Open Security Foundation Launches New Cloud Security Project

Posted by jkouns Tue, 27 Jul 2010 23:33:00 GMT

The Open Security Foundation, which provides independent, accurate, detailed, current, and unbiased security information to professionals around the world, announced today that it has launched Cloutage (cloutage.org), a site that will bring enhanced visibility and transparency to cloud security. The name Cloutage is a play on two words, Cloud and Outage, that together describe what the new website offers: a destination for organizations to learn about cloud security issues, along with a complete list of problems reported among cloud service providers around the globe.

The new website is aimed at empowering organizations by providing cloud security knowledge and resources so that they may properly assess information security risks related to the cloud. Cloutage documents known and reported incidents with cloud services while also providing a one-stop shop for cloud security news and resources.

“When speaking with individuals about the cloud, to this point it has been a very emotional conversation. People either love or hate the cloud,” says Jake Kouns, Chairman, Open Security Foundation. “Our goal with Cloutage is to bring grounded data and facts to the conversation so we can have more meaningful discussions about the risks and how to improve cloud security controls.”

Cloutage captures data about incidents affecting cloud services in several forms including vulnerabilities that affect the confidentiality and integrity of customer data, automatic update failures, data loss, hacks and outages that impact service availability. Data is acquired from verifiable media resources and is also open for community participation based on anonymous user submissions. Cloud solution providers are listed on the website and the community can provide comments and ratings based on their experiences. Cloutage also features an extensive news service, mailing lists and links to organizations focused on the secure advancement of cloud computing.

“The nebulous world of cloud computing and the security concerns associated with it confuses many people, even IT and security professionals,” says Patrick McDonald, a volunteer on the Cloutage project. “We want a clearinghouse of information that provides a clear picture of the cloud security issues.”


More powerful searches, by looking at what's NOT there..

Posted by jkouns Fri, 30 Oct 2009 05:41:00 GMT

Sometimes when I read our past blog posts it seems like OSVDB moderators are a broken record.  We seem to always say that we had these ideas a long time ago.... We seem to frequently say that VDBs need to evolve....... We say that we would love to do something about it but need resources........ Times are changing for OSVDB.  As you have seen over the past couple weeks, we are extremely thankful for our lead developer Dave as he is making a lot of these ideas happen!

OSVDB has publicly stated several times (e.g., SyScan04 , CanSecWest 2005 and OSBR) that we felt it was important to achieve active integration with security tools to streamline the process of identifying and setting priorities for the creation of vulnerability checks.  Our goal is for OSVDB to assist tool developers to identify vulnerability checks or signatures that are not already represented in their products, and will provide a way to identify the high-priority vulnerabilities for immediate attention.

Today we took our first huge step forward to make this happen thanks to yet another improvement in our search engine.  A couple days ago I was discussing this idea again with Jericho and the possibility of trying to finally bring it to life.  To make it really happen we agreed we would need the search engine to function in a way it hasn't yet done.... it would need to search for things that are NOT in OSVDB, and need to search based on CVSS scoring / criteria.  After spending some time chatting with Jericho he said...... it may be complicated to implement.   Well, he definitely underestimated Dave's ninja development skills as this was knocked out in several hours over two days!

What is the big deal about this feature anyways?

What if for example.... 

    ...you were wondering which vulnerability scanner / IDS / IPS has the best coverage?

    ...you were trying to figure out which check you should write for your favorite scanner / IDS / IPS?

    ...you were trying to figure out what are the most important vulnerabilities missing from a scanner?

OSVDB can now show you a listing of all vulnerabilities with certain characteristics that are also missing a given reference. Even more powerful is the ability to search by CVSSv2 score or by a specific attribute.

For example, we can have OSVDB show a listing of all vulnerabilities that:

    - have a CVSS score between 9 and 10

    - are for Microsoft

    - can be exploited from remote/network

    - and do NOT have a Metasploit reference

Check out the results from OSVDB for the example above.

This search shows that there are 175 high-impact entries in OSVDB for which Metasploit is missing a check.  Perhaps this list would be useful to HD and the folks over at Metasploit to determine which exploits need to be included next.  As you can see, there is a lot more you can do with it.  Check out the OSVDB Advanced Search and play with it a bit!

As mentioned, this is just the first step and is what we believe will be the basis for much more to come. OSVDB is positioned to be the central source for reviewing and determining the completeness of commercial security solutions.  We believe that OSVDB has extremely high coverage of all disclosed vulnerabilities and will be able to provide insight into which vulnerabilities are covered (or missing) by a given scanner or tool.  We will be able to show the gaps and even provide guidance to users as to which scanner or tool would be best for their organization.  Instead of listening to a sales pitch that says "trust us, we cover the most vulnerabilities!", OSVDB will have real data to show that Product X has more coverage than Product Y.  We will be in a position to allow a security practitioner to ensure that the products critical to their organization are covered by the scanner they are considering purchasing.  As shown above, we can already list the critical vulnerabilities for which a given tool (Metasploit, Nessus, Snort, etc.) has no check.

You know... when we find some time it would be a great idea for OSVDB to conduct a bake off on coverage between the top vulnerability scanners and IDS/IPS products. This of course relies on having vendors that are open and share their vulnerability mappings in a format that can be imported into OSVDB. So far, Nikto, Metasploit and Tenable's Nessus have provided us with these mappings. Another upcoming feature will be a system that allows these vendors to automatically upload updated mappings to keep OSVDB current. Three vendors down, who will be the next to step up?

Some day.
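As an added illustration of the "what's NOT there" search and of the per-tool coverage comparison described above (example code written for this page, not OSVDB's own implementation), the following runs the high-CVSS / Microsoft / remote / no-Metasploit-reference query over a handful of constructed sample records and tallies per-tool coverage of critical entries. The record fields and sample IDs are assumptions, not real OSVDB data.

```python
"""Coverage-gap search over vulnerability records, modelled on the OSVDB
advanced search described in the post.  Added example, not OSVDB code;
all records below are constructed sample data, not real entries."""
from dataclasses import dataclass, field


@dataclass
class Vuln:
    osvdb_id: int            # constructed sample id, not a real OSVDB id
    title: str
    vendor: str
    cvss2: float             # CVSSv2 base score
    access_vector: str       # CVSSv2 AV: "network", "adjacent" or "local"
    refs: frozenset = field(default_factory=frozenset)  # tools referencing it


# Constructed sample records (hypothetical titles and ids).
SAMPLE = [
    Vuln(1001, "Sample SMB RCE", "Microsoft", 10.0, "network", frozenset({"Metasploit", "Nessus"})),
    Vuln(1002, "Sample RPC overflow", "Microsoft", 9.3, "network", frozenset({"Nessus", "Snort"})),
    Vuln(1003, "Sample local privesc", "Microsoft", 7.2, "local", frozenset({"Metasploit"})),
    Vuln(1004, "Sample IIS RCE", "Microsoft", 9.0, "network", frozenset()),
    Vuln(1005, "Sample router RCE", "Cisco", 9.3, "network", frozenset({"Snort"})),
]


def missing_reference(records, tool, min_cvss=0.0, max_cvss=10.0,
                      vendor=None, remote_only=False):
    """Records in the inclusive CVSS range, optionally limited to one vendor
    and to network-exploitable entries, that LACK a reference to `tool`.
    Results are ordered highest score first so the top of the list is the
    most urgent gap for the tool's maintainers."""
    out = []
    for v in records:
        if not (min_cvss <= v.cvss2 <= max_cvss):
            continue
        if vendor is not None and v.vendor.lower() != vendor.lower():
            continue
        if remote_only and v.access_vector != "network":
            continue
        if tool not in v.refs:
            out.append(v)
    return sorted(out, key=lambda v: (-v.cvss2, v.osvdb_id))


def coverage_report(records, tools, min_cvss=9.0):
    """Per-tool covered/missing counts over critical entries: the raw
    numbers behind a coverage 'bake off' between tools."""
    critical = [v for v in records if v.cvss2 >= min_cvss]
    report = {}
    for tool in tools:
        missing = sum(1 for v in critical if tool not in v.refs)
        report[tool] = {"covered": len(critical) - missing, "missing": missing}
    return report
```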



OSVDB Featured in the Open Source Business Resource (OSBR)

Posted by jkouns Sat, 21 Jun 2008 16:24:09 GMT

OSVDB is featured in the June issue of the Open Source Business Resource (OSBR) and is now available at the OSBR website. We were contacted and asked if we would like to include our original OSVDB Aims white paper in the issue. This was really the prompting that we needed to take the time to update the project’s successes since the launch and provide some additional information about the future of OSVDB.

We would like to thank Dru Lavigne and OSBR for their support and encourage you to take a look at the issue. The OSVDB article can be found at: http://www.osbr.ca/ojs/index.php/osbr/article/view/607/568

OSBR’s editorial theme for June is “Security” and here is a listing from the table of contents:

Jake Kouns, president of the Open Security Foundation, introduces the Open Source Vulnerability Database Project. David Maxwell, Open Source Strategist at Coverity, discusses the findings from Coverity’s analysis of over 55 million lines of open source code. Robert Charpentier from Defence Research Establishment Valcartier and Mourad Debbabi, Azzam Mourad and Marc-André Laverdière from Concordia University present a summary of their research into providing security hardening for the C programming language. Frederic Michaud and Frederic Painchaud from Defence Research and Development Canada describe their evaluation of automated tools that search for security bugs. Key messages from Carleton University’s Stoyan Tanev’s recent presentation on technology marketing trends and the Eclipse Foundation’s Ian Skerrett’s presentation on building successful communities. Michael Geist, Canada’s Research Chair of Internet and E-commerce Law, explains why the proposed Bill C-61 does not address the rights of Canadians. Alan Morewood from Bell Canada provides an example of open source meeting a business need.

Next month’s editorial theme is “Accessibility”–contact the OSBR Editor if you are interested in a submission.


Pump and dump

Posted by jkouns Fri, 19 Oct 2007 20:23:42 GMT

There has been a pretty good buzz about MP3 spam in the past couple days……… Some folks at GFI sent us the following and thought it would be worth sharing….

Spammers are back with a new trick, this time round sending messages with MP3 attachments that contain the latest pump-and-dump stock scams. One sample identified this morning by GFI was a heavily distorted 30-second MP3 file. A synthetic female voice was used to promote a particular stock. This voice is distorted to avoid filtering approaches based on the file signature. Once again, spammers are taking advantage of the fact that the MP3 format is one of the most common in use today, another attempt at social engineering. GFI Software have uploaded a sample on their website; if you want to listen to it, click here. For further details read GFI's mp3 spam roundup.


OS Security, Old Debate, New Info

Posted by jericho Thu, 29 Mar 2007 18:42:21 GMT

Check out this article/report by OmniNerd, which tested various operating systems for security. They performed a baseline vulnerability scan during installation, after installation and after patches had been applied. Each installation was done to mimic a ‘default install’ as closely as possible by clicking ‘next’ when possible. While one can argue various points of this test, they did a good job defining the operating system, configuration and resulting open ports, along with corresponding vulnerabilities. The only questions that immediately come to mind are whether the Solaris install included Update 3 and why they didn’t have any charts or graphs summarizing the information.

This is hands down one of the most fair and unbiased tests I have seen in a while, based on the information in the article.


Stefan Esser retires from PHP Security

Posted by jericho Thu, 14 Dec 2006 14:56:13 GMT

http://blog.php-security.org/archives/61-Retired-from-securityphp.net.html

Last night I finally retired from the PHP Security Response Team, which was initially my idea a few years ago. The reasons for this are many, but the most important one is that I have realised that any attempt to improve the security of PHP from the inside is futile. The PHP Group will jump into your boat as soon as you try to blame PHP’s security problems on the user, but the moment you criticize the security of PHP itself you become persona non grata. I stopped counting the times I was called an immoral traitor for disclosing security holes in PHP or for developing Suhosin (http://www.suhosin.org/). For the ordinary PHP user this means that I will no longer hide the slow response time to security holes in my advisories. It will also mean that some of my advisories will come without patches available, because the PHP Security Response Team refused to fix them for months. It will also mean that there will be a lot more advisories about security holes in PHP.

Stefan has a history of providing well written and very technical attacks against the PHP language. If he was one of the few (only?) people that cared about security, this doesn’t bode well for PHP.


Social Implications of Keysigning

Posted by jericho Tue, 23 May 2006 05:05:40 GMT

http://attrition.org/security/rant/z/keysigning.html

Social Implications of Keysigning Raven & Jericho Tue May 23 01:41:20 EDT 2006

The use of strong public encryption has always been popular among geeks. Perhaps the most commonly used and most beloved encryption for e-mail is Pretty Good Privacy (PGP); it started as a free method for protecting emails or other sensitive information, and later turned into the cornerstone of a large company. As PGP became more corporate, costly and reliant on patented algorithms, another project, GnuPG, sprang up to continue to offer strong encryption to the masses.

One foundation of reliable encryption is trust. The use of encryption between two or more people relies on you being sure that the message you sent is properly encrypted to and able to be decrypted solely by the intended recipient. When using a friend’s GPG key, you must be sure that the key was created by and belongs solely to your friend. Otherwise, you may send mail that your friend cannot read (if they don’t have the key you encrypted to), or worse, mail that some other party can read (if that party does have the key you encrypted to).

[..]


Pink Hearts

Posted by jericho Tue, 14 Mar 2006 08:38:16 GMT

Maybe I am immature but does anyone else find the Hitachi Incident Response Team logo a bit amusing?

Pink hearts, yellow XSS, orange SQL, blue DoS and green overflows!


Symantec bites the hand that feeds..

Posted by jericho Wed, 07 Dec 2005 01:03:19 GMT

Just over ten years ago (95-09-15) Hobbit wrote a little tool called netcat (aka nc), swiftly dubbed the “TCP/IP Swiss Army knife”. Hobbit was affiliated with the l0pht, which was later purchased by @stake, which was later purchased by Symantec. At some point (circa 1998), Weld Pond ported the netcat utility to Windows. Weld was an original member of the l0pht and later the Director of Research and Development with @stake. Weld’s version was distributed at @stake for some time. Suffice it to say, the l0pht, @stake and its members/employees supported netcat’s use and distribution.

Jump forward to today, and Symantec now classifies netcat on a system as a High Risk Impact. As aj reznor asked, “is that to say that SYM bought a company known then for offering naughty things?” Let us also remember that Symantec owns SecurityFocus which conveniently offers the tool in their tool repository.

Also amusing are Symantec’s “technical details” for this “hacker tool”:

Hacktool.NetCat arrives as a tool commonly carried by malicious components and dropped on the compromised computer for remote exploitation.

When Hacktool.NetCat is executed, it performs the following actions:

1. Transmits data across network connections.

Yes, there is no number two on the list. Hopefully Symantec will have the foresight to classify TCP/IP stacks as “Hacktool.TCPIP” and label it a “High Risk Impact” if found on a system.


National Computer Security Day

Posted by jericho Thu, 01 Dec 2005 05:14:00 GMT

November 30th was National Computer Security Day. It came and went .. did you notice? I previously blogged about National Cyber Security Awareness Month, calling into question the value of awareness months of any kind. Awareness days are no different. As William Knowles said, “might have been national kick a penguin day, I wouldn’t have known any difference..”
