Computers don’t have reliable time information when booting. So why don’t we ignore the expiry date on Secure Boot certificates?

The 2011 Secure Boot certificates pre-installed in many PCs expire (or have expired) this year. The official recommendation is to upgrade those certificates in Windows Update, the BIOS or replace the PCs if that is not possible.
There’s so… Continue reading Computers don’t have reliable time information when booting. So why don’t we ignore the expiry date on Secure Boot certificates?

What’s the deal with CISA adding CVE-2024-49035 (Microsoft Partner Center vulnerability) to its catalog of exploited vulnerabilities?

Two weeks ago (Feb 25, 2025), CISA added CVE-2024-49035 to its catalog of actively exploited vulnerabilities.
Now, the thing is: CVE-2024-49035 is not a "classic" vulnerability in a software product where admins need to take acti… Continue reading What’s the deal with CISA adding CVE-2024-49035 (Microsoft Partner Center vulnerability) to its catalog of exploited vulnerabilities?

What "indicators of compromise" are there that end users can diagnose themselves?

I’m responsible for the IT security of a small (~5 users) office, and I’m preparing training materials for our users.
Obviously, the first step my users should do if anything seems suspicious is to keep calm and contact me. However, if I’m… Continue reading What "indicators of compromise" are there that end users can diagnose themselves?

Can it cost you money to push a number on the phone dial pad during an incoming call? [closed]

Heise online, a well-known German-language technology news site, recently published an article about phone scams.
They write the following about the "Interpol scam" (emphasis mine):

Vermehrt kommt es auch zu Anrufen von Betrüger… Continue reading Can it cost you money to push a number on the phone dial pad during an incoming call? [closed]

Mitigating the performance impact of strong hashes with Basic HTTP authentication

I am trying to decide which work factor to use for our hashed passwords, and I am facing the following dilemma. Let me elaborate for a moment.
Basic HTTP authentication works as follows:

The user tries to access a protected resource.
The … Continue reading Mitigating the performance impact of strong hashes with Basic HTTP authentication

Are there advantages to using a hardware token instead of a password on a potentially compromised system?

TLDR: Is there a security benefit to regularly accessing the admin account with a hardware token rather than with a well-protected password?

Long story: I’m both a developer and the system admin of our small network. Thus, on my PC, I usu… Continue reading Are there advantages to using a hardware token instead of a password on a potentially compromised system?