A Linux sudo bug

I had a busy day at work today, writing for my current employer about something my previous employer discovered. Qualys discovered a buffer overflow condition in sudo that, well, basically makes all your users root. I joked with one of my coworkers that Qualys could have used this to solve all its permissions problems when scanning Linux and Unix instead of disclosing this, but they did the right thing.

Most any Linux distro released between 2011 and 2020 has this flaw. So, run yum update or apt-get update to clean up those old sudos. Because we all know giving all your users root isn’t a good idea.

View headers in Gmail to see if that mail is real

For nearly 20 years, I was the guy people asked if an e-mail message they got was real. And if they were interested, I’d show them how I figured out if it was real. To do that, you have to look at the headers. Here’s how to view headers in Gmail.

Gmail doesn’t have an option called view headers–it’s called Show Original. Choosing this obscure option lets you view the headers and investigate a message.

Qualys severity vs CVSS

I’ve spent a little more time than I would like studying severity models in vulnerability scanners. One question that comes up occasionally is Qualys severity vs CVSS, or any of its competitors, for that matter. Let’s take a look at how Qualys severity compares against the industry standard.

Qualys’ severity score predates CVSS, which is now the industry standard. The two have similarities but there are various reasons for choosing one over the other.

Asymmetric attack examples

In security, we talk about asymmetric attacks all the time. If you don’t know what that means, here’s an easy definition and some examples from the real world. We have to be careful not to conduct asymmetric attacks on ourselves, because frequently we inadvertently do just that.

An asymmetric attack is an attack that’s substantially more expensive to protect against than to launch. This makes them a common challenge in security.

Are police scanners illegal?

I don’t think it’s news to anybody that there’s been some civil unrest in 2020. And in many cases, when protestors have been detained, cops and feds have cited possession of police scanners as proof that they were up to no good. But are police scanners illegal?

Police scanners are not illegal. A police scanner is just a radio, picking up broadcasts on radio waves, which belong to anybody, some of which happen to be used by police. So-called police scanners have uses other than listening to police broadcasts, and listening to police broadcasts is not illegal.

What does CVE stand for? How do you fix one?

In Information Security and Information Technology, CVE stands for Common Vulnerabilities and Exposures. It is a standard identifier for tracking vulnerabilities in computer software. I’ve only deployed updates to fix about 800,000 of them, but that experience taught me a little bit about working with them.

The CVE database is maintained by MITRE, and there are about 100 CVE Numbering Authorities (CNAs) who assign them. The CVEs themselves don’t include a lot of detail, but they serve the purpose of providing a common identifier that vendors and security professionals can use to track each unique security flaw.

What CVSS is and how to use it

What is CVSS? CVSS stands for Common Vulnerability Scoring System. It is a method for expressing the relative severity of vulnerabilities compared to one another. It’s a common statistic in computer security, especially in the field of vulnerability management.

There are two versions of CVSS in common use. The major difference is that version 3 allows you to adjust the score for environmental factors, but both versions share one significant weakness.
