TippingPoint Digital Vaccine Laboratories

RealNetworks Vulnerability Remediation Improvements

RealNetworks will patch 27 issues tomorrow, December 10, 2010. Twenty of these are vulnerabilities reported by the ZDI. At the time ZDI announced the Vendor Disclosure Policy Changes RealNetworks held 20 outstanding cases. In just four months they have patched these outstanding 20 plus seven additional bugs. ZDI applauds RealNetworks for their dedication and sig ...

ZDI Payment Process Improvements

Time to talk money.

As we near the end of our 5th year of TippingPoint ZDI, it's a pleasure to report that we have made recent improvements to researcher payment time. In the past, payments took approximately two to three weeks to reach the researcher. With researchers in mind we've made some changes to streamline this process.

Ekoparty 2010 Wrap-Up

Ekoparty 2010 has come and gone and I think it's fair to say that a stellar time was had by all. Throw out the fact that the conference is highly technical and yet completely informal. Throw out the fact that the attendees are some of the coolest and friendliest geeks around. Throw out the fact that the conference organizers are the most generous hosts I've ever had the pleasure of spending a week with. The simple truth is that Buenos Aires, Argentina is a beautiful city rich in culture, cuisine and friendly faces. Everywhere I went, I was struck by the porteños' willingness to accommodate my piss-poor Spanish and help me enjoy their wonderful city. If you get the chance, I highly recommend you make the trip down to Buenos Aires and make some new friends. And hey, if you can do it during Ekoparty 2011, all the better!

Blackhatnomics ™

Whenever I present publicly and discuss the underground, I am without exception asked at some point about the realities of the economics that perpetuate its (the underground's) growth. Often I pause and consider where to begin. Do I start with a clever anecdote? Maybe a well-thought-out analogy? Should I cite statistics or estimations referenced by industry pundit ...

Elegant Worm: How Stuxnet Is Redefining The Game

Brilliance and elegance are powerful adjectives most often used to describe things of beauty: people, places, and things. Works of art, whether literary or visual, aural or editable, often bear these designations, but it is rare indeed when we see them used to describe malicious code and content. Prior to the discovery and release of information related to the Stuxnet worm, you may never have heard anyone outside of security rese ...

Top Cyber Security Risks 2010

Today, DVLabs released our Top Cyber Security Risks Threat Report for 2010. With help from the folks at SANS, Qualys and OSVDB we highlight the latest attack and vulnerability trends, as well as explore what these trends mean to the security administrator...

Security Advisory for NetWare 6.5 OpenSSH

This is a little information clarifying the exploitability of ZDI-10-169. Novell has classified this bug as a Denial of Service and will not be issuing a patch. Narrated by the Old Spice Guy.

ZDI Disclosure Policy Changes

As the 5th year anniversary of the TippingPoint ZDI program rolls around we have had a chance to reflect on the frequently changing vulnerability disclosure best practices utilized within our industry. From the days of no-disclosure, to full, to responsible, to coordinated, our policy has remained relatively the same. Throughout the lifetime of the ZDI we have maintained the same process of procurement and responsible disclosure to affected vendors. In doing so we have abided by these vendors' w ...

ZDI 2010 Milestone

This week the Zero Day Initiative has reached an impressive milestone of 125 advisories published thus far in 2010. This is impressive because 2009 saw a total of 101 advisories and we have surpassed that already, only halfway through the year. After 5 years the Zero Day Initiative has seen amazing growth both in terms of researcher participation and vulnerabilities acquired, and therefore vulnerability disclosure. That all being said, this isn't a numbers game for TippingPoint's ...

MOBOTS: WeatherFist Exposed

Last week, San Francisco was kind enough to play host to the annual RSA Security Conference. As you may remember from Jason Avery's last post, several TippingPointers were on hand for the festivities. My colleague Derek Brown and I were fortunate to be granted an engagement in the "Research Revealed" track. We presented our case study in mobile phone botnets entitled "MOBOTS: A Pocketful of Pwnage." Catchy, right? We both felt that the talk was a great success and, despite the modest yet respectable attendance, the audience seemed to enjoy our antics as much as we did. As is the norm for such things, our live demonstration ran long and we didn't get to parley with the audience for as long as we'd hoped. To that end, and for the benefit of those not fortunate enough to make it to The City by the Bay, we would like to expound on some of the specifics of the talk that have garnered much of the post-RSA interest.

RSA Conference 2010 Talks

Hey all! Jason here giving this year's RSA participants a heads-up on talks not to miss. This year, TippingPoint is presenting five talks and panels, with three sessions by members of the DVLabs team. If you're going to be at the show, be sure not to miss these talks.

Tuesday, March 02, 01:00 PM, Blue Room 103
Session Code: EXP-106
Session Title: The Seven Most Dangerous New Attack Techniques and What Is Coming Next
Session Abstract: Nation states an ...

Pwn2Own 2010

The TippingPoint Zero Day Initiative (ZDI) is proud to announce that the annual Pwn2Own contest is back again this year at the CanSecWest security conference, held in Vancouver, BC on March 24th, 2010. As the contest name implies, if you successfully exploit a target you get to keep it, along with a ZDI cash prize and related benefits. This is our 4th year running, and to commemorate it we have increased the total cash prize amount to $100,000 USD. If you're unfamiliar with the history of this competition, check out the archived 2008 and 2009 blog entries.