David L. Farquhar, computer security professional, train hobbyist, and landlord
Once you know what to look for, a buffer overflow is almost as easy to spot as it is to understand. So here’s what a buffer overflow looks like, whether you’re looking at suspicious network traffic or a suspicious file on disk.
A buffer overflow is a long sequence of NOP operations followed by machine code. The long sequence of NOPs is a tell-tale sign, but disassembling the data that follows will verify it–if it doesn’t disassemble to gibberish, you found a buffer overflow.
Kenna Security is a vulnerability management tool you may have heard of but never used. I find it exceptionally useful, though that’s not always a universal opinion. So how does Kenna Security work, and how can you make it work better?
Kenna Security is not a vulnerability scanner. It works with your existing scanner to enrich the data and make recommendations. This makes it distinct from a vulnerability scanner like Qualys’ flagship product. Using that enriched data to make decisions is key to success with Kenna.
Slate’s Josephine Wolff argues that you have a moral imperative to claim $125 from Equifax as part of their breach settlement. Preventing the kinds of things that happened to Equifax is what I’ve done for a living for the bulk of my career. So here’s why I agree with her argument in favor of making an example of Equifax.
Most companies, in my experience, do patch management and vulnerability management on the cheap and write off the consequences as a cost of doing business. The cost of not doing it right needs to be high enough to get them to spend enough on tools and personnel to get the job done. And as the guy who pushed the patches for 9 years and then shifted in 2014 to being the guy who coaches the patch-pushers, I have a pretty good idea what it takes to do the job right.
CompTIA positions A+ as a precursor to Security+, but it’s not necessary to have both certifications. It can be helpful, but whether you need one or both depends on what you want to specialize in. And that’s really what it comes down to in A+ vs Security+: area of specialty.
A+ is a certification that covers computer hardware and operating systems, intended for technicians and system administrators. Security+ is an entry-level security certification, and the overlap between the two may not be obvious.
Why does the government require CISSP or Security+ for certain jobs? While requiring people to pass a test can cause problems, I’ve seen it solve bigger problems.
Certification tests establish a baseline set of knowledge that a person filling a role has mastered. It provides a standard, repeatable, and objective third-party measure of a person’s qualifications, even if it’s possible to game the system.
I was talking with an insurance adjuster when he asked me what I do for a living. I explained that I help companies make sure they’re doing a good enough job of updating their computers. That visibly disturbed him. “So should I install updates on my computer or not?” he asked.
Security experts agree that installing updates on your computer is one of the top three things, if not the most important thing, you can do to protect your security and privacy. It’s also one of the easiest, and the most practical thing home users can do.
Someone asked me recently why hackers hack the government. That’s a little more complex question than why they hack other people. Governments are complex, so that means there’s more reason to hack a government than to hack a corporation or a citizen.
Government hackers generally have three motivations behind them: Money, activism, or espionage. The motivations depend based on who is doing the hacking.
It happens every year when Daylight Savings Time (Summer Time in Europe) starts kicking in. Qualys displays weird times in its user interface and it gets hard to figure out what time scans outside your local time zone are actually going to run. So here’s what to do about Qualys showing the wrong time in its user interface.
Qualys factors Daylight Savings Time into scheduled scans as long as you select the DST checkbox, but it doesn’t factor it into the user interface if you specify your local timezone. Setting your timezone to Auto will fix that.
When you’re hunting through job postings, sometimes you may see Security+ as a requirement. Sometimes you might see Security+ce instead. Theoretically, I’m out of luck if they really want Security+ce. Let’s talk about Security+ vs Security+ce and whether the difference means anything for you.
Security+ vs Security+ce really comes down to when you took the exam. If you took the exam after 2010, and certainly after 2011, you have both. If, like me, you took the exam before 2010 and didn’t convert it, you just have Security+. And some jobs require ce.
I helped a company troubleshoot its vulnerability scans recently. They had multiple Windows domains because of their line of business. This made scans difficult, but we found some solutions. Here are some tips for authenticated scans across multiple domains.
Scanning multiple domains in a single scan can cause account lockouts if the usernames and passwords don’t all match. Three possible solutions include separating each domain into its own scan, using completely unique accounts to scan, or syncing up the accounts so they have the same username and password.