Category: InfoSec

  • 2017 End-of-year Reports Based on CVE Data

    [These were notes I took in 2017 and never got around to finishing. I have done some general formatting / cleanup to round out the sentences and such, but not much else. Given I made a prediction at the time, I am opting to publish this but backdate it accordingly. The general issue of CVE…

  • The Duality of Expertise: Microsoft

    [This was originally published on the OSVDB blog.] The notion of expertise in any field is fascinating. It crosses so many aspects of humans and our perception. For example, two people in the same discipline, each with the highest honors academia can grant, can still have very different expertise within that field. Society and science…

  • Let’s X-ray SCMagazine…

    [This was originally published on the OSVDB blog.] Hopefully a really quick blog, but a section of a news article titled “Hackers are having a field day with stolen credentials” by Amol Sarwate, Qualys’ Director of Vulnerability Labs, published in SC Magazine caught my attention. The section: Let’s X-ray the attack methods Typically, hackers “fingerprint”…

  • I do not think it means what you think it means… (CVE IDs)

    [This was originally published on the OSVDB blog.] Sometime in the past day or so, CVE-2016-10001 was publicly disclosed, and possibly a duplicate. Regardless, CVE-2016-10002 is also now public and legitimate. Tonight, I Tweeted that the presence of those IDs doesn’t mean what many will think it means. I say that based on the past…

  • NTIA, Bug Bounty Programs, and Good Intentions

    [This was originally published on the OSVDB blog.] [Note: This blog had been sitting as a 99% completed draft since early September. I lost track of time and forgot to finish it off then. Since this is still a relevant topic, I am publishing now despite it not being quite as timely in the context…

  • Rebuttal: Dark Reading’s “9” Sources for Tracking New Vulnerabilities

    [This was originally published on the OSVDB blog.] Earlier today, Sean Martin published an article on Dark Reading titled “9 Sources For Tracking New Vulnerabilities”. Spanning 10 pages, likely for extra ad revenue, the sub-title reads: Keeping up with the latest vulnerabilities — especially in the context of the latest threats — can be a…

  • Response to Kenna Security’s Explanation of the DBIR Vulnerability Mess

    [This was originally published on the OSVDB blog.] Earlier this week, Michael Roytman of Kenna Security wrote a blog with more details about the vulnerability section of the Verizon DBIR report, partially in response to my last blog here questioning how some of the data was generated and the conclusions put forth. The one real…

  • A Note on the Verizon DBIR 2016 Vulnerabilities Claims

    [This was originally published on the OSVDB blog.] [Updated 4/28/2016] Verizon released their yearly Data Breach Investigations Report (DBIR) and it wasn’t too long before I started getting asked about their “Vulnerabilities” section (page 13). After bringing up some highly questionable points about last year’s report regarding vulnerabilities, several people felt that the report did…

  • Electronic Voting; an Old but Looming Threat

    [This was originally published on RiskBasedSecurity.com.] As everyone on the planet knows, U.S. politics are in full swing with primaries almost every week and an upcoming presidential election in November of this year. At Risk Based Security we find it curious that one of the most dangerous topics seems to evade the 24-hour a day…

  • Badlock: The Day of Reckoning [Update #4]

    [This was originally published on the RBS Blog.] Word circulated earlier today that Badlock would be revealed at 1PM EST, which is curious given that Microsoft’s “Patch Tuesday” releases are not always public by that time. Almost ten minutes before 1PM, word of the patches being public was making the rounds. The three patches and associated…