Category: InfoSec
-
The Blurred or Not So Blurred Lines Of Vulnerability Research
[This was originally published on RiskBasedSecurity.com.] On April 18, 2018, vpnMentor disclosed a ‘critical’ vulnerability in LG NAS devices, which also received a bit of media attention. The blog leads with “Here at vpnMentor, we are concerned about your security and privacy.” However, that didn’t seem to apply to a specific system in South Korea. In their […]
-
RIP CERT.org – You Will Be Missed
[This was originally published on RiskBasedSecurity.com.] On February 22, Will Dormann tweeted that the main CERT Coordination Center (CERT/CC) website (www.cert.org) had been shuttered. Upon checking ourselves we found the website now redirecting to the Software Engineering Institute at Carnegie Mellon, the parent group of CERT. As a 14-year veteran at CERT/CC, Dormann understandably had some feelings about the […]
-
Before you publish your end-of-year vulnerability statistics…
TL;DR – The CVE dataset does not allow you to determine how many vulnerabilities were disclosed in 2017. I’ll try to keep this fairly short and to the point, but who am I kidding? Every year for a decade or more, we see the same thing over and over: companies that do not track or […]
-
John Thomas Draper: Setting the Record Straight re: Blue Box
The tl;dr cliffnotes: John Draper did not invent the Blue Box. In April of 2015, several years after Phil Lapsley published “Exploding the Phone” giving a detailed history of the early days of phreaking, I wrote a blog largely based on that book to clear up long-standing rumors and mistakes in a variety of publications. […]
-
Thoughts about CNNVD vs. US NVD
[This was originally published on RiskBasedSecurity.com in the 2017 Q3 Vulnerability QuickView report.] In October, Bill Ladd of Recorded Future released a study comparing CVE and the U.S. National Vulnerability Database (NVD) with China’s National Vulnerability Database (CNNVD). This report, titled “The Dragon Is Winning: U.S. Lags Behind Chinese Vulnerability Reporting” was covered by John Leyden in The […]
-
Researchers Find One Million Vulnerabilities?!
[This was originally published on RiskBasedSecurity.com.] No researcher has yet claimed to find one million vulnerabilities, but we are sure to see that headline in the future. Every so often we see news articles touting a security researcher who found an incredible number of vulnerabilities in one product or vendor. Given that most disclosures involve […]
-
That Vulnerability is “Theoretical”!
[This was originally published on the OSVDB blog.] A few days ago, while writing a draft of a different blog, I made reference to and said “we’re well aware of the pitfalls around calling a vulnerability ‘theoretical’”! I wanted to link off to what I was referencing, a case where security researchers found a vulnerability […]
-
A View Into DEF CON 25 CFP…
First, this post is not sanctioned by DEF CON in any way. I am a member of the CFP team who decided to keep some rudimentary statistics on the submissions this year. I did this to give the team a feel for just how many submissions we got, how many talks we accepted, and primarily […]
-
Analysis Of The RANDom Report on Zero-days and Vulnerability Rediscovery
[This was originally published on RiskBasedSecurity.com.] On March 9, 2017, RAND released a report (PDF) titled “Zero Days, Thousands of Nights; The Life and Times of Zero-Day Vulnerabilities and Their Exploits” by Lillian Ablon and Andy Bogart that received a fair amount of press. The RAND press release goes on to describe it as “the first publicly available research to […]
-
The Steady Rise of Bounty Programs, and the Counterpart
[This was originally published on RiskBasedSecurity.com.] Companies that seven years ago said they would not pay for vulnerability information have been steadily expanding their programs to pay for more and more vulnerability information, and recently made Edge bounties permanent. Service-oriented companies like Uber, that rely on a significant amount of user interaction and transactions via mobile apps, also utilize […]