Posted by jkouns
Tue, 15 Jul 2008 04:39:00 GMT
The Open Security Foundation (OSF) is pleased to announce that the DataLossDB (also known as the Data Loss Database - Open Source (DLDOS) currently run by Attrition.org) will be formally maintained as an ongoing project under the OSF umbrella organization as of July 15, 2008.
Attrition.org’s Data Loss project, which was originally conceptualized in 2001 and has been maintained since July 2005, introduced DLDOS to the public in September of 2006. The project’s core mission is to track the loss or theft of personally identifying information not just from the United States, but across the world. As of June 4, 2008, DataLossDB contains information on over 1,000 breaches of personal identifying information covering over 330 million records.
DataLossDB has become a recognized leader in the categorization of dataloss incidents over the past several years. In an effort to build off the current success and further enhance the project, the new relationship with OSF provides opportunities for growth, an improved data set, and expanded community involvement. "We’ve worked hard to research, gather, and make this data open to the public," says Kelly Todd, one of the project leaders for DataLossDB. "Hopefully, the migration to OSF will lead to more community participation, public awareness, and consumer advocacy by providing an open forum for submitting information."
The Open Security Foundation’s DataLossDB will be free for download and use in non-profit work and research. The new website launch (http://www.datalossdb.org/) builds off of the current data set and provides an extensive list of new features. DataLossDB has attained rapid success due to a core group of volunteers who have populated and maintained the database. However, the new system will provide an open framework that allows the community to get involved and enhance the project. "For a data set as dynamic as this, it made sense to build it into a more user-driven format.", states David Shettler, the lead developer for the Open Security Foundation. "With the release of this new site, the project can now be fed by anyone, from data loss victims to researchers".
The DataLossDB’s mail list will continue to be available to over 1,500 current subscribers and will accept new subscriptions under the Attrition.org banner until a migration to OSF has been completed. RSS feeds will also be available under the OSF banner for timely alerts about new and updated data loss events. We expect this transition to be completed in the coming months without impact to current subscribers.
Open Security Foundation’s DataLossDB is an open source community project that strives to provide a clear understanding of data loss issues and needs your support. Assistance can be provided through database updates, project leadership, word-of-mouth promotion, financial donations, and sponsorship to assist with the ongoing maintenance of the project. "The DataLossDB project provides a critical service that enables detailed analysis on the true impact of data loss.", says Jake Kouns. "The Open Security Foundation is in a perfect position to support the expansion of the DataLossDB project." Any entities interested in licensing the database for commercial ventures are encouraged to contact OSF.
Posted in OSVDB News | no comments
Posted by jericho
Tue, 08 Jul 2008 04:54:00 GMT
Reported Phishing/Vulnerable Site! The web site www.google.com has been reported as a vulnerable site that may pose a threat to your web browsing. Vulnerable sites do not prioritize security and don’t care about their users and customers. These sites may pose a risk to you, exploit the trust between you and their site and may cause your computer to perform actions you did not approve.
To carry on the scary wording in the style of others; Some web sites are high profile and may seem trustworthy, but you shouldn’t trust them at all. They are full of buggy code, don’t care about protecting their users (that’s you!) and generally suck. Despite using their site as a virtual crutch, you should clearly stay away from them unless it is to send nasty mails or mock them. Again, do not trust Google’s web sites or search engine, because they have been known to be vulnerable. What assholes!
On a more serious note, if anyone at Google is reading this, I hope you pass this on to the jackasses that develop Google Toolbar or whatever hook they use to integrate with Firefox. Not only is it worse than malware (every piece of software tries to get me to install it), it uses misleading wording to scare customers from visiting perfectly safe and innocent web sites (namely this blog). While it caters to morons, it doesn’t give users a real opportunity to learn why a site was ‘blocked’ other than vague wording.
My only guess as to why this warning occurs was an incident earlier this year, in which the OSVDB blog fell victim to a zero-day exploit in WordPress. I blogged about the incident to make our readers aware of the incident and clear up any confusion. I assume that Google’s crawl of the this blog noted the script code and subsequently declared us an "attack site", even though that is hardly the case.
The discouraging part is the "diagnostic page" says that Google visited ONE page in the last 90 days and 0 of those pages resulted in malicious software being downloaded. Google, if you are going to play Lord of the Browser, visit more than one page before you make that determination. To do anything less is a disservice to your users and a fast way to miss obvious malware. The third question mentions "intermediary" which is technically accurate as far as the script code that was injected in a few blog posts. However, the big red warning says nothing about ‘intermediary’ and explicitly labels us as some kind of malware hosting site with the intent of attacking people. That is libelous to say the least. Under ‘How did this happen’, Google mentions that sometimes third parties can inject such code, but doesn’t take the time to help clear this up. If the previous script injection issue is the cause of this, the fact that the script loaded content from a third party domain (in China no less) should be a good indication that WE did not host the malware. Sure, most users are dumb as a rock, but the few smart cookies that click for details should get just that.. details.
What Google Toolbar users may see when visiting this blog:
Finally, I opened the blog post calling Google’s search engine a threat, and I was serious. Google has a track record of vulnerabilities far worse than OSVDB does. Not only in their popular search engine, but their various products too. Besides, the mechanism for reporting potentially dangerous sites is a bit dubious to say the least.
Update: Ends up, we had another iframe injection into one of our posts (which is now removed), and the hunt for how this is happening now begins. That said, while Google’s warning that this site is "dangerous" may have been accurate, their mechanism for warning users in a vague manner (as shown in the image linked off ‘vague warning’) and not warning the site administrator is far from friendly. I can see that Google doesn’t care about warning sites of issues before warning the public, a far cry from ‘responsible disclosure’, something that Google pretends to care about:
This process of notifying a vendor before publicly releasing information is an industry-standard best practice known as responsible disclosure. Responsible disclosure is important to the ecology of the Internet. It allows companies like Google to keep users safe by fixing vulnerabilities and resolving security concerns before they are brought to the attention of the bad guys. We strongly encourage anyone who is interested in researching and reporting security issues to observe the simple courtesies and protocols of responsible disclosure.
Next time OSVDB is informed of a vulnerability that impacts Google products or services, I sure hope it doesn’t slip our mind to contact them. Perhaps the apparent race condition between the vague wording and the not-so-vague wording that users may see constitutes a bug. If they can read this blog, they can see the bug in action and then contact us if they have more questions.
Update 2: Google apparently tried to send mail to our domain: From: Google Search Quality
Posted in OSVDB News | no comments
Posted by jericho
Tue, 08 Jul 2008 03:40:02 GMT
Adam Penenberg wrote an article titled ”The Black Market Code Industry” for FastCompany in which he details his research of two HP employees that actively sold exploit code in their spare time, at least one selling exploits in HP’s own software. According to the article, HP knew about one of the employees at the time of the article and were investigating. While a neat article and fun read, it left me with a lot more questions that I hope get answered at some point (how about a ‘Part 2’ Adam?).
- Does Rigano still work for HP now that the article has been out a week?
- Did either individual have access to source code to make their exploit writing easier? If so, did they have access to edit source code in any capacity (e.g. backdoors, adding vulnerable code)?
- Did Rigano actually sell his exploits? If so, to who and for how much? Checking the Full-Disclosure list archives, he appears to have had exploits for IIS 6.0, Firefox 2.x, MSIE 7, SAP, Apache, Microsoft Office and more.
- If Rigano did sell vulnerabilities, did he vette his buyers or could he have sold them to ‘enemy’ nations or hostile countries (relative I know)?
- Why is the FBI investigating a France based employee of HP?
- Is t0t0 a current employee of HP? If not, did he leave for his exploit selling activities? The article suggests that HP is aware of one of the two sellers. What do they have to say about this article now?
Posted in Vulnerability Disclosure, Vulnerability Market/Value | 1 comment
Posted by jericho
Sun, 06 Jul 2008 15:48:00 GMT
I’m big on Vulnerability Database (VDB) evolution. I tend to harp on them for not adding features, not making the data more accessible and generally doing the exact same thing they did ten years ago. While the target of my ire is typically functionality or usability, today it is about a little more.
Last night I wanted to check for details on a CVE entry that was rather vague and had a single reference to BID. This is fairly common in the VDB world as one database will add an entry and not provide a link to the source of the data (Secunia and BID primarily). As luck would have it, BID was down. Almost twelve hours later and their VDB is still down. What annoys me is that while they aren’t delivering vulnerability information, they sure are delivering advertisements. Why can’t VDBs get the same dedication and resources that ad farms get?
Next, I wanted to find out if the other VDBs created an entry for the latest OpenBSD flap yet, so I went to X-force which is a pretty reliable database. Much to my dismay, it appears that the ‘advanced’ search is now gone. While it wasn’t extremely powerful, it let you do some basic sorting that was immensely helpful in finding what you need. I have mail out to them asking for confirmation that it is indeed gone versus a web geek error. I certainly hope it is the latter…
Update: Over 24 hours later, the BID database is finally available again. ISS has not replied to at least two mails from VDB managers asking about the missing advanced search feature.
Posted in Vulnerability Databases | 4 comments
Posted by jkouns
Sat, 21 Jun 2008 16:24:09 GMT
OSVDB is featured in the June issue of the Open Source Business Resource (OSBR) and is now available at the OSBR website. We were contacted and asked if we would like to include our original OSVDB Aims white paper in the issue. This was really the prompting that we needed to take the time to update the project’s successes since the launch and provide some additional information about the future of OSVDB.
We would like to thank Dru Lavigne and OSBR for their support and encourage you to take a look at the issue. The OSVDB article can be found at:
http://www.osbr.ca/ojs/index.php/osbr/article/view/607/568
OSBR’s editorial theme for June is “Security” and here is a listing from the table of contents:
Jake Kouns, president of the Open Security Foundation, introduces the Open
Source Vulnerability Database Project.
David Maxwell, Open Source Strategist at Coverity, discusses the findings
from Coverity’s analysis of over 55 million lines of open source code.
Robert Charpentier from Defence Research Establishment Valcartier and
Mourad Debbabi, Azzam Mourad and Marc-André Laverdière from Concordia
University present a summary of their research into providing security
hardening for the C programming language.
Frederic Michaud and Frederic Painchaud from Defence Research and
Development Canada describe their evaluation of automated tools that search
for security bugs.
Key messages from Carleton University’s Stoyan Tanev’s recent presentation
on technology marketing trends and the Eclipse Foundation’s Ian Skerrett’s
presentation on building successful communities.
Michael Geist, Canada’s Research Chair of Internet and E-commerce Law,
explains why the proposed Bill C-61 does not address the rights of
Canadians.
Alan Morewood from Bell Canada provides an example of open source meeting a
business need.
Next month’s editorial theme is “Accessibility”–contact the OSBR Editor if you
are interested in a submission.
Posted in OSVDB News, General Security | no comments
Posted by jericho
Wed, 18 Jun 2008 23:32:25 GMT
Stephen Christey of CVE posted asking a question about VDBs and the inclusion of coffee makers. Yes, you read that correctly, vulnerabilities are being found in coffee makers that are network accessible. Don’t be surprised, we all knew the day was coming when every household appliance would become IP aware.
Before you laugh and spew your own coffee all over the keyboard, consider that the vulnerabilities are legitimate in the sense that a remote attacker can manipulate how the device performs and possibly do physical damage to the unit. This is really no different than SCADA devices such as air conditioners that are IP aware.
Some replies (like mine) were a bit more serious suggesting this type of vulnerability is definitely worth inclusion in OSVDB. If we can’t draw the line between coffee makers, air conditioners and other SCADA devices today, we will be able to in a year or years from now? At some point, the blur between computing device and household appliance will be too hard to distinguish. Rather than waste too much time arguing that line, why not track these few vulnerabilities now that might be a bit primitive, but will surely show historic value if nothing else.
Other replies were a bit less serious but fun, suggesting that making weak (or no) coffee would lead to disgruntled code writers that produce poor code filled with more vulnerabilities. Either way, count on us to include vulnerabilities in your favorite IP aware devices, kitchen, computing or otherwise, to this database.
Posted in General Vulnerability Info | 1 comment
Posted by jericho
Fri, 30 May 2008 05:28:12 GMT
This blog entry is probably worth many pages of ranting, examining and dissecting the anatomy of a 0-day panic and the resulting fallout. Since this tends to happen more often than some of us care to stomach, I’ll touch on the major points and be liberal in pointing fingers. If you receive the ’wag of my finger’, stop being part of the problem and wise up.
I blinked and missed someone disclosing that there was a dreaded 0-day vulnerability in Adobe Flash Player and that it was a big threat. Apparently Symantec noticed that evil Chinese sites were exploiting Flash and the current 9.0.124.0 could be successfully exploited. When pressed for details, Symantec backtracked and said that they were wrong and it appeared to be the same exploit as previously disclosed by Mark Dowd (CVE-2007-0071). Bad Symantec, poor research.
To make matters worse, Symantec then further claimed that even though it was an old issue, the “in-the-wild exploit was effective against stand-alone versions of Flash Player 9.0.124.0” and that not all versions had been patched correctly. Way to save face Ben Greenbaum of Symantec!! Oh wait, today he changed his mind and said that Symantec’s claims were based on erroneous conclusions and that the behavior of Flash on Linux they were observing was indeed intended by Adobe and not proof it was vulnerable. To make matters worse, Symantec researchers downloaded the “latest” Flash and found it “vulnerable”, which lead to their sky-is-falling panic. Shortly after, they realized that they didn’t download all of the security patches and had been exploiting a known vulnerable version of Flash. Oops?
Two rounds of hype-driven 0-day threat warnings, and no real new threat. Whew, hopefully Symantec raised their THREATCON to blood red or whatever is appropriate for such 0-day threats. You do monitor that don’t you?
This fiasco lead many news outlets and vendors to issue warnings about the new 0-day threat. Secunia, SecurityFocus/BID, SecurityTracker, CERT and FrSIRT all released new warnings and created entries in their respective databases as a result. In the VDB world, this is a royal pain-in-the-ass to deal with. Secunia ‘revoked’ their entry, BID ‘retired’ their entry, SecurityTracker flaged theirs ‘duplicate entry’, FrSIRT ‘revoked’ their entry and CERT still has it listed.
Fortunately for OSVDB, we were a few hours behind the rest and noticed the discrepancies and waited for more information. Unfortunately, the rest of the world, including ALL of the VDBs and news outlets listed above (and others) failed miserably in using common sense and a government funded resource to better prevent this kind of problem. As of this posting, Secunia, BID, SecurityTracker, FrSIRT, CERT, Dancho, ComputerWorld and eWeek still don’t link to the CVE ID for the vulnerability. Only Adobe’s updated blog entry actually references CVE-2007-0071 (but doesn’t link to it). Secunia links to a previous ID that has seven CVEs associated with it. The original CVE was assigned 2007-01-04 and published around 2008-04-08, a month and a half prior to this mess.
VDBs, shame on you for adding to the confusion. Symantec, shame on you for crying 0-day when your own engineers screwed up badly. Shame on everyone for not clearing it up fully by linking to the correct CVE entry or their own previous entries.
Before any of you receiving a “wave of the finger” bitch, consider the real world impact of your actions. In this case, only 12 MILLION people ended up seeing a vague warning when they loaded their favorite game. Blizzard included the correct fix information which was the same as a month or more before, but the sudden ‘security alert’ (that is extremely rare) only prompted their customers to wonder, possibly panic and definitely kill some demons as a result.
Posted in Vulnerability Disclosure | 1 comment
Posted by jkouns
Sat, 24 May 2008 20:16:53 GMT
Who is the top vulnerability researcher? Who has discovered the most computer security vulnerabilities? Which country has the most researchers and publishes the most vulnerabilities? Who has discovered the most critical vulnerabilities?
From looking at OSVDB here are the top 12 researchers in terms of volume:
Rank Creditee # Vulns
-----------------------------------------
1) r0t 770
2) Lostmon Lords 241
3) rgod 239
4) Aliaksandr Hartsuyeu 201
5) Kacper 199
6) James Bercegay 180
7) luny 142
8) Diabolic Crab 139
9) Janek Vind "waraxe" 136
10) JeiAr 117
11) Dedi Dwianto 86
12) M.Hasran Addahroni 79
Take a look at the other OSVDB Browse categories and note you can even click on a Creditee’s name and see all of the vulnerabilities that they have discovered here:
http://osvdb.org/browse
Of course our statistics are based off of the content in OSVDB and we need your help to provide better statistics. If you are a researcher, it would help if you could take the time to create an OSVDB account and update the vulnerabilities that you have discovered!
You can signup for an OSVDB account here:
https://osvdb.org/account/signup
Here is a quick overview:
-Search for your vulnerabilities at http://osvdb.org/search/advsearch
-Click on your vuln, then click “Edit Vulnerability”
-Click the Credits menu item, if credit is missing click “Toggle Add Author…”
-You name may already be in the database, as you type it will search OSVDB to see if your information is there. If so, select and click “Add Author”.
-Once you add the creditee information you can update your information or if your name is not there you can add it as a new creditee.
Rinse and repeat!
Posted in Vulnerability Statistics | 3 comments
Posted by jkouns
Fri, 16 May 2008 02:41:24 GMT
Layered Technologies has provided hosting for the OSVDB production and development servers since October 2007 and continues to support the project. The new servers have been a critical contributing factor to the success and deployment of OSVDB 2.0. In fact, OSVDB 2.0 and the new services that we are now offering have been more resource intensive than we originally thought and we must upgrade.
On Friday, May 16th at 9pm EST we will be taking the OSVDB server offline. The outage should be minimal and service will be restored as soon as possible.
We would like to take a moment to thank Jeremy Suo-Anttila for his assistance and support of the OSVDB project. If you are interested in high quality but affordable hosting with very responsive support we recommend that you contact Layered Technologies.
Posted in General Vulnerability Info | no comments
Posted by jkouns
Tue, 22 Apr 2008 04:04:45 GMT
We are pleased to report that OSVDB has been provided three projects for 2008. We would like to thank everyone that applied and encourage students that were not selected to still consider getting involved with the project. We had quite a few great applications but were unable to accept any more due to our limited mentoring resources this summer and the large number of new organizations taking part in SoC this year.
Here are the projects that were selected:
Patch Management Portal by Ronny Yabar Aizcorbe, mentored by David Shettler
The system will provide a way to define when a patch should be in development, testing or production status. And will allow users the ability to select vulnerabilities and patches based on the OSVDB watch list. The main components of the tool will be: Prioritization and scheduling, Testing, Implementation and Compliance.
OSVDB Widgets and Gadgets by Marc Augustin, mentored by Chris Newby
This project is intended to utilize the OSVDB as the main data source but should be a security dashboard for professionals via Gadgets and Widgets.
OSVDB Training Portal Framework by Sergios Pericleous, mentored by Jake Kouns
This project will create a training framework which will aim to integrate as much as possible with the existing OSVDB portal. The portal will allow specific admin users to create training material and quizzes for end-users, and it will also allow end-users to read this training material and make comments on it, take the quizzes and receive a score, and to track their progress using a progress report and graphs.
Congrats Ronny, Marc and Sergios and we look forward to another successful summer!
Posted in OSVDB News | 3 comments
