Monthly Archives: March, 2008

Still time to submit an application for SoC 2008!

Google will continue to accept student applications until Monday, March 31, 2008! Please help spread the word and encourage all eligible students to apply to OSVDB or one of the other security related projects!

OSVDB: The Open Source Vulnerability Database: http://osvdb.org/blog/?p=231

OSSIM: Open Source Security Information Management: http://www.ossim.net/dokuwiki/doku.php?id=ideas

Nmap Security Scanner: http://nmap.org/GoogleGrants.html

The Electronic Frontier Foundation/Tor Project: https://www.torproject.org/volunteer.html.en#Projects

Umit: A Nmap Frontend: http://www.umitproject.org/?active=gsoc&mode=ideas

Freenet Project Inc: http://wiki.freenetproject.org/SummerOfCode2008

Organizations by programming language: http://eflow.org/wiki/index.php?Mentors_by_language

Organizations by category: http://genmapp.org/gsoc/mentors_by_category.htm

SoC Timeline: http://code.google.com/opensource/gsoc/2008/faqs.html#0.1_timeline

The purpose of tracking numbers.. (IBM)

First it was HP, then it was Sun. Not to be outdone, IBM steps up and gives VDBs a headache.

APAR IZ00988 is “sysrouted” to APAR IZ01121 and APAR IZ01122.

Really IBM, the amount of information common to all three pages is overwhelming. Do you really need a new APAR number issued for component name or level? Can’t you just list them all in one APAR and save us time? More importantly, do we need three APAR entries that say “a security issue has been fixed” and make us dig up the information?

OSVDB – Mar 25 Code Push

Public Enhancements:

  • Titles now prominently display “myth/fake” to help users mentally filter those when reading search results
  • New users signing up are subjected to a CAPTCHA to prevent abuse
  • Small re-design of vulnerability editing pages to improve screen real estate use
  • Front end now shows who is online

Behind the Scenes:

  • Bulk search enhancements, ultimately to better handle CVE matching
  • Remove some error conditions that could occur during vendor management

OSVDB Selected for Google Summer of Code 2008

OSVDB has been accepted for Google’s Summer of Code for 2008. Please help spread the word and encourage all eligible students to apply for an OSVDB project! Google will begin accepting student applications on Monday, March 24, 2008!

If you have any questions or would like some more details about our project ideas please get in touch with us!

“high price bug brokering market just isn’t viable”

On January 17, 2007, SnoSoft / Netragard LLC announced a new Exploit Acquisition Program designed to compete with iDefense, TippingPoint and others. Nothing special or different other than the suggestion that they would pay more for high end vulnerabilities. A little over a year later, and they announced they were shutting down the Exploit Acquisition Program. From their post:

We regret to say that it’s true, we’ve shut down the Exploit Acquisition Program. The reason for the shutdown was that it was taking our buyers too long to complete a single transaction and it wasn’t fair to the researchers. While we’d expect a single transaction to take no more than a month, the average transaction time for our buyer was 4 months. The last transaction that we attempted took 7 months at which point the issues were silently patched and the transaction was dead. As it stands right now, we can’t justify asking anyone to wait that long to move a single item. So until the end players learn how to move faster, the high price bug brokering market just isn’t viable.

No offense to SnoSoft / Netragard, but their competitors have proven that the market is viable. I guess the trick is how you ‘sell’ the information. For iDefense it is early warning for their customers in case the same vulnerability is being exploited by others. For TippingPoint it is early warning and IPS signatures. For WabiSabiLabi it is more like the SnoSoft program, where one buyer gets exclusive rights to the information, and it appears to be working to some degree.

It’s patch xxxday!

A while back, Microsoft announced they were moving to release patches on the second Tuesday of each month, lovingly called Patch Tuesday. Soon after, Oracle announced that they too would be moving to scheduled releases of patches on the Tuesday closest to the 15th day of January, April, July and October. Now, Cisco has announced they are moving to scheduled patches on the fourth Wednesday of the month in March and September of each calendar year.

In the attempt to make life easier on administrators and help avoid installing patches every few days, these scheduled releases are now causing organizations to enjoy life between monster patches.

Mar 11 – Microsoft
Mar 26 – Cisco
Apr 8 – Microsoft
Apr 15 – Oracle
May 13 – Microsoft
June 10 – Microsoft
July 8 – Microsoft
July 15 – Oracle
August 12 – Microsoft
September 9 – Microsoft
September 24 – Cisco
October 14 – Microsoft, Oracle
November 11 – Microsoft
December 9 – Microsoft

As you can see, October 14 promises to be a lot of fun for companies running Oracle products on Microsoft systems. While the scheduled dates look safe, I can’t wait until we see the “perfect storm” of vendor patches.
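As an added example (not from the original post), the three vendor scheduling rules above expressed in Python: it generates the 2008 calendar from the rules alone and flags any day on which more than one vendor ships, which is the October 14 collision noted above. The weekday constants and function names are my own.

```python
"""Derive the 2008 vendor patch calendar from the scheduling rules in the
post and flag days on which two vendors' releases coincide (added example).
Rules: Microsoft = second Tuesday of every month; Oracle = Tuesday closest
to the 15th of January, April, July and October; Cisco = fourth Wednesday
of March and September."""
from collections import defaultdict
from datetime import date, timedelta

TUESDAY, WEDNESDAY = 1, 2  # date.weekday(): Monday == 0


def nth_weekday(year, month, weekday, n):
    """Return the n-th (1-based) occurrence of `weekday` in the month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def weekday_closest_to(year, month, day, weekday):
    """Return the `weekday` nearest to year-month-day (never a tie: 7 is odd)."""
    anchor = date(year, month, day)
    back = (anchor.weekday() - weekday) % 7
    fwd = (weekday - anchor.weekday()) % 7
    if back <= fwd:
        return anchor - timedelta(days=back)
    return anchor + timedelta(days=fwd)


def patch_calendar(year):
    """Map each scheduled release date to the sorted vendors releasing that day."""
    cal = defaultdict(list)
    for m in range(1, 13):
        cal[nth_weekday(year, m, TUESDAY, 2)].append("Microsoft")
    for m in (1, 4, 7, 10):
        cal[weekday_closest_to(year, m, 15, TUESDAY)].append("Oracle")
    for m in (3, 9):
        cal[nth_weekday(year, m, WEDNESDAY, 4)].append("Cisco")
    return {d: sorted(v) for d, v in sorted(cal.items())}


def collision_days(year):
    """Dates on which more than one vendor ships scheduled patches."""
    return [d for d, v in patch_calendar(year).items() if len(v) > 1]


if __name__ == "__main__":
    for d, vendors in patch_calendar(2008).items():
        print(d.strftime("%b %d"), "-", ", ".join(vendors))
```

Running it reproduces the list above (only the Oracle date in January falls outside the post's March-onward list) and reports October 14 as the single collision day of 2008.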

March Code Push

Public Enhancements:

  • Improvements to the Watch List functionality
  • Improved the automated META keyword population
  • When mangling creditee, some errors caused the information not to add or update correctly – now fixed
  • Utility now checks ext-refs for 404s and auto-flags them as such
  • Technical Notes field had some editing issues – fixed
  • New reference type: milw0rm
  • Vulnerability editing – several fields now bigger to better use screen real estate

Behind the Scenes:

  • Removed some error conditions in bulk search
  • Bulk search now lists what wasn’t found
  • Bulk search now auto-links more fields
  • Can now copy products between entries
  • Removed more error conditions when managing vendors
  • Internal tool to better track advisory pages
  • Improvements to the reference migrator

OSVDB GSoC 2008 Project Ideas

Google Summer of Code 2008 is officially on. Full details at http://code.google.com/soc/2008/

OSVDB has submitted an application and has been accepted. With our Summer of Code project work, we hope to build on the release of OSVDB 2.0 and develop new enhancements to OSVDB’s public services. Here is this year’s list of ideas and important projects; however, we are open to proposals for other projects and ideas.

OSVDB Port Listing Project – Preferred language is Ruby on Rails

We are looking to create a project that will be a central repository for all known ports and protocols. This will be the foundation of many new features such as referencing ports/protocols to OSVDB IDs. This will then allow OSVDB vulnerabilities to be better mapped to firewall rules, IDS alerts and potential integrations with other security projects such as Nmap.

  • This project should detail all well known/default/registered ports
  • This project must have an automated feature that can import port information from iana.org as a baseline (PORT NUMBERS)
  • This project must allow users to submit updates/edits wiki style
  • This project needs to include fields for necessary tracking including: Keywords, Number, Transport (TCP, UDP, ICMP, etc.), Application, Links, Description

OSVDB Training Portal Framework – Preferred language is Ruby on Rails

This project is to create a flexible framework that can provide training on security issues. OSVDB is looking to not only provide information on vulnerabilities but be a repository for training information that will help educate end users on how to avoid security risks and developers on how to avoid coding insecure applications.

  • This project must be able to integrate with the existing OSVDB portal
  • This project must have an interface that allows users to create their own training material
  • This project must have an interface that allows users to create their own training quizzes
  • This project must have an interface to provide reports and track the results
  • A user needs to be able to create a custom quiz or select from a list of OSVDB published quizzes
  • A user needs to be able to send a quiz to multiple people by inputting email addresses
  • The system will track the quiz and results based on the emails that are sent via the training portal
  • This project should allow users to provide comments and coaching information in a wiki style to help educate
  • The project will ultimately cross-reference OSVDB IDs. For example: when a user is viewing a specific vulnerability it will allow them to then take a training course and a quiz to test their knowledge

OSVDB Personal Edition Phase II – Preferred language is Ruby on Rails

We released the OSVDB Personal Edition, a very small Ruby on Rails application that utilizes the SQLite database export to give you your own, albeit relatively feature-less, local OSVDB instance. This project is intended to take the OSVDB Personal Edition to the next level.

  • This project will provide improvements and a seamless installation package
  • This project will include new search features
  • This project will include new features defined by you!

OSVDB Widgets and Gadgets – Preferred language is open for discussion!

OSVDB has a very strong online feature set, but a user needs to be logged in to use the services. This project is intended to utilize OSVDB as the main data source and should be a security dashboard for professionals.

  • Gadgets and widgets should work for OS X and/or Vista
  • Should provide security news updates from multiple sources
  • Should provide alerts when new advisories from vendors are released
  • Should provide alerts for new vulnerabilities added to the OSVDB database
  • Should provide search capabilities for OSVDB
  • Must be able to support OSVDB API functionality

OSVDB Statistics Project – Preferred language is Ruby on Rails

This project is to create a flexible framework that can provide useful statistics on vulnerabilities from OSVDB. This project should take into consideration all of the fields and classifications in OSVDB.

  • Should create and generate the standard/most popular graphs and charts each day and make them available
  • Should create statistics that allow very flexible/detailed stats to be dynamically generated on demand by the user
  • Some examples of statistics required:
    • Number of vulns based on disclosure year
    • Detailed stats based on each vuln classification option (ALL OPTIONS)
    • Number of vulns by vendor
    • Number of vulns by product
    • Number of vulns that do not have a solution (and by vendor)
    • Time from when a vuln was discovered to when it was disclosed
  • Create a stats application that allows the user to dynamically generate stats based on their own requirements
  • Trend the number of vulns released per day

OSVDB Vulnerability Visual Mapping – Preferred language is open for discussion!

This project is to create a visual mapping of all vulnerabilities in OSVDB. This will allow users to visually search the database and also to see the relationships between vulnerabilities. Have you ever seen music plasma? This could be pretty challenging but we have been wanting to see this project done for a long time!

Vulnerability and Patch Management Portal – Preferred language is Ruby on Rails

This project is to create a flexible framework that can provide organizations the ability to track and manage vulnerabilities and patches. OSVDB is looking to not only provide information on vulnerabilities but be a service that gives security professionals a way to track and ensure that vulnerabilities have been addressed at their organization.

  • This project must be able to integrate with the existing OSVDB portal
  • Should allow users to manage the life cycle of vulns and patches
  • Should allow the user to select vulnerabilities or patches based on their OSVDB watchlist
  • Should create a lifecycle that will alert a user when a new vulnerability or patch is released and goes into the portal
  • The user can then track their organization’s progress including: Research, Test, Implementation, Closure
  • The project should allow an organization to show compliance with vulnerabilities and patches

Vulnerability Cross References and Scraper – Preferred language is Ruby on Rails and open for discussion!

OSVDB is a project that aims to have as many references to vulnerabilities as possible. Unfortunately, in most cases volunteers have to search by hand to find more information to add to an entry. The goal of this project is to create a module that can search multiple security resources and cross-reference OSVDB entries to other resources.

  • Cross-reference OSVDB IDs and provide references that are missing
  • Search the following (all external references OSVDB uses) for a string: Bugtraq, Bugtraq Mailing List, CVE, Full-Disclosure Mailing List, ISS X-Force, Nessus, OSVDB, Packetstorm, Secunia, Securiteam, Security Tracker, Snort
  • Search the resources based on user supplied check boxes for refined/targeted searches
  • Offer a simple search that pulls back just a summary of findings
  • Offer a recursive search for some sites. If the entry at another site (for example CVE) is known, then it should be an option to pull back all of the other references in that entry as well
  • Should be a framework that allows new security sites to be added when they become available
  • Should run once a night and look at all entries (even old ones) to see if there are more references that can be added
  • There should be some kind of approval process or a quick way that we can automatically add the references to the appropriate IDs

New security project? New security scanner? New OSVDB feature? – Preferred language is open for discussion!

  • Have an idea for a new security scanning tool?
  • Have an idea for a new feature that is missing from OSVDB?
  • Have an idea that can use information from our web scanning database?
  • Have an idea for a security scanner that searches a local server for vulnerable scripts?
