Month: July 2013
-
Buying Into the Bias: Why Vulnerability Statistics Suck [Presentation]
Steve Christey, the CVE Editor from MITRE, and I gave a presentation at Black Hat Briefings 2013 on the problems we have witnessed over the years with poor vulnerability statistics. Rather than just debunk a handful, which we did, we also went into extensive detail on the different types of bias that ultimately lead to…
-
Seriously RIM? Call it the HackBerry from now on…
[This was originally posted on the OSVDB blog.] Our sponsor Risk Based Security (RBS) posted an interesting blog this morning about Research In Motion (RIM), creator of the BlackBerry device. The behavior outlined in the blog, and from the original blog by Frank Rieger is shocking to say the least. In addition to the vulnerability…
-
Stalking me in Las Vegas…
I fly out to Las Vegas tomorrow for the trifecta of summer security conventions held in oppressive heat. BlackHat Briefings, BSides Las Vegas, and DEF CON 21. If you want to catch up to talk about attrition.org, OSVDB, or anything vulnerability related, look for the disgruntled person likely wearing a squirrel-themed shirt. If you would…
-
Cybercrime Stats: From Bad to Bad
[This was originally published on the OSVDB blog.] Since vulnerabilities are a cornerstone of computer crime, stats on it are of interest to us. Statistics on cybercrime have always been dodgy; more so than real-world crime statistics. When your car is broken into or stolen, you know it. More often than not, you will report…
-
Android versus iOS Security – Not Again…
[This was originally published on the OSVDB blog.] About two weeks ago, another round of vulnerability stats got passed around. Like others before, it claims to use CVE to compare Apple iOS versus Android in an attempt to establish which is more secure based on “vulnerability counts”. The statistics put forth are basically meaningless, because…
-
The curiously creeping value of the iOS vulnerability…
[This was originally published on the OSVDB blog.] The market for vulnerabilities has grown rapidly the last five years. While the market is certainly not new, going back well over ten years, more organizations are interested in acquiring 0-day / private vulnerabilities for a variety of needs. These vulnerabilities cover the gamut in applications and…
-
Are we so desperate?
The current state of U.S. politics is beyond dismal and entirely depressing. Our society only follows the corporate controlled ‘news’ channels that stump for their party-of-choice. Our congress is laughably ineffective in doing their job. The bi-partisan House/Senate can’t agree on anything, and little gets done in the pathetic number of days these overpaid politicians…
-
The Popcorn Thesis
During a recent email thread, a friend and I were comparing our local squirrels. She put forth that her Chicago squirrels did not eat popcorn, to which I expressed my disbelief. I couldn’t imagine a squirrel turning their nose up at it. I said I would have to test that theory. I’ll be curious whether…
-
Exploding the Review
In the early 90’s, when I was moving in the world of computer bulletin board systems (BBS), it ultimately ended in my interest in phreaking. It started out reading t-files, moved into wardialing, and a few years later would result in PBX, voice mail, and switch hacking. While I got a late start in the…
-
T-Mobile’s Poor Implementation Works Against Amber Alerts
Just over a month ago, I received a pop-up alert on my Samsung Galaxy 3 (via T-Mobile) with a standard, and persistent, emergency broadcast noise… Emergency alert Longmont, CO AMBER Alert: LIC/245FLJ (CO) 2001 Blue Ford F350 Pickup truck Type: AMBER Alert The noise stopped briefly, then picked back up again until I tapped “OK”.…