Alerting, Reminding, Reminding, Reminding And Releasing Vulnerabilities

Alerting, Reminding, Reminding,
Reminding and Releasing Vulnerabilities
Thomas Mackenzie

$ whois spiderlabs.tom
$ whois upsploit.tom

Tom

• Web Application Security Consultant - SpiderLabs

• Founder and Creative Director – upSploit Ltd

• OWASP Chapter Leader / Board Member – Birmingham UK

• Podcasting / Greg Evans

COPYRIGHT TRUSTWAVE 2011 Confidential

About SpiderLabs ®

Incident
Response Application
Pentesting
Security

Research & Global Security
Development Security Report
Conferences


Agenda

• Vulnerability

• Researcher vs. Hacker

• Perfect Disclosure

• Real World Disclosure

• Third Parties

• Conclusion


WARNING!!!!

COPYRIGHT TRUSTWAVE 2011

Vulnerabilities


Vulnerabilities

› What is a vulnerability? – according to wikipedia -
http://en.wikipedia.org/wiki/Vulnerability_(computing)

› A systems susceptibility or weakness

› Attackers access to the weakness

› Attackers ability to exploit that weakness


Vulnerabilities

› Adobe Coldfusion

– Weakness = Local File Inclusion

– Access = Unauthenticated Access

– Exploit = ../../../../../../etc/passwd%00en


Vulnerabilities

› FCKEditor

– Weakness = Arbitrary File Upload

– Access = Unauthenticated Access

– Exploit = upload shell, command execution.


Vulnerabilities

› What are the common denominators?

– A systems susceptibility or weakness

– Attackers access to the weakness

– Attackers ability to exploit that weakness


Researcher vs. Hacker



• Researcher does it for the greater good
(most of the time…)

• Hackers use the information

Image: digitalart / FreeDigitalPhotos.net



• Bug Bounties?

≈
• Researchers work hard!

• Just need to remember!

Image: digitalart / FreeDigitalPhotos.net



One thing that a researcher does
over a hacker?

›Alerting the vendor.


The “Perfect” Disclosure


The “Perfect” Disclosure
Researcher finds a vulnerability

Researcher alerts the vendor

Vendor responds

• Two biggest factors are fixes two vulnerability
Vendor the the parties i.e.

• Researcher vs. Vendor
Researcher and Vendor work together on disclosure
• If one gets angry with the other, or one doesn’t respond – the
flow chart breaks
Disclosure occurs and people worldwide now know how to fix the issue that was found


Vendor vs. Researcher


The Chess Game

http://www.flickr.com/photos/yourdon/3405809406/


Real World Disclosure

›Why were you doing this?

• You are not one of our customers!

• Found the information on a pen test

• Vendor thought that this was us pen testing
them without permission

• Threatened by lawyers and lawsuits for unauthorised access

• LACK OF UNDERSTANDING…



›Your timing is very suspicious.

• Company is going through a large change i.e.

– Acquisition, large scale attack and / or change in a key
member of personnel

• Even once fixed not happy that the vulnerability is going to be disclosed, “why must
you do this”?

– To alert people to the fact they may be running vulnerable
software / services.

• Lawyers and / or lawsuit.

• LACK OF UNDERSTANDING…



›This has been fixed in X version.

• Where is this version?

• Have to pay!

• Not made this problem public and therefore no one knows the
necessity of updating.

• Having to pay for security updates is not right.

• LACK OF CARING…



›Where is the security contact?
• No public way to make the vendor aware

• Can end up guessing or searching for a long time

• Twitter accounts are too public

• Maybe NO WAY AT ALL to submit

• LACK OF RESOURCES…



›Time-frame
• How long before you disclose

• At what point does full disclosure become right?

• Vendor or Researcher

• Should time frames even be discussed?

• Lack Of Communication…



›Others
• Language Barriers

• Different Time Zones

• NO CONTACT

• Is the bug being exploited in the wild?

• etc.


Third Parties


Third Parties

›A number of companies exist:

• Vupen

• ZDI

• upSploit

• Secunia

• etc


Third Parties

›The aim:

• Speed up the process.

• Take away the stress and hassle from the researcher.

• Co-ordinate fair disclosure

• Help to distribute to databases

• General media attention.


Third Parties


Third Parties

›Problems:

• Vendors don’t want more people involved.

• Researchers don’t want more people involved.

• Things can go smoothly and then someone wants to change something.

• Where is the vulnerability being stored?


Conclusions


Conclusion

›Problems:

• Vendor contacts

• Vendor understanding

• Vendor caring

• Researcher ethics

• Co-operation


Conclusion

›How can this be tackled?

• Not a third party, but a portal / gateway which works to solve these
problems.

• i.e. OSVDB have a large list of vendors and contacts, but…

• Combining?


Conclusion

›Centralized repository for:

• Contact details

• Best practices

• Easy to read information and starter guides

• Contact details for third parties

• Maybe some kind of integrations with them


Questions?
tmac@tmacuk.co.uk
thomas.mackenzie@upsploit.com
tmackenzie@trustwave.com

@tmacuk
@upsploit
@spiderlabs

http://www.tmacuk.co.uk
https://www.upsploit.com
http://blog.spiderlabs.com


Alerting, Reminding, Reminding, Reminding And Releasing Vulnerabilities

More Related Content

What's hot (8)

Similar to Alerting, Reminding, Reminding, Reminding And Releasing Vulnerabilities (20)

Alerting, Reminding, Reminding, Reminding And Releasing Vulnerabilities