Category: InfoSec

  • Sharks Are Scary but Worry About Mosquitoes

    Sharks Are Scary but Worry About Mosquitoes

    [This was originally published on RiskBasedSecurity.com and was included in the 2021 Mid Year Vulnerability QuickView Report.] It seems like every day that we hear about a new hack and read headlines that tell us that so-called advanced persistent threats (APT) are compromising major organizations. These APT and nation-state actors have incredible skill and seemingly…

  • Reflections on “CVE Approach for Cloud Vulnerabilities”

    At Black Hat Briefings USA this week, Ami Luttwak and Shir Tamari called for a “CVE” style approach to documenting vulnerabilities that affect cloud offerings (note: I have not seen the talk). As one of two people (the other being Jake Kouns) that may have the longest history in this specific space, I wanted to…

  • Is the Kaseya Hack Actually a Supply Chain Attack?

    [This was originally published on RiskBasedSecurity.com as part of a larger series on the Kaseya breach.] What is a Supply Chain Anyway? Within hours of the Kaseya breach becoming public, some critics called out that it was being incorrectly labelled as a supply chain attack. As Nick Carr pointed out, “precise language is important in…

  • Perlroth and the History of Microsoft Vulns

    While reading “This Is How They Tell Me The World Ends“, early in the book I ran across a single line that made me double-take. I took a note to revisit it after a complete read since it was so early in the book. For those familiar with my blogs, I tend to write about…

  • RSA Hack Thoughts

    I read the article “The Full Story of the Stunning RSA Hack Can Finally Be Told” by Andy Greenberg in Wired and several things stood out to me. So this is my commentary on the article and events that are covered. “It opened my eyes to supply chain attacks.” says Mikko Hypponen, chief research officer…

  • Perlroth, How the World Ends, and Errata

    This will be my fourth and very likely final blog on Nicole Perlroth’s book, “This Is How They Tell Me The World Ends”, as far as the subject matter goes. I may write a couple more that are centered around vulnerability history, based on something included in the book, but more along the lines of…

  • Perlroth, Terminology, and Hyperbole

    I finished reading “This Is How They Tell Me The World Ends” by Nicole Perlroth a few weeks ago but haven’t had time to write this blog, and likely another, based on specific aspects of the book. I have written two blogs on topics covered in the book after reading it already, but both written…

  • The Rundown: CVE IDs & RESERVED Status

    During the process of assigning a CVE ID, there is a time period between the assignment and the disclosure, and again between the disclosure and it becoming available on MITRE’s CVE site or NIST’s National Vulnerability Database (NVD). During this period, the ID will be shown as RESERVED. First, it is important to note that…

  • The Rundown: CVE IDs & REJECT Status

    For analysts and practitioners that digest CVE regularly, you will likely be familiar with CVEs that are in REJECT status. If you are new to CVE or not familiar with some of the more gritty details, a CVE assignment may be rejected for various reasons. When that happens, it will receive a capitalized REJECT status:…

  • The Rundown: CVE IDs, Meanings, & Assumptions

    For almost two decades, CVE has been considered an industry standard for vulnerability tracking. A CVE ID can be affiliated with many vulnerabilities, in a format like CVE-2014-54321. Note my choice in ID, from 2014 with a consecutive set of numbers. That is because I specifically chose a ‘sample’ CVE that was set aside as…