Category: InfoSec
-
CVE and the matter of “unique” ID numbers
Common Vulnerability Enumeration, now known as Common Vulnerabilities and Exposures (CVE), is a vulnerability database (ignore their silly claim to be a ‘dictionary’) that the information security industry relies on heavily, unfortunately. Per MITRE’s CVE page, “CVE® is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly…
-
Questions to Ask When Shopping for Threat Intelligence – Recorded Future Podcast

On April 2, 2019, I was a guest on the Recorded Future podcast. The episode was titled “Questions to Ask When Shopping for Threat Intelligence”. The summary: “Our guest today is Brian Martin, vice president of vulnerability intelligence at Risk Based Security, a company that provides risk identification and security management tools leveraging their data-breach…
-
Microsoft, CVE, MITRE, ETERNALBLUE, Headache…
2019-02-14 Update: Thanks to Chris Mills @ MSRC (@TheChrisAM), who has been working behind the scenes since this blog was published; he has brought clarity to these assignments! MSRC is still potentially touching up some additional documentation to make it easier to see these associations, but here is the definitive answer from him: CVE-2017-0143 ShadowBrokers…
-
Guest Appearance on the Cyberwire Research Saturday Podcast

On December 14, 2018, I was a guest on Dan Bittner’s podcast, and the topic was the Sony data breach. Show Notes: Researchers at Risk Based Security took a detailed look back at the 2014 Sony hack, comparing analysis that occurred while the facts were still unfolding with what we know, today. There are interesting…
-
Case Study: Third-Party Plugins
[This was originally published on RiskBasedSecurity.com in the 2018 Q3 Vulnerability QuickView Report.] Many people are familiar with content management systems (CMS), which are used in a variety of roles. Millions of people use them via hosted software such as WordPress.com and companies use them for blogging and knowledgebase systems. Historically, despite their wide deployment,…
-
New libssh Vulnerability – No Logo But Plenty Of Attention

[This was originally published on RiskBasedSecurity.com.] Earlier this week, Andreas Schneider announced the release of a new version of libssh, covering “an important security” that addressed “an authentication bypass vulnerability in the server code”. Pretty quickly we saw several news articles published that covered this issue, as well as third-party blogs that added commentary on the technical side of the vulnerability. Since we were following…
-
You Didn’t Think the Sony Saga Was Over, Did You?

[This was originally posted to the Risk Based Security blog. Unfortunately, no copy made it to the Internet Archive. A re-imagined version appeared on the Flashpoint Blog. The original is below.] On November 24th, 2014 a Reddit post appeared stating that Sony Pictures had been breached and that their complete internal network, nationwide, had signs…
-
The Attrition DC26 Badge Challenge Post Mortem
This year, which was my final trip to DEF CON, I made up one last round of Attrition DEF CON badges. In prior years they were typically engraved luggage tags a bit more specific to the year. Since #BadgeLife has become a big thing, especially this year as far as I can tell, I decided…
-
Our Reports Clickbait? No. Click Here To Find Out Why…

[This was originally posted to the Risk Based Security blog (now 404 and no IA copy), with contributions from Jake Kouns.] Last week, we published our 2018 mid-year report that included an overview of the vulnerabilities that we have tracked and included in VulnDB. We highlighted a key takeaway from the report in the title:…
-
Case Study: Not A Vulnerability (NAV)
[This was originally published on RiskBasedSecurity.com in the 2018 Vulnerability Mid-year Report.] As stated earlier in this report, “incomplete information, constant updates and revisions, misinterpretation, and errors in reporting can all contribute to a level of confusion regarding the impact, severity and risk a vulnerability represents.” One way that this manifests is in vulnerability reports…