Dailydave mailing list archives
Re: Exploits matter.
From: security curmudgeon <jericho () attrition org>
Date: Thu, 8 Oct 2009 22:07:34 +0000 (UTC)
On Thu, 8 Oct 2009, Tom Parker wrote: : > Ten thousand or not, I cannot download the exploit from Immunity's web : > site, milw0rm or anywhere else, correct? To me, and to OSVDB who tracks : > that metric, that is flagged as 'rumored/private'. : : > Can our industry really put a numeric line on public vs private in the : > scenario you describe? Do 9,999 CANVAS customers = private, but 10,000 : > CANAVAS customers = public? : : While I understand the challenge of verifying the existence and nature : of commercial exploitation tools, down playing exploits by databases : like OSVDB is damaging to the industry and is creating a false sense of How exactly does OSVDB 'downplay' exploits using the current classification system? We're the only VDB to even say "an exploit likely exists, even though not public" which should be the opposite of downplaying. If you have a good answer to that, how can we improve the classification system to more accurately track such metrics, without causing a problem? : security amongst organizations - especially those who charge their : security programs to vanilla CISSP's. Case in point - large company runs : an automated scanner over their network on a monthly basis, which : regularly finds flaws. They prioritize remediation of findings based on : CVSS scores, which have been calculated in part through utilizing data : from OSVDB. Days, months, weeks later the organization is : attacked/audited by a group who paid/stole/borrowed a copy of : Canvas/Core/et al. Organization gets owned. First, we display CVSS scores as calculated by NVD if there is a CVE assignment. We will calculate our own scores if we a) disagree or b) have an entry w/o a CVE. Either way, I don't quite follow the logic above, as applies to how OSVDB (or any VDB) is doing wrong or contributing to the problem. : The past two VzB data breach reports have demonstrated a trend, that a : large number of compromises (around 70% if memory serves), resulted from : exploitation of vulnerabilities that at time of compromise had been : patched by the vendor for a year or more. I'm not sure how you would go : about obtaining this kind of data (or indeed how VzB gets their data), They get their data from their own clients, based on forensic examination post-compromise. : but it would be an interesting metric to see how many of those : known/vendor-patched issues had been neglected/de-prioritized due to : misconceptions about their level of exploitability. That would be a really neat addition to the report next year. : It would indeed be a good thing if Immunity et al would publish some : kind of unified database of their proprietary exploits, mapped to CVE-ID : etc, but I'm not sure if it's their responsibility to do so. IMO, the I'd love for them to use CVE or another VDB to do just that. They have absolutely zero responsibility to do it, and it has a bigger chance of hurting them than helping them (see my previous post about disclosing your 0-day). : scanning vendors, Qualys, Rapid7, nCircle etc are missing a trick if : they aren't buying themselves a copy of CANVAS and ensuring that when : their scanner finds a vulnerability supported by it [CANVAS], they are : providing users a CVSS score based on the fact that they have : independently verified the existence of robust exploit code for the : respective vuln. I believe many of these products have licenses that prevent reverse engineering. If a company like the ones you mention above were to obtain a copy, they would be violating the licensing and possibly the law. If a scanner had a consistent pattern of adding checks that mirrored an exploit framework, it would be pretty easy for them to be called out. _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Re: Exploits matter., (continued)
- Re: Exploits matter. c0lists (Oct 07)
- Re: Exploits matter. security curmudgeon (Oct 07)
- Re: Exploits matter. c0lists (Oct 07)
- Re: Exploits matter. Matthew Wollenweber (Oct 08)
- Message not available
- Re: Exploits matter. security curmudgeon (Oct 22)
- Message not available
- Re: Exploits matter. security curmudgeon (Oct 08)
- Message not available
- Re: Exploits matter. security curmudgeon (Oct 08)
- Re: Exploits matter. Tom Parker (Oct 08)
- Re: Exploits matter. alexm (Oct 08)
- Re: Exploits matter. vincent hinderer (Oct 08)
- Re: Exploits matter. security curmudgeon (Oct 08)
- Re: Exploits matter. Ilfak Guilfanov (Oct 08)
- Re: Exploits matter. Alexander Sotirov (Oct 08)
- Re: Exploits matter. Jesse Gough (Oct 08)
- Re: Exploits matter. Aaron (Oct 08)