Alerting, Reminding, Reminding, Reminding And Releasing Vulnerabilities
Transcript of Alerting, Reminding, Reminding, Reminding And Releasing Vulnerabilities
Thomas Mackenzie
$ whois spiderlabs.tom
$ whois upsploit.tom
Confidential / COPYRIGHT TRUSTWAVE 2011
Tom
• Web Application Security Consultant - SpiderLabs
• Founder and Creative Director – upSploit Ltd
• OWASP Chapter Leader / Board Member – Birmingham UK
• Podcasting / Greg Evans
About SpiderLabs ®
• Pentesting
• Incident Response
• Application Security
• Research & Development
• Security Conferences
• Global Security Report
Agenda
• Vulnerability
• Researcher vs. Hacker
• Perfect Disclosure
• Real World Disclosure
• Third Parties
• Conclusion
WARNING!!!!
Vulnerabilities
Vulnerabilities
› What is a vulnerability? According to Wikipedia (http://en.wikipedia.org/wiki/Vulnerability_(computing)), it is the intersection of three things:
› A system's susceptibility or weakness
› An attacker's access to the weakness
› An attacker's ability to exploit that weakness
Vulnerabilities
› Adobe ColdFusion
– Weakness = Local File Inclusion
– Access = Unauthenticated Access
– Exploit = ../../../../../../etc/passwd%00en
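The traversal-plus-NUL payload on this slide only works because the application concatenates the attacker's input into a file path, appends its own suffix, and then hands the string to a file API that stops at the first NUL byte. The following is an added example, not code from the talk or from Adobe: a locale lookup written that way, beside a hardened resolver that allow-lists the value and checks the canonical path. The directory, suffix, regex, sample file contents and in-memory file system are assumptions constructed for the demo.

```python
"""Added example (not ColdFusion code): local file inclusion via
'../../../../../../etc/passwd%00en' and its fix.

Everything below (LOCALE_DIR, SUFFIX, FAKE_FS, LOCALE_RE) is an
assumption constructed so the demo runs offline."""
import posixpath
import re
from urllib.parse import unquote

LOCALE_DIR = "/srv/app/locales"      # assumed base directory for locale files
SUFFIX = ".properties"               # assumed suffix the application appends

# Constructed in-memory file system standing in for the real disk.
FAKE_FS = {
    "/srv/app/locales/en.properties": "greeting=Hello",
    "/srv/app/locales/en_GB.properties": "greeting=Hello there",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh",
}

# Allow-list: 'en' or 'en_GB' style values only. Rejects '/', '.', NUL, '%'.
LOCALE_RE = re.compile(r"^[a-z]{2}(?:_[A-Z]{2})?$")


def legacy_resolve(user_locale: str) -> str:
    """Vulnerable resolver: decode, concatenate, append suffix, then
    behave like a C-style path API that stops at the first NUL byte.
    The %00 discards SUFFIX and the ../ sequences walk out of LOCALE_DIR."""
    raw = unquote(user_locale)
    path = LOCALE_DIR + "/" + raw + SUFFIX
    path = path.split("\x00", 1)[0]          # NUL truncation, as older runtimes did
    return posixpath.normpath(path)


def hardened_resolve(user_locale: str) -> str:
    """Hardened resolver: allow-list the value, then verify that the
    canonicalised path is still inside LOCALE_DIR."""
    raw = unquote(user_locale)
    if not LOCALE_RE.fullmatch(raw):
        raise ValueError(f"locale rejected: {raw!r}")
    path = posixpath.normpath(posixpath.join(LOCALE_DIR, raw + SUFFIX))
    if posixpath.commonpath([LOCALE_DIR, path]) != LOCALE_DIR:
        raise ValueError("path escapes locale directory")
    return path


def read_locale(resolver, user_locale: str) -> str:
    """Resolve with the given resolver and read from the constructed FS."""
    return FAKE_FS.get(resolver(user_locale), "<not found>")


def is_rejected(user_locale: str) -> bool:
    """True if the hardened resolver refuses the value."""
    try:
        hardened_resolve(user_locale)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "../../../../../../etc/passwd%00en"
    print("legacy  :", legacy_resolve(payload), "->", read_locale(legacy_resolve, payload))
    print("hardened:", "rejected" if is_rejected(payload) else hardened_resolve(payload))
```

The regex is the real control; the `commonpath` check is defence in depth for the day someone relaxes the regex.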
Vulnerabilities
› FCKEditor
– Weakness = Arbitrary File Upload
– Access = Unauthenticated Access
– Exploit = upload a web shell, then execute commands through it.
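The upload weakness on this slide comes down to a handler that trusts the client-supplied file name and writes it somewhere the web server will execute. The following is an added example, not FCKEditor's code or code from the talk: that pattern beside a hardened handler that allow-lists extensions, checks the file's magic bytes against the extension, throws the client name away and stores the file outside the web root. The directory names, allowed types and sample uploads are assumptions constructed for the demo.

```python
"""Added example (not FCKEditor code): arbitrary file upload and its fix.

WEB_UPLOAD_DIR, SAFE_UPLOAD_DIR, ALLOWED_EXT, MAGIC and the sample
uploads are assumptions constructed for the demo."""
import posixpath
import secrets

WEB_UPLOAD_DIR = "/var/www/html/userfiles"   # assumed: inside the web root
SAFE_UPLOAD_DIR = "/srv/app/uploads"         # assumed: outside the web root

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "pdf"}
# Leading bytes of the allowed formats (magic numbers).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
}

# Constructed sample uploads.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SAMPLE = b"<?php echo 'shell'; ?>"


def vulnerable_save_path(client_filename: str) -> str:
    """Trusts the client name and writes under the web root, so 'shell.php'
    lands exactly where the server will execute it."""
    return posixpath.join(WEB_UPLOAD_DIR, client_filename)


def sniff(content: bytes):
    """Return the format implied by the magic bytes, or None."""
    for magic, fmt in MAGIC.items():
        if content.startswith(magic):
            return fmt
    return None


def hardened_save_path(client_filename: str, content: bytes) -> str:
    """Allow-list the extension, require matching magic bytes, discard the
    client name and store under a random name outside the web root."""
    name = posixpath.basename(client_filename.replace("\\", "/"))
    if "\x00" in name or "." not in name:
        raise ValueError("bad filename")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {ext}")
    detected = sniff(content)
    if detected is None or detected != ("jpg" if ext == "jpeg" else ext):
        raise ValueError("content does not match extension")
    # 'shell.php.png' becomes <hex>.png; the original name never hits disk.
    return posixpath.join(SAFE_UPLOAD_DIR, secrets.token_hex(16) + "." + ext)


def is_rejected(client_filename: str, content: bytes) -> bool:
    """True if the hardened handler refuses the upload."""
    try:
        hardened_save_path(client_filename, content)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", vulnerable_save_path("shell.php"))
    for name, body in (("shell.php", PHP_SAMPLE), ("shell.png", PHP_SAMPLE), ("photo.png", PNG_SAMPLE)):
        print(f"hardened {name!r}:", "rejected" if is_rejected(name, body) else hardened_save_path(name, body))
```

Renaming on the server side is what neutralises double-extension and traversal tricks in the file name; the magic-byte check stops a PHP file arriving as `shell.png`, and keeping the directory outside the web root means that even a mistake in the checks does not hand the attacker execution.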
Vulnerabilities
› What are the common denominators?
– A system's susceptibility or weakness
– An attacker's access to the weakness
– An attacker's ability to exploit that weakness
Researcher vs. Hacker
Researcher vs. Hacker
• Researcher does it for the greater good (most of the time…)
• Hackers use the information
Image: digitalart / FreeDigitalPhotos.net
Researcher vs. Hacker
› Bug Bounties?
• Researchers work hard!
• Just need to remember!
Researcher vs. Hacker
One thing that a researcher does over a hacker?
› Alerting the vendor.
The “Perfect” Disclosure
The “Perfect” Disclosure
• Researcher finds a vulnerability
• Researcher alerts the vendor
• Vendor responds
• Vendor fixes the vulnerability
• Researcher and vendor work together on disclosure
• Disclosure occurs and people worldwide now know how to fix the issue that was found
• The two biggest factors are the two parties, i.e. Researcher vs. Vendor
• If one gets angry with the other, or one doesn't respond, the flow chart breaks
Vendor vs. Researcher
The Chess Game
Image: http://www.flickr.com/photos/yourdon/3405809406/
Real World Disclosure
Real World Disclosure
› Why were you doing this?
• You are not one of our customers!
• Found the information on a pen test
• Vendor thought that this was us pen testing them without permission
• Threatened by lawyers and lawsuits for unauthorised access
• LACK OF UNDERSTANDING…
Real World Disclosure
› Your timing is very suspicious.
• The company is going through a large change, i.e.
– an acquisition, a large-scale attack and / or a change in a key member of personnel
• Even once fixed, not happy that the vulnerability is going to be disclosed: "why must you do this?"
– To alert people to the fact they may be running vulnerable software / services.
• Lawyers and / or lawsuit.
• LACK OF UNDERSTANDING…
Real World Disclosure
› This has been fixed in version X.
• Where is this version?
• You have to pay for it!
• The vendor has not made the problem public, so no one knows they need to update.
• Having to pay for security updates is not right.
• LACK OF CARING…
Real World Disclosure
› Where is the security contact?
• No public way to make the vendor aware
• Can end up guessing or searching for a long time
• Twitter accounts are too public
• Maybe NO WAY AT ALL to submit
• LACK OF RESOURCES…
Real World Disclosure
› Time-frame
• How long before you disclose?
• At what point does full disclosure become right?
• Who decides: vendor or researcher?
• Should time frames even be discussed?
• LACK OF COMMUNICATION…
Real World Disclosure
› Others
• Language barriers
• Different time zones
• NO CONTACT
• Is the bug being exploited in the wild?
• etc.
Third Parties
Third Parties
› A number of companies exist:
• Vupen
• ZDI
• upSploit
• Secunia
• etc.
Third Parties
› The aim:
• Speed up the process.
• Take away the stress and hassle from the researcher.
• Co-ordinate fair disclosure.
• Help to distribute to vulnerability databases.
• General media attention.
Third Parties
› Problems:
• Vendors don't want more people involved.
• Researchers don't want more people involved.
• Things can go smoothly and then someone wants to change something.
• Where is the vulnerability being stored?
Conclusions
Conclusion
› Problems:
• Vendor contacts
• Vendor understanding
• Vendor caring
• Researcher ethics
• Co-operation
Conclusion
› How can this be tackled?
• Not another third party, but a portal / gateway that works to solve these problems.
• i.e. OSVDB has a large list of vendors and contacts, but…
• Combining them?
Conclusion
› Centralized repository for:
• Contact details
• Best practices
• Easy to read information and starter guides
• Contact details for third parties
• Maybe some kind of integration with them
Questions?
@tmacuk / @upsploit / @spiderlabs
http://www.tmacuk.co.uk
https://www.upsploit.com
http://blog.spiderlabs.com