Where To Sell Software Vulnerabilities/Exploits?

So the last post that I wrote, and Aviram’s follow-on post, really got me thinking: unless you know where to sell software vulnerabilities or exploits, finding places isn’t really that easy at all. I knew about ZDI and VPC, but that was it really, and it took me ages to remember VPC.

So I spent some time Googling, and well, that didn’t help me much, to be honest. So I’ve decided to compile a list on here, with a subject that’s easy enough to search for.

So what I’m asking all our readers is that if you know of anywhere that buys software vulnerabilities legitimately, please let me know by leaving a comment and I’ll update the list here accordingly.

So without any further ado, here’s the definitive list of where you can sell those exploits and vulnerabilities that you worked so hard on discovering and writing.

Beyond Security

Zero Day Initiative (Tippingpoint)

Vulnerability Contributor Program (iDefense)

Global Vulnerability Partnership


Why Is Free Vuln Disclosure so Damn Difficult?

Xyberpix described how difficult it is to disclose vulnerabilities to ZDI and iDefense. But even after you’ve sold it, the process is just beginning. Sure, the researcher gets paid and is free to resume his work, but the work for us, the vulnerability coordinators, just begins.

We recently received 2 disclosures to our SecuriTeam Secure Disclosure program, for Sonicwall and Google vulnerabilities. We received sponsors for both vulnerabilities, which means there is a commercial organization out there that was willing to pay the researcher for their efforts. That part ended well for the researchers.

Now both organizations want the vendors to patch up. Sounds easy, right? We are giving Sonicwall and Google free information about security holes in their products, and want nothing in return except for them to fix it.

Well, it’s damn difficult.

Google is always difficult when it comes to security. When I reported an information disclosure vulnerability in Google Calendar they ignored me, then sent their PR person to say “it’s a feature”, then silently fixed it claiming it was never there. Dealing with Google on security issues is like talking to a girl that speaks a foreign language. But more on that later - let’s start with Sonicwall.

Wouldn’t you expect security vendors to be more aware of security problems in their products? Well, for the last few weeks we’ve tried to bang on every door, calling in personal favors to tell Sonicwall (for free, let me remind you) about a security hole in their product.
Why bang on every door? Because they won’t talk to us since “we’re not Sonicwall customers”. We can’t open a support ticket and they won’t give “us” support. security@sonicwall? Yeah, right. Even good friends couldn’t help. The system will not accept a report from non-customers.

I guess our only course of action is to pay Sonicwall money to let them know about their vulnerabilities. I wonder if that’s Sonicwall’s long term strategy for profit? BTW, if you work for Sonicwall and can help, please contact me - but keep in mind paying Sonicwall for telling them about their own security issues is not a part of our plan.

Back to Google. The story there is simple and boring. It’s not a bug, it’s a feature. In fact, every browser has this problem, errm, I mean feature. In fact, it’s been proven you can execute JavaScript in the Chrome user’s browser, so we’ll leave this open as well. If the stupid web app developers can’t solve this we certainly aren’t going to help them.
But why am I boring you with the broad strokes? Go read the discussion:
http://code.google.com/p/chromium/issues/detail?id=46795. Nothing we haven’t seen with previous Google security bug handling; just ask this guy.

Yes, it is 2010, and we are still talking about Vulnerability Disclosure to vendors. I guess next we’ll be arguing if heap overflows are exploitable.

Update: We were contacted by Sonicwall and the bug will be looked at. Hopefully security@sonicwall will start accepting submissions from non-customers.


Why Is Paid Responsible Disclosure So Damn Difficult?

So I’ve been sitting on an Apple vulnerability for over a month now, and I’m really starting to realise that maybe just sending the details to the Full-Disclosure mailing list and Exploit-DB.com is the right way to go about disclosing vulnerabilities and exploits.

I initially contacted ZDI to see if they would be at all interested in buying the exploit off of me, as I spent a lot of time researching and finding this one, and I’d like to get something for my efforts. I am a firm believer in the No More Free Bugs movement, and I understand and appreciate what ZDI are doing, but the fact that it took them just under a month to get back to me is really not good enough, to be very honest. If they don’t have the researchers, then advertise worldwide, instead of just US only. I know I for one would be happy validating bugs all day, and this is the type of work that can be done remotely.
Yesterday I also submitted the same information to the iDefense Labs Vulnerability Contributor Program (VCP), who claim to get back to me within 48 hours, so we’ll see how that goes. I will update this post as and when I know more.

I also took the off chance of mailing Apple directly, and asking if they offer any rewards for vulnerabilities that have been found, and if so what they would be. I don’t have high hopes of Apple offering anything, but to be honest, I would prefer to disclose this one directly to Apple. They do, however, have paid staff to do this work on a full-time basis on all their products, so why aren’t they doing it properly? I feel that anyone else finding bugs for them should be compensated appropriately. However, I e-mailed them yesterday and received an automated response, so we’ll see how long it takes them to respond to me as well.

This may end up being a rather long post, but let’s see. I’m also expecting to see quite a few interesting comments on this post as well, so come on people.

UPDATE 30/06/2010:

Received a response from iDefense last night, and a request for more info. So just over 24-hour response time, which is brilliant; I’m really impressed so far.

Received a response from Apple: I was informed that if I would like any reward (aside from credit for the find), I should go through ZDI or iDefense.


Backtrack - The Future, The Funding, The Roadmap

Great news: Backtrack now has funding to move ahead with scheduled releases, and a roadmap moving forward up to Backtrack 5. You can view the roadmap here. It seems that the world’s leader in penetration testing training, namely Offensive Security, is going to be funding the BackTrack Linux distribution’s development going forward. No need to worry though, BackTrack is still going to remain an Open Source distro.

Other news on this front is that the Exploit Database now has new EDB Research and Development teams that are actively working on vulnerability discovery and development, so watch this space for more news and good things to come. It’s also very worthwhile checking out the Exploit Database Blog.


Hack In The Box Security Conference Comes to Europe

The first ever HITB Security conference will be held in Amsterdam on the 1st and 2nd July, so apologies for only posting this now, but there’s still time to register.

The full conference agenda can be found here.

Some of the talks listed are:

- Breaking Virtualization by Switching to Virtual 8086 Mode

- Attacking SAP Users Using sapsploit

- Fireshark – A tool to Link the Malicious Web

- Having Fun with Apple’s IOKit

So all in all, it looks like it’s going to be an interesting couple of days.

Leave a comment if you’re going, it’d be good to hook up.


DNS and DNScat

So the other day I was conducting a penetration test, and compromising the host in question was easy enough, but I wanted something that would make a bit more of an impact in the report, rather than the standard “used Metasploit with X exploit and a reverse shell”. So I spent some time looking through my little bag of tricks and came across DNScat. Now I’ve been wanting to use this tool for a while now, as it just seems like it’d make a nice high-impact paragraph to have in a report, with a bit of a different swing on it.

For those of you who haven’t heard of DNScat before, here’s the blurb taken directly from the web site, which can be found here.

“DNScat (pronounced “D-N-S cat”) is a “swiss-army knife” tool to tunnel traffic through DNS servers. It provides a bi-directional communication through DNS servers, and in conjunction with PPP, can be used to set up a virtual private network (VPN).
DNScat, like a swiss army knife can be used for a variety of purposes, including:
- penetration testing of networks behind firewalls
- sending messages through firewalled networks
- setting up a VPN through firewalled networks
- learning how to detect covert channels through DNS servers
- and more… ”

So lo and behold, I finally got a chance to play with DNScat, and the look on the security manager’s face when he read the report was priceless; his words were something along the lines of: “We made sure to secure everything we could think of, but DNS, really?”

For those of you that do professional penetration testing, if you haven’t used DNScat yet, take the time to have a look at it and learn how to use it; it’s a decent tool and a lot of fun!
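As an added illustration of the last bullet in the blurb (learning how to detect covert channels through DNS servers), here is a defender-side heuristic run over a constructed resolver query log; it is not part of the original post or of DNScat, and the log format, record-type list and thresholds are assumptions.

```python
# Heuristic detector for DNS covert channels (DNScat-style tunnels) over query-log lines.
# Constructed log format, one query per line: "<timestamp> <client> <qtype> <qname>".
import math
import re
from collections import defaultdict

# Constructed sample: 10.0.0.5 browses normally; 10.0.0.9 tunnels through the resolver.
# Tunnel labels are long, high-entropy and never repeat, and favour TXT/CNAME answers.
SAMPLE_LOG = """\
2010-06-28T10:15:01 10.0.0.5 A www.example.com
2010-06-28T10:15:02 10.0.0.5 A mail.example.com
2010-06-28T10:15:03 10.0.0.5 MX example.com
2010-06-28T10:15:04 10.0.0.5 A www.example.com
2010-06-28T10:15:05 10.0.0.9 TXT 0a3f9c71e2b84d.6c5e1f90ab34.t.example.org
2010-06-28T10:15:05 10.0.0.9 TXT 1b4e0d82f3c95e.7d6f2a01bc45.t.example.org
2010-06-28T10:15:06 10.0.0.9 CNAME 2c5f1e93a4da6f.8e7a3b12cd56.t.example.org
2010-06-28T10:15:06 10.0.0.9 TXT 3d6a2fa4b5eb70.9f8b4c23de67.t.example.org
2010-06-28T10:15:07 10.0.0.9 TXT 4e7b30b5c6fc81.0a9c5d34ef78.t.example.org
2010-06-28T10:15:07 10.0.0.9 A 5f8c41c6d70d92.1bad6e45f089.t.example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+)$")
DATA_TYPES = {"TXT", "NULL", "CNAME"}  # record types that can carry arbitrary data downstream


def shannon_entropy(s):
    """Bits per character; encoded payload labels score far above ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (client, qtype, qname) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, client, qtype, qname = m.groups()
            yield client, qtype, qname.lower().rstrip(".")


def summarise(text):
    """Aggregate per (client, zone). The zone is taken as the last two labels, a
    simplification; real deployments need a public-suffix list (example.co.uk)."""
    stats = defaultdict(lambda: {"n": 0, "unique": set(), "len": 0, "ent": 0.0, "data": 0})
    for client, qtype, qname in parse_log(text):
        labels = qname.split(".")
        zone = ".".join(labels[-2:])
        payload = ".".join(labels[:-2])  # everything left of the zone
        st = stats[(client, zone)]
        st["n"] += 1
        st["unique"].add(payload)
        st["len"] += len(payload)
        st["ent"] += shannon_entropy(payload.replace(".", ""))
        st["data"] += qtype in DATA_TYPES
    return stats


def flag_tunnels(text, min_queries=5, min_unique_ratio=0.8, min_avg_len=20, min_avg_entropy=3.0):
    """Return (client, zone, avg_len, avg_entropy, data_type_ratio) for pairs whose traffic
    looks like a covert channel: many queries, nearly every subdomain unique, and long
    high-entropy labels. Thresholds are starting points to tune against your own baseline."""
    hits = []
    for (client, zone), st in summarise(text).items():
        if st["n"] < min_queries:
            continue
        unique_ratio = len(st["unique"]) / st["n"]
        avg_len = st["len"] / st["n"]
        avg_ent = st["ent"] / st["n"]
        if unique_ratio >= min_unique_ratio and avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            hits.append((client, zone, round(avg_len, 1), round(avg_ent, 2), round(st["data"] / st["n"], 2)))
    return hits
```

The data-type ratio is reported rather than used as a threshold because legitimate TXT-heavy traffic (SPF, DKIM lookups) would otherwise produce false positives.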


PopulistNet

Like freedom of the press, ultimately, net neutrality is going to be reserved for those who own one.

Well, we’re getting closer.

Consider the case of cell/mobile phones.  The device is basically useless for communications, unless you have service through a provider.  They have the cell towers, and link through to the public telephone network.  You have to pay them, and they get to manage how calls are made.

(Just as a side issue, the more people who are subscribers in a given location, the worse chance you have of getting to make a call.  You get to be a victim of their [the telco’s] success.)

Now, consider.  Cell phones are getting smarter all the time.  Already they can connect with (and via) wifi.  And we can build applications for them.  Recently I didn’t have Internet access for my laptop, and someone with an Android phone was able to set up a wireless access point for me, through his phone, and give me that connection.

OK, let’s extend the routing a bit.  We’ve developed a lot of good routing protocols from building the Internet.  Let’s extend those to handle hops from phone to phone.  And, using voice over IP, and a few other technologies, pretty soon we can make calls without hitting a cell tower.

(And, bearing in mind technologies such as CDMA2000, note that, in opposition to the cell tower contention model, the *more* cell phones we put into an area under this model, the *better* our coverage and bandwidth is going to be.  The closer the devices are to each other, the faster [more bandwidth] they can talk to each other.)

Latency may be a problem.  Security (in terms of confidentiality) will definitely need to be addressed.  Long distance transmission will be a concern (although it’s rather amazing how many ideas start popping up as soon as those issues are raised).

Basically, any form of communication will follow from the same model.  With a bunch of cell phones where your only cost is the initial cost of the phone itself (no subscription, no usage cost, no long distance charges) it won’t take long for landline phones to be phased out.  Data communications, for any “store and forward” model (basically, anything other than streaming) will be even more efficient.  Maybe there will still be a place for the telcos: if you want faster service for real time streaming of content.  Of course, they’d have to be willing to set the price point for unlimited data low enough to be attractive …

However, we would now seem to be nearer the end than the beginning.  It’s mostly a matter of which platform to start with.  Google has demonstrated that it *can* turn off applications, but, in this case, why should it?  Apple might want to jump in on the ground floor, but they turn off a lot more apps, and, in any case, it probably isn’t best to start with a phone where you have to hold your tongue (or your hand) just right to get it to work.


National Strategy for Trusted Identities in Cyberspace

There is no possible way this could potentially go wrong, right?

Doesn’t the phrase “Identity Ecosystem” make you feel all warm and “green”?

It’s a public/private partnership, right?  So there is no possibility of some large corporation taking over the process and imposing *their* management ideas on it?  Like, say, trying to re-introduce the TCPI?

And there couldn’t possibly be any problem that an identity management system is being run out of the US, which has no privacy legislation?

The fact that any PKI has to be complete, and locked down, couldn’t affect the outcome, could it?

There isn’t any possible need for anyone (who wasn’t a vile criminal) to be anonymous, is there?


Sound good?

By the way, in non-Sonne-erous G8/20 news, our government(s) have spent a billion dollars on security for a couple of days of meetings.  Even given the degraded value of the American billion, that’s a lot of money.

Part of it was used to buy sound cannons.  (The police don’t like you saying that: they prefer the term “long range sonic control devices.”)  These sound cannons generate noise at 130 decibels, which the civil liberties folks are concerned will damage human hearing.

That’s the same level of noise a vuvuzela makes.

So, look, why didn’t we save the billion dollars, go down to Canadian Tire, and, for a hundred bucks (possibly in Canadian Tire money) equip the entire riot squad with vuvuzelas?


iPhone Data Protection

Now that Apple has released iOS 4 there are a couple of funky security features that you can make use of, namely Data Protection and strong passcodes.

“Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages and attachments. Third-party applications can use the data protection APIs in iOS 4 to further protect application data.”

For more information on how to enable this feature, please see the Apple article HT4175.

Strong passcodes mean that you can finally do away with the standard 4-digit PIN to lock your iPhone and you can now set up complex passwords instead. To enable this, go into Settings->General->Passcode Lock and then turn off Simple Passcode.


Malware2010 - The academic approach to Malware

The 5th IEEE International Conference on Malicious and Unwanted Software (Malware 2010) will be held at the Grand Hotel De La Reine, Nancy, France, Oct. 20-21, 2010.

The conference is designed to bring together experts from industry, academia, and government to present and discuss, in an open environment, the latest advances and discoveries in the field of malicious and unwanted software. Techniques, economics and legal issues surrounding the topic of Malware, and the methods to detect and control them will be discussed.

This year’s conference will pay particular attention to the pressing topic of “Malware and Cloud Computing” (which will also be extensively discussed in a panel session). As low-cost Netbooks become popular, Google’s Chrome OS enters the mainstream, and social networks (Facebook, YouTube, Twitter, LinkedIn, and so forth) become ubiquitous, the security dangers associated with the new computing paradigm increase exponentially. In effect, “Cloud Computing”, Multi-tenant, Single Schema, Single Server Platforms (C2S3P) increase vulnerabilities by providing a single point of failure and attack for organized criminal networks. Critical/sensitive/private information is at risk, and very much like previous technology adoption trends, such as wireless networks, the dash for success is trumping the need for security.

Thus, the organizers of Malware 2010 solicit original written contributions addressing these issues and research questions. Manuscripts focusing on the security properties of Cloud Computing, the risks associated with the deployment of such networks, and the analysis of real incidents where a breach has occurred will be particularly welcomed.

The Call for Papers is still open, and you are welcome to hand in your submission at: http://malware2010.org/


Examining malware will be illegal in Canada

We’ve got a new law coming up in Canada: C-32, otherwise known as DMCA-lite.

Lemme quote you a section:

29.22 (1) It is not an infringement of copyright for an individual to reproduce a work or other subject-matter or any substantial part of a work or other subject-matter if
[…]
(c) the individual, in order to make the reproduction, did not circumvent, as defined in section 41, a technological protection measure, as defined in that section, or cause one to be circumvented.

Now, of course, if you want to examine a virus, or other malware, you have to make a copy, right?  So, if the virus writer has obfuscated the code, say by doing a little simple encryption, obviously he was trying to use a “technological protection measure, as defined in that section,” right?  So, decrypting the file is illegal.

Of course, it’s been illegal in the US for some years, now …


Your Chance To Get The Tools You Want Added To The Next Backtrack Release (BT4r1)

If there are any tools that you currently use that aren’t already in the Backtrack 4 Linux distribution, then now is your chance to get them added to the next Backtrack release.

The guys over at Offensive Security have set up a page where you can submit your requests. I urge everyone to make use of this if there is anything that you think the Backtrack community could benefit from, and make your lives easier.

The link to submit requests can be found here.


He’s eight, OK?

So I’m in the store with my grandson, preparatory to taking him (and his sister) for ice cream.  We’re buying cheese.  One of the varieties of the cheese we want to buy is wasabi.

“We should get some of that for Grama,” he says.

(His father gave him a wasabi pea, once, and he has never forgotten it.)

“Ha!” says I, “Maybe we should forget this ice cream idea.  We shouldn’t get you ice cream, for you are an evil child!”

Most children of eight would object.  Both to the potential loss of ice cream, and to any insinuation that they are evil.  “I’m not bad!” they would whine.

But not my grandson.  He doesn’t bat an eye.  Without a second’s pause, he fires back with “Ah!  But you haven’t yet heard my plan for taking over the world!”

Maybe he takes after his grandfather too much …


(IN)SECURE Magazine Issue 26

For those of you that have never read the online publication (IN)SECURE, now really is a good time to start. The latest issue is now available online here.

This issue covers the following topics:

  • PCI: Security’s lowest common denominator
  • Analyzing Flash-based RIA components and discovering vulnerabilities
  • Logs: Can we finally tame the beast?
  • Launch arbitrary code from Excel in a restricted environment
  • Placing the burden on the bot
  • Data breach risks and privacy compliance: The expanding role of the IT security professional
  • Authenticating Linux users against Microsoft Active Directory
  • Hacking under the radar
  • Photos: Infosecurity Europe 2010
  • Securing the office in your pocket
  • iPhone backup, encryption and forensics
  • The growing problem of cyber bullying
  • Secure collaboration: Managing the inside threat posed by trusted outsiders
  • SMS spamming
  • A new scalable approach to data tokenization.

Maltego 3

For all of those who have been eagerly awaiting the release of Maltego 3, it’s now available to download here.

There are new versions of the community and commercial editions, and I have to say that it really is worthwhile getting the commercial version if you can afford it.
I have to say that this is one of the most fascinating tools around at the moment. For those of you who have never heard of Maltego or what it’s capable of, here’s the blurb from Paterva’s web site.

What is Maltego?

With the continued growth of your organization, the people and hardware deployed to ensure that it remains in working order is essential, yet the threat picture of your “environment” is not always clear or complete. In fact, most often it’s not what we know that is harmful - it’s what we don’t know that causes the most damage. This being stated, how do you develop a clear profile of what the current deployment of your infrastructure resembles? What are the cutting edge tool platforms designed to offer the granularity essential to understand the complexity of your network, both physical and resource based?

Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.

The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet - whether it’s the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits, Maltego can locate, aggregate and visualize this information.

Maltego offers the user unprecedented information. Information is leverage. Information is power. Information is Maltego.

What does Maltego do?

  • Maltego is a program that can be used to determine the relationships and real world links between:
    • People
    • Groups of people (social networks)
    • Companies
    • Organizations
    • Web sites
    • Internet infrastructure such as:
      • Domains
      • DNS names
      • Netblocks
      • IP addresses
    • Phrases
    • Affiliations
    • Documents and files
  • These entities are linked using open source intelligence.
  • Maltego is easy and quick to install - it uses Java, so it runs on Windows, Mac and Linux.
  • Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate - making it possible to see hidden connections.
  • Using the graphical user interface (GUI) you can see relationships easily - even if they are three or four degrees of separation away.
  • Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.

What can Maltego do for me?

  • Maltego can be used for the information gathering phase of all security related work. It will save you time and will allow you to work more accurately and smarter.
  • Maltego aids you in your thinking process by visually demonstrating interconnected links between searched items.
  • Maltego provides you with a much more powerful search, giving you smarter results.
  • If access to “hidden” information determines your success, Maltego can help you discover it.

Vulnerability Scanner