Security Basics mailing list archives

RE: Vulnerability Data


From: "Mikhail A. Utin" <mutin () commonwealthcare org>
Date: Mon, 14 Feb 2011 09:33:15 -0500

This is a very interesting discussion. The main problem (and I once published an article briefly describing such a 
problem) I see is the classification of attacks and exposures. Even the same virus could cause different damage depending 
on the organization's internal environment. Thus we need to collect not only info about a fact, the attack variant, but about 
the security/insecurity environment.
So far, AFAIC there is no such public database. Private ones, which are sold together with so-called "Risk Management" 
software, are a black cat in a dark room.
Regards

Mikhail A. Utin, CISSP
Information Security Analyst
Commonwealth Care Alliance
30 Winter St.
Boston, MA 
TEL: (617) 426-0600 x.288
FAX: (617) 249-2114
http://www.commonwealthcare.org
mutin () commonwealthcare org

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of lonervamp () gmail com
Sent: Friday, February 11, 2011 2:52 PM
To: security-basics () securityfocus com
Subject: Re: Vulnerability Data

Great question!

There is Zone-H.org (http://www.zone-h.org) which usually focuses on web defacements. Likewise the Vulnerable Sites 
Database (http://www.vs-db.info).

There is the datalossdb.org (http://datalossdb.org) which tends to focus on # of records lost and by whom, via public 
records, but does also track the general breach types. I'm sure this gets interesting once an attack uses more than 1 
weakness and it sometimes doesn't satisfy the questions that security persons have about specific incidents.

There is the sanitized annual Verizon DBIR paper 
(http://securityblog.verizonbusiness.com/2010/07/28/2010-dbir-released/) which contains stats on distilled incident 
details.

But I'm not sure there is something specifically that will document, on an ongoing basis, various attacks mapped to 
discussions on how those attacks were performed/successful. Maybe not always in painful, recreation-type details, but 
enough to make it clear where the biggest problems lie (SQLi, lack of laptop disk encryption, social eng, weak 
passwords, LOIC/DDoS...) and that will include such hits as  Gawker, HBGary Federal, Mozilla and Apple/AT&T last 
year...  Some attacks are interesting while others border on the inane (guessed security questions).

