Alerting, Reminding, Reminding, Reminding And Releasing Vulnerabilities

Posted on 26-May-2015


DESCRIPTION

A presentation describing the problems within vulnerability disclosure

Transcript

Alerting, Reminding, Reminding, Reminding and Releasing Vulnerabilities

Thomas Mackenzie

$ whois spiderlabs.tom

$ whois upsploit.tom

Confidential COPYRIGHT TRUSTWAVE 2011

Tom

• Web Application Security Consultant - SpiderLabs

• Founder and Creative Director – upSploit Ltd

• OWASP Chapter Leader / Board Member – Birmingham UK

• Podcasting / Greg Evans


About SpiderLabs ®

• Pentesting

• Incident Response

• Application Security

• Research & Development

• Security Conferences

• Global Security Report


Agenda

• Vulnerability

• Researcher vs. Hacker

• Perfect Disclosure

• Real World Disclosure

• Third Parties

• Conclusion


WARNING!!!!


Vulnerabilities


Vulnerabilities

› What is a vulnerability? – according to Wikipedia - http://en.wikipedia.org/wiki/Vulnerability_(computing)

› A system's susceptibility or weakness

› An attacker's access to the weakness

› An attacker's ability to exploit that weakness


Vulnerabilities

› Adobe Coldfusion

– Weakness = Local File Inclusion

– Access = Unauthenticated Access

– Exploit = ../../../../../../etc/passwd%00en


Vulnerabilities

› FCKEditor

– Weakness = Arbitrary File Upload

– Access = Unauthenticated Access

– Exploit = upload shell, command execution.


Vulnerabilities

› What are the common denominators?

– A system's susceptibility or weakness

– An attacker's access to the weakness

– An attacker's ability to exploit that weakness

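The ColdFusion example above pairs a weakness (local file inclusion) with unauthenticated access and a traversal string that uses a null byte to cut off the expected suffix. From the defender's side, the same three ingredients are what a log review looks for. The following is an added example, not code from the deck or from Trustwave: it scans constructed access-log lines (the `/app/page.cfm?lang=` endpoint is made up) for the traversal pattern the slides quote, decoding percent-encoding repeatedly so a double-encoded variant is caught too.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original deck). Line 1
# carries the traversal string quoted on the slides; line 3 is the same idea
# double-encoded; lines 2 and 4 are benign. Paths and parameters are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [26/May/2015:10:00:01 +0000] "GET /app/page.cfm?lang=../../../../../../etc/passwd%00en HTTP/1.1" 200 1532
10.0.0.6 - - [26/May/2015:10:00:02 +0000] "GET /app/page.cfm?lang=en HTTP/1.1" 200 4211
10.0.0.7 - - [26/May/2015:10:00:03 +0000] "GET /app/page.cfm?lang=..%252F..%252F..%252Fetc%252Fpasswd%2500 HTTP/1.1" 200 900
10.0.0.8 - - [26/May/2015:10:00:04 +0000] "GET /docs/../images/logo.png HTTP/1.1" 200 5120
"""

# Combined log format: client IP, ident, user, [timestamp], "METHOD target PROTO"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
TRAVERSAL = re.compile(r"\.\.[/\\]")  # ../ or ..\ segments

def decode_fully(s, max_rounds=3):
    """Percent-decode until the value stops changing, so double encoding is seen through."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def inspect_target(target):
    """Return the reasons a request target looks like LFI/traversal abuse, or [] if benign."""
    path, _, query = target.partition("?")
    path, query = decode_fully(path), decode_fully(query)
    reasons = []
    if "\x00" in path + query:
        reasons.append("null byte (suffix truncation)")
    if TRAVERSAL.search(query):
        reasons.append("traversal sequence inside a parameter value")
    if len(TRAVERSAL.findall(path)) >= 3:
        reasons.append("deep traversal in path")  # a single ../ in a path is often legitimate
    return reasons

def scan_log(text):
    """Parse combined-format lines and return findings as (ip, target, reasons) tuples."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_target(m.group("target"))
        if reasons:
            findings.append((m.group("ip"), m.group("target"), reasons))
    return findings

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```

Flagged requests from a real log still need the application's own file-handling checked, since the pattern only shows that someone tried, not that the include succeeded.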

Researcher vs. Hacker


Researcher vs. Hacker

• Researcher does it for the greater good (most of the time…)

• Hackers use the information

Image: digitalart / FreeDigitalPhotos.net


Researcher vs. Hacker

› Bug Bounties?

• Researchers work hard!

• Just need to remember!

Image: digitalart / FreeDigitalPhotos.net


Researcher vs. Hacker

› One thing that a researcher does over a hacker?

› Alerting the vendor.


The “Perfect” Disclosure


The “Perfect” Disclosure

• Researcher finds a vulnerability

• Researcher alerts the vendor

• Vendor responds

• Vendor fixes the vulnerability

• Researcher and Vendor work together on disclosure

• Disclosure occurs and people worldwide now know how to fix the issue that was found

• The two biggest factors are the two parties, i.e. Researcher vs. Vendor

• If one gets angry with the other, or one doesn't respond, the flow chart breaks


Vendor vs. Researcher


The Chess Game

http://www.flickr.com/photos/yourdon/3405809406/

Real World Disclosure


Real World Disclosure

› Why were you doing this?

• You are not one of our customers!

• Found the information on a pen test

• Vendor thought that this was us pen testing them without permission

• Threatened by lawyers and lawsuits for unauthorised access

• LACK OF UNDERSTANDING…


Real World Disclosure

› Your timing is very suspicious.

• Company is going through a large change, i.e.

– Acquisition, large scale attack and / or change in a key member of personnel

• Even once fixed, not happy that the vulnerability is going to be disclosed: “why must you do this”?

– To alert people to the fact they may be running vulnerable software / services.

• Lawyers and / or lawsuit.

• LACK OF UNDERSTANDING…


Real World Disclosure

› This has been fixed in version X.

• Where is this version?

• Have to pay!

• The problem has not been made public, and therefore no one knows the necessity of updating.

• Having to pay for security updates is not right.

• LACK OF CARING…


Real World Disclosure

› Where is the security contact?

• No public way to make the vendor aware

• Can end up guessing or searching for a long time

• Twitter accounts are too public

• Maybe NO WAY AT ALL to submit

• LACK OF RESOURCES…


Real World Disclosure

› Time-frame

• How long before you disclose?

• At what point does full disclosure become right?

• Vendor or Researcher?

• Should time frames even be discussed?

• LACK OF COMMUNICATION…


Real World Disclosure

› Others

• Language Barriers

• Different Time Zones

• NO CONTACT

• Is the bug being exploited in the wild?

• etc.


Third Parties


Third Parties

› A number of companies exist:

• Vupen

• ZDI

• upSploit

• Secunia

• etc.


Third Parties

› The aim:

• Speed up the process.

• Take away the stress and hassle from the researcher.

• Co-ordinate fair disclosure.

• Help to distribute to databases.

• General media attention.


Third Parties

› Problems:

• Vendors don’t want more people involved.

• Researchers don’t want more people involved.

• Things can go smoothly and then someone wants to change something.

• Where is the vulnerability being stored?


Conclusions


Conclusion

› Problems:

• Vendor contacts

• Vendor understanding

• Vendor caring

• Researcher ethics

• Co-operation


Conclusion

› How can this be tackled?

• Not a third party, but a portal / gateway which works to solve these problems.

• e.g. OSVDB has a large list of vendors and contacts, but…

• Combining?


Conclusion

› Centralized repository for:

• Contact details

• Best practices

• Easy to read information and starter guides

• Contact details for third parties

• Maybe some kind of integration with them


Questions?

tmac@tmacuk.co.uk / thomas.mackenzie@upsploit.com / tmackenzie@trustwave.com

@tmacuk / @upsploit / @spiderlabs

http://www.tmacuk.co.uk / https://www.upsploit.com / http://blog.spiderlabs.com
