Message-ID: <C0C21D55.20C42%ltr@isc.upenn.edu>
Date: Fri, 23 Jun 2006 22:36:05 -0400
From: David Taylor <ltr@....upenn.edu>
To: Gadi Evron <ge@...uxbox.org>,
	<bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Amazon, MSN vulns and.. Yes, we know! Most
	sites have vulnerabilities


Not sure if I agree with the "Most sites don't fix them" comment, but I agree
there are probably a lot of people that just don't get how serious the
report is about a vulnerability in their software.

What I am worried about for the moment is milw0rm. That site releases an
average of 6 or 7 zero-day exploits a day. It has increased the workload I
have, letting our IT folks know about new threats. A lot of these
vulnerabilities are web/PHP based, but pwn3d is pwn3d. I would imagine it
feeds a lot of the zone-h.org defacement entries. I don't see as many Full
Disclosure zero-day postings as I do on milw0rm.

Sorry if this doesn't fit the entire subject matter of this post, but I just
had to throw it out there. It is getting hard to keep up with.


On 6/23/06 9:30 PM, "Gadi Evron" <ge@...uxbox.org> wrote:

> In this post I link to a blog entry by a guy (dcrab) who does some show
> and tell about Amazon and MSN. You gotta love Full Disclosure. Full
> Disclosure and why bugtraq is here is what I talk about. Just skip my text
> to the end for that information.
> 
> So, yes, we know. Thanks. Yes, we know. Most sites have
> vulnerabilities. Most sites don't fix them. All you have to do is pick one
> arbitrarily and find them after a second to a few minutes of search.
> 
> Recently I exchanged some words on exactly this subject with Scott Chasin
> (started bugtraq back in '93). This is why Full Disclosure was originally
> done and part of why bugtraq was originally created. People don't often
> remember why, and today attack the concept of Full Disclosure and say that
> it is irresponsible to disclose vulnerabilities that way.
> 
> On some levels, I agree, but nothing is black and white even if I often
> think it is.
> 
> Some companies take security seriously. Reporting to them works. Some
> companies (at BEST) ignore you. Back then most companies ignored. Back
> then Full Disclosure was THE silver bullet and THE solution. I recently
> had the chance to discuss this with Aleph1 as well. He who strongly
> believes in Full Disclosure agrees it's a different world now.
> 
> Today, the same situation is repeated with new fields. Game companies,
> critical infrastructure (such as with SCADA systems), etc. who now
> discover the world of vulnerability research don't know how to deal with
> it. It is interesting to watch how the world of security repeats its
> history.
> 
> When someone releases the information it is a fact that everyone goes and
> attacks the site or builds a POC. When someone provides only the name
> of the site or skeleton details of vulnerabilities... everyone goes and
> looks for what they know is there.
> 
> Back a few months ago a kiddie tried to sell an Excel vulnerability on
> FD. Now, I am not sure if this is completely related but a few months
> after that Microsoft released several patches for Excel. This month we
> have had Excel 0days.
> 
> In the world of web security the situation is more extreme. Release the
> bug? Everyone will exploit it. Release the site name? Everyone will find a
> bug there TODAY.
> 
> The point is, though, that these vulnerabilities have always been there,
> and they have been exploited before. We just didn't know about them. And
> people are surprised when corporations and sites are broken into and their
> personal data is stolen?
> 
> Here is a blog post of a guy who got sick of reporting vulnerabilities,
> and after years of trying (look at the dates), finally made a small
> release about MSN and Amazon (although other interesting sites are listed
> there).
> 
> http://blogs.hackerscenter.com/dcrab/?p=19
> 
> Noam Rathaus recently wrote about a similar issue ("From Flaw to
> Exploit"):
> http://blogs.securiteam.com/index.php/archives/449
> 
> I contacted both Amazon and MS, but this is out there and once it's out
> there, it's, well, out there. Full disclosure, y'know.
> 
> Gadi Evron.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================

Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader
