Dailydave mailing list archives

Re: Exploits matter.


From: Tom Parker <tom () rooted net>
Date: Thu, 8 Oct 2009 10:01:14 -0400

On Wed, Oct 7, 2009 at 2:39 PM, security curmudgeon
<jericho () attrition org> wrote:

Ten thousand or not, I cannot download the exploit from Immunity's web
site, milw0rm or anywhere else, correct? To me, and to OSVDB who tracks
that metric, that is flagged as 'rumored/private'.


Can our industry really put a numeric line on public vs private in the
scenario you describe? Do 9,999 CANVAS customers = private, but 10,000
CANVAS customers = public?


While I understand the challenge of verifying the existence and nature of
commercial exploitation tools, downplaying exploits by databases like OSVDB
is damaging to the industry and is creating a false sense of security
amongst organizations - especially those who charge their security programs
to vanilla CISSPs. Case in point - large company runs an automated scanner
over their network on a monthly basis, which regularly finds flaws. They
prioritize remediation of findings based on CVSS scores, which have been
calculated in part through utilizing data from OSVDB. Days, months, weeks
later the organization is attacked/audited by a group who
paid/stole/borrowed a copy of Canvas/Core/et al. Organization gets owned.

The past two VzB data breach reports have demonstrated a trend, that a large
number of compromises (around 70% if memory serves), resulted from
exploitation of vulnerabilities that at time of compromise had been patched
by the vendor for a year or more. I'm not sure how you would go about
obtaining this kind of data (or indeed how VzB gets their data), but it
would be an interesting metric to see how many of those known/vendor-patched
issues had been neglected/de-prioritized due to misconceptions about their
level of exploitability.

It would indeed be a good thing if Immunity et al would publish some kind of
unified database of their proprietary exploits, mapped to CVE-ID etc, but
I'm not sure if it's their responsibility to do so. IMO, the scanning
vendors, Qualys, Rapid7, nCircle etc are missing a trick if they aren't
buying themselves a copy of CANVAS and ensuring that when their scanner
finds a vulnerability supported by it [CANVAS], they are providing users a
CVSS score based on the fact that they have independently verified the
existence of robust exploit code for the respective vuln.

-Tom
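
The prioritization drift Tom describes, shown as an added example that is not from the list or any participant: CVSS v2 temporal scoring, where a database entry of 'rumored/private' maps to the Unproven exploitability value, re-ranks a constructed set of scanner findings once the commercial exploit is counted as functional. The finding ids, base scores and status mappings are constructed assumptions; the multipliers are those of the CVSS v2 specification.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 temporal multipliers, as given in the CVSS v2 specification.
EXPLOITABILITY = {"U": "0.85", "POC": "0.90", "F": "0.95", "H": "1.00", "ND": "1.00"}
REMEDIATION_LEVEL = {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.00", "ND": "1.00"}
REPORT_CONFIDENCE = {"UC": "0.90", "UR": "0.95", "C": "1.00", "ND": "1.00"}


def temporal_score(base, e, rl, rc):
    """CVSS v2: round_to_1_decimal(BaseScore * E * RL * RC), computed in Decimal
    so the half-up rounding the spec calls for is not disturbed by float noise."""
    score = (Decimal(str(base)) * Decimal(EXPLOITABILITY[e])
             * Decimal(REMEDIATION_LEVEL[rl]) * Decimal(REPORT_CONFIDENCE[rc]))
    return float(score.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def rank_findings(findings, exploit_status):
    """Order findings by temporal score, highest first. exploit_status maps a
    finding id to the exploitability value the vulnerability database reports."""
    scored = [(temporal_score(f["base"], exploit_status[f["id"]], f["rl"], f["rc"]), f["id"])
              for f in findings]
    return [fid for _, fid in sorted(scored, reverse=True)]


# Constructed findings with hypothetical ids (not real CVEs).
FINDINGS = [
    {"id": "VULN-A", "base": 9.3, "rl": "OF", "rc": "C"},   # vendor patch out; exploit only in a commercial kit
    {"id": "VULN-B", "base": 7.5, "rl": "W", "rc": "C"},    # public exploit; workaround only
    {"id": "VULN-C", "base": 5.0, "rl": "OF", "rc": "UR"},  # public PoC; patch out
]

# Database view when the commercial-only exploit is filed as 'rumored/private' (Unproven).
DB_SAYS_PRIVATE = {"VULN-A": "U", "VULN-B": "H", "VULN-C": "POC"}
# Database view if the commercial exploit were counted as Functional.
DB_COUNTS_COMMERCIAL = {"VULN-A": "F", "VULN-B": "H", "VULN-C": "POC"}

if __name__ == "__main__":
    print(rank_findings(FINDINGS, DB_SAYS_PRIVATE))       # ['VULN-B', 'VULN-A', 'VULN-C']
    print(rank_findings(FINDINGS, DB_COUNTS_COMMERCIAL))  # ['VULN-A', 'VULN-B', 'VULN-C']
```

With the exploit filed as private, VULN-A scores 6.9 and drops below VULN-B at 7.1; counted as functional it scores 7.7 and moves to the top of the remediation queue.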

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave