Thursday, November 14, 2024

Common Vulnerabilities and Exposures & work

At work one of my unofficial tasks is to review the current CVE list.  We have been asked several times in the past whether a vulnerability affects us and we have had to quickly find out if it does.  Now we (actually just me) check every day for updates from the prior day against a list of software that we use.  We use a simple XLS to track the CVE, product, date and high-level description, and a summary is sent out to the various team members to investigate.  It has paid off, as we knew about a vulnerability before being asked about it and quickly responded to senior management with what was being done if we were impacted.

This allows us to identify any potential impacts and verify whether or not we are impacted.  If we are impacted, we then determine what mitigation steps are required before the fix and when the fix will be installed.
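The daily check described above, as an added example that is not part of the original post: a constructed feed of records (placeholder IDs and made-up product names, not real CVE data) is filtered against a watch list of software we run, only entries published since the last review are kept, product names are normalized so vendor spelling differences still match, and the hits are written out in the CVE/product/date/description columns the tracking sheet uses, highest CVSS first.

```python
import csv
import io
from datetime import date

# Constructed sample feed in the shape of a daily CVE listing. The IDs are
# placeholders, not real CVE entries, and the product names are made up.
SAMPLE_FEED = [
    {"cve": "CVE-0000-00001", "published": "2024-11-13", "cvss": 9.8,
     "products": ["ExampleApp Server", "ExampleApp Agent"],
     "summary": "Buffer overflow in request parser."},
    {"cve": "CVE-0000-00002", "published": "2024-11-13", "cvss": 5.3,
     "products": ["OtherVendor Widget"],
     "summary": "Cross-site scripting in admin console."},
    {"cve": "CVE-0000-00003", "published": "2024-11-12", "cvss": 7.5,
     "products": ["exampleapp  server"],
     "summary": "SQL injection in reporting module."},
]

# Software the organisation actually runs (constructed names).
WATCH_LIST = {"ExampleApp Server", "Sample DB Engine"}

def normalize(name):
    """Lower-case and collapse whitespace so vendor spellings still match."""
    return " ".join(name.lower().split())

def new_matches(feed, watch_list, since):
    """(cve, product, date, cvss, summary) per watched product, worst CVSS first."""
    watched = {normalize(p): p for p in watch_list}
    rows = []
    for entry in feed:
        if date.fromisoformat(entry["published"]) < since:
            continue  # already reviewed on an earlier day
        for product in entry["products"]:
            hit = watched.get(normalize(product))
            if hit:
                rows.append((entry["cve"], hit, entry["published"],
                             entry["cvss"], entry["summary"]))
    return sorted(rows, key=lambda r: -r[3])

def to_csv(rows):
    """Render matches with the columns the tracking sheet uses."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CVE", "Product", "Date", "CVSS", "Description"])
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(new_matches(SAMPLE_FEED, WATCH_LIST, date(2024, 11, 12))))
```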

The part that I find annoying is that many of the vulnerabilities can be prevented by the app developers during testing.  I suspect that management or marketing is pressuring the developers to push out the code and let the users and others find the bugs.


Terminology

CVE is Common Vulnerabilities and Exposures. WIKI for CVE.

CVSS is Common Vulnerability Scoring System. WIKI CVSS.

EPSS is Exploit Prediction Scoring System. WIKI for EPSS.


Buffer overflow. WIKI Buffer overflow.

Cross-Site Request Forgery (XSRF). WIKI XSRF.

Cross Site Scripting (XSS). WIKI XSS.

Race condition. WIKI Race condition.

SQL injection. WIKI SQL Injection.


CVE URL I use to check on updates

Browse CVE vulnerabilities by date (cvedetails.com)



Monday, July 01, 2024

Using and liking Mastodon

When I dropped Twitter X I didn't miss the ongoing toxic waste dump.  I found a great replacement called Mastodon.  It does take a bit of work and time to get started, but I find it a friendly place.  I see what I want to see, I follow those whom I want to follow, and it isn't a spam-filled, advertising-filled site overflowing with hatred, bigotry and intolerance.  The administrators keep an eye on things and when spam does appear it quickly gets removed.

There is a growing community of people who are willing to share, including technical experts and media personalities who regularly post.

If you are tired of X I suggest that you check it out.

Sunday, March 24, 2024

I am not missing Twitter.

It has been over a year since I left Twitter and I don't miss it.  I have been using Mastodon and it has been a much more enjoyable experience.  I am not subjected to spam, scams, advertising and hate.  It takes a bit to get accustomed to, but I have a wonderful feed with people who post and share information that I find interesting or that makes me think.

On Linux there are clients (I am using Tuba at this time on MX Linux as a Flatpak), and Android has clients (I am using Trunks, which is cross-platform: Android and iOS).  It is also accessible via your browser; I haven't found a desktop client that works as well as the browser version.

Tuesday, February 20, 2024

That was an expensive project

A short time ago the condo corporation sent all of the owners a notice that we needed to provide the ESA certificate that all wiring in our homes was up-to-date.  The reason is that the units were built when aluminum wiring was allowed and the insurance company wanted proof that all pig-tailed wiring was up to code.

I found an electrician who did aluminum and copper wiring to do an initial inspection.  He confirmed that we had the mix and the two switches he checked were not wired correctly.  He also inspected our breaker box and pointed out that all 24 breakers are full and 5 had two lines coming out.  I had him come in to do the full inspection and to swap out the box with one large enough for what we have and allow for future expansion.  We also were in agreement that a full house surge protector would be a great idea.

Day 1

The breaker was pulled, shutting down the house.  Not a problem, as we have three UPSes and a large battery backup.  I could run the router, keeping our internet up and running, and I could work using the corporate laptop.  The laptop could last 4 hours before I would hook it up to the battery backup, and the router used two of the three UPSes.  The upgrade didn't take as long as he had planned for in the worst-case scenario.  He estimated 4-6 hours and after 3 we had power back.

Day 2

The electrician focused on all of the plugs, switches and junction boxes.  The whole house has 100 items for him to check.  He found one burnt wire in the bathroom, as it appeared someone who was not an electrician had wired new lights and did not correctly pig-tail the aluminum and copper.  Before the fix the lights would on rare occasions flicker, and I thought it was the light bulb and replaced it.

For the rest of the house almost half of the switches, outlets and junction boxes were copper, so that part went quickly.  The rest were aluminum-to-copper pig-tails.  Out of the 100 items he found 39 problems.  In some of the boxes, when he opened them up, the marrettes fell out and the live wires were almost touching the box!  For 4 of the boxes the bottom screw had broken the part of the box it fastens to.  He is coming back in April or May to do full box replacements.  Definitely someone who was not an electrician did that.

Day 3

Today is the last day for inspection and changes.  We have a number of ceiling lamps and fans.  We wanted all of the fans pulled out and replaced with flush-mount light fixtures.  This appeared to have been a good choice, as the fans were not properly wired.  One actually fell apart when we pulled it down, and one was using the wrong type of screw to fasten it to the plate and we don't know why it hadn't fallen down.

After

All of the work was inspected and the ESA issued their certificate.  A copy of the certificate will be posted on the breaker box so that when we sell the buyers will see that all electrical work was done to code.

Next time we look to buy a home we will be asking to see the ESA certificate.

The full project was expensive, but worth it.  The house wiring is to code, we have whole-house surge protection, and if we need to run a new line it will have its own circuit.