Category: InfoSec
-
Case Study: Not A Vulnerability (NAV)
[This was originally published on RiskBasedSecurity.com in the 2018 Vulnerability Mid-year Report.] As stated earlier in this report, “incomplete information, constant updates and revisions, misinterpretation, and errors in reporting can all contribute to a level of confusion regarding the impact, severity and risk a vulnerability represents.” One way that this manifests is in vulnerability reports…
-
Jericho in Vegas Next Week… (for real)
Hi! Given my occasional good-natured trolling on Twitter, and since many have asked me the last few weeks, I want to set the record straight. I will be in Las Vegas next week, for real. I arrive tomorrow evening and leave the following Sunday. This is the first time at BH/DC in several years for…
-
DC26 Attrition Badge Round-up
This is the first DEF CON I am attending after a long break. For kicks I decided to make up a run of DC26 Attrition badges like prior years and conferences. Depending on who you ask, the badge is a decoration only, or it gets you into fabulous parties and amazing events. Anyone with a…
-
DEF CON 26 CFP Basic Statistics and Observations
This is the second blog in a series about DEF CON 26 CFP. The first: A Look Into the DEF CON CFP Review Board (we’re actually really boring people) First, this post is not sanctioned by DEF CON in any way. I am a member of the CFP team who decided to keep some rudimentary…
-
A Look Into the DEF CON CFP Review Board (we’re actually really boring people)

Written by Highwiz with contributions and editing from Jericho Being on the DEF CON CFP Review Board can be as exciting as {something}; as frustrating as {something}; as thought provoking as {something}; and as enriching as {something}. It’s like mad libs, I hope you’ve filled in this section with something good. Each year, myself and…
-
The Great (belated) Mozilla Firefox CVE Dump

[This was originally published on RiskBasedSecurity.com.] On June 11th, MITRE published descriptions and references for 318 entries, all relating to Mozilla Firefox. Yes; three hundred and eighteen entries. It may be tempting to think Mozilla was holding back on disclosures or there was a flurry of research activity leading to a slew of new vulnerabilities being discovered.…
-
Efail: What A Disclosure FAIL That Was!

[This was originally published on RiskBasedSecurity.com.] Yesterday, news broke of a “critical” vulnerability in OpenPGP and S/MIME, named ‘Efail’, that could lead to an attacker gaining access to plaintext emails. News broke in the form of a dire warning from the Electronic Frontier Foundation urging people to “immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.”…
-
CryptoCurrency, Blockchain, & SCADA
[This was originally published on RiskBasedSecurity.com in the 2018 Q1 Vulnerability QuickView Report.] CryptoCurrency and Blockchain: The Latest Rage Blockchain technology, the foundation of CryptoCurrency such as Bitcoin, Ethereum, and countless others, is starting to dominate the news. With the wild ride of Bitcoin prices, where one coin was worth around $19,000 in December 2017…
-
The Blurred or Not So Blurred Lines Of Vulnerability Research

[This was originally published on RiskBasedSecurity.com.] On April 18, 2018, vpnMentor disclosed a ‘critical’ vulnerability in LG NAS devices, which also received a bit of media attention. The blog leads with “Here at vpnMentor, we are concerned about your security and privacy.” However, that didn’t seem to apply to a specific system in South Korea. In their…
-
RIP CERT.org – You Will Be Missed

[This was originally published on RiskBasedSecurity.com.] On February 22, Will Dormann tweeted that the main CERT Coordination Center (CERT/CC) website (www.cert.org) had been shuttered. Upon checking ourselves we found the website now redirecting to the Software Engineering Institute at Carnegie Mellon, the parent group of CERT. As a 14-year veteran at CERT/CC, Dormann understandably had some feelings about the…