alerting, reminding, reminding, reminding and releasing vulnerabilities
DESCRIPTION
A presentation describing the problems within vulnerability disclosure
TRANSCRIPT
Page 1
Alerting, Reminding, Reminding, Reminding and Releasing Vulnerabilities
Thomas Mackenzie
Page 2
$ whois spiderlabs.tom
$ whois upsploit.tom
Page 3
Confidential / COPYRIGHT TRUSTWAVE 2011
Tom
• Web Application Security Consultant - SpiderLabs
• Founder and Creative Director – upSploit Ltd
• OWASP Chapter Leader / Board Member – Birmingham UK
• Podcasting / Greg Evans
Page 4
About SpiderLabs®
• Pentesting
• Incident Response
• Application Security
• Research & Development
• Security Conferences
• Global Security Report
Page 5
Agenda
• Vulnerability
• Researcher vs. Hacker
• Perfect Disclosure
• Real World Disclosure
• Third Parties
• Conclusion
Page 6
WARNING!!!!
Page 7
Vulnerabilities
Page 8
Vulnerabilities
› What is a vulnerability? According to Wikipedia (http://en.wikipedia.org/wiki/Vulnerability_(computing)):
› A system's susceptibility or weakness
› An attacker's access to the weakness
› An attacker's ability to exploit that weakness
Page 9
Vulnerabilities
› Adobe Coldfusion
– Weakness = Local File Inclusion
– Access = Unauthenticated Access
– Exploit = ../../../../../../etc/passwd%00en
Page 10
Vulnerabilities
› FCKEditor
– Weakness = Arbitrary File Upload
– Access = Unauthenticated Access
– Exploit = upload shell, command execution.
Page 11
Vulnerabilities
› What are the common denominators?
– A system's susceptibility or weakness
– An attacker's access to the weakness
– An attacker's ability to exploit that weakness
Page 12
Researcher vs. Hacker
Page 13
Researcher vs. Hacker
• Researcher does it for the greater good (most of the time…)
• Hackers use the information
Page 14
Researcher vs. Hacker
› Bug Bounties?
• Researchers work hard!
• Just need to remember!
Page 15
Researcher vs. Hacker
› One thing that a researcher does over a hacker?
› Alerting the vendor.
Page 16
The “Perfect” Disclosure
Page 17
The “Perfect” Disclosure
1. Researcher finds a vulnerability
2. Researcher alerts the vendor
3. Vendor responds
4. Researcher and Vendor work together on disclosure
5. Vendor fixes the vulnerability
6. Disclosure occurs and people worldwide now know how to fix the issue that was found
• The two biggest factors are the two parties, i.e. Researcher vs. Vendor
• If one gets angry with the other, or one doesn’t respond, the flow chart breaks
Page 18
Vendor vs. Researcher
Page 19
The Chess Game
http://www.flickr.com/photos/yourdon/3405809406/
Page 20
Real World Disclosure
Page 21
Real World Disclosure
› Why were you doing this?
• You are not one of our customers!
• Found the information on a pen test
• Vendor thought that this was us pen testing them without permission
• Threatened by lawyers and lawsuits for unauthorised access
• LACK OF UNDERSTANDING…
Page 22
Real World Disclosure
› Your timing is very suspicious.
• Company is going through a large change, i.e.
– Acquisition, large-scale attack and / or change in a key member of personnel
• Even once fixed, the vendor is not happy that the vulnerability is going to be disclosed: “why must you do this?”
– To alert people to the fact that they may be running vulnerable software / services.
• Lawyers and / or lawsuit.
• LACK OF UNDERSTANDING…
Page 23
Real World Disclosure
› This has been fixed in version X.
• Where is this version?
• Have to pay!
• The problem has not been made public, and therefore no one knows that they need to update.
• Having to pay for security updates is not right.
• LACK OF CARING…
Page 24
Real World Disclosure
› Where is the security contact?
• No public way to make the vendor aware
• Can end up guessing or searching for a long time
• Twitter accounts are too public
• Maybe NO WAY AT ALL to submit
• LACK OF RESOURCES…
Page 25
Real World Disclosure
› Time-frame
• How long before you disclose?
• At what point does full disclosure become right?
• Vendor or Researcher?
• Should time frames even be discussed?
• LACK OF COMMUNICATION…
Page 26
Real World Disclosure
› Others
• Language barriers
• Different time zones
• NO CONTACT
• Is the bug being exploited in the wild?
• etc.
Page 27
Third Parties
Page 28
Third Parties
› A number of companies exist:
• Vupen
• ZDI
• upSploit
• Secunia
• etc.
Page 29
Third Parties
› The aim:
• Speed up the process.
• Take away the stress and hassle from the researcher.
• Co-ordinate fair disclosure.
• Help to distribute to databases.
• General media attention.
Page 30
Third Parties
Page 31
Third Parties
Page 32
Third Parties
› Problems:
• Vendors don’t want more people involved.
• Researchers don’t want more people involved.
• Things can go smoothly and then someone wants to change something.
• Where is the vulnerability being stored?
Page 33
Conclusions
Page 34
Conclusion
› Problems:
• Vendor contacts
• Vendor understanding
• Vendor caring
• Researcher ethics
• Co-operation
Page 35
Conclusion
› How can this be tackled?
• Not a third party, but a portal / gateway which works to solve these problems.
• i.e. OSVDB have a large list of vendors and contacts, but…
• Combining?
Page 36
Conclusion
› Centralized repository for:
• Contact details
• Best practices
• Easy-to-read information and starter guides
• Contact details for third parties
• Maybe some kind of integration with them
Page 37
Questions?
@tmacuk / @upsploit / @spiderlabs
http://www.tmacuk.co.uk
https://www.upsploit.com
http://blog.spiderlabs.com