difference is version 3 allows you to account for environmental factors to adjust it, but both of these versions have one significant weakness.