security

Once you know what to look for, a buffer overflow is almost as easy to spot as it is to understand. So here’s what a buffer overflow looks like, whether you’re looking at suspicious network traffic or a suspicious file on disk.

A buffer overflow is a long sequence of NOP operations followed by machine code. The long sequence of NOPs is a tell-tale sign, but disassembling the data that follows will verify it–if it doesn’t disassemble to gibberish, you found a buffer overflow.

Read more

Slate’s Josephine Wolff argues that you have a moral imperative to claim $125 from Equifax as part of their breach settlement. Preventing the kinds of things that happened to Equifax is what I’ve done for a living for the bulk of my career. So here’s why I agree with her argument in favor of making an example of Equifax.

Most companies, in my experience, do patch management and vulnerability management on the cheap and write off the consequences as a cost of doing business. The cost of not doing it right needs to be high enough to get them to spend enough on tools and personnel to get the job done. And as the guy who pushed the patches for 9 years and then shifted in 2014 to being the guy who coaches the patch-pushers, I have a pretty good idea what it takes to do the job right.

Read more

CompTIA positions A+ as a precursor to Security+, but it’s not necessary to have both certifications. It can be helpful, but whether you need one or both depends on what you want to specialize in. And that’s really what it comes down to in A+ vs Security+: area of specialty.

A+ is a certification that covers computer hardware and operating systems, intended for technicians and system administrators. Security+ is an entry-level security certification, and the overlap between the two may not be obvious.

Read more

Why does the government require CISSP or Security+ for certain jobs? While requiring people to pass a test can cause problems, I’ve seen it solve bigger problems.

Certification tests establish a baseline set of knowledge that a person filling a role has mastered. It provides a standard, repeatable, and objective third-party measure of a person’s qualifications, even if it’s possible to game the system.

Read more

I was talking with an insurance adjuster when he asked me what I do for a living. I explained that I help companies make sure they’re doing a good enough job of updating their computers. That visibly disturbed him. “So should I install updates on my computer or not?” he asked.

Security experts agree that installing updates on your computer is one of the top three things, if not the most important thing, you can do to protect your security and privacy. It’s also one of the easiest, and the most practical thing home users can do.

Read more

Someone asked me recently why hackers hack the government. That’s a little more complex question than why they hack other people. Governments are complex, so that means there’s more reason to hack a government than to hack a corporation or a citizen.

Government hackers generally have three motivations behind them: Money, activism, or espionage. The motivations depend based on who is doing the hacking.

Read more

It happens every year when Daylight Savings Time (Summer Time in Europe) starts kicking in. Qualys displays weird times in its user interface and it gets hard to figure out what time scans outside your local time zone are actually going to run. So here’s what to do about Qualys showing the wrong time in its user interface.

Qualys factors Daylight Savings Time into scheduled scans as long as you select the DST checkbox, but it doesn’t factor it into the user interface if you specify your local timezone. Setting your timezone to Auto will fix that.

Read more