Tag: Vulnerabilities

  • Analysis Of The RANDom Report on Zero-days and Vulnerability Rediscovery

    [This was originally published on RiskBasedSecurity.com.] On March 9, 2017, RAND released a report (PDF) titled “Zero Days, Thousands of Nights; The Life and Times of Zero-Day Vulnerabilities and Their Exploits” by Lillian Ablon and Andy Bogart that received a fair amount of press. The RAND press release goes on to describe it as “the first publicly available research to…

  • The Steady Rise of Bounty Programs, and the Counterpart

    [This was originally published on RiskBasedSecurity.com.] Companies that seven years ago said they would not pay for vulnerability information have been steadily expanding their programs to pay for more and more vulnerability information, and recently made Edge bounties permanent. Service-oriented companies like Uber, that rely on a significant amount of user interaction and transactions via mobile apps, also utilize…

  • Electronic Voting; an Old but Looming Threat

    [This was originally published on RiskBasedSecurity.com.] As everyone on the planet knows, U.S. politics are in full swing with primaries almost every week and an upcoming presidential election in November of this year. At Risk Based Security we find it curious that one of the most dangerous topics seems to evade the 24-hour-a-day…

  • 112 Years of Vulnerabilities: How did we get here, knowing what we know?

    I gave a presentation on computer vulnerability history at BSides Delaware in November, 2013. Shortly after, I gave the presentation a couple times at Westchester Community College and the University of Pennsylvania, along with a brief version for the Invisible Harms conference at UPenn. The linked version is the revised copy after my initial run at BSidesDE. The talk gives a…

  • The Lesser of Two Weevs

    Yesterday, Andrew Auernheimer (aka Weev) was sentenced for his 2012-08-16 indictment on one count of “fraud and related activity in connection with computers” (18 U.S.C. § 1030) and one count of “conspiracy to commit offense or to defraud” (18 U.S.C. § 371). This was the result of Auernheimer’s activities in 2010, where he manipulated a…

  • Rebuttal: Worst Anecdote …EVER.

    [This was originally published on attrition.org. This is a rebuttal piece to Worst April Fools’ Joke …EVER. (2010-04-01) by @wh1t3rabbit (Rafal Los).] To kick off this month of colossal “whoops-es” I thought I would tell you guys a story from way, way back when the web was young, and “developers” used notepad to write “web sites”. It was…

  • Rebuttal: Put Up or Shut Up Rafal

    [This was originally published on attrition.org. This is a rebuttal piece to Small Office, Big [Software/eHealth] Problems (2010-11-18) by @wh1t3rabbit (Rafal Los).] I’m not saying that open source sofware [sic] has more issues than commercial, closed-source code …but I don’t think I’ll find anyone to argue against that it’s more difficult to find corporate-level accountability with open-source software…

  • Rebuttal: phpMyAdmin XSS – A Quick Commentary

    [This was originally published on attrition.org. This is a rebuttal piece to phpMyAdmin XSS – A Quick Commentary (2010-08-30) by @wh1t3rabbit (Rafal Los).] Wake up phpMyAdmin users – if you haven’t updated to the latest version yet… what are you waiting for? Haven’t you seen the advisory the YEHG released? Advisory, complete with some interesting screen shots here.…

  • Rebuttal: eBay’s Sub-Domains Vulnerable to XSS …again

    [This was originally published on attrition.org. This is a rebuttal piece to eBay’s Sub-Domains Vulnerable to XSS …again (2010-08-27) by @wh1t3rabbit (Rafal Los).] Sometimes, old attack vectors re-appear in places we wouldn’t expect as security professionals. The re-emergence of XSS (Cross-Site Scripting) on eBay’s domains isn’t something you’d expect to see from a company that works so hard…

  • Who Discovered the Most Vulns?

    [This was originally published on the OSVDB blog.] This is a question OSVDB moderators, CVE staff and countless other VDB maintainers have asked. Today, Gunter Ollmann with IBM X-Force released his research trying to answer this question. Before you read on, I think this research is excellent. The relatively few criticisms I bring up are…