Alerting, Reminding, Reminding, Reminding And Releasing Vulnerabilities

Alerting, Reminding, Reminding, Reminding and Releasing Vulnerabilities Thomas Mackenzie

description

A presentation describing the problems within vulnerability disclosure

Transcript of Alerting, Reminding, Reminding, Reminding And Releasing Vulnerabilities

Page 1: Alerting, Reminding, Reminding, Reminding And Releasing Vulnerabilities

Alerting, Reminding, Reminding, Reminding and Releasing Vulnerabilities

Thomas Mackenzie

Page 2

$ whois spiderlabs.tom

$ whois upsploit.tom

Page 3

Confidential, COPYRIGHT TRUSTWAVE 2011

Tom

• Web Application Security Consultant - SpiderLabs

• Founder and Creative Director – upSploit Ltd

• OWASP Chapter Leader / Board Member – Birmingham UK

• Podcasting / Greg Evans

Page 4

About SpiderLabs ®

• Pentesting

• Incident Response

• Application Security

• Research & Development

• Security Conferences

• Global Security Report

Page 5

Agenda

• Vulnerability

• Researcher vs. Hacker

• Perfect Disclosure

• Real World Disclosure

• Third Parties

• Conclusion

Page 6

WARNING!!!!

Page 7

Vulnerabilities

Page 8

Vulnerabilities

› What is a vulnerability? According to Wikipedia (http://en.wikipedia.org/wiki/Vulnerability_(computing)), the intersection of three elements:

› A system's susceptibility or weakness

› The attacker's access to the weakness

› The attacker's ability to exploit that weakness

Page 9

Vulnerabilities

› Adobe ColdFusion

– Weakness = Local File Inclusion

– Access = Unauthenticated Access

– Exploit = ../../../../../../etc/passwd%00en
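As an added example (not code from the talk, nor Adobe's), the following Python models the bug class behind the ColdFusion item above: a locale parameter is URL-decoded, joined onto a base directory and given a fixed suffix, so `../` climbs out of the directory and `%00` becomes a NUL byte that discards everything after it, including the appended suffix, once the string reaches a NUL-terminated C file API. The base directory, the `.xml` suffix and the allowlisted locale shape are assumptions made for the example. The hardened version decodes, rejects NUL, allowlists the shape of the value and then confines the final path to the base directory as defence in depth.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical directory the application reads locale files from (assumption for this example)
BASE_DIR = "/var/app/locales"


def vulnerable_locale_path(user_locale: str) -> str:
    """The bug class on the slide: URL-decode, concatenate, append a fixed suffix.

    Nothing stops '../' climbing out of BASE_DIR, and a NUL byte in the input
    cuts the appended suffix off once the string reaches a C-style file API.
    """
    return BASE_DIR + "/" + unquote(user_locale) + ".xml"


def as_seen_by_c_runtime(path: str) -> str:
    """Model of what a C open() receives: a NUL-terminated string ends at the first NUL."""
    return path.split("\x00", 1)[0]


def what_gets_opened(user_locale: str) -> str:
    """Path the OS actually resolves for the vulnerable code, after NUL truncation."""
    return posixpath.normpath(as_seen_by_c_runtime(vulnerable_locale_path(user_locale)))


# Allowlist: 'en' or 'en_GB'; nothing else is a locale name (assumed format)
LOCALE_RE = re.compile(r"[a-z]{2}(?:_[A-Z]{2})?")


def safe_locale_path(user_locale: str) -> str:
    """Hardened version: decode, reject NUL, allowlist the shape, then confine to BASE_DIR."""
    decoded = unquote(user_locale)
    if "\x00" in decoded:
        raise ValueError("NUL byte in locale parameter")
    if not LOCALE_RE.fullmatch(decoded):
        raise ValueError("locale must look like 'xx' or 'xx_YY'")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded + ".xml"))
    # Defence in depth: even if the allowlist is loosened later, the result must stay under BASE_DIR
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError("path escapes the locale directory")
    return candidate


def is_rejected(user_locale: str) -> bool:
    """True if safe_locale_path() refuses the input."""
    try:
        safe_locale_path(user_locale)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "../../../../../../etc/passwd%00en"  # the exploit string from the slide
    print("application builds:", repr(vulnerable_locale_path(payload)))
    print("OS actually opens: ", what_gets_opened(payload))
    print("hardened rejects:  ", is_rejected(payload))
    print("hardened accepts:  ", safe_locale_path("en_GB"))
```

The allowlist alone would stop this payload; the `commonpath` check is there so that a later, looser allowlist (say, one that starts admitting `/`) still cannot reach `/etc/passwd`.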

Page 10

Vulnerabilities

› FCKEditor

– Weakness = Arbitrary File Upload

– Access = Unauthenticated Access

– Exploit = upload a web shell, then execute commands.
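As an added example (not FCKEditor's code), the following Python puts the upload-handler bug class from the slide beside a hardened form. The vulnerable handler trusts the client's declared Content-Type and stores the file under the client-supplied name, so a body of PHP declared as `image/png` and named `shell.php` lands in the web root ready to run. The hardened handler ignores the declared type, strips directory components, allowlists the final extension, checks the file's magic bytes and chooses the stored name itself. The accepted types, magic bytes and sample file bodies are constructed for this example.

```python
import ntpath
import secrets

# Magic bytes for the only file types this hypothetical upload handler accepts
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Constructed sample bodies: a PNG signature plus filler, and a trivial PHP file
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PHP = b"<?php echo 'shell'; ?>"


def vulnerable_accept(filename: str, declared_type: str, data: bytes):
    """The bug class on the slide: trusts the client's Content-Type and filename.

    Returns the name the file would be stored under, or None if refused.
    """
    if not declared_type.startswith("image/"):
        return None
    return filename  # stored exactly where and as what the attacker asked


def hardened_accept(filename: str, declared_type: str, data: bytes):
    """Hardened version. declared_type is deliberately ignored: the client controls it."""
    base = ntpath.basename(filename)       # strips both '/' and '\' directory components
    base = base.split("\x00", 1)[0]        # 'shell.php\x00.png' -> 'shell.php'
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()   # only the last extension is consulted; the name is discarded below
    magic = ALLOWED_TYPES.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    # Server-chosen random name built from the allowlisted extension only, so
    # double extensions in the original name ('shell.php.png') never survive
    return f"{secrets.token_hex(16)}.{ext}"


def is_server_chosen_name(stored: str, ext: str) -> bool:
    """True if 'stored' is 32 hex characters followed by '.' + ext."""
    stem, _, got_ext = stored.rpartition(".")
    return got_ext == ext and len(stem) == 32 and all(c in "0123456789abcdef" for c in stem)


if __name__ == "__main__":
    print("vulnerable stores:", vulnerable_accept("../shell.php", "image/png", SAMPLE_PHP))
    print("hardened stores:  ", hardened_accept("../shell.php", "image/png", SAMPLE_PHP))
    print("hardened stores:  ", hardened_accept("pic.png", "image/png", SAMPLE_PNG))
```

Magic-byte checks only prove the file starts like an image; the random name and the allowlisted extension are what keep the web server from ever treating the stored file as a script.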

Page 11

Vulnerabilities

› What are the common denominators?

– A system's susceptibility or weakness

– The attacker's access to the weakness

– The attacker's ability to exploit that weakness

Page 12

Researcher vs. Hacker

Page 13

Researcher vs. Hacker

• Researcher does it for the greater good (most of the time…)

• Hackers use the information

Image: digitalart / FreeDigitalPhotos.net

Page 14

Researcher vs. Hacker

› Bug Bounties?

• Researchers work hard!

• Just need to remember!

Image: digitalart / FreeDigitalPhotos.net

Page 15

One thing a researcher does that a hacker doesn't?

› Alerting the vendor.

Researcher vs. Hacker

Page 16

The “Perfect” Disclosure

Page 17

The “Perfect” Disclosure

The flow chart, in order:

• Researcher finds a vulnerability

• Researcher alerts the vendor

• Vendor responds

• Vendor fixes the vulnerability

• Researcher and vendor work together on disclosure

• Disclosure occurs and people worldwide now know how to fix the issue that was found

• The two biggest factors are the two parties, i.e. Researcher vs. Vendor

• If one gets angry with the other, or one doesn't respond, the flow chart breaks

Page 18

Vendor vs. Researcher

Page 19

The Chess Game

http://www.flickr.com/photos/yourdon/3405809406/

Page 20

Real World Disclosure

Page 21

Real World Disclosure

› "Why were you doing this?"

• "You are not one of our customers!"

• Found the information on a pen test

• Vendor thought that this was us pen testing them without permission

• Threats from lawyers, and of lawsuits for unauthorised access

• LACK OF UNDERSTANDING…

Page 22

› "Your timing is very suspicious."

• Company is going through a large change, i.e.

– Acquisition, large-scale attack and / or change in a key member of personnel

• Even once fixed, not happy that the vulnerability is going to be disclosed: "why must you do this?"

– To alert people to the fact that they may be running vulnerable software / services.

• Lawyers and / or lawsuit.

• LACK OF UNDERSTANDING…

Real World Disclosure

Page 23

› "This has been fixed in version X."

• Where is this version?

• Have to pay!

• The problem has not been made public, so no one knows that they need to update.

• Having to pay for security updates is not right.

• LACK OF CARING…

Real World Disclosure

Page 24

› Where is the security contact?

• No public way to make the vendor aware

• Can end up guessing or searching for a long time

• Twitter accounts are too public

• Maybe NO WAY AT ALL to submit

• LACK OF RESOURCES…

Real World Disclosure
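The slide above describes the search for a security contact as guesswork. One check a reporter can make today, which postdates this 2011 talk, is the vendor's `/.well-known/security.txt` file (RFC 9116): it must carry at least one `Contact` URI and exactly one `Expires` timestamp, and web contacts must use `https`. The following Python is an added example, not code from the talk or from any vendor; the file contents, hostname and addresses are constructed for it. It parses the file, applies those rules and returns the contacts to try in the order the vendor listed them.

```python
from datetime import datetime, timezone

# Constructed example of a /.well-known/security.txt file (RFC 9116).
# The hostname and addresses are invented for this example.
SAMPLE_SECURITY_TXT = """\
# Vulnerability reporting contact for example-vendor.invalid
Contact: mailto:security@example-vendor.invalid
Contact: https://example-vendor.invalid/security/report
Expires: 2026-12-31T23:59:00Z
Policy: https://example-vendor.invalid/security/disclosure-policy
Preferred-Languages: en, de
"""


def parse_security_txt(text: str) -> dict:
    """Return {field name lower-cased: [values in file order]}; '#' lines are comments."""
    fields: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a 'Name: value' line; ignore it
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _as_utc(value) -> datetime:
    """Accept a datetime or an ISO 8601 string (with 'Z' allowed) and return an aware UTC datetime."""
    dt = value if isinstance(value, datetime) else datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_security_txt(text: str, now) -> list:
    """Apply the RFC 9116 rules a reporter cares about; an empty list means the file is usable."""
    fields = parse_security_txt(text)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field")
    for c in contacts:
        # RFC 9116: Contact is a URI, and a web URI must use https
        if not c.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact is not an acceptable URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    elif _as_utc(expires[0]) <= _as_utc(now):
        problems.append("file has expired; the contacts may no longer be valid")
    return problems


def reporting_addresses(text: str) -> list:
    """Contacts to try, in the vendor's stated order of preference."""
    return parse_security_txt(text).get("contact", [])


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("problems:", check_security_txt(SAMPLE_SECURITY_TXT, now))
    print("contact: ", reporting_addresses(SAMPLE_SECURITY_TXT))
```

An expired file is treated as a problem rather than ignored: the whole point of `Expires` is to stop reporters sending details to a mailbox nobody reads any more, which is the "no contact" failure the talk describes.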

Page 25

› Time-frame

• How long before you disclose?

• At what point does full disclosure become right?

• Who decides: vendor or researcher?

• Should time frames even be discussed?

• LACK OF COMMUNICATION…

Real World Disclosure

Page 26

› Others

• Language Barriers

• Different Time Zones

• NO CONTACT

• Is the bug being exploited in the wild?

• etc.

Real World Disclosure

Page 27

Third Parties

Page 28

› A number of companies exist:

• Vupen

• ZDI

• upSploit

• Secunia

• etc

Third Parties

Page 29

› The aim:

• Speed up the process.

• Take away the stress and hassle from the researcher.

• Co-ordinate fair disclosure.

• Help to distribute the advisory to vulnerability databases.

• General media attention.

Third Parties

Page 30

Third Parties

Page 31

Third Parties

Page 32

› Problems:

• Vendors don’t want more people involved.

• Researchers don’t want more people involved.

• Things can go smoothly and then someone wants to change something.

• Where is the vulnerability being stored?

Third Parties

Page 33

Conclusions

Page 34

› Problems:

• Vendor contacts

• Vendor understanding

• Vendor caring

• Researcher ethics

• Co-operation

Conclusion

Page 35

› How can this be tackled?

• Not another third party, but a portal / gateway that works to solve these problems.

• e.g. OSVDB has a large list of vendors and contacts, but…

• Combining?

Conclusion

Page 36

› Centralized repository for:

• Contact details

• Best practices

• Easy to read information and starter guides

• Contact details for third parties

• Maybe some kind of integrations with them

Conclusion

Page 37

Questions?

[email protected]@[email protected]

@tmacuk / @upsploit / @spiderlabs

http://www.tmacuk.co.uk

https://www.upsploit.com

http://blog.spiderlabs.com