Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vulnerabilities Reporting What works, and what doesn’t Black Hat Briefings, 1999

Published byShea Lampshire Modified over 9 years ago

Similar presentations

Presentation on theme: "Vulnerabilities Reporting What works, and what doesn’t Black Hat Briefings, 1999"— Presentation transcript:

1 Vulnerabilities Reporting What works, and what doesn’t Black Hat Briefings, 1999 jrauch@securityfocus.com

2 Outline Goals Who are the players? What do they do? What are the problems? What works? Full Disclosure: The critic’s view Full Disclosure: The proponents view

3 Outline... Case studies –Via vendors –Via security vendors –Full Disclosure –Response teams What we’ve learned What should YOU do?

4 Goals Figure out what the state of vulnerability reporting and disclosure Determine the pro’s and con’s of each Determine what works and what doesn’t Figure out how to use this knowledge to improve your security

5 The Players Software vendors Security vendors Emergency response capabilities Hackers Security Enthusiasts Victims

6 Software Vendors What they do –Design and develop software –Sell it to you –Includes all types of software -- OS’s, network utilities, word processors, etc

7 Software Vendors... What they think of security vulnerabilities –Don’t like them –Don’t want them to be found –Don’t want them to be publicized in the event they are found –Want them to be quietly fixed

8 Emergency Response Capabilities CERT/CIAC/AUSCERT/FIRST, etc, etc Tend to be non-profit, and funded by government, educational, or vendor grants Limited budgets Tend to be reactionary

9 Security Vendors ISS, NAI, SNI, etc Issue advisories on popular software packages Spend $$ to find vulnerabilities Use media exposure to sell product or services

10 Security Vendors... Work with vendors to a degree –usually give time limitations –will release advisory as soon as patches are available

11 The Hacker Wants to break in to your network Will typically not report a vulnerability to a vendor Might talk too much, give out exploits, and vulnerability will trickle to surface (someday)

12 Security Enthusiast / Full Disclosure Publish vulnerability to security “community” at large May or may not contact the vendor, or give long enough time for patch to be developed Disclose all details needed to exploit the vulnerability, sometimes even actual exploit

13 Full Disclosure... Embodied in mailing list like Bugtraq, Usenet security groups, NTBugtraq (to a degree) Motive is interest/desire to fix problems –Idealistic –Often, motive is personal publicity too

14 Problems with Issuers Each method has good and bad points Each has its proponents Not all work very effectively

15 Problems with Security Vendor Initiated Vuln’s Profit/Publicity motivated –Typically will use vulnerabilities to their advantage, marketing wise –May sit on vulnerabilities for marketing reasons –May cover up their own product vulnerabilities

16 Problems with Security Vendor... Will sit on vulnerabilities for vendor relations –Usually want to be positively viewed by vendors –Usually give time for patches Time delays lead to exposure –Often, bugs will trickle to the surface while they’re being worked on

17 Problems with Security Vendor... Rarely release full exploits or details –Hackers usually can figure out the exploits –Average, overworked administrator can’t

18 Response Teams Report on vulnerabilities found in wild, or by others VERY slow –Will always work with vendor, to their schedule –up to 6 months behind current vulnerabilities

19 Response Teams… Primary function is to alert end users to known problems May be too late –2 days may be too late, 2 months is deadly

20 Hacker Wants to break into your network Doesn’t want vulnerabilities fixed Doesn’t want you or the vendor to know about the vulnerability You never find out Tell their friends Usually results in big incidents

21 Security Enthusiast / Full Disclosure May give limited time to vendor Wants problem solved, but may not wait for an official patch Everyone gets the “exploit,” including the hackers May create a larger problem where none previously existed.

22 Full Disclosure: Why it’s Good Levels the playing ground –Everyone finds out about the vulnerability –Workarounds and temporary fixes are almost always available, and are discussed. Vulnerabilities are exposed quickly –Prevents holes from being quietly exploited –Allows for quick fixes

23 Full Disclosure: Why it’s Good... Large percentage of vulnerabilities caught prior to them being a problem –In any given week, as many as 15 new vulnerabilities are exposed in forums like Bugtraq Keeps pressure on vendors –Many attribute full disclosure to new proactivity on the part of some vendors

24 Full Disclosure: Why it’s good... Discussion of program flaws has led to better programming –No longer are there dozens of buffer overruns being exposed every week –Same old mistakes aren’t being made –Introduction by many vendors of safer versions of functions snprintf()

25 Full Disclosure... Vulnerabilities get the publicity they need

26 Full Disclosure: What the critics say Full disclosure creates problems where they otherwise didn’t exist –Vulnerabilities always exist –Never assume they aren’t already in the wrong hands Vulnerabilities may exist in the wild even prior to their disclosure –Irix buffer overruns

27 Full Disclosure: What the critics... Full disclosure amounts to little more than hackers legitimizing their exploit trading –Large % of those involved in full disclosure are security professionals –Many are system administrators merely trying to help others

28 What the critics say... Working with vendors is the quickest and best way to get things done –Vendors *have* to be slow Release cycles testing regression –Usually try to limit disclosure of bug

29 Case Studies Through Vendors –Sun SNMP –Sun getpwnam() vulnerability Through vendor, via Security Vendor –Microsoft SNMP

30 Case Studies... Full Disclosure –eEye IIS Vulnerability Response Teams –Various

31 Through Vendors Sun SNMP vulnerabilities –Found and documented vulnerabilities in April, 1998. –Allowed for remote users to gain local and remote root access via undocumented, and non-removable community name –Full details forwarded to Sun –Agreed to not publicize, allow Sun to quietly fix in Solaris 7, and issue patches

32 Sun SNMP... What worked: –Vulnerabilities weren’t used in the wild –Solaris 7 was not vulnerable –Patches were issued What didn’t work –Fix took over 4 months to reach users, as did news of the vulnerability –Patch was insufficient

33 Sun Solaris getpwnam() Vulnerability discovered in November, 1996 allowed for local and remote root access Sun was informed, and given exploit Vulnerability was quietly fixed in a libc patch, 6 months later

34 Getpwnam()... What worked –Limited public exposure What didn’t work –Vulnerability was never publicized –Remained in wild for 6 months –Dozens of machines still vulnerable –Known in the “underground”

35 Via Security Vendor: Microsoft NT SNMP Agent Vulnerabilities discovered January, 1998 MS reported immediately Work “began” to address the problem Advisory released by NAI in October, 1998 Fix available in Service Pack 4

36 Microsoft SNMP agent... What worked –Patch was issued prior to widespread problems What didn’t work –SP4 default setting for SNMP still allowed for problems –SNMP fix was not a publicized part of SP4 –Patch took 9 months

37 Full Disclosure: IIS Buffer Overflow eEye releases advisory to Bugtraq, June 15 1999 Microsoft given 1 week prior notice Full exploit details released Workaround supplied Official patch/hotfix available within a couple of days

38 MS IIS Overflow... What worked: –Vulnerability got extensive media coverage ZDNet, Associated Press, Forbes, Wired... –Patches quickly available What didn’t work –Machines that may have been otherwise been ignored may have been attacked

39 Response Teams Not usually finding new vulnerabilities Days of 6 month delays are gone Still don’t issue advisories until vulnerability is already public, and patched.

40 Affects of Full Disclosure Vendors attempting to be proactive –Sun fixes numerous bugs in Solaris 7 –MS fixing flaws in network security model Response Teams acting quicker OS’s getting more secure –Well, maybe not just yet...

41 Lessons to be learned Vendors tend to be slow unless the proverbial cat is out of the bad Hackers have the exploits Ignorance is *not* bliss when it comes to security Better to know and have to work around than to not know at all

42 What You Can Do Mailing Lists –Bugtraq Full Disclosure Covers all varieties of operating systems, network appliances, firewalls, etc http://www.securityfocus.com –NTBugtraq Pretty much full disclosure Covers only the Microsoft NT OS and apps http://www.ntbugtraq.com

43 What to do... Lists continued… –Incidents Mailing list Covers breaking threats and incidents http://www.securityfocus.com –InfoSec News Covers security related news isn@sekurity.org

44 What to do... Summary lists –ISS Summarizes previous 2 week’s vulnerabilities http://xforce.iss.net/mailinglists –Microsoft Security Publishes security information from Microsoft on security issues microsoft_security-subscribe- request@announce.microsoft.com –(Just about every vendor has a list)

45 Summary Vendor’s tend to hush security issues Security vendor advisories work, but have limitations Full Disclosure is the best way to know what’s going on prior to it becoming an issue

46 Questions? jrauch@securityfocus.com

Download ppt "Vulnerabilities Reporting What works, and what doesn’t Black Hat Briefings, 1999"

Similar presentations

S-Curves & the Zero Bug Bounce:

S-Curves & the Zero Bug Bounce:
At-Risk Contractor Program 2011 Revision. At-Risk Definition New to the craft or new to the Dow Freeport site and have been on Site less than 1 year.

At-Risk Contractor Program 2011 Revision. At-Risk Definition New to the craft or new to the Dow Freeport site and have been on Site less than 1 year.
SO YOU WANT TO BE A HACKER? Maybe not yet, but you will at the end of the hour!

SO YOU WANT TO BE A HACKER? Maybe not yet, but you will at the end of the hour!
Customers Request the Darndest Things* 10 Challenges for VUI Designers Eduardo Olvera User Interface Designer.

Customers Request the Darndest Things* 10 Challenges for VUI Designers Eduardo Olvera User Interface Designer.
GHOST glibc gethostbyname() Vulnerability CVE-2015-0235 Johannes B. Ullrich, Ph.D. SANS Technology Institute https://isc.sans.edu.

GHOST glibc gethostbyname() Vulnerability CVE Johannes B. Ullrich, Ph.D. SANS Technology Institute
A new standard in Enterprise File Backup. Contents 1.Comparison with current backup methods 2.Introducing Snapshot EFB 3.Snapshot EFB features 4.Organization.

A new standard in Enterprise File Backup. Contents 1.Comparison with current backup methods 2.Introducing Snapshot EFB 3.Snapshot EFB features 4.Organization.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
Www.bls.gov CPS Disability Supplement--May 2012 Terence M. McMenamin Economist Division of Labor Force Statistics Disability Compendium Briefing 11/02/2011.

CPS Disability Supplement--May 2012 Terence M. McMenamin Economist Division of Labor Force Statistics Disability Compendium Briefing 11/02/2011.
Black, White, Grey Hat Hackers Not all hackers are bad…which one’s which?

Black, White, Grey Hat Hackers Not all hackers are bad…which one’s which?
Security and Open Source: the 2-Edged Sword Crispin Cowan, Ph.D WireX Communications, Inc wirex.com.

Security and Open Source: the 2-Edged Sword Crispin Cowan, Ph.D WireX Communications, Inc wirex.com.
Upgrading Software CIT 1100 Chapter4.

Upgrading Software CIT 1100 Chapter4.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Disclosure/Non-Disclosure Case Study Observations Prepared by Scott Sakai, Mansi Shah, Kevin Walsh, and Patrick Wong.

Disclosure/Non-Disclosure Case Study Observations Prepared by Scott Sakai, Mansi Shah, Kevin Walsh, and Patrick Wong.
Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. Software Engineering Lifecycle Authors: Jan G. Hogle,

Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. Software Engineering Lifecycle Authors: Jan G. Hogle,
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
Information Networking Security and Assurance Lab National Chung Cheng University Introduction to Software Security Jared 2004/03/17.

Information Networking Security and Assurance Lab National Chung Cheng University Introduction to Software Security Jared 2004/03/17.
Viruses and Spyware. What is a Virus? A virus can be defined as a computer program that can reproduce by changing other programs to include a copy of.

Viruses and Spyware. What is a Virus? A virus can be defined as a computer program that can reproduce by changing other programs to include a copy of.
1 An Empirical Analysis of Vendor Response to Vulnerability Disclosure Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang Carnegie Mellon University.

1 An Empirical Analysis of Vendor Response to Vulnerability Disclosure Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang Carnegie Mellon University.
Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.

Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.
12 Building and Maintaining Information Systems.

12 Building and Maintaining Information Systems.

Similar presentations

Ads by Google