  • Brief analysis of “Analyzing Websites for User-Visible Security Design Flaws”

    On July 23, 2008, an article was released touting the numbers of a recent study on website security design flaws. The article only quoted some statistics from the research and did not link to it or go into detail on how the statistics were derived. I posted a quick rebuttal to the Dataloss mail list calling the entire study…

  • The Black Market Code Industry

    [This was originally published on the OSVDB blog.] Adam Penenberg wrote an article titled “The Black Market Code Industry” for FastCompany in which he details his research of two HP employees that actively sold exploit code in their spare time, at least one selling exploits in HP’s own software. According to the article, HP knew…

  • Stop Using Google, It’s Dangerous!

    [This was originally published on the OSVDB blog.] Reported Phishing/Vulnerable Site! The web site http://www.google.com has been reported as a vulnerable site that may pose a threat to your web browsing. Vulnerable sites do not prioritize security and don’t care about their users and customers. These sites may pose a risk to you, exploit the…

  • VDBs Devolving?

    [This was originally published on the OSVDB blog.] I’m big on Vulnerability Database (VDB) evolution. I tend to harp on them for not adding features, not making the data more accessible and generally doing the exact same thing they did ten years ago. While the target of my ire is typically functionality or usability, today…

  • June 2008 Reviews (In the Name of the King, Balls of Fury, Reno 911!: Miami)

    [This was originally published on attrition.org.] This Movie Bits review is dedicated to a few recent comedies. In the Name of the King 2007 Some mythical land, some boring king, some farmer that must be a hero since there is focus on him. So normal and so not a hero that he is only known as Farmer, how…

  • Coffee makers are SCADA, right?!

    [This was originally published on the OSVDB blog.] Steven Christey of CVE posted asking a question about VDBs and the inclusion of coffee makers. Yes, you read that correctly, vulnerabilities are being found in coffee makers that are network accessible. Don’t be surprised, we all knew the day was coming when every household appliance would…

  • Opera upgrade woes

    I use the Opera web browser for doing work on OSVDB. It started when I used 6.02 and it was a screaming fast browser and lasted for years. At some point the site became more feature-rich and the ancient version didn’t cut it. I bit the bullet and upgraded to Opera 9 which had…

  • Useless Compensation for Data Loss Incidents

    [This was written with Apacid and originally published on attrition.org.] If you have been the victim of a data loss incident, odds are you have received a letter from the careless organization that lost your information. These letters always offer apologies and sincere hope that your identity or personal information isn’t abused. The recent BNY Mellon incident (which…

  • Useless Compensation for Data Loss Incidents

    [This was originally published on attrition.org. It was written by Apacid and Jericho.] If you have been the victim of a data loss incident, odds are you have received a letter from the careless organization that lost your information. These letters always offer apologies and sincere hope that your identity or personal information isn’t abused. The…

  • Who’s to blame? The hazard of “0-day”.

    [This was originally published on the OSVDB blog.] This blog entry is probably worth many pages of ranting, examining and dissecting the anatomy of a 0-day panic and the resulting fallout. Since this tends to happen more often than some of us care to stomach, I’ll touch on the major points and be liberal in…