Vulnerability Discovery
Blog Posts
Using Alternate Data Streams in the Collection and Exfiltration of Data
In this blog post, we describe how attackers obscure their activity via alternate data streams (ADSs) and how to defend against malware attacks that employ ADSs.
By Dustin D. Updyke, Molly Jaconski
In Cybersecurity Engineering
Six Dimensions of Trust in Autonomous Systems
This post chronicles the adoption and growth of autonomous systems and provides six considerations for establishing trust.
By Paul Nielsen
In Software Engineering Research and Development
How Easy Is It to Make and Detect a Deepfake?
The technology underlying the creation and detection of deepfakes and assessment of current and future threat levels
By Catherine Bernaciak, Dominic A. Ross
In Artificial Intelligence Engineering
Security Automation Begins at the Source Code
Hi, this is Vijay Sarvepalli, Information Security Architect in the CERT Division. On what seemed like a normal day at our vulnerability coordination center, one of my colleagues asked me....
By Vijay S. Sarvepalli
In CERT/CC Vulnerabilities
VPN - A Gateway for Vulnerabilities
Virtual Private Networks (VPNs) are the backbone of today's businesses providing a wide range of entities from remote employees to business partners and...
By Vijay S. Sarvepalli
In CERT/CC Vulnerabilities
Update on the CERT Guide to Coordinated Vulnerability Disclosure
It's been two years since we originally published the CERT Guide to Coordinated Vulnerability Disclosure. In that time, it's influenced both the US Congress and EU Parliament....
By Allen D. Householder
In CERT/CC Vulnerabilities
The Dangers of VHD and VHDX Files
Recently, I gave a presentation at BSidesPGH 2019 called Death By Thumb Drive: File System Fuzzing with CERT BFF....
By Will Dormann
In CERT/CC Vulnerabilities
Announcing CERT Tapioca 2.0 for Network Traffic Analysis
A few years ago, I announced the release of CERT Tapioca for MITM Analysis. This virtual machine was created for the purpose of analyzing Android applications to find apps....
By Will Dormann
In CERT/CC Vulnerabilities
Automatically Stealing Password Hashes with Microsoft Outlook and OLE
Back in 2016, a coworker of mine was using CERT BFF, and he asked how he could turn a seemingly exploitable crash in Microsoft Office into a proof-of-concept exploit that …
By Will Dormann
In CERT/CC Vulnerabilities
The Curious Case of the Bouncy Castle BKS Passwords
While investigating BKS files, the path I went down led me to an interesting discovery: BKS-V1 files will accept any number of passwords to reveal information....