Month: March 2006

  • FrSIRT Puts Exploits Up For Sale

    [This was originally published on the OSVDB blog.] FrSIRT Puts Exploits up for Sale, by Ryan Naraine, March 15, 2006. Independent security research outfit FrSIRT.com is putting its database of security exploits behind the paid curtain. FrSIRT, previously known as K-Otik, has shut down the public exploits section of its Web site and announced that all exploits…

  • Book Review: High-Tech Crimes Revealed

    High-Tech Crimes Revealed: Cyberwar Stories from the Digital Front. Steven Branigan. ISBN: 0-321-21873-6. Addison-Wesley, Copyright 2005. I found this book just after Christmas (Dec 2005) and grabbed it hoping for a decent read about computer crimes and sociology, backed by real world experience and first hand tales from the ‘digital front’. Instead, I got the worst collection of naïve…

  • US Government Studies Open Source Quality

    [This was originally published on the OSVDB blog.] US Government Studies Open Source Quality reads the SlashDot thread, and it certainly sounds interesting. Reading deeper, it links to an article by the Reg titled Homeland Security report tracks down rogue open source code. The author of the article, Gavin Clarke, doesn’t link to the company…

  • The Excel Pebble

    [This was originally published on the OSVDB blog.] Back on December 8th, 2005, I posted a comment about someone who created an eBay entry for a “Brand new Microsoft Excel Vulnerability”. The vulnerability was never sold via eBay, but may have traded hands through other means. For the most part, this incident faded into the…

  • Vulnerability Markets

    [This was originally published on the OSVDB blog.] There has been a steady stream of papers and research examining the market for vulnerabilities. Countless people have blogged on it in passing and more people are starting to take interest in it for many reasons. Here are a couple papers (courtesy of Danchev’s blog) that cover…

  • Pink Hearts

    [This was originally published on the OSVDB blog.] Maybe I am immature but does anyone else find the Hitachi Incident Response Team logo a bit amusing? Pink hearts, yellow XSS, orange SQL, blue DoS and green overflows!

  • For Sale: VDB

    [This was originally published on the OSVDB blog.] Jason Bergen posted to Full-Disclosure trying to sell a “Security Vulnerability Database Company”. From that mail: The company maintains a database of all security vulnerabilities, and the database is updated on a daily basis. The company maybe of interest to organisations who are currently licensing a vulnerability…

  • Depending on how you count flaws..

    [This was originally published on the OSVDB blog.] After flap, Symantec adjusts browser bug count. Depending on how you count flaws, either IE or Firefox could be considered less secure. News Story by Robert McMillan, MARCH 07, 2006 (IDG NEWS SERVICE) – A report issued today by Symantec Corp. seeks to satisfy users of both Mozilla Corp.’s…

  • What a Tangled Web of Code We Weave

    [This was originally published on the OSVDB blog.] While digging around the usual sources of vulnerability information tonight, I ran into this sequence of links trying to find where an underlying vulnerability really was: 1. sux0r 1.6 was released to fix a vuln; 2. this was due to a vuln in MagpieRSS, which v 0.72 fixed; 3. …

  • Vendor Confidence

    [This was originally published on the OSVDB blog.] Lance James of Secure Science Corporation posted an advisory detailing a serious flaw in the Fedex/Kinkos ExpressPay smart card payment system. A knowledgeable attacker with relatively minor resources can abuse the system to defraud the company. In response to the advisory, Fedex/Kinkos replied to them saying: “Our…