From dave at immunityinc.com Mon Dec 1 11:21:40 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 01 Dec 2008 11:21:40 -0500
Subject: [Dailydave] Denial of Service?
Message-ID: <49340F14.8050508@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reading through today's list of kernel bugs from Ubuntu I noticed a lot of "denial of services". Are these really denial of services? Can we get an exploitability index explanation for these? :>

- -dave

""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
It was discovered that the Xen hypervisor block driver did not correctly validate requests. A user with root privileges in a guest OS could make a malicious IO request with a large number of blocks that would crash the host OS, leading to a denial of service. This only affected Ubuntu 7.10. (CVE-2007-5498)

It was discovered that the i915 video driver did not correctly validate memory addresses. A local attacker could exploit this to remap memory that could cause a system crash, leading to a denial of service. This issue did not affect Ubuntu 6.06 and was previously fixed for Ubuntu 7.10 and 8.04 in USN-659-1. Ubuntu 8.10 has now been corrected as well. (CVE-2008-3831)

David Watson discovered that the kernel did not correctly strip permissions when creating files in setgid directories. A local user could exploit this to gain additional group privileges. This issue only affected Ubuntu 6.06. (CVE-2008-4210)

Olaf Kirch and Miklos Szeredi discovered that the Linux kernel did not correctly reject the "append" flag when handling file splice requests. A local attacker could bypass append mode and make changes to arbitrary locations in a file. This issue only affected Ubuntu 7.10 and 8.04. (CVE-2008-4554)

It was discovered that the SCTP stack did not correctly handle INIT-ACK. A remote user could exploit this by sending specially crafted SCTP traffic which would trigger a crash in the system, leading to a denial of service.
This issue did not affect Ubuntu 8.10. (CVE-2008-4576)

It was discovered that the SCTP stack did not correctly handle bad packet lengths. A remote user could exploit this by sending specially crafted SCTP traffic which would trigger a crash in the system, leading to a denial of service. This issue did not affect Ubuntu 8.10. (CVE-2008-4618)

Eric Sesterhenn discovered multiple flaws in the HFS+ filesystem. If a local user or automated system were tricked into mounting a malicious HFS+ filesystem, the system could crash, leading to a denial of service. (CVE-2008-4933, CVE-2008-4934, CVE-2008-5025)

It was discovered that the Unix Socket handler did not correctly process the SCM_RIGHTS message. A local attacker could make a malicious socket request that would crash the system, leading to a denial of service. (CVE-2008-5029)

It was discovered that the driver for simple i2c audio interfaces did not correctly validate certain function pointers. A local user could exploit this to gain root privileges or crash the system, leading to a denial of service. (CVE-2008-5033)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJNA8UtehAhL0gheoRAjtRAJ9ESL9XKcnU9e8Js6ZHjYF8u6UHxACePgzM
tlRWKYsPrKUXbmlFqWKrXRE=
=ZCS4
-----END PGP SIGNATURE-----

From don.bailey at gmail.com Mon Dec 1 13:12:28 2008
From: don.bailey at gmail.com (don bailey)
Date: Mon, 01 Dec 2008 11:12:28 -0700
Subject: [Dailydave] Denial of Service?
In-Reply-To: <49340F14.8050508@immunityinc.com>
References: <49340F14.8050508@immunityinc.com>
Message-ID: <4934290C.6090207@gmail.com>

Dave Aitel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Reading through today's list of kernel bugs from Ubuntu I noticed a
> lot of "denial of services". Are these really denial of services? Can
> we get an exploitability index explanation for these?
> :>
>

I've noticed a fairly strong trend over the past couple years for organizations to quickly classify kernel bugs as "denial of service" vulnerabilities. I've found the reason behind this isn't so much due to research proving that these bugs can only elicit a DoS, but due to a lack of due diligence or skill on the part of the researcher. Though I'm sure many of these analysts are skilled individuals, many times bugs are misclassified due to vectors not investigated. The NULL page technique is one such misstep.

While I have not investigated these particular bugs, one would conjecture that the ability to remap a driver's memory page(s) would lead to more than a simple crash of the kernel. After researching several recent "zero day" bugs in Linux file system code, I'd suspect that the HFS+ bug can do more than crash the system as well. The SCM_RIGHTS bug sounds suspiciously like something a page injection strategy might be perfect for, though the researcher that analyzed the i2c driver seems to have considered NULL page injection.

I think it's all in the flavor of the researcher you're dealing with since there's no real protocol or template for auditing code. I'm sure many of your readers can agree that while this may give those with a bit of knowledge the edge, it leaves the general public often misinformed when it comes to who to trust with their 10,000+ line code audit.

D

From thomas at coseinc.com Tue Dec 2 07:17:16 2008
From: thomas at coseinc.com (Thomas Lim)
Date: Tue, 02 Dec 2008 20:17:16 +0800
Subject: [Dailydave] Dates for SyScan'09
Message-ID: <4935274C.30308@coseinc.com>

dear all

There will be 4 SyScan'09 conferences next year in 4 different exciting countries in Asia. They are as follows:

SyScan'09 Shanghai: 14th and 15th May 2009
SyScan'09 Hong Kong: 19th and 20th May 2009
SyScan'09 Singapore: 2nd and 3rd July 2009
SyScan'09 Taiwan: 7th and 8th July 2009

Do keep a lookout for more information at www.syscan.org.
We will be announcing the CFP very soon.

--
Thank you
Thomas Lim
COSEINC Private Limited

From dave at immunityinc.com Mon Dec 8 08:05:05 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 08 Dec 2008 08:05:05 -0500
Subject: [Dailydave] Faster, smashter.
Message-ID: <493D1B81.2080702@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So I'm in Denver, which is lovely - all mountains and soft-speaking midwesterners who snowboard an amount that can only be called obsequious. But Saturday, before I went, I sat on the beach and read this article by our very own John Markoff just below the fold in the New York Times.

http://www.nytimes.com/2008/12/06/technology/internet/06security.html?_r=1

"""
...
And there is more of it. Microsoft has monitored a 43 percent jump in malware removed from Windows computers just in the last half year.
...
The United States government has begun to recognize the extent of the problem. In January, President Bush signed National Security Presidential Directive 54, establishing a national cybersecurity initiative. The plan, which may cost more than $30 billion over seven years, is directed at securing the federal government's own computers as well as the systems that run the nation's critical infrastructure, like oil and gas networks and electric power and water systems.
...
"This is always an arm race, as long as it gets into your machine faster than the update to detect it, the bad guys win," said Mr. Schneier.
"""

Faster, smashter.

When I see 30 billion dollars, I can tell you what you're going to get, as a taxpayer, for your money: Patch management, IDS, Anti-Virus, scanners of all shapes and sizes. Audits. Big rooms full of large screens correlating information that has absolutely no relevance to security. You can't correlate what you can't see. You can't patch what you don't know about.

Mr. Markoff is trying to tell us that the defenders are losing the battle. But if they are, it's because they *chose* to.
Hackers use 0day and always have. The defenders are off making millions selling things that don't work against 0day.

I guess what I'm trying to say here is that at this point the attackers are just "reasonably competent". When it comes to offensive information security, we ain't seen nothing yet.

- -dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJPRuBtehAhL0gheoRAmvjAJ9sCzpHZjSsNbmWTVAZYrJmTuED+wCeNmNv
Pvr/b158e3Yj8meZQcmM9K0=
=D+Gf
-----END PGP SIGNATURE-----

From dfisher at techtarget.com Mon Dec 8 14:38:37 2008
From: dfisher at techtarget.com (Fisher, Dennis)
Date: Mon, 8 Dec 2008 14:38:37 -0500
Subject: [Dailydave] Faster, smashter.
In-Reply-To: <493D1B81.2080702@immunityinc.com>
References: <493D1B81.2080702@immunityinc.com>
Message-ID: <337642BF269E9B4688AD6E36BDF700282286A22A@kyle.office.techtarget.com>

I wrote a column last week along the same lines as what Dave has to say. Not coincidentally, the column was the result of a discussion with Dave and some others a couple of weeks ago. Dave suggested I post it here.

http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1340884,00.html

I expected readers to disagree pretty loudly with the premise, but the opposite happened. Still, Dave probably said it better in three sentences than I did in 800 words.

Dennis Fisher
Executive editor
Information Security magazine/Searchsecurity.com

-----Original Message-----
From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Dave Aitel
Sent: Monday, December 08, 2008 8:05 AM
To: dailydave at lists.immunityinc.com
Subject: [Dailydave] Faster, smashter.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So I'm in Denver, which is lovely - all mountains and soft-speaking midwesterners who snowboard an amount that can only be called obsequious.
But Saturday, before I went, I sat on the beach and read this article by our very own John Markoff just below the fold in the New York Times.

http://www.nytimes.com/2008/12/06/technology/internet/06security.html?_r=1

"""
...
And there is more of it. Microsoft has monitored a 43 percent jump in malware removed from Windows computers just in the last half year.
...
The United States government has begun to recognize the extent of the problem. In January, President Bush signed National Security Presidential Directive 54, establishing a national cybersecurity initiative. The plan, which may cost more than $30 billion over seven years, is directed at securing the federal government's own computers as well as the systems that run the nation's critical infrastructure, like oil and gas networks and electric power and water systems.
...
"This is always an arm race, as long as it gets into your machine faster than the update to detect it, the bad guys win," said Mr. Schneier.
"""

Faster, smashter.

When I see 30 billion dollars, I can tell you what you're going to get, as a taxpayer, for your money: Patch management, IDS, Anti-Virus, scanners of all shapes and sizes. Audits. Big rooms full of large screens correlating information that has absolutely no relevance to security. You can't correlate what you can't see. You can't patch what you don't know about.

Mr. Markoff is trying to tell us that the defenders are losing the battle. But if they are, it's because they *chose* to. Hackers use 0day and always have. The defenders are off making millions selling things that don't work against 0day.

I guess what I'm trying to say here is that at this point the attackers are just "reasonably competent". When it comes to offensive information security, we ain't seen nothing yet.
- -dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJPRuBtehAhL0gheoRAmvjAJ9sCzpHZjSsNbmWTVAZYrJmTuED+wCeNmNv
Pvr/b158e3Yj8meZQcmM9K0=
=D+Gf
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

From michael at mastergeek.com Mon Dec 8 15:44:40 2008
From: michael at mastergeek.com (rauc)
Date: Tue, 09 Dec 2008 09:44:40 +1300
Subject: [Dailydave] Faster, smashter.
In-Reply-To: <493D1B81.2080702@immunityinc.com>
References: <493D1B81.2080702@immunityinc.com>
Message-ID: <1228769080.6131.4.camel@slim>

"Mr. Markoff is trying to tell us that the defenders are losing the battle. But if they are, it's because they *chose* to. Hackers use 0day and always have. The defenders are off making millions selling things that don't work against 0day."

Whilst attackers do certainly use 0day, they also use the easiest mechanism they can to gain access or steal information. For example, why waste your valuable 0day when your target has an un-patched system, or their Citrix server has an admin password that is easily guessed? 0days are extremely important, but not at the expense of covering the known vulnerabilities. A sound patching practice may not help with the 0days, but it will certainly help with the easier stuff that has already been put into a tool for any monkey to use.

0days are a huge unknown in the enterprise. Even many of the largest of companies do not have the intellectual resources to address them, nor is it likely that they will ever get approval to increase headcount for something that is so intangible to management. (Governments being excepted. If they can afford huge bail-outs, they can afford this.)
This being the case, a non-government enterprise should consider the following to help protect from a 0day:

1) Ensure people in the security team are passionate about security, and do research in their own time, and stay active in the community. If they do not have a passion for it, they will never really help the company. I don't need someone who will come to work at 9am and leave at 5pm, and not try to learn more on his own time.
2) Build your applications, networks, and systems with the realisation that they will be compromised. Try to contain the breach that could happen.
3) Partner with organisations that are doing the research. Only hire the best for a penetration test or code review.
4) Buy 0days
5) Baseline system and network behaviour. Analyse any abnormal behaviour. (Easier said than done. You may never see anything.)
6) Profit

From dr at kyx.net Mon Dec 8 21:43:47 2008
From: dr at kyx.net (Dragos Ruiu)
Date: Mon, 8 Dec 2008 18:43:47 -0800
Subject: [Dailydave] Faster, smashter.
In-Reply-To: <337642BF269E9B4688AD6E36BDF700282286A22A@kyle.office.techtarget.com>
References: <493D1B81.2080702@immunityinc.com> <337642BF269E9B4688AD6E36BDF700282286A22A@kyle.office.techtarget.com>
Message-ID:

On 8-Dec-08, at 11:38 AM, Fisher, Dennis wrote:
> I wrote a column last week along the same lines as what Dave has to
> say.
> Not coincidentally, the column was the result of a discussion with
> Dave
> and some others a couple of weeks ago. Dave suggested I post it here.
> http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci13408
> 84,00.html

Dennis, go ahead and stop patching, but don't expect us all to follow.... :-P

Also, I've noted a big discrepancy between the talk and bragging about having unpublished vulns (let's stop using that silly now meaningless 0day term shall we :) and the actual vulnerabilities and their severities that people have access to.
How many times have I seen speakers at conferences talk up the FUD about some vulnerability that turned out to totally fizzle in practice? Uh, lots...

IMHO the actual problems we see from unpublished vulnerabilities are few and far between. Fortunately, they aren't quite so common that they are thrown around carelessly - because to use an unpublished vuln is to run the risk of losing it. :-) When a new unpublished vulnerability is discovered in use it's usually big news (points to MS08-067). It also seems most of the malware can do just fine using the same old low hanging fruit they've always accessed.

I would also note that it's misleading to say you should throw in the towel because one unpublished vuln can pop your box. There is more to it than that if you are doing your job right. Can they pop it without being discovered... for how long, and how often? And how good are your backups :-P ?

So, I'm not with you in declaring efforts at security a waste of time. As a matter of fact I completely disagree with you, and think we have been making some slow progress.... note for instance the shift to low level vulns and application/client software as the OSes and network stacks get (slowly) hardened. These days remote pre-auth anything is a big deal - that certainly wasn't the case back when the one line patch to samba to make it an exploit tool for that SMB flaw was first circulating.

So let's give those security teams at least a few deserved pats on the back instead of jumping on the "OMG we're doomed bandwagon." There is still a lot of work to be done, but throwing in the towel or trying to get others to isn't going to get any of it done.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada March 16-20 2009 http://cansecwest.com
London, U.K.
May 27/28 2009 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp

From halvar at gmx.de Tue Dec 9 05:10:20 2008
From: halvar at gmx.de (Halvar Flake)
Date: Tue, 09 Dec 2008 11:10:20 +0100
Subject: [Dailydave] Faster, smashter.
In-Reply-To:
References: <493D1B81.2080702@immunityinc.com> <337642BF269E9B4688AD6E36BDF700282286A22A@kyle.office.techtarget.com>
Message-ID: <493E440C.8010306@gmx.de>

Hey all,

It seems that discussions in ITsec are periodic -- the same discussions and same arguments come up again and again.

1. Of course attackers use new vulnerabilities. It is the nature of offense. Defense is done "to the maximum of current knowledge". Offense, by its nature, has to expand on the status quo.

2. How do you simulate an attack with a new vulnerability if you don't have one ?

Well, military folks do wargames all the time without actually using up the arsenal they have on the shelves. Network attacks should probably be done in a similar manner -- have an umpire, and give the attacking team a few "0day cards". With these cards they get high-probability code execution for a piece of software of their choice.

The pentest then proceeds like a game, but can be conducted on the real network, too.

But I am repeating myself ...

Cheers,
Halvar

From dave at immunityinc.com Tue Dec 9 09:45:23 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 09 Dec 2008 09:45:23 -0500
Subject: [Dailydave] Faster, smashter.
In-Reply-To: <493E440C.8010306@gmx.de>
References: <493D1B81.2080702@immunityinc.com> <337642BF269E9B4688AD6E36BDF700282286A22A@kyle.office.techtarget.com> <493E440C.8010306@gmx.de>
Message-ID: <493E8483.2090305@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One technique we're doing this week with a client is taking an attack tree and marking it up with dollar values. I.E. if you wanted to buy an 0day in X component, how much would it cost?
This then is a simple summation to produce a "how much is it to get into the internal network from the internet" which the business can use to help them decide yay/nay on the project as a whole depending on their own view of the threat and the value of the information they are protecting.

- -dave

Halvar Flake wrote:
> Hey all,
>
> It seems that discussions in ITsec are periodic -- the same
> discussions and same arguments come up again and again.
>
> 1. Of course attackers use new vulnerabilities. It is the nature of
> offense. Defense is done "to the maximum of current knowledge".
> Offense, by its nature, has to expand on the status quo.
>
> 2. How do you simulate an attack with a new vulnerability if you
> don't have one ?
>
> Well, military folks do wargames all the time without actually
> using up the arsenal they have on the shelves. Network attacks
> should probably be done in a similar manner -- have an umpire, and
> give the attacking team a few "0day cards". With these cards they
> get high-probability code execution for a piece of software of
> their choice.
>
> The pentest then proceeds like a game, but can be conducted on the
> real network, too.
>
> But I am repeating myself ...
>
> Cheers, Halvar _______________________________________________
> Dailydave mailing list Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJPoSCtehAhL0gheoRAqofAJ0Yvic/Ro6dRr+xWLavp+DizANyAACfWUXc
JRFeXEvy4EJeg5gkuXxC2ZU=
=6PWU
-----END PGP SIGNATURE-----

From rafal at ishackingyou.com Tue Dec 9 10:14:54 2008
From: rafal at ishackingyou.com (Rafal @ IsHackingYou.com)
Date: Tue, 9 Dec 2008 09:14:54 -0600
Subject: [Dailydave] Faster, smashter.
In-Reply-To: <493D1B81.2080702@immunityinc.com> <337642BF269E9B4688AD6E36BDF700282286A22A@kyle.office.techtarget.com> <493E440C.8010306@gmx.de> <493E8483.2090305@immunityinc.com>
References: <493D1B81.2080702@immunityinc.com> <337642BF269E9B4688AD6E36BDF700282286A22A@kyle.office.techtarget.com> <493E440C.8010306@gmx.de> <493E8483.2090305@immunityinc.com>
Message-ID:

That's brilliant Dave - but where are you getting your numbers? Are you using a public source, are you using top-secret ImmunityInc research or...? I'd love to get that source if you're willing to share. It's all about real numbers!

__
Rafal M. Los
IT Security - Response | Mitigation | Strategy
E-mail: rafal.atishackingyou.dotcom - Blog: http://preachsecurity.blogspot.com

--------------------------------------------------
From: "Dave Aitel"
Sent: Tuesday, December 09, 2008 8:45 AM
To:
Subject: Re: [Dailydave] Faster, smashter.

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> One technique we're doing this week with a client is taking an attack
> tree and marking it up with dollar values. I.E. if you wanted to buy
> an 0day in X component, how much would it cost?
>
> This then is a simple summation to produce a "how much is it to get
> into the internal network from the internet" which the business can
> use to help them decide yay/nay on the project as a whole depending on
> their own view of the threat and the value of the information they are
> protecting.
>
> - -dave
>
>
> Halvar Flake wrote:
>> Hey all,
>>
>> It seems that discussions in ITsec are periodic -- the same
>> discussions and same arguments come up again and again.
>>
>> 1. Of course attackers use new vulnerabilities. It is the nature of
>> offense. Defense is done "to the maximum of current knowledge".
>> Offense, by its nature, has to expand on the status quo.
>>
>> 2. How do you simulate an attack with a new vulnerability if you
>> don't have one ?
>>
>> Well, military folks do wargames all the time without actually
>> using up the arsenal they have on the shelves. Network attacks
>> should probably be done in a similar manner -- have an umpire, and
>> give the attacking team a few "0day cards". With these cards they
>> get high-probability code execution for a piece of software of
>> their choice.
>>
>> The pentest then proceeds like a game, but can be conducted on the
>> real network, too.
>>
>> But I am repeating myself ...
>>
>> Cheers, Halvar _______________________________________________
>> Dailydave mailing list Dailydave at lists.immunitysec.com
>> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFJPoSCtehAhL0gheoRAqofAJ0Yvic/Ro6dRr+xWLavp+DizANyAACfWUXc
> JRFeXEvy4EJeg5gkuXxC2ZU=
> =6PWU
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

From halvar at gmx.de Tue Dec 9 12:21:33 2008
From: halvar at gmx.de (Halvar Flake)
Date: Tue, 09 Dec 2008 18:21:33 +0100
Subject: [Dailydave] Faster, smashter.
In-Reply-To: <493E8483.2090305@immunityinc.com>
References: <493D1B81.2080702@immunityinc.com> <337642BF269E9B4688AD6E36BDF700282286A22A@kyle.office.techtarget.com> <493E440C.8010306@gmx.de> <493E8483.2090305@immunityinc.com>
Message-ID: <493EA91D.30701@gmx.de>

Hey all,

> One technique we're doing this week with a client is taking an attack
> tree and marking it up with dollar values. I.E. if you wanted to buy
> an 0day in X component, how much would it cost?
>
> This then is a simple summation to produce a "how much is it to get
> into the internal network from the internet" which the business can
> use to help them decide yay/nay on the project as a whole depending on
> their own view of the threat and the value of the information they are
> protecting.

Sounds quite reasonable. It's also one of the pro arguments for having (public) vulnerability markets: They provide planners with price information for attack tools, and thus allow more informed decisions.

Cheers,
Halvar

PS: I am not advocating unrestricted OTC vulnerability trading with this, just pointing out that having pricing information publically available is very useful for planners

From jericho at attrition.org Tue Dec 9 14:35:03 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 9 Dec 2008 19:35:03 +0000 (UTC)
Subject: [Dailydave] Faster, smashter.
In-Reply-To: <493E8483.2090305@immunityinc.com>
References: <493D1B81.2080702@immunityinc.com> <337642BF269E9B4688AD6E36BDF700282286A22A@kyle.office.techtarget.com> <493E440C.8010306@gmx.de> <493E8483.2090305@immunityinc.com>
Message-ID:

: One technique we're doing this week with a client is taking an attack
: tree and marking it up with dollar values. I.E. if you wanted to buy an
: 0day in X component, how much would it cost?

How do you come up with that dollar value? Is it based on estimated hours to develop a functional exploit in X component? The skill level of the attacker writing it? The value of the information/access gained if exploited? Probability of exploitation not being noticed and ability to further backdoor compromised machine/network?

From jon.passki at hursk.com Tue Dec 9 14:55:07 2008
From: jon.passki at hursk.com (Jon Passki)
Date: Wed, 10 Dec 2008 04:55:07 +0900
Subject: [Dailydave] Faster, smashter.
In-Reply-To: <493E8483.2090305@immunityinc.com>
References: <493D1B81.2080702@immunityinc.com> <337642BF269E9B4688AD6E36BDF700282286A22A@kyle.office.techtarget.com> <493E440C.8010306@gmx.de> <493E8483.2090305@immunityinc.com>
Message-ID:

On Tue, Dec 9, 2008 at 11:45 PM, Dave Aitel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> One technique we're doing this week with a client is taking an attack
> tree and marking it up with dollar values. I.E. if you wanted to buy
> an 0day in X component, how much would it cost?
>
> This then is a simple summation to produce a "how much is it to get
> into the internal network from the internet" which the business can
> use to help them decide yay/nay on the project as a whole depending on
> their own view of the threat and the value of the information they are
> protecting.
>
> - -dave
>
>

Care to share the generalized outcome? Perhaps something like the client chose a branch of 4 0days that had a value between $10,000 and $50,000? Assuming you had a way to state x, y, & z 0days exist (even if you didn't have access to them) with some level of certainty, then you probably have a very valid method of at least quantifying exposure. Heck, depending upon the level of certainty, I would pay you as a service to help me quantify my clients' exposures.

Jon Passki
pgp: 1BB0 A946 927B 93C3 ED6A 0466 6692 6C2C 84BE 4122

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20081210/f3e7a93d/attachment.htm

From sinan.eren at immunitysec.com Tue Dec 9 21:19:11 2008
From: sinan.eren at immunitysec.com (sinan.eren at immunitysec.com)
Date: Tue, 9 Dec 2008 21:19:11 -0500 (EST)
Subject: [Dailydave] Faster, smashter. (fwd)
Message-ID:

(moderator: retry from subscribed account)

I have been thinking about a potential futures market model to hedge the risk of software vulnerabilities.
Perhaps a modified Black-Scholes-Merton model that could be tied into Microsoft's exploitability index to determine the premium on the future contract ? Hedgers (companies, governmental institutions, military etc.) could then purchase these contracts from speculators (these could be us) to tie their risk into a dollar amount. On the other hand researchers can sell these contracts if they feel strongly about a software or inversely, buy these contracts to cash in their 0day when it hits the public domain.

We need a fair market place for 0day (outside of the 2 known players whose model benefits no one) and I believe futures market model is the way to go. After all if you can hedge your exposure to weather, why can't you hedge it against 0day ? It is not as crazy as it sounds ....

I would appreciate ideas to tie the value of a vulnerability to a premium, any quants who do security as well ?

-sinan

On Tue, 9 Dec 2008, Dave Aitel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> One technique we're doing this week with a client is taking an attack
> tree and marking it up with dollar values. I.E. if you wanted to buy
> an 0day in X component, how much would it cost?
>
> This then is a simple summation to produce a "how much is it to get
> into the internal network from the internet" which the business can
> use to help them decide yay/nay on the project as a whole depending on
> their own view of the threat and the value of the information they are
> protecting.
>
> -dave
>
>
> Halvar Flake wrote:
> > Hey all,
> >
> > It seems that discussions in ITsec are periodic -- the same
> > discussions and same arguments come up again and again.
> >
> > 1. Of course attackers use new vulnerabilities. It is the nature of
> > offense. Defense is done "to the maximum of current knowledge".
> > Offense, by its nature, has to expand on the status quo.
> >
> > 2. How do you simulate an attack with a new vulnerability if you
> > don't have one ?
> >
> > Well, military folks do wargames all the time without actually
> > using up the arsenal they have on the shelves. Network attacks
> > should probably be done in a similar manner -- have an umpire, and
> > give the attacking team a few "0day cards". With these cards they
> > get high-probability code execution for a piece of software of
> > their choice.
> >
> > The pentest then proceeds like a game, but can be conducted on the
> > real network, too.
> >
> > But I am repeating myself ...
> >
> > Cheers, Halvar _______________________________________________
> > Dailydave mailing list Dailydave at lists.immunitysec.com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFJPoSCtehAhL0gheoRAqofAJ0Yvic/Ro6dRr+xWLavp+DizANyAACfWUXc
> JRFeXEvy4EJeg5gkuXxC2ZU=
> =6PWU
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

From dan at geer.org Tue Dec 9 22:40:48 2008
From: dan at geer.org (dan at geer.org)
Date: Tue, 09 Dec 2008 22:40:48 -0500
Subject: [Dailydave] Faster, smashter.
In-Reply-To: Your message of "Tue, 09 Dec 2008 09:14:54 CST."
Message-ID: <20081210034048.A33D033D76@absinthe.tinho.net>

"Rafal @ IsHackingYou.com" writes:
-+--------------------------------
| That's brilliant Dave - but where are you getting your numbers?
| Are you using a public source, are you using top-secret ImmunityInc
| research or...? I'd love to get that source if you're willing to
| share. It's all about real numbers!

The Way to do price discovery is to have an auction...

--dan

From jericho at attrition.org Tue Dec 9 23:28:12 2008
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 10 Dec 2008 04:28:12 +0000 (UTC)
Subject: [Dailydave] Faster, smashter.
(fwd)
In-Reply-To:
References:
Message-ID:

: I have been thinking about a potential futures market model to hedge the
: risk of software vulnerabilities. Perhaps a modified
: Black-Scholes-Merton model that could be tied into Microsoft's

I know little to nothing about economics but got curious about this model. One assumption of this model is "There are no arbitrage opportunities", which I read on to mean "in simple terms, a risk-free profit." Since this entire topic revolves around risks of some sort, defining risk in this context is up for debate, but it seems like a player in the market could operate with 'no' risk if they choose.

It also assumes "All securities are perfectly divisible (i.e. it is possible to buy any fraction of a share)", which doesn't seem to fit with the idea of selling a vulnerability, unless you break it down to "description" versus "proof of concept" versus "functional exploit" versus "wormified exploit"?

: exploitability index to determine the premium on the future contract ?
: Hedgers (companies, governmental institutions, military etc.) could then
: purchase these contracts from speculators (these could be us) to tie
: their risk into a dollar amount. On the other hand researchers can sell
: these contracts if they feel strongly about a software or inversely, buy

On a very simple level, this could be achieved with a simple market auction system, akin to wslabi [1]. Rather than trade in developed exploits, players could post a wish-list and exploit writers could cherry pick ones of interest. Actually, less like wslabi, more like RentACoder [2].

: these contracts to cash in their 0day when it hits the public domain. We
: need a fair market place for 0day (outside of the 2 known players whose
: model benefits no one) and I believe futures market model is the way to

There are more than 2 known players first off. I assume based on public perception and reputation you refer to iDefense and ZDI/TP?
If so, there are other buyers out there that use different models for 'purchase', including Digital Armaments [3] and their point based system that lets you buy/trade for other 0-days (more a vuln sharing club, and shady to some), wslabi.com and the vulnerability auction house, as well as others that don't advertise but certainly aren't totally secret.

: go. After all if you can hedge your exposure to weather, why can't you
: hedge it against 0day ? It is not as crazy as it sounds ....

Absolutely not. But it seems like there are just as many variables, if not more, than many other well established markets. So not only do you have variables, you have the immaturity of the market to overcome in establishing all of this.

: I would appreciate ideas to tie the value of a vulnerability to a premium, any
: quants who do security as well ?

I'd recommend you pose these questions to the Security Metrics list. [4]

jericho

[1] http://wslabi.com/wabisabilabi/home.do?
[2] http://www.rentacoder.com/RentACoder/DotNet/default.aspx
[3] http://digitalarmaments.com/
[4] http://www.securitymetrics.org/content/Wiki.jsp?page=MailingList

From marc at marcmaiffret.com Wed Dec 10 04:33:42 2008
From: marc at marcmaiffret.com (Marc Maiffret)
Date: Wed, 10 Dec 2008 01:33:42 -0800
Subject: [Dailydave] Faster, smashter.
In-Reply-To: <20081210034048.A33D033D76@absinthe.tinho.net>
References: Your message of "Tue, 09 Dec 2008 09:14:54 CST." <20081210034048.A33D033D76@absinthe.tinho.net>
Message-ID: <00b101c95aaa$658428f0$308c7ad0$@com>

I remember when I first read an email from some people in ADM, I believe, who were advocating that researchers should stop publishing vulnerabilities/exploits and start keeping things underground. To me it was as much a signaling of the last days of hacking as it was of the start of the vulnerability well drying up.
The whole world was about to be breathing down Microsoft's neck over the next few years, Trustworthy Computing would be born, and Microsoft would end up being no longer the security laughingstock but the company most people would recognize as a leader by example for what companies like Adobe and others should be doing. Not to say they are by any means perfect :-)

In the late 90's there were more zeroday vulnerabilities than anyone knew what to do with. Most of these exploits were not even that private and even floated on many security mailing lists for a very long time before they were ever patched. As the security industry started to boom in the early 00's a lot of researchers realized that vulnerabilities were of marketing value for both themselves and the companies that hired them. Security companies and researchers went absolutely nuts harvesting every vulnerability they could as quickly as possible. In parallel, people wishing to break into systems or write worms never had to worry about finding vulnerabilities of their own, as there was no shortage of vulnerabilities. But a good thing never lasts...

After enough punches to the face Microsoft decided to finally do something about their security problem beyond marketing rhetoric and spend whatever amount of money was required to solve this unsolvable problem. The combination of Microsoft doing everything it could to find and remediate its own vulnerabilities, along with researchers and security companies working in a frenzy to get credit for the next vulnerability, made the drying of the well happen even faster than most anyone could have anticipated. The well that so many people, for so many reasons, used to go to is continuing to dry up at a rapid pace. This has required things like zeroday vulnerabilities to become a reality again as a means not of being the biggest and baddest threat but of simple survival against a software giant that truly has been awoken.
As we continue down this path of eroding vulnerabilities people will cling to their zeroday vulnerabilities even more, driving the price of zeroday vulnerabilities up but the usage of these vulnerabilities down. They will be worth too much to waste on the masses. Not that there won't be the unexplainable crazy attacker here or there. This for the most part is already the case now and will be even more so in the future.

The biggest threat to the average computer user is not zeroday vulnerabilities but system misconfigurations and vulnerabilities within third party applications. Most organizations are only just starting to get a handle on patching Microsoft vulnerabilities, let alone third party applications. This becomes even more apparent with consumers and small to medium sized businesses where they only have Windows Update and WSUS to depend on. There is simply no third party patching being done in these environments, making it a LOT more likely for them to get owned with a 6 month old Adobe Acrobat vulnerability than some zeroday vulnerability. This is currently the lowest hanging fruit for attackers and does not require an attacker to have large sums of money to waste on buying zeroday attacks. Microsoft knows this is a bigger threat to their customers right now than zeroday vulnerabilities. Maybe they will finally do what they mentioned so many years ago and open Windows Update to third party vendors and continue to dry the well some more.

Security to me is about vigilance, intellect and tenacity... Some people are simply not cut out for a race that has no finish line, and many of the people who could make a difference are not willing to risk their egos and reputations to find solutions to problems we all repeat like broken records. But we can talk about all of this and why anti-virus sucks all over again next year, or maybe all of us risk intellectuals can start taking some risks of our own.
-Marc Maiffret

From bees.inc at gmail.com Wed Dec 10 01:27:15 2008
From: bees.inc at gmail.com (BEES INC)
Date: Wed, 10 Dec 2008 17:27:15 +1100
Subject: [Dailydave] Faster, smashter. (fwd)
In-Reply-To:
References:
Message-ID: <748f2d520812092227m4537afb7j2c226eebfdb75e7c@mail.gmail.com>

I have postgrad applied finance qualifications and this is not really practical. You need an open/free market on 0day before you could start writing futures/options contracts. To my knowledge this doesn't exist, and is unlikely to exist for a whole bunch of reasons. It's more profitable for exploit writers and cheaper for buyers to keep the other side in the dark on going rates.

I remember they tried something like this in Fresno County with the sausage and spice prices there. Though a little different from exploits, it's similar in that it's a fairly small and niche market, and the supply was effectively controlled by a cartel, and pricing information was dubious at best. Needless to say it didn't take off.

You would be better off writing insurance and collecting premiums, and if something does happen the payout could go to covering costs of patching and recovery. I'm pretty sure I've read of something like this being already available.

On Wed, Dec 10, 2008 at 1:19 PM, wrote:
>
> (moderator: retry from subscribed account)
>
> I have been thinking about a potential futures market model to hedge the risk
> of software vulnerabilities. Perhaps a modified Black-Scholes-Merton model that
> could be tied into Microsoft's exploitability index to determine the premium on
> the future contract ? Hedgers (companies, governmental institutions, military
> etc.) could then purchase these contracts from speculators (these could be us)
> to tie their risk into a dollar amount. On the other hand researchers can sell
> these contracts if they feel strongly about a software or inversely, buy these
> contracts to cash in their 0day when it hits the public domain.
> We need a fair
> market place for 0day (outside of the 2 known players whose model benefits no
> one) and I believe futures market model is the way to go. After all if you can
> hedge your exposure to weather, why can't you hedge it against 0day ? It is not
> as crazy as it sounds ....
>
> I would appreciate ideas to tie the value of a vulnerability to a premium, any
> quants who do security as well ?
>
> -sinan
>
> On Tue, 9 Dec 2008, Dave Aitel wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> One technique we're doing this week with a client is taking an attack
>> tree and marking it up with dollar values. I.E. if you wanted to buy
>> an 0day in X component, how much would it cost?
>>
>> This then is a simple summation to produce a "how much is it to get
>> into the internal network from the internet" which the business can
>> use to help them decide yay/nay on the project as a whole depending on
>> their own view of the threat and the value of the information they are
>> protecting.
>>
>> -dave
>>
>>
>> Halvar Flake wrote:
>> > Hey all,
>> >
>> > It seems that discussions in ITsec are periodic -- the same
>> > discussions and same arguments come up again and again.
>> >
>> > 1. Of course attackers use new vulnerabilities. It is the nature of
>> > offense. Defense is done "to the maximum of current knowledge".
>> > Offense, by its nature, has to expand on the status quo.
>> >
>> > 2. How do you simulate an attack with a new vulnerability if you
>> > don't have one ?
>> >
>> > Well, military folks do wargames all the time without actually
>> > using up the arsenal they have on the shelves. Network attacks
>> > should probably be done in a similar manner -- have an umpire, and
>> > give the attacking team a few "0day cards". With these cards they
>> > get high-probability code execution for a piece of software of
>> > their choice.
>> >
>> > The pentest then proceeds like a game, but can be conducted on the
>> > real network, too.
>> > >> > But I am repeating myself ... >> > >> > Cheers, Halvar _______________________________________________ >> > Dailydave mailing list Dailydave at lists.immunitysec.com >> > http://lists.immunitysec.com/mailman/listinfo/dailydave >> >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.4.6 (GNU/Linux) >> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org >> >> iD8DBQFJPoSCtehAhL0gheoRAqofAJ0Yvic/Ro6dRr+xWLavp+DizANyAACfWUXc >> JRFeXEvy4EJeg5gkuXxC2ZU= >> =6PWU >> -----END PGP SIGNATURE----- >> >> _______________________________________________ >> Dailydave mailing list >> Dailydave at lists.immunitysec.com >> http://lists.immunitysec.com/mailman/listinfo/dailydave >> > > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > From thorsten.holz at gmail.com Wed Dec 10 02:40:29 2008 From: thorsten.holz at gmail.com (Thorsten Holz) Date: Wed, 10 Dec 2008 08:40:29 +0100 Subject: [Dailydave] Faster, smashter. (fwd) In-Reply-To: References: Message-ID: On Dec 10, 2008, at 3:19 AM, sinan.eren at immunitysec.com wrote: > I would appreciate ideas to tie the value of a vulnerability to a > premium, any > quants who do security as well ? Rainer B?hme discussed the idea of exploit derivatives and cyber- insurances in a talk at CCC'05: http://events.ccc.de/congress/2005/fahrplan/events/801.en.html There is also a paper from the Workshop on the Economics of Information Security (WEIS 2005), in which B?hme discusses these ideas in more detail: http://infosecon.net/workshop/pdf/15.pdf Pretty interesting concept, but some obstacles need to be taken when implementing such a market (monoculture, correlation of attacks and such). Cheers, Thorsten From jon.passki at hursk.com Wed Dec 10 08:43:19 2008 From: jon.passki at hursk.com (Jon Passki) Date: Wed, 10 Dec 2008 22:43:19 +0900 Subject: [Dailydave] Faster, smashter. 
(fwd)
In-Reply-To: <748f2d520812092227m4537afb7j2c226eebfdb75e7c@mail.gmail.com>
References: <748f2d520812092227m4537afb7j2c226eebfdb75e7c@mail.gmail.com>
Message-ID:

I disagree. Give me N number of oracles that state they know x, y, z issue is exploitable (at some defined level of exploitability) and I'll give you an auction. The concept of an auction is from the perspective of the buyer, not the seller... If Oracle A, B, D, and F state that they have an exploit for vuln Alpha, then I have a ceiling cost and a basement cost for the exploit. If I only have one Oracle, I still have a ceiling cost. That's still a good number for worst-case attack tree discussions.

On Wed, Dec 10, 2008 at 3:27 PM, BEES INC wrote:
> I have postgrad applied finance qualifications and this is not really
> practical. You need an open/free market on 0day before you could start
> writing futures/options contracts. To my knowledge this doesn't exist,
> and is unlikely to exist for a whole bunch of reasons. It's more
> profitable for exploit writers and cheaper for buyers to keep the
> other side in the dark on going rates.
>
> I remember they tried something like this in Fresno County with the
> sausage and spice prices there. Though a little different from
> exploits, it's similar in that it's a fairly small and niche market, and
> the supply was effectively controlled by a cartel, and pricing
> information was dubious at best. Needless to say it didn't take off.
>
> You would be better off writing insurance and collecting premiums,
> and if something does happen the payout could go to covering costs of
> patching and recovery. I'm pretty sure I've read of something like this
> being already available.
>
> On Wed, Dec 10, 2008 at 1:19 PM, wrote:
> >
> > (moderator: retry from subscribed account)
> >
> > I have been thinking about a potential futures market model to hedge the risk
> > of software vulnerabilities.
> > Perhaps a modified Black-Scholes-Merton model that
> > could be tied into Microsoft's exploitability index to determine the premium on
> > the future contract ? Hedgers (companies, governmental institutions, military
> > etc.) could then purchase these contracts from speculators (these could be us)
> > to tie their risk into a dollar amount. On the other hand researchers can sell
> > these contracts if they feel strongly about a software or inversely, buy these
> > contracts to cash in their 0day when it hits the public domain. We need a fair
> > market place for 0day (outside of the 2 known players whose model benefits no
> > one) and I believe futures market model is the way to go. After all if you can
> > hedge your exposure to weather, why can't you hedge it against 0day ? It is not
> > as crazy as it sounds ....
> >
> > I would appreciate ideas to tie the value of a vulnerability to a premium, any
> > quants who do security as well ?
> >
> > -sinan
> >
> > On Tue, 9 Dec 2008, Dave Aitel wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> One technique we're doing this week with a client is taking an attack
> >> tree and marking it up with dollar values. I.E. if you wanted to buy
> >> an 0day in X component, how much would it cost?
> >>
> >> This then is a simple summation to produce a "how much is it to get
> >> into the internal network from the internet" which the business can
> >> use to help them decide yay/nay on the project as a whole depending on
> >> their own view of the threat and the value of the information they are
> >> protecting.
> >>
> >> -dave
> >>
> >>
> >> Halvar Flake wrote:
> >> > Hey all,
> >> >
> >> > It seems that discussions in ITsec are periodic -- the same
> >> > discussions and same arguments come up again and again.
> >> >
> >> > 1. Of course attackers use new vulnerabilities. It is the nature of
> >> > offense. Defense is done "to the maximum of current knowledge".
> >> > Offense, by its nature, has to expand on the status quo.
> >> >
> >> > 2. How do you simulate an attack with a new vulnerability if you
> >> > don't have one ?
> >> >
> >> > Well, military folks do wargames all the time without actually
> >> > using up the arsenal they have on the shelves. Network attacks
> >> > should probably be done in a similar manner -- have an umpire, and
> >> > give the attacking team a few "0day cards". With these cards they
> >> > get high-probability code execution for a piece of software of
> >> > their choice.
> >> >
> >> > The pentest then proceeds like a game, but can be conducted on the
> >> > real network, too.
> >> >
> >> > But I am repeating myself ...
> >> >
> >> > Cheers, Halvar _______________________________________________
> >> > Dailydave mailing list Dailydave at lists.immunitysec.com
> >> > http://lists.immunitysec.com/mailman/listinfo/dailydave
> >>

From jmoss at blackhat.com Wed Dec 10 20:00:42 2008
From: jmoss at blackhat.com (jmoss)
Date: Wed, 10 Dec 2008 17:00:42 -0800
Subject: [Dailydave] Black Hat: New Webinar, Japan audio now on-line.
Message-ID: <000301c95b2b$e41e1d70$ac5a5850$@com>

Daily Dave, the BH Japan audio is now online, as well as a new webinar with Dave Litchfield coming up. Also the CFP is still open for D.C. and Amsterdam if you have something up your sleeve. Don't keep those 'sploits to yourself but set them free, like a butterfly.

NEW FREE WEBCAST - Oracle Database Forensics

Black Hat's webcast series continues with another powerful presentation from a popular Black Hat speaker.
This month's presenter is David Litchfield of NGS Software, speaking on Oracle database forensics, and he will be releasing a new tool called orablock which he describes this way:

"Orablock allows a forensic investigator to dump data from a "cold" Oracle data file - i.e. there's no need to load up the data file in the database, which would cause the data file to be modified, so using orablock preserves the evidence. Orablock can also be used to locate "stale" data - i.e. data that has been deleted or updated. It can also be used to dump SCNs for data blocks, which can be useful during the examination of a compromised Oracle box."

Please join us to learn about Oracle DB forensics from one of the innovators of the field, as well as to learn about his new tool and to get your questions answered. The webcast will be held on December 18 at 1pm PST. The URL for registration is:
http://w.on24.com/r.htm?e=122240&s=1&k=57F93C9128D5D1BBC64B8AE7177FB981

For more information about Black Hat's webcast series, including an archive of our previous webcasts in audio format:
https://www.blackhat.com/webinars/webinars-index.html

BLACK HAT JAPAN audio is now online!

Encoded in .m4b format, these audio files are tiny, as well as being bookmarkable and iTunes friendly.
https://www.blackhat.com/html/bh-japan-08/brief-bh-jp-08-archives.html

UPCOMING BLACK HAT EVENTS

The next big Black Hat event is Black Hat DC, scheduled for February 16-19 at the Hyatt Regency Crystal City in Arlington, Virginia. The event is divided into two sections, with two days of intense, hands-on Training Sessions followed by a two-day, four-track Briefings portion with a wide variety of exciting speakers and presentations. Black Hat DC is a unique information security event that places a special emphasis on the needs of security professionals who work in government service and infrastructure. And we think this one will be our best DC event yet.
Even though the Black Hat DC Call for Papers doesn't close until January 1, we've already confirmed some exciting Briefings presentations.

- Crowd favorite Adam Laurie will return with a satellite-hacking presentation that is sure to be popular.
- Database guru David Litchfield will present a powerful new database forensics tool.
- Andrew Lindell's contribution is entitled "Making Privacy-Preserving Data Mining Practical with Smartcards."
- In the hardware hacking area we have a very interesting presentation from Travis Goodspeed on reverse engineering and exploiting wireless sensors.

Our lineup of brand new training sessions includes a physical security training by Zac Franken and Adam Laurie entitled "RFID, Access Control and Biometric Systems", a Metasploit course called "Tactical Exploitation" by Metasploit creator HD Moore, and a course on "Understanding and Deploying DNSSEC" by Paul Wouters and Patrick Nauber. As always, it's best to register early for the training of your choice to make sure there's a place for you - seats are limited. To learn more about all of our training courses, follow this link:
https://www.blackhat.com/html/bh-dc-09/train-bh-dc-09-index.html

REGISTER NOW

Please keep in mind that the early bird rate that's in effect for the Briefings and the Training classes will end on January 1. To take advantage of those significant savings, please consider registering soon. The Black Hat Europe early bird rate ends February 1 - we'll have more details about that event in our next mailing.

CFP OPEN FOR BLACK HAT DC AND EUROPE

Another reminder is that Black Hat is still considering Briefings speaker applications for both Black Hat DC and Black Hat Europe, so if you have a strong, compelling and technical presentation to share, please let us know! To be considered for Black Hat DC, you'll need to have your work in our system by January 1.
The deadline is February 1 for the Black Hat Europe CFP; the details for potential presenters are available online:
https://cfp.blackhat.com/

GET INVOLVED WITH BLACK HAT!

- Join the Black Hat LinkedIn group and participate in discussions and comment on news.
http://www.linkedin.com/groups?gid=37658&trk=hb_side_g
- Share your pictures of past events, or just check out ours: yes, it is just getting started, but please post your Black Hat pics.
http://www.flickr.com/photos/30017677 at N05/
- Follow us on Twitter: https://twitter.com/blackhatusa2008
- Subscribe to our main RSS feed to get timely announcements that won't be in monthly newsletters: https://www.blackhat.com/BlackHatRSS.xml

Thank you,

Jeff Moss
Director of Black Hat, CMP Media LLC

From sinan.eren at immunitysec.com Wed Dec 10 17:21:05 2008
From: sinan.eren at immunitysec.com (sinan.eren at immunitysec.com)
Date: Wed, 10 Dec 2008 17:21:05 -0500 (EST)
Subject: [Dailydave] Faster, smashter. (fwd)
In-Reply-To: <748f2d520812092227m4537afb7j2c226eebfdb75e7c@mail.gmail.com>
References: <748f2d520812092227m4537afb7j2c226eebfdb75e7c@mail.gmail.com>
Message-ID:

In response to both Jericho and Bees;

I wasn't actually proposing a market place for 0days. My point was something like: index futures on products that are built on a model where 0day is a part of the equation (perhaps think of it as vega). For example, Exchange 2003 could be tied to an index and each index point could be assigned a dollar value. The theoretical value will then be calculated by a model and the rest will be left to the market forces to settle the premium. Hedgers can then take long or short positions (depending on how the model is formed) to offset their IT costs and possible damages from intrusions and other liabilities. Speculators can also take on counter or similar positions depending on their outlook. Yes, there is an obvious flaw, which is the risk-free arbitrage by anybody who holds a 0day against Exchange 2003.
But I believe this could be acceptable as part of the market in its infancy, and since all or most arbitrage possibilities get discounted by markets eventually, this model will lead to less outstanding 0day in underground/criminal circles, perhaps even more secure software eventually? SDL versus the free market? Which is more efficient?

Regards,
-sinan
VP of Vulnerability Arbitrage

On Wed, 10 Dec 2008, BEES INC wrote:

> I have postgrad applied finance qualifications and this is not really
> practical. You need an open/free market on 0day before you could start
> writing futures/options contracts. To my knowledge this doesn't exist,
> and is unlikely to exist for a whole bunch of reasons. It's more
> profitable for exploit writers and cheaper for buyers to keep the
> other side in the dark on going rates.
>
> I remember they tried something like this in Fresno County with the
> sausage and spice prices there. Though a little different from
> exploits, it's similar in that it's a fairly small and niche market, and
> the supply was effectively controlled by a cartel, and pricing
> information was dubious at best. Needless to say it didn't take off.
>
> You would be better off writing insurance and collecting premiums,
> and if something does happen the payout could go to covering costs of
> patching and recovery. I'm pretty sure I've read of something like this
> being already available.
>
> On Wed, Dec 10, 2008 at 1:19 PM, wrote:
>>
>> (moderator: retry from subscribed account)
>>
>> I have been thinking about a potential futures market model to hedge the risk
>> of software vulnerabilities. Perhaps a modified Black-Scholes-Merton model that
>> could be tied into Microsoft's exploitability index to determine the premium on
>> the future contract ? Hedgers (companies, governmental institutions, military
>> etc.) could then purchase these contracts from speculators (these could be us)
>> to tie their risk into a dollar amount.
>> On the other hand researchers can sell
>> these contracts if they feel strongly about a software or inversely, buy these
>> contracts to cash in their 0day when it hits the public domain. We need a fair
>> market place for 0day (outside of the 2 known players whose model benefits no
>> one) and I believe futures market model is the way to go. After all if you can
>> hedge your exposure to weather, why can't you hedge it against 0day ? It is not
>> as crazy as it sounds ....
>>
>> I would appreciate ideas to tie the value of a vulnerability to a premium, any
>> quants who do security as well ?
>>
>> -sinan
>>
>> On Tue, 9 Dec 2008, Dave Aitel wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> One technique we're doing this week with a client is taking an attack
>>> tree and marking it up with dollar values. I.E. if you wanted to buy
>>> an 0day in X component, how much would it cost?
>>>
>>> This then is a simple summation to produce a "how much is it to get
>>> into the internal network from the internet" which the business can
>>> use to help them decide yay/nay on the project as a whole depending on
>>> their own view of the threat and the value of the information they are
>>> protecting.
>>>
>>> -dave
>>>
>>>
>>> Halvar Flake wrote:
>>>> Hey all,
>>>>
>>>> It seems that discussions in ITsec are periodic -- the same
>>>> discussions and same arguments come up again and again.
>>>>
>>>> 1. Of course attackers use new vulnerabilities. It is the nature of
>>>> offense. Defense is done "to the maximum of current knowledge".
>>>> Offense, by its nature, has to expand on the status quo.
>>>>
>>>> 2. How do you simulate an attack with a new vulnerability if you
>>>> don't have one ?
>>>>
>>>> Well, military folks do wargames all the time without actually
>>>> using up the arsenal they have on the shelves. Network attacks
>>>> should probably be done in a similar manner -- have an umpire, and
>>>> give the attacking team a few "0day cards".
>>>> With these cards they
>>>> get high-probability code execution for a piece of software of
>>>> their choice.
>>>>
>>>> The pentest then proceeds like a game, but can be conducted on the
>>>> real network, too.
>>>>
>>>> But I am repeating myself ...
>>>>
>>>> Cheers, Halvar _______________________________________________
>>>> Dailydave mailing list Dailydave at lists.immunitysec.com
>>>> http://lists.immunitysec.com/mailman/listinfo/dailydave
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.6 (GNU/Linux)
>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>>
>>> iD8DBQFJPoSCtehAhL0gheoRAqofAJ0Yvic/Ro6dRr+xWLavp+DizANyAACfWUXc
>>> JRFeXEvy4EJeg5gkuXxC2ZU=
>>> =6PWU
>>> -----END PGP SIGNATURE-----
>>>
>>> _______________________________________________
>>> Dailydave mailing list
>>> Dailydave at lists.immunitysec.com
>>> http://lists.immunitysec.com/mailman/listinfo/dailydave
>>>
>>
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunitysec.com
>> http://lists.immunitysec.com/mailman/listinfo/dailydave
>>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

From lists at robertlemos.com Wed Dec 10 09:29:57 2008
From: lists at robertlemos.com (Robert Lemos)
Date: Wed, 10 Dec 2008 09:29:57 -0500
Subject: [Dailydave] Faster, smashter. (fwd)
In-Reply-To: <748f2d520812092227m4537afb7j2c226eebfdb75e7c@mail.gmail.com>
References: <748f2d520812092227m4537afb7j2c226eebfdb75e7c@mail.gmail.com>
Message-ID:

On Dec 10, 2008, at 1:27 AM, BEES INC wrote:
> You would be better off writing insurance and collecting premiums,
> and if something does happen the payout could go to covering costs of
> patching and recovery. I'm pretty sure I've read of something like this
> being already available.

IANA financial analyst, but...
Futures typically only work as a hedge for commodities, where quality is a constant and the supply-demand relationship is the only variable. Because the quality of vulnerabilities varies so widely, it would be hard to create a futures market around them.

However, wine futures might be a good model to base this on. Wine futures typically are sold after the wine is casked, but before it is bottled. So you have some knowledge of the potential quality of the wine, but not of the finished product. I could imagine that trusted groups of researchers could indicate that they are working on finding vulnerabilities in a certain product and had found several of undetermined quality. They could sell the results on the open market, a few months to a few years before their research is finished.

Of course, there are plenty of caveats to this analogy:

1) Wine is atoms, vulns are bits.
2) The researchers would have to take care or their sale could be (or at least appear to be) extortion.
3) You could argue that there is generally only one legitimate buyer -- the developer whose software you are auditing -- for the product, severely limiting the market.

Likely, this would only work on the underground market, because of point 3. In the legitimate market, the model would default to the "pay for a trusted auditor to audit your software" deal that is already in existence.

-R

| robert lemos | mail at robertlemos.com | twit: rlemos_security |
| managing editor | securityfocus | www.securityfocus.com |
| technology journalist | http://www.robertlemos.com |

From cmiller at securityevaluators.com Wed Dec 10 10:28:34 2008
From: cmiller at securityevaluators.com (Charles Miller)
Date: Wed, 10 Dec 2008 09:28:34 -0600
Subject: [Dailydave] Faster, smashter.
(fwd)

I wrote some about this too: http://weis2007.econinfosec.org/papers/29.pdf

I like the idea of a derivative market. It's the only way I've heard where you can make money by dropping 0-days on full disclosure, for example. The drawback is that I know I can make 100k for my IE exploit, but I don't know how much I can make by buying the "IE sucks" derivative. There will only be so many people willing to buy the "IE is rock solid" one and once I start buying up the "IE sucks" one, it will be even harder to make a big score.

Charlie

On Dec 10, 2008, at 1:40 AM, Thorsten Holz wrote:
> On Dec 10, 2008, at 3:19 AM, sinan.eren at immunitysec.com wrote:
>
>> I would appreciate ideas to tie the value of a vulnerability to a premium, any quants who do security as well ?
>
> Rainer Böhme discussed the idea of exploit derivatives and cyber-insurances in a talk at CCC'05: http://events.ccc.de/congress/2005/fahrplan/events/801.en.html
> There is also a paper from the Workshop on the Economics of Information Security (WEIS 2005), in which Böhme discusses these ideas in more detail: http://infosecon.net/workshop/pdf/15.pdf
>
> Pretty interesting concept, but some obstacles need to be taken when implementing such a market (monoculture, correlation of attacks and such).
>
> Cheers,
> Thorsten

From jon.passki at hursk.com Thu Dec 11 02:59:21 2008
From: jon.passki at hursk.com (Jon Passki)
Date: Thu, 11 Dec 2008 16:59:21 +0900
Subject: [Dailydave] Faster, smashter. (fwd)
In-Reply-To: <748f2d520812102342j301bd682h6894335d958ebbd3@mail.gmail.com>
References: <748f2d520812092227m4537afb7j2c226eebfdb75e7c@mail.gmail.com> <748f2d520812102342j301bd682h6894335d958ebbd3@mail.gmail.com>

Yeah, but I would not be the one to figure out the value.
I would ask Immunity Sec if they had an exploit on ManOS that gave me, for example, local root access accessible from any user. If Immunity Sec did confirm a 0day that met my criteria, the next question is then asking them what my cost would be for the 0day. I now have a ceiling cost, even though the cost may be hugely inflated. I may never care whatsoever about purchasing that 0day from Immunity Sec. Also, they might not like me and charge me a higher cost than someone else. If I have more oracles to contact, then I can gauge a better market value.

Yes, there are details, with whatever devils hiding in there. There are also some nice properties, but with risk. Immunity Sec need not expose the actual 0day. There's risk they may lie to me, though. The only exposure is that a set of given properties on some exploit may be publicly disclosed.

From Immunity Sec's perspective, though, they now can analyze the number of queries across vendors and applications and see what the "public" cares about. Maybe 13% of all queries relate to some version of WebSphere on AIX 5.4 (shudder). They now have market intelligence that may drive research and development into platforms not perceived to be viable. So, that intelligence may definitely outweigh the loss of size of their "market cap" on exploits.

Other devils are in classifications. But, seriously, that's something I could see reasonably being taken care of over time for most general exploits. Sure, some just won't be able to be classified. So what if a vast majority can. Perfection, enemy, good, blah blah blah.

On Thu, Dec 11, 2008 at 4:42 PM, BEES INC wrote:
> we are not talking about an auction though, we are talking about derivatives.
>
> As the name implies the price of a derivative is derived from the price of some underlying asset. With commodities or equities you have a market where the last price something traded at is readily available.
> You take that price and a few other things, plug them into Black-Scholes and you have your theoretical option price that may be above or below the market price for the option depending on sentiment and the usual supply/demand.
>
> Derivatives are also standardized, say an option on a share gets you 1 share, it only works if every share is equal. Not all 0days are created equal. For instance take an 0day in ManOs, an experimental operating system used predominantly by physicists. How do you value it? What did the last 0day for manos go for? Is that a reliable indicator of this 0day's price? The last one could've been kinda lame and have lots of preconditions for it to be successful, but maybe this one has no such conditions, and consequently worth a lot more. The same contract won't fit.
>
> It's probably safe to assume there is 0day for manos or exchange or whatever, but pricing a derivative requires available access to the pricing of the underlying and standardization of the terms. You could classify the 0day in terms of severity and have different types for that (like there are different types of oil contracts), and in general I would agree an auction is probably the best way to gauge fair value, but until you can get a fair value you're in a bit of a pickle (or sausage)
>
> Liquidity would also be a big issue. You would need a reasonable number of players to make the market work, otherwise people would get stuck holding illiquid, tricky to value derivatives and you just have to take a look at the subprime debt market to see how well that works out.
>
> On Thu, Dec 11, 2008 at 12:43 AM, Jon Passki wrote:
> > I disagree. Give me N number of oracles that state they know x, y, z issue is exploitable (at some defined level of exploitability) and I'll give you an auction. The concept of an auction is from the perspective of the buyer, not the seller...
> > If Oracle A, B, D, and F state that they have an exploit for vuln Alpha, then I have a ceiling cost and a basement cost for the exploit. If I only have one Oracle, I still have a ceiling cost. That's still a good number for worst-case attack tree discussions.
> >
> > On Wed, Dec 10, 2008 at 3:27 PM, BEES INC wrote:
> >> i have postgrad applied finance qualifications and this is not really practical. You need an open/free market on 0day before you could start writing futures/options contracts. to my knowledge this doesn't exist, and is unlikely to exist for a whole bunch of reasons. it's more profitable for exploit writers and cheaper for buyers to keep the other side in the dark on going rates.
> >>
> >> i remember they tried something like this in Fresno County with the sausage and spice prices there. though a little different from exploits it's similar in that it's a fairly small and niche market, and the supply was effectively controlled by a cartel, and pricing information was dubious at best. needless to say it didn't take off
> >>
> >> you would be better off writing insurance and collecting premiums, and if something does happen the payout could go to covering costs of patching and recovery. i'm pretty sure i've read of something like this being already available.
> >>
> >> On Wed, Dec 10, 2008 at 1:19 PM, wrote:
> >> >
> >> > (moderator: retry from subscribed account)
> >> >
> >> > I have been thinking about a potential futures market model to hedge the risk of software vulnerabilities. Perhaps a modified Black-Scholes-Merton model that could be tied into Microsoft's exploitability index to determine the premium on the future contract ? Hedgers (companies, governmental institutions, military etc.)
> >> > could then purchase these contracts from speculators (these could be us) to tie their risk into a dollar amount. On the other hand researchers can sell these contracts if they feel strongly about a software or inversely, buy these contracts to cash in their 0day when it hits the public domain. We need a fair market place for 0day (outside of the 2 known players whose model benefits no one) and I believe futures market model is the way to go. After all if you can hedge your exposure to weather, why can't you hedge it against 0day ? It is not as crazy as it sounds ....
> >> >
> >> > I would appreciate ideas to tie the value of a vulnerability to a premium, any quants who do security as well ?
> >> >
> >> > -sinan
> >> >
> >> > On Tue, 9 Dec 2008, Dave Aitel wrote:
> >> >
> >> >> One technique we're doing this week with a client is taking an attack tree and marking it up with dollar values. I.E. if you wanted to buy an 0day in X component, how much would it cost?
> >> >>
> >> >> This then is a simple summation to produce a "how much is it to get into the internal network from the internet" which the business can use to help them decide yay/nay on the project as a whole depending on their own view of the threat and the value of the information they are protecting.
> >> >>
> >> >> -dave
> >> >>
> >> >> Halvar Flake wrote:
> >> >> > Hey all,
> >> >> >
> >> >> > It seems that discussions in ITsec are periodic -- the same discussions and same arguments come up again and again.
> >> >> >
> >> >> > 1. Of course attackers use new vulnerabilities. It is the nature of offense. Defense is done "to the maximum of current knowledge". Offense, by its nature, has to expand on the status quo.
> >> >> >
> >> >> > 2. How do you simulate an attack with a new vulnerability if you don't have one ?
> >> >> >
> >> >> > Well, military folks do wargames all the time without actually using up the arsenal they have on the shelves. Network attacks should probably be done in a similar manner -- have an umpire, and give the attacking team a few "0day cards". With these cards they get high-probability code execution for a piece of software of their choice.
> >> >> >
> >> >> > The pentest then proceeds like a game, but can be conducted on the real network, too.
> >> >> >
> >> >> > But I am repeating myself ...
> >> >> >
> >> >> > Cheers, Halvar

--
Cheers,
Jon Passki, Partner
The Hursk Group, LLC
"Obvia conspicimus, nubem pellente Mathesi."
e: jon.passki at hursk.com
ph: 651/222.3020
cal: http://www.google.com/calendar/hosted/hursk.com/embed?src=jon.passki%40hursk.com
pgp: 1BB0 A946 927B 93C3 ED6A 0466 6692 6C2C 84BE 4122

From mjw at cyberwart.com Thu Dec 11 00:37:55 2008
From: mjw at cyberwart.com (Matthew Wollenweber)
Date: Thu, 11 Dec 2008 00:37:55 -0500
Subject: [Dailydave] Faster, smashter. (fwd)
References: <748f2d520812092227m4537afb7j2c226eebfdb75e7c@mail.gmail.com>

Maybe I missed something in the original posting, but my understanding of the cost analysis isn't really similar to a market at all. It's more akin to the cost an adversary might pay a talented group of hackers to develop an exploit against some piece of a system.
So given Immunity's background I imagine they're in a decent position to give rough estimates on that type of work. Therefore, it's less a market and more a pricing estimate by a reputable vendor.

I've seen this type of analysis done in government circles, and I believe the actual numbers are less important than the relative values inside the analysis. Thereby, you discover which components of your software you need to apply additional security measures to relative to the other components. In my experience this type of job occurs on huge systems where the easiest attack vectors tend to stand out, and the particular threat the client is worried about is a motivated adversary that will do similar analysis when selecting components to target for exploitation. For example, the adversary has time and budget to fuzz/re/find-exploits-in X software components and they want to get the most bang for their buck. Therefore the defender wants to make sure the components are perceived as sufficiently expensive to exploit and that there are no clear weak points.

Yes, much craziness can ensue and the flaws are easy to list. But again, it's similar to what an adversary might do and the Immunity folks are in a good spot to estimate cost to exploit various types of software.

--
Matthew Wollenweber
mjw at cybewart.com
www.cyberwart.com/blog

-----Original Message-----
From: dailydave-bounces at lists.immunitysec.com on behalf of sinan.eren at immunitysec.com
Sent: Wed 12/10/2008 5:21 PM
To: dailydave at lists.immunitysec.com
Subject: Re: [Dailydave] Faster, smashter. (fwd)

In response to both Jericho and Bees; I wasn't actually proposing a market place for 0days. My point was something like; index futures on products that are built on a model where 0day is a part of the equation (perhaps think of it as vega). For example, Exchange 2003 could be tied to an index and each index point could be assigned a dollar value.
Theoretical value will then be calculated by a model and the rest will be left to the market forces to settle the premium. Hedgers can then take long or short positions (depending on how the model is formed) to offset their IT costs and possible damages from intrusions and other liabilities. Speculators can also take on counter or similar positions depending on their outlook.

Yes, there is an obvious flaw which is the risk-free arbitrage by anybody who holds a 0day against Exchange 2003. But I believe this could be acceptable as part of the market at its infancy and since all or most arbitrage possibilities get discounted by markets eventually, this model will lead to less outstanding 0day in underground/criminal circles, perhaps even more secure software eventually ? SDL versus the free market ? Which is more efficient ?

Regards,
-sinan
VP of Vulnerability Arbitrage

On Wed, 10 Dec 2008, BEES INC wrote:
> i have postgrad applied finance qualifications and this is not really practical. You need an open/free market on 0day before you could start writing futures/options contracts. to my knowledge this doesn't exist, and is unlikely to exist for a whole bunch of reasons. it's more profitable for exploit writers and cheaper for buyers to keep the other side in the dark on going rates.
>
> i remember they tried something like this in Fresno County with the sausage and spice prices there. though a little different from exploits it's similar in that it's a fairly small and niche market, and the supply was effectively controlled by a cartel, and pricing information was dubious at best. needless to say it didn't take off
>
> you would be better off writing insurance and collecting premiums, and if something does happen the payout could go to covering costs of patching and recovery. i'm pretty sure i've read of something like this being already available.
From bees.inc at gmail.com Thu Dec 11 02:42:22 2008
From: bees.inc at gmail.com (BEES INC)
Date: Thu, 11 Dec 2008 18:42:22 +1100
Subject: [Dailydave] Faster, smashter. (fwd)
References: <748f2d520812092227m4537afb7j2c226eebfdb75e7c@mail.gmail.com>
Message-ID: <748f2d520812102342j301bd682h6894335d958ebbd3@mail.gmail.com>

we are not talking about an auction though, we are talking about derivatives.

As the name implies the price of a derivative is derived from the price of some underlying asset. With commodities or equities you have a market where the last price something traded at is readily available. You take that price and a few other things, plug them into Black-Scholes and you have your theoretical option price that may be above or below the market price for the option depending on sentiment and the usual supply/demand.

Derivatives are also standardized, say an option on a share gets you 1 share, it only works if every share is equal. Not all 0days are created equal. For instance take an 0day in ManOs, an experimental operating system used predominantly by physicists. How do you value it? What did the last 0day for manos go for? Is that a reliable indicator of this 0day's price? The last one could've been kinda lame and have lots of preconditions for it to be successful, but maybe this one has no such conditions, and consequently worth a lot more. The same contract won't fit.

It's probably safe to assume there is 0day for manos or exchange or whatever, but pricing a derivative requires available access to the pricing of the underlying and standardization of the terms.
You could classify the 0day in terms of severity and have different types for that (like there are different types of oil contracts), and in general I would agree an auction is probably the best way to gauge fair value, but until you can get a fair value you're in a bit of a pickle (or sausage)

Liquidity would also be a big issue. You would need a reasonable number of players to make the market work, otherwise people would get stuck holding illiquid, tricky to value derivatives and you just have to take a look at the subprime debt market to see how well that works out.

On Thu, Dec 11, 2008 at 12:43 AM, Jon Passki wrote:
> I disagree. Give me N number of oracles that state they know x, y, z issue is exploitable (at some defined level of exploitability) and I'll give you an auction. The concept of an auction is from the perspective of the buyer, not the seller... If Oracle A, B, D, and F state that they have an exploit for vuln Alpha, then I have a ceiling cost and a basement cost for the exploit. If I only have one Oracle, I still have a ceiling cost. That's still a good number for worst-case attack tree discussions.
From rcs at cert.org Mon Dec 15 13:42:52 2008
From: rcs at cert.org (Robert Seacord)
Date: Mon, 15 Dec 2008 13:42:52 -0500
Subject: [Dailydave] Robert Seacord on the CERT C Secure Coding Standard
References: <748f2d520812092227m4537afb7j2c226eebfdb75e7c@mail.gmail.com> <748f2d520812102342j301bd682h6894335d958ebbd3@mail.gmail.com>

informIT published an interview with me written by David Chisnall: http://www.informit.com/articles/article.aspx?p=1315064

David asked some interesting questions about security and the future of the C programming language.

rCs

From rcs at cert.org Wed Dec 17 10:09:39 2008
From: rcs at cert.org (Robert Seacord)
Date: Wed, 17 Dec 2008 10:09:39 -0500
Subject: [Dailydave] Robert Seacord on the CERT C Secure Coding Standard
In-Reply-To: <49490B1B.1080203@gmx.net>
References: <748f2d520812092227m4537afb7j2c226eebfdb75e7c@mail.gmail.com> <748f2d520812102342j301bd682h6894335d958ebbd3@mail.gmail.com> <49490B1B.1080203@gmx.net>

Marius,

You can also look at www.securecoding.cert.org. This is a wiki, where we (CERT and the community) are developing secure coding standards for C, C++, and Java. We also have a project on secure design patterns, which is not public yet but will hopefully be made public early next year. Anyone can create an account and comment on any of the publicly available coding standards.

As I mentioned in the article, we are also working on a security annex for the next revision of the C standard.
I would love to see more involvement from the security community in the evolution of the C programming language. In particular, I am planning to circulate a draft proposal for this annex in January.

Thanks,
rCs

-----Original Message-----
From: wishi [mailto:brouce at gmx.net]
Sent: Wednesday, December 17, 2008 9:22 AM
To: Robert Seacord
Subject: Re: [Dailydave] Robert Seacord on the CERT C Secure Coding Standard

Robert Seacord wrote:
> informIT published an interview with me written by David Chisnall:
>
> http://www.informit.com/articles/article.aspx?p=1315064
>
> David asked some interesting questions about security and the future of the C programming language.
>
> rCs

Interesting article. I recently searched for detailed information regarding secure programming in C. I found (http://www.cert.org/secure-coding/) which focuses on white papers or books by Gary McGraw and Robert Seacord. I personally think that secure coding, especially in C, is essential and extremely important, because ~60% of all exploits I see are buffer overruns. This is a problem that's not solving itself.

Does anyone know where to find more information on how to write secure code and how to develop "bulletproof program concepts"? I never found anything focusing on this aspect on a pure technical level. Many courses, lots of material, teach exploiting techniques. Most often this isn't very constructive, because the answer to these exploitations isn't better code. Firewalls, e.g., are a network-based answer to a pure software-based problem ;).

Thanks,
Marius

From dave.aitel at gmail.com Sat Dec 20 08:09:15 2008
From: dave.aitel at gmail.com (Dave Aitel)
Date: Sat, 20 Dec 2008 08:09:15 -0500
Subject: [Dailydave] Pen testing web servers
In-Reply-To: <494C29F4.1010206@gmail.com>
References: <494C29F4.1010206@gmail.com>

So here's a story of a recent penetration test on a web server we did. Technically, it was 3 web servers - but let's run with it.
So first, we did all the basic scanning against it. It's IIS 5, so you have to look for old buffer overflows you know aren't there. Then Bas got wrapped into WebDAV for some reason. He was playing with PROPFIND and got a directory listing of one of the server's /'s. Then, on a lark, he wrote up a tool that checked for PROPFIND listings on every other server and every directory - which, much to my surprise, found another one.

So there we are, with some directory listings! Hooray! But we wanted a shell.

So I told him to check for PUT uploads, but at the same time, I told him they were a myth, like dragons or Santa Claus or dolphins. I'd heard about people seeing it, but I'd never in all my years of IIS 5 pen tests ever seen it. So he modified his script and checked to see if he could upload hi.html. And lo and behold on one lonely directory on one of the web servers, he could! So that was pretty cool. Now we can do XSS easily! Hooray! But we wanted a shell.

So he tried uploading hi.asp, an ASP shell. But no go. So then he tried uploading hi.html and then using WebDAV to copy it to hi.asp, which worked. Then we could request hi.asp and get a shell!

So then the next step for us is to upload a MOSDEF callback and get a CANVAS node running. This failed and froze the entire ASP process. So now no ASP files would run. It was very upsetting, as you can imagine. Remember to always use "start" to run programs that might freeze your ASP shell!

Our next step was to think for a while, and then we uploaded an ASP.Net file that also got us a shell. Luckily for us this server also had ASP.Net support. So once that was done, we did some recon by having MOSDEF call back to us to a server outside our network on the real Internet (you need lots of infrastructure like this for penetration testing). We found that no TCP ports were allowed outbound from the target network by portscanning our external box from the target machine.
:< This made us unhappy, as MOSDEF currently worked only over TCP. We tried pinging ourselves from the target, and that worked. So there was a way out! But .... we were not Admin or System yet, and the publicly available tools for ICMP tunneling required winpcap, which we don't want to install on a target even if we DO have admin. It's just more likely to crash the host than work properly. So we thought for a while, then Bas sat down and coded up an ICMP to TCP proxy for Windows that did not require Admin privs using the Windows ICMP API! Horray! Now we can get MOSDEF connectivity, kill our stuck process after running local roots, and so forth. Sadly, this machine had all its RPC interfaces already crashed which makes it hard to get local Admin using RPC exploits. As we're working, we notice someone from another country log onto the machine using the same webdav vulnerability (we assume). We clean up, and inform the client and are done. Afterwards we sent the ICMP Proxy to Justin to finalize, clean up, and put into CANVAS, and now everyone has it. The end. -dave On Fri, Dec 19, 2008 at 6:10 PM, Kevin P Biggs wrote: > > What does everyone consider the best pen tool for testing web servers? > I have tried Nessus. > What tool(s) do you recommend? > > ------------------------------------------------------------------------ > This list is sponsored by: Cenzic > > Security Trends Report from Cenzic > Stay Ahead of the Hacker Curve! > Get the latest Q2 2008 Trends Report now > > www.cenzic.com/landing/trends-report > ------------------------------------------------------------------------ > From brett.moore at insomniasec.com Sat Dec 20 17:00:33 2008 From: brett.moore at insomniasec.com (Brett Moore) Date: Sun, 21 Dec 2008 11:00:33 +1300 Subject: [Dailydave] Pen testing web servers In-Reply-To: References: <494C29F4.1010206@gmail.com> Message-ID: <001501c962ee$653bb4c0$2fb31e40$@moore@insomniasec.com> Nice one... On a side note.. 
Propfind will return dir listings for folders that have directory browsing enabled, but have a default page which is shown. Not sure if this was the case, but it is something that should always be checked for.

> Afterwards we sent the ICMP Proxy to Justin to finalize, clean up, and put
> into CANVAS, and now everyone has it.

Another great addition.

Brett

_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

From don.bailey at gmail.com Fri Dec 26 03:28:32 2008
From: don.bailey at gmail.com (don bailey)
Date: Fri, 26 Dec 2008 02:28:32 -0600
Subject: [Dailydave] FreeBSD 7/6x protosw kernel exploit
Message-ID: <495495B0.3090000@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> uname -rs
FreeBSD 7.0-RELEASE
> id
uid=1001(donb) gid=1001(donb) groups=1001(donb),0(wheel)
> grep ^root /etc/master.passwd
grep: /etc/master.passwd: Permission denied
> nm /boot/kernel/kernel | grep allproc
c0bf26b8 B allproc
c0bf2670 B allproc_lock
> cc -o x x.c
> ./x 0xc0bf26b8
euid=0
> id
uid=1001(donb) gid=1001(donb) euid=0(root) groups=1001(donb),0(wheel)
> grep ^root /etc/master.passwd
root:$1$fuS6o3Qy$iFlUEpD9Y3ph7rOzMU/br1:0:0::0:0:Charlie &:/root:/bin/csh
>

Happy holidays, all!

D
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAklUla4ACgkQttfe3HwtctN/fgCeJDmmpOK8bn1dnssxOkTZXdUg
idUAmwdyoMZnoEfnrR14TQlRDli9mv+j
=Pixh
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gift.c
Type: text/x-csrc
Size: 2150 bytes
Desc: not available
Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20081226/6a4ae60f/attachment.c

From alex at sotirov.net Mon Dec 29 10:08:40 2008
From: alex at sotirov.net (Alexander Sotirov)
Date: Mon, 29 Dec 2008 10:08:40 -0500
Subject: [Dailydave] tubes clogged
Message-ID: <20081229150840.GA2808@MacBook.local>

I hereby grant the security community permission to freely speculate about the details of our latest research:

http://events.ccc.de/congress/2008/Fahrplan/track/Hacking/3023.en.html

The best guess will win a special T-Shirt!

Take care,
Alex

From jdemott at crucialsecurity.com Mon Dec 29 10:36:56 2008
From: jdemott at crucialsecurity.com (Jared DeMott)
Date: Mon, 29 Dec 2008 10:36:56 -0500
Subject: [Dailydave] tubes clogged
In-Reply-To: <20081229150840.GA2808@MacBook.local>
References: <20081229150840.GA2808@MacBook.local>
Message-ID: <4958EE98.7020507@crucialsecurity.com>

Alexander Sotirov wrote:
> I hereby grant the security community permission to freely speculate about the
> details of our latest research:
>
> http://events.ccc.de/congress/2008/Fahrplan/track/Hacking/3023.en.html
>
> The best guess will win a special T-Shirt!
>
> Take care,
> Alex
>

An attack that leverages overrun routing queues to reroute traffic to a network of choice?

From dailydave at digitaloffense.net Mon Dec 29 12:05:31 2008
From: dailydave at digitaloffense.net (H D Moore)
Date: Mon, 29 Dec 2008 11:05:31 -0600
Subject: [Dailydave] tubes clogged
In-Reply-To: <20081229150840.GA2808@MacBook.local>
References: <20081229150840.GA2808@MacBook.local>
Message-ID: <200812291105.31389.dailydave@digitaloffense.net>

On Monday 29 December 2008, Alexander Sotirov wrote:
> I hereby grant the security community permission to freely speculate
> about the details of our latest research:
>
> http://events.ccc.de/congress/2008/Fahrplan/track/Hacking/3023.en.html

Less speculation and more justification for the secrecy:
http://www.breakingpointsystems.com/community/

-HD

From dave at immunityinc.com Mon Dec 29 12:24:59 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 29 Dec 2008 12:24:59 -0500
Subject: [Dailydave] Still relevant after all these years...
Message-ID: <495907EB.70306@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Seems like it was just last year we were announcing the availability of D2's exploit pack, getting PINK ready for delivery, and wishing there was a remote on XP SP2. This year, of course, we will still be getting PINK ready for delivery, but we do have remotes on XP, finally, thanks to MS08-001 and (more reliably) MS08-067. Hooray for progress!

Largely I track how hacking changes through coursework. It used to be that installing and using kernel rootkits would require quite a lot of explanation. Now it's a double-click away. PHP web application exploits remain super-important as buffer overflows faded as a way to get onto Linux machines. Originally we used to spend a lot of time on shellcode, whereas now the shellcode libraries are big enough that there's something for almost every situation, usually wrapped in VisualSploit so I don't have to even go into how to use it from an API.
Like every year, the best vulnerabilities were 0day that got discovered by someone not being careful enough, hackers are still relevant, and offense is still in a winning position.

Happy New Year Everyone!
- -dave

(for those of you interested in actually USING VisualSploit to learn to write overflows...)
Unethical Hacking Offering
January 12-16, 2009: Duration: 5 days Cost: $5000 per person. Class taught at Immunity's Miami Beach HQ. Includes a CANVAS license. Email admin at immunityinc.com for more information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJWQfrtehAhL0gheoRAnQpAJ93HhUn+HnCxsYBGAqFHlkE/Z8AJwCdFb9H
2M2TY5/x2aAQJgflWSLRjUo=
=uEn1
-----END PGP SIGNATURE-----

From sil at infiltrated.net Mon Dec 29 12:06:20 2008
From: sil at infiltrated.net (J. Oquendo)
Date: Mon, 29 Dec 2008 11:06:20 -0600
Subject: [Dailydave] tubes clogged
In-Reply-To: <4958EE98.7020507@crucialsecurity.com>
References: <20081229150840.GA2808@MacBook.local> <4958EE98.7020507@crucialsecurity.com>
Message-ID: <20081229170620.GA77666@infiltrated.net>

On Mon, 29 Dec 2008, Jared DeMott wrote:
> An attack that leverages overrun routing queues to reroute traffic to a
> network of choice?

I'm thinking an attack that causes BGP peers (glue of the internet) to go through a cascading flapping mechanism forcing them to continuously dampen each other till they keep breaking adjacency with each other.

EG:

R1 = 10.10.10.1
R2 = 10.11.12.1
R3 = 10.12.13.1

R1 is peered with R2
R2 is peered with R3

As R2 (spoofed): Fragment R1 randomly appearing as R2

R2 has the potential to flap; if it does flap and R1 is configured (im)properly, it will ignore R2 until it gets its act in order. During the initial flap a penalty is given which exponentially grows. During the time of R2's appearance of flapping, R3, if sending through R2 to get through to R1, will also ignore that path.

http://www.ietf.org/rfc/rfc2439.txt
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-flap-damping.pdf

Anyhow, so imagine a mesh of flapping routers all ignoring each other, one after the other. I thought about something like this a while ago and modified a lame tool a while back, but never put the theory to practice. Besides, I didn't have an Internet to play with ;)

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your conclusions." - Arthur Bloch
"A conclusion is the place where you got tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

From lek at xs4all.nl Mon Dec 29 13:54:57 2008
From: lek at xs4all.nl (Petja van der Lek)
Date: Mon, 29 Dec 2008 19:54:57 +0100
Subject: [Dailydave] tubes clogged
In-Reply-To: <200812291105.31389.dailydave@digitaloffense.net>
References: <20081229150840.GA2808@MacBook.local> <200812291105.31389.dailydave@digitaloffense.net>
Message-ID: <49591D01.5090805@xs4all.nl>

Drat! A JPEG image. We all know that censored documents are *supposed* to be created using the Acrobat mark up tool, right? It's not fair.

But, guesses are free, so here's mine.

"...their research required massive computational resources that had to be utilized within a specific window of time": indicates some form of brute-force cryptokey cracking.

"a practical attack that affects the security of all Internet users": crypto technology in use by *all* Internet users would be SSL. So we'd likely be talking about HTTPS or possibly some (vendor specific) SSL-VPN implementation.

"The main result of our proof of concept attack is that we are in the possession of...": indicates a disclosure vulnerability, rather than anything DoS-like.

"Their research combined a known weakness in one area with a massive resource investment in another...": more clues, leading to the conclusion below.

So, I'd say we're looking at some sort of transparent MITM SSL snooping attack. Traffic would be intercepted using your garden-variety BGP trickery, and some brute-force cracking is used to exploit an OpenSSH flaw or a vendor-specific SSL-VPN implementation bug. As proof, Alex and Jacob will be putting John Chambers' emails on display.

Any points scored?

Cheers,
Lek.

H D Moore wrote:
> Less speculation and more justification for the secrecy:
> http://www.breakingpointsystems.com/community/
>
> -HD

From rafal at ishackingyou.com Mon Dec 29 14:28:28 2008
From: rafal at ishackingyou.com (Rafal Los)
Date: Mon, 29 Dec 2008 19:28:28 +0000
Subject: [Dailydave] Still relevant after all these years...
In-Reply-To: <495907EB.70306@immunityinc.com>
References: <495907EB.70306@immunityinc.com>
Message-ID:

First - Happy New Year all...
Now, perhaps I'm over-stating the obvious but... it seems like every year that passes the exploits get easier and easier to execute. It's not that systems are necessarily easier to hack (or maybe they are?) but that the combination of the two things outlined below is making "hacking" sort of a low-effort activity... at least on the surface. Now, before someone writes back, I fully realize that there still have to be in-depth researchers actually investigating, and writing the hard-core proggies to do these fun point-and-exploit activities... but let me put it out here...

1. Tools have evolved tremendously, and abstracted the heavy-lifting from the interface. This means that there's a GUI front-end on just about anything now, and MSF and others like CANVAS are making it exponentially simpler to execute an attack.

2. Exploits have migrated up the stack... meaning, whereas hackers had to write actual buffer overflow code which took time to find, develop an exploit, and then test... now we've got SQLi which takes about 30 seconds to find/test/exploit... and it works universally whereas a buffer overflow or heap exploit worked on a specific target. This leads to mass-exploitation being significantly easier, and almost a given.

I can't wait to see what '09 and beyond brings... this community is dynamic and we're always finding new ways to exploit those willing to put features ahead of security. My prediction for 2009... more exploitation not of "code" but of standards (like what happened with ClickJacking).

Again, Happy New Year, and a prosperous and healthy 2009 and beyond.

Rafal (Ralph) M. Los
IT Security - Response | Mitigation | Strategy
E-mail: rafal at ishackingyou.com - Blog: http://preachsecurity.blogspot.com - LinkedIn: http://www.linkedin.com/in/rmlos

From canacar at gmail.com Mon Dec 29 15:13:38 2008
From: canacar at gmail.com (Can Erkin Acar)
Date: Mon, 29 Dec 2008 12:13:38 -0800
Subject: [Dailydave] tubes clogged
In-Reply-To: <20081229170620.GA77666@infiltrated.net>
References: <20081229150840.GA2808@MacBook.local> <4958EE98.7020507@crucialsecurity.com> <20081229170620.GA77666@infiltrated.net>
Message-ID: <9506dd40812291213m4321e8casb28f091118da6d39@mail.gmail.com>

On Mon, Dec 29, 2008 at 9:06 AM, J. Oquendo wrote:
> On Mon, 29 Dec 2008, Jared DeMott wrote:
>> An attack that leverages overrun routing queues to reroute traffic to a
>> network of choice?

Or perhaps something like this:
http://marc.info/?l=openbsd-cvs&m=123049469504128&w=2

Since the attack was "tested" over the Internet, this may very well be related.
Can

From jess.kitchen at adjacentnetworks.net Mon Dec 29 15:36:46 2008
From: jess.kitchen at adjacentnetworks.net (Jess Kitchen)
Date: Mon, 29 Dec 2008 20:36:46 +0000 (GMT)
Subject: [Dailydave] tubes clogged
In-Reply-To: <20081229170620.GA77666@infiltrated.net>
References: <20081229150840.GA2808@MacBook.local> <4958EE98.7020507@crucialsecurity.com> <20081229170620.GA77666@infiltrated.net>
Message-ID:

> I'm thinking an attack that causes BGP peers (glue of the internet)
> to go through a cascading flapping mechanism forcing them to
> continuously dampen each other till they keep breaking adjacency
> with each other.

In my experience one bad path being penalised actually affects all paths for a particular prefix available for consideration - this is one reason why flap dampening became unfashionable, as it potentially does more harm than good.

I think your idea should only actually be applicable to multihop EBGP sessions, and even then I can't see how you would essentially flap the intermediate linknets to cause this (take a directly connected /30 or exchange point prefix - in many cases they aren't even carried in BGP as more specifics).

The legal angle mentioned in the vague descriptions I've seen suggests that a major vendor (vendors?) has been reversed or fuzzed to good effect - one-packet session teardown perhaps - something to do with BFD? Throw in GTSM and uRPF on most sensible networks too and the attack won't get to the control plane, so..

I'm interested, that's for sure ;)

Jess

From fygrave at gmail.com Mon Dec 29 20:18:10 2008
From: fygrave at gmail.com (Fyodor)
Date: Tue, 30 Dec 2008 09:18:10 +0800
Subject: [Dailydave] tubes clogged
In-Reply-To: <49591D01.5090805@xs4all.nl>
References: <20081229150840.GA2808@MacBook.local> <200812291105.31389.dailydave@digitaloffense.net> <49591D01.5090805@xs4all.nl>
Message-ID:

> "...their research required massive computational resources that had to be
> utilized within a specific window of time": indicates some form of
> brute-force cryptokey cracking.
>

The "specific window of time" bit makes me think of some sort of session keys, heh :)

Also, somehow the "abusing the Internet" thing became synonymous with "abusing internet routing protocols" (otherwise why is everyone bringing up the BGP issue). Can't there be other things to be abused? Like authentication certs, PKI infrastructures, authentication mechanisms to control domain naming, RIPE or other registrar databases ... ? Say, if you're able to manipulate a registrar database, there are a lot of things you could do without actually having to mock with protocols at a low level. Computation-wise, in the old days it was enough to crack a DES hash (queryable by anyone, crackable with rainbow tables) to control AS entries, and IMHO they haven't improved much since that time (md5 instead of des is still not a big deal if you have "massive computational resources").

From jess.kitchen at adjacentnetworks.net Mon Dec 29 22:13:08 2008
From: jess.kitchen at adjacentnetworks.net (Jess Kitchen)
Date: Tue, 30 Dec 2008 03:13:08 +0000 (GMT)
Subject: [Dailydave] tubes clogged
In-Reply-To:
References: <20081229150840.GA2808@MacBook.local> <200812291105.31389.dailydave@digitaloffense.net> <49591D01.5090805@xs4all.nl>
Message-ID:

On Tue, 30 Dec 2008, Fyodor wrote:
> Also, somehow the "abusing the Internet" thing became synonymous with
> "abusing internet routing protocols" (otherwise why is everyone
> bringing up the BGP issue). Can't there be other things to be abused?
> Like authentication certs, PKI infrastructures, authentication
> mechanisms to control domain naming, RIPE or other registrar databases
> ... ?

Indeed. A recursive delete of at least child route: objects of a maintainer for which you had gained the correct plaintext would be fairly brutal if executed, say, 30 minutes before Level(3) and co updated their filters in Europe. As I recall, due to the hierarchy in RIPE and other derived IRR databases you cannot delete the maintainer itself, though it would I think be trivial to reverse the damage with cooperation from the IRR. Also, due to the lack of appropriate filtering outside of the European space you would only garner partial or localised outages. Still though, it's enough to piss on someone's fire in the holiday season.

That said, rich text search for CRYPT-PW may still be fun for 500 results or so. Audit trail and limited footprint have stopped this from surfacing thus far, I'd wager.

From thorsten.holz at gmail.com Tue Dec 30 04:24:40 2008
From: thorsten.holz at gmail.com (Thorsten Holz)
Date: Tue, 30 Dec 2008 10:24:40 +0100
Subject: [Dailydave] tubes clogged
In-Reply-To:
References: <20081229150840.GA2808@MacBook.local> <200812291105.31389.dailydave@digitaloffense.net> <49591D01.5090805@xs4all.nl>
Message-ID:

On 30.12.2008, at 02:18, Fyodor wrote:
>> "...their research required massive computational resources that
>> had to be
>> utilized within a specific window of time": indicates some form of
>> brute-force cryptokey cracking.
>>
>
> The "specific window of time" bit makes me think of some sort of
> session keys, heh :)
>
> Also, somehow the "abusing the Internet" thing became synonymous with
> "abusing internet routing protocols" (otherwise why is everyone
> bringing up the BGP issue). Can't there be other things to be abused?
> Like authentication certs, PKI infrastructures, authentication
> mechanisms to control domain naming, RIPE or other registrar databases
> ... ?
The rumors I heard during 25C3 are that they broke a Root CA key that is included in major browsers. This would enable creating fake websites with a valid SSL key, clearly a major threat...

Unfortunately I already had to leave Berlin, but the live stream will be available in a couple of hours at mms://streaming-25c3.fem-net.de/saal1 (15:15 CET)

Cheers,
Thorsten

From adrien at kunysz.be Tue Dec 30 08:16:18 2008
From: adrien at kunysz.be (Adrien Krunch Kunysz)
Date: Tue, 30 Dec 2008 14:16:18 +0100
Subject: [Dailydave] tubes clogged
In-Reply-To: <20081229150840.GA2808@MacBook.local>
References: <20081229150840.GA2808@MacBook.local>
Message-ID: <20081230131618.GA11667@baltika>

http://events.ccc.de/2008/12/30/the-cat-is-out-of-the-bag/

Presentation title is now "MD5 considered harmful today: Creating a rogue CA certificate"

It starts in one hour but the room is already full for the previous presentation. Live video stream is available (Saal 1, 15:15): http://events.ccc.de/congress/2008/wiki/Streaming

From dan at geer.org Tue Dec 30 08:45:48 2008
From: dan at geer.org (dan at geer.org)
Date: Tue, 30 Dec 2008 08:45:48 -0500
Subject: [Dailydave] tubes clogged
In-Reply-To: Your message of "Tue, 30 Dec 2008 10:24:40 +0100."
Message-ID: <20081230134548.BF07234162@absinthe.tinho.net>

Some time ago, perhaps in 2005, I did an analysis of all the then-trusted Root Certs in the major browsers. As near as I could tell then, 25% of the companies whose certs were embedded had by that time gone out of business, and many of the certs present had 20+ year expiry times, thus assuring that more certs would remain nominally valid even when the owning companies died.

And, of course, there are national laboratories that have likely already done all this repeatedly.

--dan

From pmelson at gmail.com Tue Dec 30 09:48:57 2008
From: pmelson at gmail.com (Paul Melson)
Date: Tue, 30 Dec 2008 09:48:57 -0500
Subject: [Dailydave] tubes clogged
In-Reply-To:
References: <20081229150840.GA2808@MacBook.local> <200812291105.31389.dailydave@digitaloffense.net> <49591D01.5090805@xs4all.nl>
Message-ID: <40ecb01f0812300648x3f2941f3w2b086888158f5f02@mail.gmail.com>

On Tue, Dec 30, 2008 at 4:24 AM, Thorsten Holz wrote:
> The rumors I heard during 25C3 are that they broke a Root CA key that
> is included in major browsers. This would enable creating fake
> websites with a valid SSL key, clearly a major threat...
>
> Unfortunately I already had to leave Berlin, but the live stream will
> be available in a couple of hours at mms://streaming-25c3.fem-net.de/saal1 (15:15
> CET)
>
> Cheers,
> Thorsten

Fresh from the Twitterverse: http://www.win.tue.nl/hashclash/rogue-ca/

PaulM

From alex at sotirov.net Tue Dec 30 11:52:35 2008
From: alex at sotirov.net (Alexander Sotirov)
Date: Tue, 30 Dec 2008 11:52:35 -0500
Subject: [Dailydave] MD5 Considered Harmful Today: Creating a rogue CA certificate
In-Reply-To: <20081230131618.GA11667@baltika>
References: <20081229150840.GA2808@MacBook.local> <20081230131618.GA11667@baltika>
Message-ID: <20081230165235.GA7950@81-163-137-128.visitor.congress.ccc.de>

Our research team, consisting of 7 researchers from the United States, Switzerland and the Netherlands, was able to execute a practical MD5 collision attack and create a rogue Certification Authority trusted by all common web browsers. This allows us to perform transparent man-in-the-middle attacks against SSL connections and monitor or tamper with the traffic to secure websites or email servers.

The infrastructure of Certification Authorities is meant to prevent exactly this type of attack. Our work shows that known weaknesses in the MD5 hash function can be exploited in a realistic attack, due to the fact that even after years of warnings about the lack of security of MD5, some root CAs are still using this broken hash function.

More details:
http://www.phreedom.org/research/rogue-ca/

Enjoy!

Alex

From dave at immunityinc.com Tue Dec 30 12:43:30 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 30 Dec 2008 12:43:30 -0500
Subject: [Dailydave] Questions about MD5+CA
Message-ID: <495A5DC2.5020204@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So if someone was able to get a root CA for $20000 - shouldn't we remove the RapidSSL root CA from our browsers with the next browser update? I don't see why people think this would be hard to replicate and hasn't been done previously to RapidSSL. Is it because no one other than that one team can do math or buy PS3s?

Microsoft's advisory on this is essentially defaulting to the "No one else has ever done this" position. This is weird. Trusted Roots that could have been used to sign these things need to get re-issued, right? What am I missing here? "You fail and are no longer trusted" seems like a viable option here that people are avoiding for some reason.
-dave

From cmiller at securityevaluators.com Tue Dec 30 13:51:01 2008
From: cmiller at securityevaluators.com (Charles Miller)
Date: Tue, 30 Dec 2008 12:51:01 -0600
Subject: [Dailydave] MD5 Considered Harmful Today: Creating a rogue CA certificate
In-Reply-To: <20081230165235.GA7950@81-163-137-128.visitor.congress.ccc.de>
References: <20081229150840.GA2808@MacBook.local> <20081230131618.GA11667@baltika> <20081230165235.GA7950@81-163-137-128.visitor.congress.ccc.de>
Message-ID: <3BC59F96-DFAA-43F9-80F7-624E4ABA3E76@securityevaluators.com>

That's great, but it doesn't answer the question we really care about... who won the T-shirt?

On Dec 30, 2008, at 10:52 AM, Alexander Sotirov wrote:
> Our research team, consisting of 7 researchers from the United States, Switzerland and the Netherlands, was able to execute a practical MD5 collision attack and create a rogue Certification Authority trusted by all common web browsers. This allows us to perform transparent man-in-the-middle attacks against SSL connections and monitor or tamper with the traffic to secure websites or email servers.
>
> The infrastructure of Certification Authorities is meant to prevent exactly this type of attack. Our work shows that known weaknesses in the MD5 hash function can be exploited in a realistic attack, due to the fact that even after years of warnings about the lack of security of MD5, some root CAs are still using this broken hash function.
>
> More details:
> http://www.phreedom.org/research/rogue-ca/
>
> Enjoy!
>
> Alex
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

From tqbf at matasano.com Tue Dec 30 14:18:06 2008
From: tqbf at matasano.com (Thomas Ptacek)
Date: Tue, 30 Dec 2008 13:18:06 -0600
Subject: [Dailydave] MD5 Considered Harmful Today: Creating a rogue CA certificate
In-Reply-To: <20081230165235.GA7950@81-163-137-128.visitor.congress.ccc.de>
References: <20081229150840.GA2808@MacBook.local> <20081230131618.GA11667@baltika> <20081230165235.GA7950@81-163-137-128.visitor.congress.ccc.de>
Message-ID: <1df0a410812301118q459a61acv5d70bfcec14a849c@mail.gmail.com>

So now that the details are (mostly) out, can you tell us who did what? Jeremy and I think the RapidSSL serial number was you.

On Tue, Dec 30, 2008 at 10:52 AM, Alexander Sotirov wrote:
> Our research team, consisting of 7 researchers from the United States, Switzerland and the Netherlands, was able to execute a practical MD5 collision attack and create a rogue Certification Authority trusted by all common web browsers. This allows us to perform transparent man-in-the-middle attacks against SSL connections and monitor or tamper with the traffic to secure websites or email servers.
>
> The infrastructure of Certification Authorities is meant to prevent exactly this type of attack. Our work shows that known weaknesses in the MD5 hash function can be exploited in a realistic attack, due to the fact that even after years of warnings about the lack of security of MD5, some root CAs are still using this broken hash function.
>
> More details:
> http://www.phreedom.org/research/rogue-ca/
>
> Enjoy!
>
> Alex

--
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log

From tqbf at matasano.com Tue Dec 30 14:33:42 2008
From: tqbf at matasano.com (Thomas Ptacek)
Date: Tue, 30 Dec 2008 13:33:42 -0600
Subject: [Dailydave] Questions about MD5+CA
In-Reply-To: <495A5DC2.5020204@immunityinc.com>
References: <495A5DC2.5020204@immunityinc.com>
Message-ID: <1df0a410812301133g1b142f16sf092d0f31e5537de@mail.gmail.com>

If you take everything in the paper at face value, a couple things mitigate this attack:

* The research team had access not only to a cluster of PS3s but to a specially optimized MD5 collision-finding implementation, which they had because Lenstra's team has been playing with a PS3 cluster for a while.

* The research team had access to a currently-unpublished optimization to (presumably the birthday-bits search part of) the collision-finding algorithm.

* The attack could be made impractical by randomizing the serial numbers for all future certs issued by RapidSSL (and, presumably, by banning MD5).

On Tue, Dec 30, 2008 at 11:43 AM, Dave Aitel wrote:
> So if someone was able to get a root CA for $20000 - shouldn't we remove the RapidSSL root CA from our browsers with the next browser update? I don't see why people think this would be hard to replicate and hasn't been done previously to RapidSSL. Is it because no one other than that one team can do math or buy PS3s?
>
> Microsoft's advisory on this is essentially defaulting to the "No one else has ever done this" position. This is weird. Trusted Roots that could have been used to sign these things need to get re-issued, right? What am I missing here?
>
> "You fail and are no longer trusted" seems like a viable option here that people are avoiding for some reason.
>
> -dave

--
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log

From alex at sotirov.net Wed Dec 31 15:17:02 2008
From: alex at sotirov.net (Alexander Sotirov)
Date: Wed, 31 Dec 2008 15:17:02 -0500
Subject: [Dailydave] MD5 Considered Harmful Today: Creating a rogue CA certificate
In-Reply-To: <1df0a410812301118q459a61acv5d70bfcec14a849c@mail.gmail.com>
References: <20081229150840.GA2808@MacBook.local> <20081230131618.GA11667@baltika> <20081230165235.GA7950@81-163-137-128.visitor.congress.ccc.de> <1df0a410812301118q459a61acv5d70bfcec14a849c@mail.gmail.com>
Message-ID: <20081231201702.GA9111@MacBook.local>

On Tue, Dec 30, 2008 at 01:18:06PM -0600, Thomas Ptacek wrote:
> So now that the details are (mostly) out, can you tell us who did what? Jeremy and I think the RapidSSL serial number was you.

This project was a collaboration, so I don't want to diminish anyone's contributions. We discussed everything among all members of the team and we all contributed to the success of this project.

Most of the theory behind our attack was published in the "Target Collisions for MD5 and Colliding X.509 Certificates for Different Identities" paper in 2007 by Marc Stevens, Benne de Weger and Arjen Lenstra. David Molnar and Jake Appelbaum noticed that RapidSSL was still using MD5 in 2008 and had the idea of flipping the CA bit to get an intermediate CA cert. Jake mentioned it to me at CanSecWest this year.

After Dan broke DNS and SSL was the only thing keeping the sky from falling completely, I decided to try to break that too. I talked to Jake and David about the MD5 attack in July and we realized that we needed chosen-prefix collisions for it. We contacted the European researchers and they agreed to work together with us on this project.

The RapidSSL timestamp and serial number work was indeed me (funny how some people have such a recognizable research "signature" :-)

Marc Stevens did some very impressive work on improving the collision generation and ran the code on Arjen's PS3 cluster. Benne did the majority of the work on the paper and we all collaborated on the slides and presentation. Jake did a very good job at dealing with the press, getting us in touch with the EFF and convincing Mozilla to sign the NDA. He and David also did the MITM demo for our talk.

I also want to thank the EFF for providing us with legal assistance and negotiating the NDA with Microsoft and Mozilla. Jennifer Granick is indeed awesome! We also had assistance from lawyers from CWI, TU/e and EPFL, as well as PR representatives from those institutions.

Microsoft helped us notify the affected CAs and served as an intermediary between our team and the CAs. The MSRC was generally very helpful and provided useful information about the full impact of the attack and possible countermeasures.

This was the most difficult project to coordinate that I've ever been involved with, but I am personally very happy with the results.

Take care,
Alex
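Thomas's mitigation list (randomize serials, ban MD5) and Alex's account of how the attack was aimed at RapidSSL both come down to two fields a relying party can inspect in any certificate it is handed: the signature algorithm OID and the serial number. The block below is an added example, not code from this thread or from the research team: a minimal DER walker that reads those two fields from a certificate and flags MD5 signatures and serials shorter than 64 bits. The sample "certificates" are constructed DER shells holding only the audited fields, and the 64-bit threshold is an assumption made here, not something the thread states.

```python
# Added example (not the thread's or the team's code): flag MD5 signature OIDs and short serials in a DER cert.
MD5_SIG_OIDS = {"1.2.840.113549.1.1.4", "1.3.14.3.2.3"}  # md5WithRSAEncryption, md5WithRSA

def tlv(buf, off):
    """Decode one DER TLV at buf[off]; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                   # long form: n length octets follow
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def decode_oid(value):
    """OID content octets -> dotted string, e.g. 1.2.840.113549.1.1.4."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                                # last base-128 digit of this arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def audit_cert(der_cert, min_serial_bits=64):
    """Return signature OID, serial, and the flags weak_hash / short_serial."""
    _, cert, _ = tlv(der_cert, 0)                       # Certificate ::= SEQUENCE
    _, tbs, _ = tlv(cert, 0)                            # tbsCertificate ::= SEQUENCE
    tag, _, off = tlv(tbs, 0)                           # version [0] EXPLICIT is optional
    if tag != 0xA0:
        off = 0
    tag, serial_bytes, off = tlv(tbs, off)              # serialNumber INTEGER
    assert tag == 0x02, "serialNumber must be an INTEGER"
    _, sig_alg, _ = tlv(tbs, off)                       # signature AlgorithmIdentifier
    _, oid_bytes, _ = tlv(sig_alg, 0)                   # its first element is the OID
    oid = decode_oid(oid_bytes)
    serial = int.from_bytes(serial_bytes, "big", signed=True)
    return {"sig_oid": oid, "serial": serial, "weak_hash": oid in MD5_SIG_OIDS,
            "short_serial": serial.bit_length() < min_serial_bits}
def der(tag, body):
    assert len(body) < 128, "sample builder handles short-form lengths only"
    return bytes([tag, len(body)]) + body
def sample_cert(sig_oid, serial):
    """Constructed, certificate-shaped DER holding just the fields audited above."""
    version = der(0xA0, der(0x02, b"\x02"))                          # v3
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")     # positive INTEGER
    sig_alg = der(0x30, der(0x06, sig_oid) + b"\x05\x00")            # OID + NULL params
    return der(0x30, der(0x30, version + der(0x02, ser) + sig_alg))
MD5_RSA = bytes.fromhex("2a864886f70d010104")                        # 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")                     # 1.2.840.113549.1.1.11
# Constructed samples: a sequential serial under MD5 (the 2008 RapidSSL pattern) vs a 128-bit one under SHA-256.
LEGACY = sample_cert(MD5_RSA, 643015)
MODERN = sample_cert(SHA256_RSA, 0x5F3E9C1A7B2D4E6F8A9B0C1D2E3F4A5B)
```

Run `audit_cert` over the DER of a real leaf and its intermediates to see which of the two weaknesses each carries; a weak_hash hit on any issuer in the chain is the condition the thread is about.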