Crowdfense launches Vulnerability Research Hub for top security researchers

Crowdfense officially launched the Vulnerability Research Hub out of beta. After being internally developed and fine-tuned for several months, Crowdfense opened their process-oriented platform to a wider audience of researchers and brokers interested in trading 0day cyber capabilities, which can be both within the scope of Crowdfense public Bug Bounty Program or freely proposed (for a specific set of key targets). “This is our next step in standardizing and supporting the development of what has … More

Incorporating sensitive asset data into your vulnerability and compliance program

In this podcast recorded at Black Hat USA 2018, Tim White, Director of Product Management, Policy Compliance at Qualys, talks about the importance of incorporating inaccessible or sensitive asset data into your overall vulnerability and compliance program. Here’s a transcript of the podcast for your convenience. Hello, my name is Tim White. I’m director of product management for compliance at Qualys, and today I’m going to talk to you a little bit about the importance … More

Critical vulnerability in Oracle Database, patch without delay!

Oracle is urging users to patch their Oracle Database installations to plug a critical security issue that can result in complete compromise of the Oracle Database and shell access to the underlying server. About the vulnerability (CVE-2018-3110) The vulnerability (CVE-2018-3110) affects Oracle Database versions and on Windows and is apparently easy to exploit, but can only be exploited remotely by an authenticated attacker. The vulnerability is in the Java Virtual Machine component of … More

Kryptowire introduces the mobile phone firmware vulnerability feed

Kryptowire discovered vulnerabilities in mobile device firmware and pre-installed mobile apps that pose a risk for the mobile phone supply chain because they can expose consumer and enterprise data on purchase. This means that the vulnerabilities are present, and the user is exposed to attacks even before she performs any activity such as using wireless communications or installing third-party apps. Firmware exploits bypass all existing defenses including commercial Mobile Threat Detection (MTD), or mobile anti-virus, … More

WhiteSource unveils free open source Vulnerability Checker

WhiteSource announced the release of its Vulnerability Checker, a free tool that provides companies with immediate, real-time alerts on the 50 most critical open source vulnerabilities published in the open source community. The new standalone CLI tool is free to use and available for anyone to download as a desktop application directly from the WhiteSource website. Once downloaded, the Vulnerability Checker offers users the opportunity to import and scan any library and run a quick … More

Bluetooth vulnerability allows snooping of traffic between paired devices

Researchers Eli Biham and Lior Neumann have discovered a vulnerability in two Bluetooth features that could be exploited by attackers to gain a man-in-the-middle position and to monitor and fiddle with the traffic between two devices connected via that wireless technology. “Both Bluetooth low energy (LE) implementations of Secure Connections Pairing in operating system software and BR/EDR implementations of Secure Simple Pairing in device firmware may be affected,” the Carnegie-Mellon CERT notes. The vulnerability (CVE-2018-5383) … More

Vulnerability research and responsible disclosure: Advice from an industry veteran

“Everything changes once you have to supervise and mentor and schedule and coordinate and keep in mind all the things others don’t. You often have to hold back your own wish to research a certain thing yourself or crack things open, because people rely on you to take a second look on their work. You kind of become the invisible ‘I’ in ‘Team’,” says Johannes Greil, Head of the SEC Consult Vulnerability Lab. Any member … More

Tripwire’s IP360 vulnerability management solution features agent-based scanning

Tripwire announced that agent-based vulnerability scanning is available in the latest version of Tripwire IP360. With the addition of agent-based capabilities, Tripwire IP360 9.0 provides a view of vulnerability risks across hybrid environments, including on-premise, in the cloud and in container-based environments. Leveraging agents for vulnerability management provides visibility into areas where traditional network scanning is not practical – such as environments with intermittently connected devices, dynamic IP addresses and cloud images – and bypasses … More

How to improve software vulnerability disclosure in Europe

As software gets embedded in more and more things we use every day, the problem of software vulnerability reporting and patching rises in importance. Unfortunately, only a few European countries have put vulnerability disclosure processes in place. CEPS, a ​think tank and ​forum for debate on EU affairs, has delved in the problematics, listened to industry experts, academics, representatives of EU and international institutions and civil society, and has come up with recommendations on how … More

Vulnerability landscape evolution for common desktop applications

Flexera released Vulnerability Review 2018: Top Desktop Apps, part of the annual report series from Secunia Research. This new edition focuses on heavily used desktop applications, which can be easily breached through the Internet. “Companies are in desperate need to improve patching so they can reduce risk. Ultimately that means creating a smart process,” said Kasper Lindgaard, Senior Director of Research and Security at Flexera. “To do that you have to cut through the noise … More