Tag: Vulnerabilities

In computer security, a vulnerability is a weakness that allows an attacker to reduce a system's information assurance. A vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this framing, the set of vulnerabilities is also known as the attack surface.

Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.

A security risk may be classified as a vulnerability, but using "vulnerability" with the same meaning as "risk" can lead to confusion. Risk is tied to the potential for a significant loss, so there can be vulnerabilities without risk: for example, when the affected asset has no value. A vulnerability with one or more known instances of working, fully implemented attacks is classified as an exploitable vulnerability, that is, a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software to when access was removed, a security fix was made available or deployed, or the attacker was disabled (see zero-day attack).

A security bug (security defect) is a narrower concept: not every vulnerability is related to software. Hardware, site, and personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.

Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities.

WikiLeaks Reveals CIA Tool ‘Scribbles’ For Document Tracking

The CIA is planting web beacons inside Microsoft Word documents to track whistleblowers, journalists and informants, according to WikiLeaks.

Threatpost News Wrap, April 28, 2017

Mike Mimoso and Chris Brook recap this year's SOURCE Boston Conference and discuss the week in news, including the long-term implications of the NSA's DoublePulsar exploit and the HipChat breach.

Ransomware, Cyberespionage Dominate Verizon DBIR

Verizon's Data Breach Investigations Report for 2017 shows big growth in the reported number of ransomware attacks and incidents involving cyberespionage.

Lack of Communication Achilles’ Heel for Ransomware Fighters

A member of law enforcement acknowledged at SOURCE Boston that the lack of communication around ransomware remains a serious problem.

Chrome to Mark More HTTP Pages ‘Not Secure’

Starting with Chrome 62, Google will start marking any HTTP page where users may enter data, and any HTTP page visited in incognito mode

The Time Has Arrived to Embrace Hackers

Source Boston keynoter Keren Elazari sounded a call to action for industry to extend an acceptance of hackers.

Attack Method Highlights Weaknesses in Microsoft CFG

As Microsoft hardens its defenses with tools such as Control Flow Guard, researchers at Endgame are preparing for the reality of Counterfeit Object-Oriented Programming attacks to move from theoretical to real.

Air Force Hopes To Attract Hackers With Bug Bounty Program

The Hack the Air Force bug bounty program invites white hats from inside and outside the U.S. to hack its websites.

Lack of Security Talent Afflicts Healthcare

At Source Boston, Josh Corman of the Atlantic Council said that healthcare is suffering from a lack of security talent, devices rife with vulnerabilities, and government incentivizing bad behavior.

Auto Lender Exposes Loan Data For Up To 1 Million Applicants

A trove of consumer auto loan data—some 1 million records—has been locked down after a researcher found an exposed and accessible database online.

Atlassian Resets HipChat Passwords Following Breach

Atlassian reset user passwords for its group chat service HipChat on Monday following an incident that may have resulted in unauthorized access to a server used by the service.

xDedic Market Spilling Over With School Servers, PCs

Nearly two-thirds of the servers and PCs peddled on the xDedic underground marketplace belong to schools and universities based in the United States.