Domain: idefense.com
Stories and comments across the archive that link to idefense.com.
Comments · 37
-
Re:Depends on the specific case, of course
Not illegal in the slightest, there are many companies that are actively and publicly purchasing 0day.
Why would it be unethical to research and sell 0day to your own government? Governments need cyber armaments as well as physical ones. Are tank manufacturers unethical?
-
Re:IE?
Supposedly Verisign's iDefense labs will pay for IE exploits. Have a great retirement.
-
Re:Blow the Whistle
What can you morally do otherwise but blow the whistle?
You could sell it, responsibly.
If you sell the exploit to something like the Zero Day Initiative or iDefense you won't have to deal with the vendor, they will. And they are far more experienced at that as well. That way you'll get rid of your current problem, the issue is dealt with properly and you might even earn a few bucks in the process.
-
Re:I've got a secure web browser
So, how about "telnet", then? Sure, just make sure that your system is properly patched ;)
-
Competition for VCP and ZDI
This will be interesting to see how it plays out. The two main legitimate vulnerability purchasers at the moment are iDefense's VCP (http://labs.idefense.com/vcp/) and Tippingpoint's ZDI (http://www.zerodayinitiative.com/). An open marketplace for researchers to sell their work is a good thing if implemented correctly. Previously there is little or no room to negotiate a fair price and all the information must be disclosed to the buyers first (trust is assumed that they will not use the information if they decide not to buy). Having a third party running an auction/fixed price sale will hopefully bring out the legitimate market for this kind of research. On the flip side, there is a large can of ethics-laden worms being opened up, and again I will be interested to see in a year's time if the WabiSabiLabi marketplace is still operating successfully. Here is an interesting paper on The Legitimate Vulnerability Market: http://weis2007.econinfosec.org/papers/29.pdf
-
I work for VeriSign iDefense...
...but my opinions are purely my own and I speak for myself, not my employer.
Anyone "in the industry" already knows about iDefense and their Vulnerability Contribution Program, so you obviously are not. iDefense isn't the only company that posts challenges or pays for vulnerabilities. Perhaps you should read up at http://labs.idefense.com/vcp/
It is not a marketing ploy or publicity stunt. The iDefense business is about selling internet intelligence, not pushing anyone's software. This is an initiative to discover critical vulnerabilities in those applications so that they can be patched. Nothing more. If you believe that BlackHats aren't already looking for vulnerabilities in those applications then you need to get a clue stick and start whacking yourself over the head with it. The VCP gives WhiteHats (and GreyHats) incentive to find them first, so that they can be dealt with responsibly rather than end up a zero-day exploit.
The applications chosen are old and considered robust. That's why they form the backbone of the internet in the first place. And also why a critical bug in them could bring the internet to its knees. Any QA engineer worth their salt will tell you that the first place to look for a bug is in software that has shown itself to be buggy - and that applies at whatever level you want to consider - block, function, class, library, application or suite. sendmail anyone? Bind? If you believe that there are no more bugs to be found then you are likely mistaken. I think iDefense will (gladly) pay out on more than one of these applications during this challenge.
The terms to the challenge are fairly standard and non-onerous, and I think you're reading too much into them. The version restriction is purely because no-one is interested in vulnerabilities in Apache 1.4, nor IIS 5 anymore. The additional software clause is again non-onerous. Your example isn't valid as a vulnerability in e.g. vBulletin would be a vulnerability in vBulletin, not a vulnerability in apache itself. Now if you could make a well configured mod_php fall over and clobber the box without requiring badly written php pages installed, then I think they'd be interested in that. The term about having not previously reported it is so that the vulnerability can be labelled iDefense-exclusive, adding value to the intelligence report.
Ask yourself where the iDefense business model is if there were no vulnerabilities in any software. The entire business is built on the premise that there are vulnerabilities and that there are customers willing to pay for intelligence reports about them, and vendors willing to receive notifications about them. iDefense would love to pay out on all of those prizes.
iDefense do not sell any software, so there is no reason to say "We're more secure than those other guys". They sell actionable internet intelligence. http://www.verisign.com/Resources/Managed_Security_Services_Tours_&_Demos/security-threat-video.html shows one way that this intelligence is used.
Frankly, maybe you should stick to Walmart as you don't seem to know much about the internet security business. I doubt that you could make a living in it. You should get your patch installed.. :)
(BTW - for all the slashdot VeriSign haters out there - after over a decade in the workforce with multiple employers, I can honestly say that I have never worked for a company so committed to helping customers solve problems. Every engineer I work with is dedicated to making the internet a better, faster, safer internet, and I work among extremely smart people who have respect, integrity and drive.
So the company implemented an RFC1034- and RFC1035-compliant service a few years back before pulling it after customer feedback. Get over it already.)
-
No!
Clearly, a highly skilled blackhat could have found the same vulnerability as you. But the moment you go public, a highly skilled blackhat will have 'found' the same vulnerability as you.
Sure, it could take a while for the vulnerability to be fixed. But shouting publicly about it isn't necessarily going to get it fixed any quicker. That is the nature of software development - some fixes are non-trivial and need extensive engineering and testing. And if you honestly believe that companies can stop using vulnerable software then you know jack about the way the World works. Name me a database without any vulnerabilities, and I'll gladly laugh at you. Want to see how well the World gets on without databases?
I think that you misunderstood though. The vulnerability isn't disclosed loudly and publicly, but is disclosed to customers willing to pay for it. You might want to read that FSISAC (www.fsisac.com) uses critical alerts from iDefense to inform its customers (the banks that look after your hard earned cash) about critical vulnerabilities. So your bank has a chance to mitigate critical vulnerabilities before the black hats are told of their existence and start trying to hack your account details. I wouldn't like to speculate who else may be an iDefense customer, but I bet they've got budgets.
You might also want to note the disclosure policy at the bottom of http://www.idefense.com/legal.php. If the vendor is non-responsive then iDefense will go public with an advisory.
As to your IDS conundrum...
Inform the vendor of the daemon and hope that they fix it. Inform iDefense, get paid, and know that every attempt will be made to get the vendor to fix it whilst organisations that most need to know about it are informed. Go public and tell the black hats too.
Your choice.
One more data point of note - Even after a vendor releases a fix, systems don't patch themselves. Black hats have been exploiting this fact of life. The recent Microsoft MS06-040 vulnerability saw more trojans released immediately after the fix was made available than before. That tells me that black hats really do respond to public disclosure.
Responsible Disclosure: I work for VeriSign. My opinions are my own and not those of VeriSign. -
dltrace - libraries too
Try out dltrace http://labs.idefense.com/labs_05.php?show=5
It was released about 4/25, but doesn't show up when you look for dtrace - it works great in Linux/UNIX environments for tracing errors through different packages / libraries.
Great job, thief!
-Iridium
-
This is a problem with the "security" field
There is no code of ethics.
You have kids trying to "make a name" by breaking things. You have companies paying these kids to find vulnerabilities; I've heard that there is a 6-figure type bounty on certain specific vulnerabilities. At the same time you have big corporations that are taking a beating in the media because vulnerabilities are disclosed before they have time to react; you also have big corporations being told about problems (whether or not it is through proper channels remains to be seen, I don't expect that the new Windows bug is going to get fixed when you tell MS Sales about it.) You have security companies like eEye publishing every vulnerability they can find to give their company some "street cred." You have companies like Foundstone (now Symantec) pirating software to search for holes in it. There is this whole rationalization in the "hacker community" that they are somehow doing the software vendors favors by finding the stuff; so just randomly portscanning hosts is really "research," huh? Despite your lack of any publishing, education and any agreements with anybody that you're "researching" on? You have frauds like Steve Gibson saying that big corporations are putting backdoors into code on purpose. You have open source tools changing their license and close sourcing because of companies that are simply packaging their work and charging a lot of money for it; who can blame them? There are companies that now sell exploits and "0days." You have a whole OS "designed" around security, yet they cannot publish any of the changes they've actually made and explain why they have made them (come on guys, this would be a best seller of a book, just lists of code, this is the bug, this is why it's a bug, this is how we fixed it...) At the same time, I don't want Apple and MS pushing out patches minutes after they hear about things, I want the code QAed.
Now the lawyers are getting involved. We need to check ourselves as an industry. We are a stone's throw away from developers being held responsible for damages caused by software; there are already people in favor of that. Just stop and think about that. There is no union, there is no protection for the worker here, we're held in contempt at a lot of places, because of the highly paid prima donnas jerking around writing shitty code. It will only get worse right now.
It's a sort of hot area right now, the feds are spending money. You can't be involved with software or networking and not have some kind of concern for security. This may sound old fashioned but to get a cert, whatever certs the security world wants to embrace, there should be an oath that encourages security always, encourages openness, discourages black market tactics for trading viruses and exploits, discourages this whole notion of "black magic," and discourages profiting from secrecy regarding security. I'd even go one better and add to the oath that there should be a certain and accepted public disclosure process for when a vulnerability is found in a network or application: the owner is told and then after 90 days the whole world is told, all of the time. I know of companies that have found problems in networks and then extorted money for information regarding them. That's just wrong and that should be criminal.
There are no security best practices, not in any formal sense. You can pull 100 consultants or CISSPs off the street and you'll get 100 different sets of things you should and shouldn't do. We need to formalize the discipline. We need to encourage practices during the writing of software and construction of networks for security.
-
Re:What if five people find the same flaw?
Correct - "Only the initial submission for a given vulnerability will qualify for the reward."
http://labs.idefense.com/labs.php?show=21#a21
Michael Sutton
Director, iDefense Labs
-
Re:$10k isn't a lot for hackers
The Vulnerability Contributor Program (VCP) has actually been around for nearly four years. The program was launched in the summer of 2002. http://www.idefense.com/intelligence/vulnerabilities/
Michael Sutton
Director, iDefense Labs
-
Re:$10k isn't a lot for hackers
Somehow I don't think this will last long.
It's already been around for a year and a half, according to the dates on this page. In case you're skeptical of the source, those dates do seem about right - I remember seeing their announcements on the major security lists (it generated a bit of derisive controversy on full disclosure, as I recall), and 2 summers ago sounds about right.
-
lynxcgi? Good grief.
To be honest, I found it more of a shock that Lynx has a security flaw.
When I first came across the lynxcgi: settings in lynx.cfg, I was amazed such a "feature" even existed. IMHO, if you get screwed over because you had lynxcgi enabled, you deserve what you get.
-
Oh no..
Oh no.. here we go again. No, it's not because there's another flaw in IE that I say that; some things are inevitable.. death, taxes and IE flaws. But any self-respecting IT professional or geek won't be using IE anyway. Sure.. users do, but they're much further down the food chain.
No, the reason I'm saying it is that this being Slashdot we'll get the usual set of arguments about browser and OS supremacy. Again. It's like Groundhog Day!
Shucks, everything has security flaws. Yeah, some more than others. To be honest, I found it more of a shock that Lynx has a security flaw. If you can't trust Lynx to be secure, then really nothing is secure. Except unplugging your computer and putting it back in the box, perhaps.
-
Not the first
As others have pointed out in more esteemed fora, this is not the first attempt to establish some sort of double-blind auction for 0day exploits - iDefense have been trying it for a long time. To paraphrase Halvar (I think it was?) "we don't trust them, either." (Which is a shame really as they've released some good software to the community - iDefense that is - but the lame "sell us your 0day" programme lost them probably more cred than the software earned them.
-
This isn't anything new...
iDefense (recently acquired by VeriSign) has been doing this for years.
-
Re:Makes me wonder...
It is not exactly a failure of the secure sandbox environment. If you were running a standalone Java application or a Java Web Start application in the sandbox this hole wouldn't apply. This hole applies to the _C_ code that manages the Java plug-in.
Well.. the result of this vulnerability is a circumvention of the sandbox environment (not in C code but via Javascript). You may argue that the sandbox in itself has not failed, which is formally correct, but a hacker shouldn't be able to circumvent it via javascript.
-
Talking of Java....
Folks, you should check out this Sun Java Plugin Arbitrary Package Access Vulnerability
-
Re:um.. how does it work?
iDEFENSE's advisory is at http://www.idefense.com/application/poi/display?id=155&type=vulnerabilities&flashstatus=false (bypassing their silly Javascript).
-
CERT is who you should be really pissed at
Actually wait it's the entire security industry!
Many people sell 'sploits these days, get over it.
Oddly MS is the only one here who *isn't* selling them. Look at the article again and try to get past the first few paragraphs.
First, "the program was expanded in April 2004 to include all customers who will sign an appropriate non-disclosure agreement". Yes you have to be a customer but it includes mom and pop shops as well.
Second IF you read the last few paragraphs you'll likely notice this line:
"At the time, NGSS co-founder Mark Litchfield said it was "annoying" that CERT gave early warning on six vulnerabilities to its paid sponsors before vendor patches were created and made available."
CERT is someone you wouldn't expect to sell information about vulnerabilities. But wait.. it gets much better.
iDefense has built an entire business model over this. They sell information about vulnerabilities to their client roster. If you've ever seen an advisory from iDefense there is a timeline at the bottom. The disclosure always starts with the vendor, then its client list, then the public.
Here is an example from an IBM fault injection advisory:
VIII. DISCLOSURE TIMELINE
04/21/2004 Exploit acquired by iDEFENSE
05/05/2004 iDEFENSE clients notified
05/05/2004 Initial vendor notification
05/07/2004 Initial vendor response
06/23/2004 Public disclosure
Let's see now, clients notified 5/5 and public notified 6/23!
-
Major erratum in article
Unfortunately, the article this story links to has a rather large mistake. It states:
However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.
This is completely and totally wrong.
Any web page can launch URLs of the form aim:goaway?message=Anything+goes+here by many different means without user intervention:
- Redirect response codes
- Meta redirect tags
- Frames
- iframes
- Javascript popups
The only sure way to protect yourself against this is to remove the HKEY_CLASSES_ROOT\aim registry key, which will disable the AIM protocol altogether, as explained here.
-
Other browsers also affected
-
Windows version, not Mac OS.
-
Slashdot WON'T REPORT THIS
This is completely off-topic. I know this and am willing to accept the moderation and hit on my karma. But Slashdot will not report it, in lieu of a bunch of positive fluff Linux pieces intended to counter that silly soundcard article. There is a clear agenda at play with regards to how flaws in Windows and flaws in Linux are reported. I'll let you decide for yourself. I'm not an anti-OSS troll (as a matter of fact I run FreeBSD on my laptop), I just despise blatant biased reporting and a bunch of people falling for it.
From IexBeta today:
Security researchers are warning of a buffer overflow security flaw in the Linux kernel that can be exploited to lead to privilege escalation attacks.
According to an advisory issued by iDEFENSE, the vulnerabilities affect Linux Kernel 2.6.x; Linux Kernel 2.5.x and Linux Kernel 2.4.x.
"Successful exploitation may allow arbitrary code execution with root or kernel level privileges," the company warned.
The company found that affected versions of Linux kernel performed no length checking on symbolic links stored on an ISO9660 file system, a problem that allows a malformed CD to perform an arbitrary length overflow in kernel memory.
"Symbolic links on ISO9660 file systems are supported by the 'Rock Ridge' extension to the standard format. The vulnerability can be triggered by performing a directory listing on a maliciously constructed ISO file system, or attempting to access a file via a malformed symlink on such a file system. Many distributions allow local users to mount CDs, which makes them potentially vulnerable to local elevation attacks," according to the security alert.
iDEFENSE Advisory
-
But they had enough time to find out before!
The timeline of the vulnerability tells us that Microsoft was informed November 12, 2003. Now, they got 4 months to find a patch and release their security bulletin. Couldn't they find out that it was more critical in the 24*30*4 hours before?
From MS04-009:
Reason for Major Revision
Subsequent to the release of this bulletin, it was determined that this vulnerability could also affect users who do not have the "Outlook Today" folder home page as their default home page in Outlook 2002. As a result, Microsoft has re-released this bulletin with a new severity rating of "critical" to reflect the expanded attack vector.
What the heck? Does the severity of a bug depend upon how many people are affected?
Does a local root depend upon the number of people who are potentially affected? Ask someone who has lost money via such a local root.
Another interesting posting is available on the full-disclosure mailing list, covering Microsoft's understanding of "security" (the author, Nick FitzGerald, is a helpful and understanding regular poster on full-disclosure).
-
Re:How about a real email client or real rules?
/been using pine since 1996...
Better update it so that you don't [open] a specially crafted email sent by an attacker.
"It would be trivial for this exploit to be fashioned into a worm, targeting e-mail addresses found in any readable text files (inbox, etc.)."
-
Here is the exploit the article is talking about
A big middle finger to all of the idiots that don't believe in full disclosure:
Cisco IOS Exploit
You can also easily create the exploit using hping2.
-
Re:CUPS is still the best solution
1) iDEFENSE discovers a bug in an open source software project, sits on it for a month, reports it and it gets fixed immediately. (Actually, it appears it wasn't iDEFENSE who discovered the vulnerability. It was an unnamed "contributor.")
It might be worth noting that this is a major point of iDefense: payment for exploits. It's also been a source of criticism - be it valid or not.
I have to wonder if the delay was over verification of the exploit and the decision process involved in awarding payment for discovery. If payment wasn't a part of the process, would the system be faster to report? But then - would it have been reported in the first place?
-
Before we congratulate ISS
Before you go congratulating ISS on their new security policy, you should read the whole article.
"The security brief will be made available to X-Force Threat Analysis Service customers one business day after the initial vendor notification. X-Force will revise security briefs if additional information emerges during development of the advisory."
This means that paying customers of ISS will receive the information 29 days before the rest of the world. This is part of an alarming trend of companies and organizations who are charging money for advanced notice of vulnerability information (e.g. iDEFENSE and even CERT's new Internet Security Alliance).
Let's not forget the way things *used* to be. A few years back, the rule was that a small cadre of elite people knew about the vulnerability before the rest of the world. This caused lots of problems, which was one of the reasons for rfp to push for responsible full disclosure in the first place.
The ISS policy represents a regression back to the old way of doing things, except now the cadre of people "in the know" are the ones who can afford to pay ISS for advanced vulnerability information. Presumably the rest of the world has to suffer and get hacked. Support companies and organizations who TRULY practice responsible full disclosure -- don't support companies trying to make a quick buck off this kind of extortion.
-
The iDefense white page on this
Can be found here. Sorry if this duplicates anyone else's post. I don't have time to read everything.
-Guanno
-
And even with the servers locked down...
...as is the case with register.com (and possibly other registrars), there will always be backdoors into their systems so long as people write code, seeing as how people still make mistakes. See also: putting a $100K firewall in front of a system that you never bother applying ACLs to. It'd be apples and oranges if this all didn't repeat itself so often.
-
ROFL!
Check out these fruitcakes they're quoting:
"It's something the intelligence, law-enforcement and military communities are really struggling to deal with," Ben Venzke of the cyberintelligence company iDEFENSE told the paper.
OK, head on over to www.idefense.com, browse a bit, find some speeches, dig out the tasty quotes:
"We already know that some 30 countries are working on offensive information warfare programs and the principal target for each is the United States. We know, too, that if a US business buys hardware or software from such countries as Russia, China and France, there is a very good chance that they will be infected by bugs of various kinds. We also know that every day hundreds of American companies are attacked through cyberspace and that billions of dollars are lost through theft and blackmail."
"For example, no American intelligence agency effectively mines open source data and shares it across federal agencies and with the private sector. Yet open source data could be a huge national asset. Real reform might mean the creation of a Central Analytical Agency that could collate and analyze all open source data and distribute it via the web to its customer base in the private and public sectors. Only secret intelligence would be the responsibility of the existing intelligence community. Not only would this create a significant and profitable national asset, but it would eliminate wasteful duplication in the intelligence community."
Read the whole thing, it's beautiful.
They even get to speak before congress now and then.
Good thing they don't have a vested interest in the whole thing.
At least they got hacktivist right.
-
Middle East Tensions Spill Online
I have to agree completely that the Net is the New Jerusalem according to this iDefense article:
Middle East Tensions Spill Online.