Tag: Vulnerability Disclosure
-
Efail: What A Disclosure FAIL That Was!
[This was originally published on RiskBasedSecurity.com.] Yesterday, news broke of a “critical” vulnerability in OpenPGP and S/MIME, named ‘Efail’, that could lead to an attacker gaining access to plaintext emails. News broke in the form of a dire warning from the Electronic Frontier Foundation warning people to “immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.”…
-
CryptoCurrency, Blockchain, & SCADA
[This was originally published on RiskBasedSecurity.com in the 2018 Q1 Vulnerability QuickView Report.]
CryptoCurrency and Blockchain: The Latest Rage
Blockchain technology, the foundation of CryptoCurrency such as Bitcoin, Ethereum, and countless others, is starting to dominate the news. With the wild ride of Bitcoin prices, where one coin was worth around $19,000 in December, 2017…
-
The Blurred or Not So Blurred Lines Of Vulnerability Research
[This was originally published on RiskBasedSecurity.com.] On April 18, 2018, vpnMentor disclosed a ‘critical’ vulnerability in LG NAS devices, which also received a bit of media attention. The blog leads with “Here at vpnMentor, we are concerned about your security and privacy.” However, that didn’t seem to apply to a specific system in South Korea. In their…
-
Researchers Find One Million Vulnerabilities?!
[This was originally published on RiskBasedSecurity.com.] No researcher has yet claimed to find one million vulnerabilities, but we are sure to see that headline in the future. Every so often we see news articles touting a security researcher who found an incredible number of vulnerabilities in one product or vendor. Given that most disclosures involve…
-
Let’s X-ray SCMagazine…
[This was originally published on the OSVDB blog.] Hopefully a really quick blog, but a section of a news article titled “Hackers are having a field day with stolen credentials” by Amol Sarwate, Qualys’ Director of Vulnerability Labs, published in SC Magazine caught my attention. The section:
Let’s X-ray the attack methods
Typically, hackers “fingerprint”…
-
NTIA, Bug Bounty Programs, and Good Intentions
[This was originally published on the OSVDB blog.] [Note: This blog had been sitting as a 99% completed draft since early September. I lost track of time and forgot to finish it off then. Since this is still a relevant topic, I am publishing now despite it not being quite as timely in the context…
-
Yes, Font Files can Own Your Computer! For Over a Decade…
[This was originally published on RiskBasedSecurity.com.] On February 5, the Cisco Talos research team published an advisory covering several vulnerabilities in the Graphite (a.k.a. libgraphite) project. According to the vendor page, it “is a ‘smart font’ system developed specifically to handle the complexities of lesser-known languages of the world.” This prompted the media and some in our industry to comment…
-
Mozilla and Transparency
[Back in 2015, Mozilla promised transparency but was anything but regarding some products and vulnerabilities. I had contacted Slackware trying to determine if they were impacted and found out their hands were tied, due to Mozilla. I am posting my raw notes as-is, just so they are public and can be referenced.]
https://blog.mozilla.org/security/2015/09/04/improving-security-for-bugzilla/
Openness, transparency, and…
-
Vendors sure like to wave the “coordination” flag… (revisiting the ‘perfect storm’)
[This was originally published on the OSVDB blog.] I’ve written about coordinated disclosure and the debate around it many times in the past. I like to think that I do so in a way that is above and beyond the usual old debate. This is another blog dedicated to an aspect of “coordinated” disclosure that…
-
An Analysis of Google’s Project Zero and Alleged Vendor Bias
[This was originally published on RiskBasedSecurity.com.] Google announced a new initiative called Project Zero. The basic premise of the project was that Google invests heavily in their own security and had for quite some time also been tasking their researchers with part-time work on improving the security of other high-profile products. Project Zero is Google’s…