Tag: Vulnerabilities
-
Commentary on Radware’s Top Web Exploits of 2020

At the close of each year we see at least one article covering the top vulnerabilities / exploits from the prior year. This is usually written on the back of having large detection networks across the Internet that get a comprehensive view of exploitation. It’s a great way to get real intelligence for criminal hacking…
-
Why EVM Security Hasn’t Changed For More Than 15 Years

[This was originally published on RiskBasedSecurity.com in the 2020 Q3 Vulnerability Quickview Report. It was authored with Curtis Kang.] In our 2019 Year End Vulnerability QuickView Report, we presented a detailed history of public Electronic Voting Machine (EVM) vulnerabilities. We’ve seen little change to the overall EVM security picture since then. With the Presidential elections…
-
Electronic Voting Machines; That Old Redux…

[This was originally published on RiskBasedSecurity.com in the 2019 End-of-year Vulnerability Report.] Integrity is one of the cornerstones to both the concept and the practice of Information Security. We want to make sure that the integrity of the systems we use remains intact. It doesn’t matter if it is your smart watch, smart IoT device,…
-
Microsoft, CVE, MITRE, ETERNALBLUE, Headache…

2019-02-14 Update: Thanks to Chris Mills @ MSRC (@TheChrisAM), who has been working behind the scenes since this blog was published and has brought clarity to these assignments! MSRC is still potentially touching up some additional documentation to make it easier to see these associations, but here is the definitive answer from him: CVE-2017-0143 ShadowBrokers…
-
New libssh Vulnerability – No Logo But Plenty Of Attention

[This was originally published on RiskBasedSecurity.com.] Earlier this week, Andreas Schneider announced the release of a new version of libssh, covering “an important security” that addressed “an authentication bypass vulnerability in the server code”. Pretty quickly we saw several news articles published that covered this issue, as well as third-party blogs that added commentary on the technical side of the vulnerability. Since we were following…
-
RIP CERT.org – You Will Be Missed

[This was originally published on RiskBasedSecurity.com.] On February 22, Will Dormann tweeted that the main CERT Coordination Center (CERT/CC) website (www.cert.org) had been shuttered. Upon checking ourselves we found the website now redirecting to the Software Engineering Institute at Carnegie Mellon, the parent group of CERT. As a 14-year veteran at CERT/CC, Dormann understandably had some feelings about the…
-
Researchers Find One Million Vulnerabilities?!

[This was originally published on RiskBasedSecurity.com.] No researcher has yet claimed to find one million vulnerabilities, but we are sure to see that headline in the future. Every so often we see news articles touting a security researcher who found an incredible number of vulnerabilities in one product or vendor. Given that most disclosures involve…
-
Analysis Of The RANDom Report on Zero-days and Vulnerability Rediscovery

[This was originally published on RiskBasedSecurity.com.] On March 9, 2017, RAND released a report (PDF) titled “Zero Days, Thousands of Nights; The Life and Times of Zero-Day Vulnerabilities and Their Exploits” by Lillian Ablon and Andy Bogart that received a fair amount of press. The RAND press release goes on to describe it as “the first publicly available research to…
-
The Steady Rise of Bounty Programs, and the Counterpart

[This was originally published on RiskBasedSecurity.com.] Companies that seven years ago said they would not pay for vulnerability information have been steadily expanding their programs to pay for more and more of it, and recently made Edge bounties permanent. Service-oriented companies like Uber, that rely on a significant amount of user interaction and transactions via mobile apps, also utilize…
-
Electronic Voting; an Old but Looming Threat

[This was originally published on RiskBasedSecurity.com.] As everyone on the planet knows, U.S. politics are in full swing with primaries almost every week and an upcoming presidential election in November of this year. At Risk Based Security we find it curious that one of the most dangerous topics seems to evade the 24-hour a day…