Dailydave mailing list archives
Re: Exploits matter.
From: Tom Parker <tom () rooted net>
Date: Thu, 8 Oct 2009 10:01:14 -0400
On Wed, Oct 7, 2009 at 2:39 PM, security curmudgeon <jericho () attrition org> wrote:

> Ten thousand or not, I cannot download the exploit from Immunity's web site, milw0rm or anywhere else, correct? To me, and to OSVDB who tracks that metric, that is flagged as 'rumored/private'.
>
> Can our industry really put a numeric line on public vs private in the scenario you describe? Do 9,999 CANVAS customers = private, but 10,000 CANVAS customers = public?
While I understand the challenge of verifying the existence and nature of commercial exploitation tools, downplaying exploits by databases like OSVDB is damaging to the industry and is creating a false sense of security amongst organizations - especially those who charge their security programs to vanilla CISSPs.

Case in point - large company runs an automated scanner over their network on a monthly basis, which regularly finds flaws. They prioritize remediation of findings based on CVSS scores, which have been calculated in part through utilizing data from OSVDB. Days, months, weeks later the organization is attacked/audited by a group who paid/stole/borrowed a copy of Canvas/Core/et al. Organization gets owned.

The past two VzB data breach reports have demonstrated a trend, that a large number of compromises (around 70% if memory serves) resulted from exploitation of vulnerabilities that at time of compromise had been patched by the vendor for a year or more. I'm not sure how you would go about obtaining this kind of data (or indeed how VzB gets their data), but it would be an interesting metric to see how many of those known/vendor-patched issues had been neglected/de-prioritized due to misconceptions about their level of exploitability.

It would indeed be a good thing if Immunity et al would publish some kind of unified database of their proprietary exploits, mapped to CVE-ID etc, but I'm not sure if it's their responsibility to do so. IMO, the scanning vendors, Qualys, Rapid7, nCircle etc are missing a trick if they aren't buying themselves a copy of CANVAS and ensuring that when their scanner finds a vulnerability supported by it [CANVAS], they are providing users a CVSS score based on the fact that they have independently verified the existence of robust exploit code for the respective vuln.

-Tom
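A worked example of the scoring effect Tom describes, added here and not part of his message or of any OSVDB, NVD or CANVAS data: the CVSS v2 temporal equation multiplies the base score by an Exploitability weight, so a vendor-patched issue whose exploit is tracked as "rumored/private" (Unproven, 0.85) scores lower than the same issue once a scanner vendor has verified a Functional exploit (0.95). The finding labels, base scores and the "verified exploit" set are constructed for illustration; the weights are the published CVSS v2 temporal values, and round-half-up is this example's choice for "round to one decimal".

```python
"""Added example: how CVSS v2 temporal metrics move a score once an exploit
is known to exist. Findings and the verified-exploit set are constructed."""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 temporal metric weights (CVSS v2 guide, temporal equation).
EXPLOITABILITY = {
    "U": Decimal("0.85"),    # Unproven that an exploit exists
    "POC": Decimal("0.9"),   # Proof-of-concept code available
    "F": Decimal("0.95"),    # Functional exploit exists
    "H": Decimal("1.0"),     # High: reliable, widely available
    "ND": Decimal("1.0"),    # Not defined
}
REMEDIATION_LEVEL = {
    "OF": Decimal("0.87"),   # Official fix (vendor patch available)
    "TF": Decimal("0.90"),   # Temporary fix
    "W": Decimal("0.95"),    # Workaround
    "U": Decimal("1.0"),     # Unavailable
    "ND": Decimal("1.0"),
}
REPORT_CONFIDENCE = {
    "UC": Decimal("0.90"),   # Unconfirmed
    "UR": Decimal("0.95"),   # Uncorroborated
    "C": Decimal("1.0"),     # Confirmed
    "ND": Decimal("1.0"),
}


def temporal_score(base, e="ND", rl="ND", rc="ND"):
    """CVSS v2: TemporalScore = round_to_1_decimal(Base * E * RL * RC).

    Decimal arithmetic avoids binary-float rounding surprises at .x5 values.
    """
    score = (Decimal(str(base)) * EXPLOITABILITY[e]
             * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])
    return float(score.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# Constructed scanner output for three vendor-patched issues (RL = "OF").
# "exploit_status" mimics what a public database might carry for each one.
FINDINGS = [
    {"id": "A", "base": 7.5, "exploit_status": "rumored/private"},
    {"id": "B", "base": 7.8, "exploit_status": "public"},
    {"id": "C", "base": 6.5, "exploit_status": "rumored/private"},
]

# Mapping from a database's exploit status to the CVSS Exploitability metric
# when nothing has been independently verified (assumption of this example).
STATUS_TO_E = {"public": "POC", "rumored/private": "U", "none": "U"}


def exploitability_metric(finding, verified_exploits):
    """Prefer independent verification of a working exploit over the
    database label; a verified exploit is scored as Functional."""
    if finding["id"] in verified_exploits:
        return "F"
    return STATUS_TO_E.get(finding["exploit_status"], "ND")


def prioritize(findings, verified_exploits):
    """Return [(id, temporal_score)] in descending remediation priority."""
    scored = []
    for f in findings:
        e = exploitability_metric(f, verified_exploits)
        scored.append((f["id"], temporal_score(f["base"], e, "OF", "C")))
    return sorted(scored, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    print("database labels only :", prioritize(FINDINGS, set()))
    # Hypothetical: the scanner vendor has confirmed a working exploit for A.
    print("with verified exploit:", prioritize(FINDINGS, {"A"}))
```

With only the database labels, B (public proof-of-concept, 7.8 base) outranks A (7.5 base, "rumored/private"); once A's exploit is verified as Functional, A moves to the top of the remediation queue. The base score never changes, only the temporal Exploitability weight, which is exactly the input Tom argues scanner vendors could supply themselves.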
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Re: Exploits matter., (continued)
- Re: Exploits matter. Matt Olney (Oct 09)
- Re: Exploits matter. Tom Parker (Oct 07)
- Re: Exploits matter. security curmudgeon (Oct 07)
- Re: Exploits matter. c0lists (Oct 07)
- Re: Exploits matter. security curmudgeon (Oct 07)
- Re: Exploits matter. c0lists (Oct 07)
- Re: Exploits matter. Matthew Wollenweber (Oct 08)
- Re: Exploits matter. security curmudgeon (Oct 22)
- Re: Exploits matter. security curmudgeon (Oct 08)
- Re: Exploits matter. security curmudgeon (Oct 08)
- Re: Exploits matter. Tom Parker (Oct 08)
- Re: Exploits matter. alexm (Oct 08)
- Re: Exploits matter. vincent hinderer (Oct 08)
- Re: Exploits matter. security curmudgeon (Oct 08)
- Re: Exploits matter. Ilfak Guilfanov (Oct 08)
- Re: Exploits matter. Alexander Sotirov (Oct 08)
- Re: Exploits matter. Jesse Gough (Oct 08)
- Re: Exploits matter. Aaron (Oct 08)