Security vulnerabilities are valuable: finding them is hard work and costs a lot of money, and there is a market out there for them.
Vendors rely on security researchers to choose the “responsible disclosure” route and report the bugs they find (for free).
Reporting security vulnerabilities is a risky business, legally and professionally.
Reporting security vulnerabilities without any legal agreement in place pretty much sucks.
Reporting security vulnerabilities for free – sucks too.
In my opinion, vendors should have a pre-made agreement, written by the company CSO/security manager and backed by the company CEO and the company lawyer, covering vulnerability disclosure and reward methods. The price can be calculated from the vulnerability's severity and probability level (CVSS style) and from the technical details and further work the security researcher provides. For example, the researcher wrote PoC exploit code – low value. The researcher wrote reliable universal exploit code – high value.
This way, security researchers will have more than enough reason to disclose vulnerabilities to vendors and get rewarded for it as they should, instead of choosing another way (and in my opinion, the wrong way) to profit, either in money or just in fame.
Opinions around the world about the “no more free bugs” argument are mixed. Ross Thomas of SophosLabs thinks the security industry has sunk to a new level of lameness. Adam O’Donnell says there is nothing to be excited about and that there never was such a thing as free bugs.
I think there is nothing new under the sun. Vendors won’t rush to make vulnerability disclosure reward agreements just because three top security researchers state that the party is over and no bugs will be given away for free any more. Security researchers and bug hunters are still stuck with the dilemma of what to do after finding a bug – responsible disclosure, full disclosure, selling it to whoever is willing to pay, or doing nothing with it.
I’ve collected a bunch of useful guides to some of the newer capabilities of the Metasploit Framework.
Some of these capabilities were added after version 3.2, so I strongly recommend updating to the latest 3.3-dev snapshot.
– Using the WMAP Metasploit module for web application penetration testing: WMAP (Metasploit Module).
In today’s world the Internet is not what it used to be. Back in the day, hacking was pretty easy: an attacker who wanted to penetrate a company network just had to do a little reconnaissance (host discovery, port scanning, OS and service detection) to find a vulnerable service, fire up an exploit, and that was all there was to it.
Such scenarios are rare these days. The vast majority of companies heavily protect their internal networks from outside threats: thanks to firewalls, IDS/IPS, content/web filtering appliances, anti-virus/anti-spyware software, SIM/SOC products and so on, penetrating a company’s internal network from the outside is a really hard job. Therefore, the easiest way for an attacker to get into a company’s internal network is to attack its weakest link – the users.
Anyone in the IT/information security field who has followed attack and exploitation trends over the past few years knows the statistics: attackers now go after users, or in other words, they exploit client-side vulnerabilities. A quick look at the exploits posted daily on milw0rm confirms it, as do the statistics on the mass SQL injection attacks that got so popular in the last couple of years, which planted script tags on legitimate websites to send their visitors to client-side exploits. Exploiting client-side vulnerabilities simply works, and that is what attackers go for.
In the attacker’s arsenal you’ll find tons of exploits targeting users’ desktops. It starts with web browser exploits and ActiveX exploits (various IE toolbars and others), continues with third-party application exploits (Adobe Reader, Adobe Flash, Apple QuickTime, RealPlayer and more), and goes on to the various file-format exploits targeting Microsoft Office and other office suites, media players, image viewers and what not. Attackers can exploit users’ desktops in so many ways and so easily that most of the time the attacks succeed.
The following presentation is about this subject and demonstrates it well using the Metasploit Framework. It is called Attacking Layer 8: Client-Side Penetration Testing, presented at SOURCE Boston 2009 by the guys from Full Scope Security, and they do a great job explaining how client-side vulnerabilities put companies at more risk than any other threat these days.
I’ve been banned from the Google AdSense service. Why exactly? I don’t really know. I didn’t violate any part of their license, I didn’t post ads on p0rn sites and I didn’t use any script/service/automated something to raise my profit. Actually, I hardly made any profit: one or two checks from them a year and that’s it, paying for the site hosting service.
I looked at the server logs and didn’t see anything that implies abuse of any kind.
This is the mail I got from them:
Hello,
While going through our records recently, we found that your AdSense
account has posed a significant risk to our AdWords advertisers. Since
keeping your account in our publisher network may financially damage our
advertisers in the future, we’ve decided to disable your account.
Please understand that we consider this a necessary step to protect the
interests of both our advertisers and our other AdSense publishers. We
realize the inconvenience this may cause you, and we thank you in advance
for your understanding and cooperation.
I’ve just registered on Twitter and joined the worldwide hype.
Isn’t that shit supposed to be secure?
Update: they’ve fixed the XSS vulnerability. You know, I tried notifying them in advance, but after about 15 minutes of searching for an email address for bug reporting with no luck, I decided to publish it here.
Do your homework, Twitter guys.
Thought wardialing was dead? Think again. H D Moore released today a very cool new tool for telephone system security assessments, WarVOX 1.0.0. I haven’t wardialed for about 6 years or so, mostly because it is time consuming and the software for it is pretty old.
I can’t wait to test it in large organizations; it should be a lot of fun!
The announcement:
WarVOX is a suite of tools for exploring, classifying, and auditing
telephone systems. Unlike normal wardialing tools, WarVOX works with the
actual audio from each call and does not use a modem directly. This
model allows WarVOX to find and classify a wide range of interesting
lines, including modems, faxes, voice mail boxes, PBXs, loops, dial
tones, IVRs, and forwarders. WarVOX provides the unique ability to
classify all telephone lines in a given range, not just those connected
to modems, allowing for a comprehensive audit of a telephone system.
WarVOX requires no telephony hardware and is massively scalable by
leveraging Internet-based VoIP providers. A single instance of WarVOX on
a residential broadband connection, with a typical VoIP account, can
scan over 1,000 numbers per hour. The speed of WarVOX is limited only by
downstream bandwidth and the limitations of the VoIP service. Using two
providers with over 40 concurrent lines we have been able to scan entire
10,000 number prefixes within 3 hours.
The resulting call audio can be used to extract a list of modems that
can be fed into a standard modem-based wardialing application for
fingerprinting and banner collection. One of the great things about the
WarVOX model is that once the data has been gathered, it is archived and
available for re-analysis as new signatures, plugins, and tools are
developed. The current release of WarVOX (1.0.0) is able to
automatically detect modems, faxes, silence, voice mail boxes, dial
tones, and voices.
Right after exploit code was published for the MS08-067 vulnerability, it was only a matter of time until malware writers produced a worm that used this vulnerability to spread.
Well, exploiting this vulnerability is one of the techniques the Conficker (aka Downadup and Kido) worm uses to spread itself, and that’s what makes it so dangerous.
With more than 20 million infected computers out there, security firms say it is the most severe worm since SQL Slammer, and Microsoft is going nuts over it, offering a $250,000 bounty for information leading to the arrest of the people who created and/or distribute it.
In my opinion, 20 million is a really rough estimate of the number of infected computers out there. I believe the numbers are greater, due to the fact that the worm also spreads through portable storage devices (USB drives and other removable media) and by that slips into organizations’ internal networks. This is where the numbers get blurry: we don’t know the scale of infection inside these internal networks, where it can spread much more easily using network shares, computers with weak passwords and the MS08-067 vulnerability.
It’s a known fact that the software and operating systems inside these organizations’ internal networks aren’t always up to date, and sometimes it takes months, if not years, for these organizations to update their computers.
That happens mostly when vendors release major service packs or… after a worm infects their networks :-)
Conficker is such an example, a lesson for all those organizations that don’t patch their systems. I guess they need this kind of lesson every once in a while.
Even the IDF’s internal networks got infected by Conficker (Hebrew).
Update:
Win32/Conficker.C is on the loose, armed with more self-protection mechanisms and a larger domain pool.
On April 1st, Conficker.C will attempt to dial home to 500 random domains out of 50,000 generated domains, a big change from the previous variants, which dialed home to 32 out of 250 domains.
This time the worm is also much more aggressive: it attempts to disable Windows Automatic Updates and block access to the Windows Security Center, kills anti-virus processes, blocks access to anti-virus websites, deletes system restore points, disables protection services such as Windows Defender and the Windows Error Reporting Service, and much more.
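To make the 500-of-50,000 versus 32-of-250 numbers concrete, here is an added, constructed Python model. It is not Conficker’s real domain generation algorithm (the post does not describe it) and is not code from the original post: the date-seeded pool derivation, the `toy-dga` seed and the TLD list are all illustrative assumptions. What the model does show is the arithmetic behind the larger pool: a defender who wants to sinkhole every rendezvous domain has to pre-register the whole daily pool, while the attacker only needs a handful of registrations, and the bot’s random sample decides how quickly the attacker reaches the infected population.

```python
from __future__ import annotations

import hashlib
import random
from datetime import date
from math import comb

# Assumption for illustration only; a real DGA would spread across many TLDs.
TLDS = ("com", "net", "org")


def generate_pool(day: date, pool_size: int, seed: bytes = b"toy-dga") -> list[str]:
    """Derive pool_size candidate domains from the date alone (toy DGA).

    The derivation is deterministic: every bot computes the same list for a
    given day, and so can anyone who has reversed the algorithm, which is what
    lets defenders pre-register (sinkhole) the pool.
    """
    pool = []
    for i in range(pool_size):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).hexdigest()
        label = digest[:10]                       # 10 hex chars as the label
        tld = TLDS[int(digest[-2:], 16) % len(TLDS)]
        pool.append(f"{label}.{tld}")
    return pool


def bot_sample(pool: list[str], k: int, rng: random.Random) -> list[str]:
    """A bot queries only k randomly chosen domains out of the day's pool."""
    return rng.sample(pool, k)


def p_reach_per_day(pool_size: int, k: int, attacker_domains: int) -> float:
    """Probability that one bot's k-sample hits at least one of the
    attacker_domains the attacker actually registered out of pool_size
    (hypergeometric: 1 minus the chance of missing all of them)."""
    miss = comb(pool_size - attacker_domains, k) / comb(pool_size, k)
    return 1.0 - miss


def days_to_reach(pool_size: int, k: int, attacker_domains: int,
                  target: float = 0.9) -> int:
    """Days until a fraction `target` of the bots has reached the attacker at
    least once, treating each day's sample as independent."""
    p = p_reach_per_day(pool_size, k, attacker_domains)
    days, reached = 0, 0.0
    while reached < target:
        days += 1
        reached = 1.0 - (1.0 - p) ** days
    return days


def defender_daily_registrations(pool_size: int) -> int:
    """Domains the defender must hold each day to sinkhole the whole pool."""
    return pool_size


if __name__ == "__main__":
    day = date(2009, 4, 1)
    for name, pool_size, k in (("old variants", 250, 32), ("Conficker.C", 50_000, 500)):
        pool = generate_pool(day, pool_size)
        picked = bot_sample(pool, k, random.Random(1))
        print(f"{name}: pool={pool_size} sample={k} first pick={picked[0]}")
        print(f"  defender registrations/day: {defender_daily_registrations(pool_size)}")
        print(f"  attacker with 1 domain reaches a bot per day with p={p_reach_per_day(pool_size, k, 1):.3f}")
        print(f"  days until 90% of bots reached: {days_to_reach(pool_size, k, 1)}")
```

With one attacker-controlled domain per day, the model gives each bot a 12.8% daily chance of reaching it under the 32-of-250 scheme and 1% under 500-of-50,000, so the attacker trades slower contact for a pool two hundred times larger than the one defenders had been pre-registering; adding a few more attacker registrations per day closes most of that gap, while the defender’s cost stays at the full pool size.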