Date: Thu, 19 Jul 2012 16:31:31 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: About IBM: results

Hello guys!

In May I wrote to the list about the case of how IBM handles information about
vulnerabilities in their software. Here is the summary of my two-month
conversation with IBM PSIRT and other employees of this company. I was
planning to end this story on a pessimistic note, but the previous night, when
I was planning to write this letter to the list, I received an answer from
IBM, so the summary was updated ;-). And as a result we have an additional delay
in this process - IBM just can't get enough. But I hope that this story will
end up optimistically.

Thanks to all participants of Full-Disclosure and the WASC Mailing List who
gave their thoughts on this matter. In the Full-Disclosure mailing list
these were Ferenc Kovacs, Jeffrey Walton, Thomas Richards, Bzzz, garthoid
and Leandro Meiners. I answered privately to some of the people
concerning their thoughts, and to some I answer below. In short, I
wanted to try to communicate with IBM, without fast full disclosures, to
solve these vulnerabilities, and would disclose them only synchronously with
IBM or after some time if they lamerly ignored them. As I told the
people, I'd write to the list about the results of this epopee. At first I was
planning to write about this epopee in June, but it was delayed because of
IBM. Here is a quick summary.

- During 16.05-20.05 I sent five advisories via the contact form at the IBM
site. No reaction from "IT security".
- On 20.05 I contacted "Software support". Received a formal answer.
- On 20.05 I informed support that these are security issues (not something
small which they can just ignore) and they need to send them to the security
department. Again received a formal answer - this time with a "call me maybe"
paragraph :-). As a result, IBM employees just ignored it.
- On 30.05, after a recommendation from the list to contact them directly, I
contacted IBM PSIRT directly. They said they hadn't received anything, neither
from me via the contact form nor from support. The same as they didn't do
anything (no security audit of their software), which let these multiple
vulnerabilities in multiple IBM software products go into the wild.
- On 31.05 I resent the five advisories, which they received and said they
would send to the developers (of Lotus products).
- On 06.06, after silence from PSIRT, I reminded them. They said there is
still no info from the developers, so please wait (until they format their
brains to work faster).
- On 10.07, after more than a month of silence from PSIRT since the last time,
I reminded them. No answer from them. This looks like IBM developers have
decided to ignore these vulnerabilities.
- On 14.07 I informed IBM PSIRT that, due to their ignoring, I plan
public disclosure of these vulnerabilities in July.
- On 18.07, 12:06 AM, PSIRT answered (after 1,5 months of silence) and said
that on the previous day they had a meeting with the developers, who were working on
these issues, and they started to fix them. No concrete deadline, they just
started (and I'll be informed about the date, the same as they told me on
31.05). OK, let's give them more time.

This story with IBM reminds me of the Santa Barbara TV series :-) (looks like they
love soap operas). So we'll be waiting for the fixes from IBM.

> security@....com should be monitored. I also suggest secure@....com

Ferenc and Jeffrey: yes, there are different companies that use one of the
above-mentioned email aliases for security purposes. But IBM uses other
e-mails - as the admin of the site, as support employees, as IBM PSIRT (and
support and PSIRT monitor their mailboxes).

I informed them by e-mail first (I had the IBM webmaster/hostmaster e-mail),
but they ignored it (later, when I received other e-mails of IBM employees,
I also used them). They like not to monitor this e-mail - it was
predictable, because the same happened when I informed IBM many times
in 2008 about multiple vulnerabilities at their sites. I like to send
information exactly by e-mail (even if later I need to repeat it via the
contact form), because I save all sent security-related e-mails in the Sent
Items folder for statistical purposes.

And it's IBM's duty to receive all e-mails, especially when it's about
security issues at their sites or software. And all serious people and
companies for sure receive my e-mails, and those who are not lamers also fix
the holes - I have large experience of informing admins of web sites and web
developers over the last 7,5 years. And when I contacted them via the contact form, IBM
employees answered, so at least they monitor the contact form. But they
answered formally and ignored it, and as a result I needed to contact PSIRT,
as you can see from the summary.

> Submitting to something like ZDI or Secunia may help in these cases.

Thomas, I was already told (by Chintan Dave) about using Secunia or
other sites for releasing vulnerabilities and exploits. But I'm not planning
to release them before time (i.e. with immediate full disclosure); as I
said above, I wanted to give IBM a chance to fix these holes (and of course
I gave enough time to my client - a large Ukrainian bank - to try to handle
these issues with IBM).

Concerning ZDI, from what I know about them, they don't work with such
holes. They work only with serious holes, not those which are not serious
enough, like these multiple Cross-Site Scripting, Information Leakage, Brute
Force, Insufficient Authentication, Cross-Site Request Forgery, Redirector
and HTTP Response Splitting vulnerabilities in IBM software. For this reason
I haven't contacted them.

When I found some holes in IBM Lotus Domino at the beginning of 2008 (during a
pentest of the web sites of my German client), I didn't inform IBM directly
about them. If my client wanted, they could do it by themselves (and some of
those holes were fixed by 2012). And I had no headache with it. When
this year I found many more holes in different IBM software and
informed IBM, I received a lot of headache and time wasting. The
moral - besides holes, IBM also produces headache ;-).

> IBM has a Security Incident Response team to handle (or ignore) issues

Garth, I used your recommendation and contacted PSIRT (as there was no
effect from the "contact form" employees), as you can see from the summary.
Besides, in the main contact form there is no mention of a separate contact
(email or contact form) for IBM PSIRT, or any mention of it at all. Only the
"IT security" department in the Message category field, which must mean exactly
their Security Incident Response Team.

The results of contacting PSIRT are not far from the "contact form" employees
(but if those wasted half a month, then PSIRT has already wasted more than 1,5
months with no results) - first it looked optimistic, then
pessimistic and at the last moment optimistic again. We'll see how it'll
end up and whether there will be any positive effect from IBM PSIRT, because the "call me
maybe" employees (who handle the contact form) are useless - in case of
security issues (at least).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
