Domain: first.org
Stories and comments across the archive that link to first.org.
Comments · 6
-
Re:I don't think I'd call this remote
This certainly fits the standard definition of "remote", so what you'd prefer to call it is rather immaterial.. Any "visit a link and get owned" browser attack is considered remotely exploitable.
"Remote" here means as opposed to "local", where you would need ordinary access to the system to execute the attack. From the CVSS: "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account."
Some ways you could execute a browser attack:
- Send a malicious link to your target.
- Attack visitors to a site you own or otherwise control the content of. (Or distribute through an ad network.)
Neither of the cases require any particular access to the machine, and the user does not need to do anything that would normally confer privileges, like e.g. executing an email attachment would. (Phishing is still remote, it's just not an exploit.) -
Clarifications to cve-2011-0414 ....
(reference https://www.isc.org/software/bind/advisories/cve-2011-0414)
* As Larissa pointed out, this security advisory used ISC's phased disclosure process (see http://www.isc.org/security-vulnerability-disclosure-policy). The US CERT advisory stated they notified ISC on 2011-01-24. This is reversed. US CERT and all other National CSIRT Teams were notified at the same time (Feb 15th). We just recently added the step in our disclosure process to notify all National CSIRT Teams listed on first.org.
* US-CERT threw in the "2011-01-24" thinking the discovery of the vulnerability matched the time we asked for our next batch of CVE numbers. In this case, this vulnerability was discovered by Neustar, who found the initial defect, and JPRS, who built the feasible lab exploits. That was all in Feb 2011, not Jan 2011.
* The "high severity" is based on the CVSS _BASE_ Score of 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C). Network operators would use this CVSS base score and then run the Environmental and Temporal Score to get a CVSS actionable score. This is why you saw a low score from US CERT so low. They used their proprietary full metric, which scored it lower. Vendors are encouraged to use CVSS so the operator then takes accountability to gauge the risk specific to their environment.
Check out http://www.first.org/cvss/ for more information on CVSS. ISC has recently started using CVSS for all our security advisories (see http://www.isc.org/announcement/iscs-has-adopted-cvss-our-security-advisories).
* DNS Operational Risk and Reaction to any DNS issue is best addressed via DNS-OARC. If your DNS is critical, I recommend, as a minimum, to sign on to the public BIND forums (see https://lists.isc.org/mailman/listinfo) and the public DNS-OARC forums (see https://www.dns-oarc.net/oarc/services). -
Re:Even the courts aren't this daftI actually found a few links that should be useful in cases like this:
- FBI NATIONAL COMPUTER CRIME SQUAD (May be outdated)
- FBI Tampa Cyber Crime squad (you may have your own local version of this)
- Internet Crime Complaint Center (IC3)
- CERT
- Forum for Incident Response and Security Teams
- Swedish IT incident Center (sitic at pts dot se)
So if we really want to avoid having the police hunt us for petty crimes of downloading files - give them something real.
:-) -
Re:think beforethat feature is reserved for the innovation list in 2007, right after linux-for-the-desktop
(All jokes aside, I'd like to use this point to put some attention on my dismissed submission about the legalized hacking by the german government that has passed voting in one of germany's states.
Instead of having to go through the tedious formalities of requesting access to a suspects house and confiscating any computers there, a law enforcement agency will be able to remotely access and monitor a suspects machine.)
-
Reminds you of the CVSS right?
This makes me think of the CVSS http://www.first.org/cvss/ and how inaccurate it also is.
Most vendors will downrank/ignore/contest vulnerabilities. Then they will try to make comparisons between themselves and their competitors off a biased vulnerability score, impact, etc.
Software vendors should have no part in acknowledging/ranking the legitimacy of vulnerabilities, once the security community has properly identified them, and repeated results, apart from sending a Thank you note to the security gurus that found the flaws. -
Re:Two questions
AFCERT (Air Force Computer Emergency Response Team) is an AF group that Taosecurity has made references to for a number of years. Besides, AFCERT is not the only organization of its kind, there is also an Army (ACERT) and Navy (NCIRT) version as well, all of which have similar MO's. Of course, there is also the DOD-CERT, Joint Task Force for Computer. Network Defense (JTF-CND) and other alphebet soup network security forces for the US Govt. This isn't anything really interesting, just a new "phrase" that probably took them the better part of the last 20 years to officially approve for organizations they have had for years.