Penetration Testing mailing list archives

Re: Things to do before vulnerability disclosure


From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Wed, 17 Jun 2009 21:29:47 -0400

Vulnerability disclosure is a powerful tool that hackers can use to force otherwise unwilling vendors to fix risks in their technology as opposed to just keeping the risks quiet and keeping customers ignorant. The truth is that without it software would still be very insecure and poorly written. The politics of it depend on the situation.


On Jun 17, 2009, at 4:36 PM, Aarón Mizrachi wrote:

On Tuesday 16 June 2009 16:54:36 Jeremy Brown wrote:
That was an awfully strong "could"; some (me) would even take it as "actually". Maybe you should use words and write sentences with more character than FUD.

OK, I agree, it _could_ be a violation of the EULA sometimes. But depending on what the vulnerability is, the company could assume or not that it was reversed.

So whatever, the company is not in your computer, and without strong evidence that you reversed it, a lawsuit is very difficult and useless.

-----------------------

Ethical issue:

- You as an ethical hacker will have a code of conduct to follow on full disclosures. It is well documented. (Report the bug, wait for patches or wait some time if they aren't patched, and release, etc.)

- The company also has ethical responsibilities. The first one is to attend to the bug. This ethical responsibility is to their customers; I said ethical because most EULAs say that patching responsibility is not obligatory in time. Another ethical responsibility that resides with the company is to respect and agree to the disclosure process without doubts and lawsuits.

If the companies don't agree with the disclosure process, the meaning of the disclosure process will be lost. Some people who choose to be ethical won't have the benefits that the word ethical implies, and will also be punished as a blackhat, but worse, because they are exposing themselves trying to be ethical. The next step in the chain is that every bug found won't be reported and won't be fixed, and also more working zero-day bugs could be sold on the "black market". That truly represents a huge risk, especially when you consider that many countries don't have the infrastructure and the laws to prevent and catch it.

I remind you: the blackhat hackers who sell bugs could appear in every part of this world, not only in civilizations and countries with strong laws on hacking matters.

---------------------------
How can you report a bug anonymously and some time later claim your author rights on the bug? !!! I'm not sure if this technique is well documented yet !!!

If you fear that the company could take actions against you, you can use something like Tor and a pseudonym to report it. I know that it could be "dark", but it works and helps the community. REMEMBER: BE ETHICAL. FOLLOW THE PROCEDURE.

When the time to publish a bug comes (after alerts and when the patch is publicly available), you may use a pseudonym and put a signature (variable). This signature could be: SHA-512(big seed number+your name). (Check http://jssha.sourceforge.net/ if you need to check it.)

For example, my name is Aarón Mizrachi, and I choose the number 2094857093485093478503897409573094875 (randomly).

The text to SHA-512 will be: 2094857093485093478503897409573094875Aarón Mizrachi

The signature will be:
Bug disclosed by (SHA512(big seed number+my name)):
3513c40e68f33275cefe18a471bf6b851d4f141283e1911b9d4d6d2d212a0ec440fc3ee4d5bcd27f477d7bbe36ae58b7029948a93c5d3b5e9d03c98106578fec

Your protection is that the hash cannot be reversed, and also couldn't be faked (unless someone found a collision on it). Then, you can prove that you are the author of this bug to whom you want and when you want.


On Tue, Jun 16, 2009 at 4:10 PM, Giuseppe Fuggiano <giuseppe.fuggiano () gmail com> wrote:
2009/6/16 Jeremy Brown <0xjbrown41 () gmail com>:
Is that the same principle as speaking implies you know what you're talking about? There are many other ways to find bugs, even finding them by accident. Reverse engineering is only one of them. To say that finding bugs in software implies the researcher disassembled the binary is ridiculous.

You should read again and more carefully what I wrote.

"Finding a bug _and_writing_an_exploit_ *could* imply
disassembly/debugging proprietary code."

There's NOTHING ridiculous in that statement.

Try to understand the meaning of what you're reading more deeply than you actually do.

Thanks for your reply.

--
Giuseppe

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

--
Ing. Aaron G. Mizrachi P.

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1



        Adriel T. Desautels
        ad_lists () netragard com
        --------------------------------------

        Subscribe to our blog
        http://snosoft.blogspot.com
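The commit-and-reveal scheme Aarón describes in the quoted message, as an added example (not code from the original post or its author): publish SHA-512(seed + name) with the disclosure, keep the seed private, and later reveal seed and name so anyone can recompute and check the digest. The seed and name are the post's own sample values; the function names are mine, and the UTF-8 byte encoding of the name is an assumption the post does not state, which is exactly why the example makes it explicit.

```python
import hashlib
import hmac
import secrets

# Authorship commitment from the thread: SHA-512 over (seed || name).
# Added illustration; the encoding parameter is an assumption, since a
# name like "Aarón" has different bytes in UTF-8 and Latin-1 and the
# digest only verifies if the reveal uses the same encoding as the commit.

def make_commitment(seed: int, name: str, encoding: str = "utf-8") -> str:
    """Hex SHA-512 of the seed's decimal digits followed by the name."""
    preimage = (str(seed) + name).encode(encoding)
    return hashlib.sha512(preimage).hexdigest()


def verify_commitment(seed: int, name: str, published: str,
                      encoding: str = "utf-8") -> bool:
    """Recompute the commitment from a revealed (seed, name) and compare it
    with the digest that was published alongside the disclosure."""
    expected = make_commitment(seed, name, encoding)
    # Constant-time comparison; both operands are ASCII hex strings.
    return hmac.compare_digest(expected, published.strip().lower())


def new_seed(bits: int = 128) -> int:
    """Random seed with at least 128 bits of entropy. The name is public,
    so the seed alone keeps the commitment hiding: a short or guessable
    seed could be brute-forced against a candidate name."""
    return secrets.randbits(bits)


# Sample values taken from the quoted post (constructed example input).
SAMPLE_SEED = 2094857093485093478503897409573094875
SAMPLE_NAME = "Aarón Mizrachi"

if __name__ == "__main__":
    commitment = make_commitment(SAMPLE_SEED, SAMPLE_NAME)
    print("Bug disclosed by (SHA512(seed+name)):", commitment)
    # Later reveal: the verifier needs only the seed, the name and the encoding.
    print("reveal verifies:",
          verify_commitment(SAMPLE_SEED, SAMPLE_NAME, commitment))
    # Same text, different byte encoding: the check fails.
    print("latin-1 reveal verifies:",
          verify_commitment(SAMPLE_SEED, SAMPLE_NAME, commitment, "latin-1"))
```

Whether the digest matches the one printed in the post depends on how the name was encoded when the post's author ran it, which the post does not record.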



