CVSS, CVE, CWE, and CAPEC are widespread and well-known security standards to rate the severity of vulnerabilities, uniquely identify vulnerabilities, describe common weaknesses in software, and categorize common attack patterns of bad guys.
In this article, we present the four standards and give brief guidance for daily usage.
UltraVNC is open-source software to remotely control other systems and visually share desktops. If you look at its track record, it looks great: only 7 security vulnerabilities in 13 years. However, this month, Kaspersky published not only one newly-found vulnerability in UltraVNC, not two, not five, but 22 security vulnerabilities (KLCERT-19-003 to KLCERT-19-024) that all have their own CVE identifiers. Most vulnerabilities come with a CVSS v3.0 base score of 10.0 out of 10.0, which means that it can’t be worse anymore.
The official website and forum of UltraVNC aren’t better: there is no HTTPS, there are no modern security features, there was a file containing secrets, and the CMS is obviously totally outdated. In this article, we show several vulnerabilities of uvnc.com to raise awareness about insecure websites.
Last November, LineageOS dropped support for more than 20 smartphones, leaving them vulnerable to future flaws in Android. Unfortunately, this also affected one of our 5 cell phones used for testing apps. We started to look for a replacement, and in January, we spotted the French /e/ Foundation that promises a privacy-enabled smartphone operating system.
In this article, we briefly look at the features offered by the /e/ Android ROM, and whether there is actual “better data privacy and data security for individuals and corporations” as promised by /e/.
In this part of the Web server security series, we present less technical but yet important parts of your web server: policies, and up-to-date security contact information.
In this part of the Web server security series, we discuss GDPR-friendly logging, and server monitoring. Both actions are essential to securely operate a web server. The whole idea can be extended to all server-side log files.