February Update: OSVDB Winter 2010 Fundraising Goal

Posted by lyger Mon, 01 Mar 2010 13:36:00 GMT

Back in early January, I issued a challenge to donate to OSF's Winter Fundraiser for every new vulnerability pushed into OSVDB. Two of the three months have come and gone, and even though January was a little more productive than February in terms of new vulnerabilities, the moderation team is still making good progress:

2010-02-01: 13 vulns pushed, 133 vulns updated
2010-02-02: 31 vulns pushed, 79 vulns updated
2010-02-03: 25 vulns pushed, 145 vulns updated
2010-02-04: 21 vulns pushed, 31 vulns updated
2010-02-05: 25 vulns pushed, 153 vulns updated
2010-02-06: 8 vulns pushed, 76 vulns updated
2010-02-07: 3 vulns pushed, 278 vulns updated
2010-02-08: 27 vulns pushed, 64 vulns updated
2010-02-09: 47 vulns pushed, 159 vulns updated
2010-02-10: 37 vulns pushed, 160 vulns updated
2010-02-11: 16 vulns pushed, 59 vulns updated
2010-02-12: 27 vulns pushed, 128 vulns updated
2010-02-13: 10 vulns pushed, 51 vulns updated
2010-02-14: 4 vulns pushed, 112 vulns updated
2010-02-15: 12 vulns pushed, 81 vulns updated
2010-02-16: 23 vulns pushed, 181 vulns updated
2010-02-17: 28 vulns pushed, 235 vulns updated
2010-02-18: 25 vulns pushed, 119 vulns updated
2010-02-19: 43 vulns pushed, 261 vulns updated
2010-02-20: 11 vulns pushed, 126 vulns updated
2010-02-21: 2 vulns pushed, 34 vulns updated
2010-02-22: 3 vulns pushed, 64 vulns updated
2010-02-23: 41 vulns pushed, 221 vulns updated
2010-02-24: 37 vulns pushed, 112 vulns updated
2010-02-25: 15 vulns pushed, 138 vulns updated
2010-02-26: 17 vulns pushed, 146 vulns updated
2010-02-27: 9 vulns pushed, 17 vulns updated
2010-02-28: 8 vulns pushed, 24 vulns updated

With 568 new vulnerabilities pushed in February, we're now up to 1,223 new entries for 2010; personally, I'd like to see that number hit at least 2,000 by the end of March (3,000 may be out of reach, but never say never), but that will depend on the time and efforts of our moderation team and the amount of vulnerabilities uncovered by our multiple reference sources. Please remember that I will donate $0.50 to OSF for every new vulnerability pushed into the database through April 1 (and no, there will not be an April Fools announcement saying that the challenge has been called off), and we're hoping to obtain some matching offers to help offset the costs of maintaining the database. A special "thank you" goes to all parties who have offered to match the challenge so far, and we hope others who find OSVDB to be a valuable resource can jump in and help us out as well.

31 more days for the challenge... and away... we... go.


Time to.. Track More Data

Posted by jericho Fri, 19 Feb 2010 06:06:00 GMT

Over the years, security practitioners have been interested in specific metrics related to vulnerability timelines. Certain dates, if present, can be used to extrapolate additional information related to the timeline and vulnerability handling.

Using Vendor Informed Date and Vendor Solution Date, we can extrapolate "time to patch". This is the amount of time between the vendor learning about a vulnerability, and providing a solution (i.e., patch, workaround, upgrade).

Using Exploit Publish Date and Vendor Solution Date, we can extrapolate "time of exposure". This is the amount of time between the publishing of exploit code and the vendor providing a solution. For these vulnerabilities, there is no doubt that an attacker could exploit the vulnerability and a target has no practical solution. While any vulnerability that has been disclosed may be exploited, lack of details may make it considerably difficult or raise the bar so that only dedicated attackers could use the information. This lack of information means the time of exposure is there, but the circumstances for exploitation are questionable.

In the past, eEye prominently displayed the vendor's time to patch on their advisories. eEye also began tracking "zero day threats" that also highlighted "days of exposure". The Zero Day Initiative (ZDI) tracks time to patch for upcoming advisories as well. Unfortunately for the industry, the time to patch information was tracked just for eEye and ZDI advisories.

OSVDB has made changes to better track both time to patch and time of exposure. First, the display of the related dates has been re-worked to present a more distinct timeline, with extrapolated times below it (e.g., http://osvdb.org/22582). Second, you can now quickly browse the worst offenders:

Time of Exposure - http://osvdb.org/browse/time_of_exposure

Time to Patch - http://osvdb.org/browse/time_to_patch

Know of any offenders that aren't on these lists? Feel free to mangle the entry and add missing dates, or simply contact us with a CVE identifier, OSVDB ID or information about the vulnerability.
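To make the two metrics concrete, here is an added example (not OSVDB's own code) that derives time to patch and time of exposure from the three dates the post names and ranks the worst offenders the way the browse pages do; the entry IDs, titles and dates are constructed, and the handling of still-unpatched entries and of exploits published after the fix is an assumption stated in the code.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional, Tuple


@dataclass
class VulnTimeline:
    """One entry with only the dates the two metrics need (constructed)."""
    osvdb_id: int
    title: str
    vendor_informed: Optional[date] = None   # Vendor Informed Date
    vendor_solution: Optional[date] = None   # Vendor Solution Date
    exploit_publish: Optional[date] = None   # Exploit Publish Date


def days_between(start: Optional[date], end: Optional[date]) -> Optional[int]:
    """Whole days from start to end, or None when either date is unknown:
    without both dates the metric simply cannot be extrapolated."""
    if start is None or end is None:
        return None
    return (end - start).days


def time_to_patch(v: VulnTimeline) -> Optional[int]:
    """Vendor Informed Date -> Vendor Solution Date."""
    return days_between(v.vendor_informed, v.vendor_solution)


def time_of_exposure(v: VulnTimeline, as_of: date) -> Optional[int]:
    """Exploit Publish Date -> Vendor Solution Date.

    Two assumptions not spelled out in the post: an entry with public
    exploit code but no solution yet is counted as exposed up to `as_of`,
    and an exploit published only after the fix is reported as 0 days
    rather than as a negative number."""
    if v.exploit_publish is None:
        return None
    end = v.vendor_solution if v.vendor_solution is not None else as_of
    return max(0, (end - v.exploit_publish).days)


def worst_offenders(entries: List[VulnTimeline],
                    metric: Callable[[VulnTimeline], Optional[int]],
                    limit: int = 3) -> List[Tuple[int, int, str]]:
    """(days, osvdb_id, title) sorted worst first; entries for which the
    metric is undefined are left out rather than ranked as zero."""
    scored = []
    for v in entries:
        days = metric(v)
        if days is not None:
            scored.append((days, v.osvdb_id, v.title))
    return sorted(scored, reverse=True)[:limit]


AS_OF = date(2010, 2, 19)   # date of the post, used as "today"

# Constructed sample entries; IDs and titles are placeholders.
SAMPLE = [
    VulnTimeline(1001, "Example widget buffer overflow",
                 date(2009, 6, 1), date(2009, 9, 15), date(2009, 8, 1)),
    VulnTimeline(1002, "Example parser denial of service",
                 date(2010, 1, 10), date(2010, 1, 12), None),
    VulnTimeline(1003, "Example service remote code execution",
                 None, None, date(2010, 1, 1)),           # exploit, no fix yet
    VulnTimeline(1004, "Example plugin cross-site scripting",
                 date(2009, 12, 1), date(2009, 12, 20), date(2010, 1, 5)),
]

if __name__ == "__main__":
    print("Time to Patch:", worst_offenders(SAMPLE, time_to_patch))
    print("Time of Exposure:",
          worst_offenders(SAMPLE, lambda v: time_of_exposure(v, AS_OF)))
```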


Open Security Foundation - Advisory Board - Call for Nominations

Posted by jkouns Fri, 12 Feb 2010 21:24:00 GMT

The Open Security Foundation (OSF) is an internationally recognized 501(c)(3) non-profit public organization seeking senior leaders capable of providing broad-based perspective on information security, business management and fundraising to volunteer for an Advisory Board. The Advisory Board will provide insight and guidance when developing future plans, an open forum for reviewing community feedback and a broader view when prioritizing potential new services.
 
OSF was founded in 2004 and has been operated by information security enthusiasts since its inception.  We exist to empower all types of organizations by providing knowledge and resources so that they may properly protect, detect and mitigate information security risks. We believe that security information and services should be easily accessible for all who have the need for such information.  We promote open collaboration between companies and individuals, provide unbiased information to uphold educated decision-making, and attempt to eliminate the need for redundant works while striving to improve organizations' overall security posture.

Prospective Advisory Board members should show an ability and willingness to:

- Participate actively in all meetings of the Advisory Board (2 times per year and as otherwise needed)
- Represent OSF and its mission to organizations and the general public
- Review and provide feedback for proposed OSF plans
- Chair and serve as members of committees
- Assist in locating and developing funding sources for OSF

If you are interested in volunteering please email us at officers@opensecurityfoundation.org and provide the following information:

Name:
Phone Number:
Email Address:
Area of Expertise:

If you know someone with senior leader experience who you believe could act in an advisory position please contact us at officers@opensecurityfoundation.org. 
 
The call for Advisory Board volunteers will be open until March 19, 2010.  We will review all submissions by March 31, 2010.


Open Security Foundation - State of the Union 2010

Posted by jkouns Sat, 06 Feb 2010 06:27:00 GMT

The Open Security Foundation (OSF) has grown from a humble beginning in 2004 to an internationally recognized 501(c)(3) non-profit public organization. Through the work of a small team of dedicated information security enthusiasts, the Open Source Vulnerability Database (OSVDB) and DataLossDB projects have provided organizations of all sizes with the knowledge and resources to accurately detect, protect and mitigate information security risks. OSF research is often cited throughout the security industry, and the organization was honored by being named winner of SC Magazine's Editors Choice award for 2009.

To ensure the highest quality information that has become the trademark of OSF, a tremendous amount of effort is expended on a daily basis by OSF volunteers to process an ever-increasing amount of data loss and vulnerability reports. Over the years, many volunteers have been involved in the projects, but for the most part the heavy lifting has been the work of only a few very dedicated volunteers. The "open source" approach to resourcing the projects has been successful to date but is now proving to be an unsustainable model. With long-term sustainability and increased services as our goal, we have initiated a comprehensive review of our current operations, our existing approach to project funding and the creation of potential new services for the security community.

As a start, we plan to do a better job of sharing our view on the state of the information security industry and creating a mechanism to gain community feedback to better establish our vision for the OSVDB and DataLossDB projects. 
 
To that end I want to take a moment to share our initial plans for 2010.

The OSF officers and project leads have been dedicated to the daily operations required to make OSVDB and DataLossDB the recognized leader in vulnerability and data loss tracking. This focused dedication has left little time to take the pulse of the industry as it relates to our projects or to establish a clear long-term vision for the projects. To address this need, OSF will be creating an Advisory Board. The board will consist of three to five senior leaders capable of providing broad-based perspective on information security, business management and fundraising. It is our hope that this will provide a sounding board when developing future plans, an open forum when reviewing community feedback and a broader view when prioritizing potential new services. Additional information along with an official call for Advisory Board nominations is planned for 2/12/2010.

Direct unfiltered feedback from both the security community as well as the organizations that benefit from our projects is critical. Over the next few weeks, we plan to post a public survey asking for feedback that will help shape our long-term vision and establish our near-term plans for OSVDB and DataLossDB.  Those of you who value the work that the OSF provides and/or consider yourselves friends and supporters of OSF are asked to help spread the word to maximize the feedback provided. 

Feedback from the survey will be the foundation for the OSF vision and 2010 plan. Our goal is to present a draft of both the vision and the 2010 plan to the newly formed Advisory Board by mid-April 2010. Once finalized, both documents will be shared with the information security community.
 
OSF has been recognized for providing a critical service to the information security community but our potential is much greater. We look forward to hearing your ideas on how OSF can further improve the state of security while building a stronger organization to deliver even higher quality research and additional services.

We appreciate your support and if you are interested in working with OSF please contact us at moderators@osvdb.org or curators@datalossdb.org.

Jake Kouns
Chairman, Open Security Foundation


January Update: OSVDB Winter 2010 Fundraising Goal

Posted by lyger Mon, 01 Feb 2010 05:19:00 GMT

Well, it's been almost a month since we issued our original challenge for the "OSVDB Winter 2010 Fundraising Goal". As mentioned in our initial post, we're pretty transparent about how much work we do on a daily/weekly/monthly basis. Thanks to Twitter, pico, and my /home/lyger/wtf-ever folder, we present January's results:

2010-01-01: 23 vulns pushed, 56 vulns updated
2010-01-02: 21 vulns pushed, 194 vulns updated
2010-01-03: 11 vulns pushed, 143 vulns updated
2010-01-04: 25 vulns pushed, 104 vulns updated
2010-01-05: 50 vulns pushed, 184 vulns updated
2010-01-06: 13 vulns pushed, 94 vulns updated
2010-01-07: 15 vulns pushed, 78 vulns updated
2010-01-08: 33 vulns pushed, 162 vulns updated
2010-01-09: 1 vulns pushed, 127 vulns updated
2010-01-10: 17 vulns pushed, 208 vulns updated
2010-01-11: 30 vulns pushed, 325 vulns updated
2010-01-12: 32 vulns pushed, 385 vulns updated
2010-01-13: 21 vulns pushed, 119 vulns updated
2010-01-14: 18 vulns pushed, 79 vulns updated
2010-01-15: 26 vulns pushed, 199 vulns updated
2010-01-16: 65 vulns pushed, 102 vulns updated
2010-01-17: 15 vulns pushed, 75 vulns updated
2010-01-18: 21 vulns pushed, 130 vulns updated
2010-01-19: 20 vulns pushed, 48 vulns updated
2010-01-20: 22 vulns pushed, 142 vulns updated
2010-01-21: 18 vulns pushed, 83 vulns updated
2010-01-22: 16 vulns pushed, 86 vulns updated
2010-01-23: 16 vulns pushed, 27 vulns updated
2010-01-24: 6 vulns pushed, 30 vulns updated
2010-01-25: 25 vulns pushed, 114 vulns updated
2010-01-26: 8 vulns pushed, 70 vulns updated
2010-01-27: 16 vulns pushed, 90 vulns updated
2010-01-28: 26 vulns pushed, 87 vulns updated
2010-01-29: 20 vulns pushed, 28 vulns updated
2010-01-30: 14 vulns pushed, 52 vulns updated
2010-01-31: 11 vulns pushed, 40 vulns updated

As of early morning February 1, we have pushed 655 new vulnerabilities into the database since the beginning of 2010. Please take a moment to look at the dates listed above; if you find a day missing from January, please let us know. Yes, we laid off on the 9th (Jericho made the save with OSVDB 61571 : EcShop /admin/integrate.php Multiple Parameter Arbitrary Command Execution), but the honest fact is that we generally work on OSVDB *every day* in some form. Some days are slower than others, sure... we still have families, friends, and other hobbies (believe it or not). Actually, the number of OSVDB moderators who own a Wii with the Fit Plus package is scary, but I digress.

So, about the challenge we presented... I'm still willing to put up $0.50 HARD U.S. DOLLARS for every new vulnerability we push from January 1, 2010 through April 1, 2010. I pushed it through April 1 and not just March 31 because a) April 1 is a much cooler day to end a contest, 2) February 29 is a special day and should never be left out of any year, so an extra day was warranted, and d) that's the period that Dave set up the end of the fundraising goal for, and we try to keep him happy so things don't randomly 500 when we do something like enter weird support tickets.

Any company or person who still wants to match my offer, please feel free to do so. Even though we're only at about 2/3 of our usual push rate, we're not intentionally laying back to keep the new vulnerability count lower. Coming off a holiday season takes time to get back in the groove, not only for us but our reference providers as well. Please mail us at our moderators@ address if you want to contribute.


Challenge: OSVDB Winter 2010 Fundraising Goal

Posted by lyger Tue, 05 Jan 2010 03:16:00 GMT

OSVDB has just announced its Winter 2010 Fundraising Goal, which currently hopes to raise $9,000 before April 1, 2010. Looking back over the last couple of years of advances in the project, it's easy to see not only how the project has evolved, but also how operational costs have increased to cover software development, content development, server hosting costs, and other assorted expenses to help keep OSVDB interesting, timely, and functional.

On average, OSVDB has promoted 10,000 to 12,000 vulnerabilities per year for the last few years. Breaking that down to about 1,000 per month, the vulnerabilities in the database are gathered from a variety of sources, such as CVE, Secunia and various vendor changelogs and advisories. Keeping up a pace of about 1,000 newly listed vulnerabilities per month hasn't always been easy... but it's about to get interesting.

I recently resigned my position as Chief Communications Officer with Open Security Foundation to focus more on the "content" aspect of OSVDB and DataLossDB. The extra time gained from giving up administrative duties will hopefully help the sites keep content fresh and accurate. Jericho, CJI, and I are going to keep working on new vulnerabilities as we can and keep the ball rolling.

With that said, I'm issuing a challenge: For every new vulnerability issued an OSVDB ID from January 1, 2010 through April 1, 2010, I will donate $0.50 (fiddy cents) of my own money to the OSVDB fundraiser. I challenge anyone who feels that OSVDB is a valuable resource to the security community to match my donation.

To make a few points clear:

1. I am no longer an OSF officer. My donation comes out of my own pocket, not the OSF coffers, and I will accept no compensation from OSF for this offer. If I have to sell a kidney, I hear you only need one anyway.

2. Since Jericho, CJI, and I are the ones who generally push new vulnerabilities to "live" status, there will be no slacking to save my bank account. If anything, I'll be more motivated to push the potential donations higher and they'll be motivated to watch me suffer on April 2. That's how we roll.

3. At an average of 1,000 vulnerabilities a month, over three months I expect to donate $1,500. It may be less, it may be more. There will be a maximum cap of $2,500 donated by myself and anyone who matches it. If we can push 5,000 vulns in three months, something is either very wrong or very great. YMMV.

4. If five other people and/or groups take me up on the challenge and we meet our average, OSF will meet its goal. We still hope everyone else will contribute not only time but *effort* to help the project.

5. This is not a gimmick. It's not smoke and mirrors. You can see what OSVDB pushes on a daily basis on our Twitter page and on our contributors page. We will push all legitimate vulnerabilities just as we have been doing for years. If we're slow for a few days, don't worry. We'll catch up.

So, that's the challenge. If anyone wants to play and match my offer, please contact us at moderators[at]osvdb.org. I'm going back to work now.


OSVDB 2009 Q4 Changelog

Posted by jericho Tue, 08 Dec 2009 22:50:00 GMT

I always mean to post changes more frequently, but apathy and other tasks seem to win the day. Here is a brief list of OSVDB change highlights over the past few months.

Content / Search / Other:
  • New menu system (top and left nav)
  • Twitter feed more actively used for project updates
  • Twitter feed displays on front page
  • 'About' page is updated, expect more static pages to be updated to better reflect project status soon
  • CVSSv2 scoring support added, including:
    • CVSS scoring history (historically track NVD, OSVDB and other sources)
    • Anyone can submit scores for entries without CVE/NVD (over 13,000)
    • Updating CVSS scores for entries without one is worth 0.25 points for now, to encourage mangling
    • Moderation system in place for submitted CVSS scores
  • Creditee system overhaul (http://blog.osvdb.org/2009/11/21/creditee-system-overhauled)
  • "Vulnerabilities in OSVDB disclosed by type by quarter" graphs added to front page
  • More fixes to continue support for IE6. Don't expect this to last!

Creditee System Overhauled

Posted by jericho Sat, 21 Nov 2009 23:00:00 GMT

Thanks to Dave, we now have a completely re-written creditee system. For years, we operated off a four-field system (name, email, company, url) for tracking vulnerability researchers. While we tracked that information, it was not flexible and led to serious problems with data integrity. Even worse, it didn't allow for long-term tracking of a researcher's disclosure history. There were several cases where the system couldn't handle proper data tracking, for example:

  • If John Doe works for CompX and discloses a vulnerability, that becomes set in stone as associated with his name. This is problematic if John Doe goes to CompZ and discloses additional vulnerabilities.
  • The above scenario is even more problematic if John Doe then releases a vulnerability through a program such as iDefense or ZDI.
  • If two researchers shared the same name, there was no way to differentiate them.

While creating a creditee system to track this may seem straightforward, it is surprisingly difficult. After a lot of brainstorming and trying to determine where the system may fall short, we came up with something. What we are now referring to as "creditee v2" will be used with a clean set of data. All previous creditee data entered is labeled (internally) as "v1" and will only display if there is no v2 data.

The new creditee system is a bit more complex, but allows for one individual to be associated with multiple e-mail addresses, companies or organizations. We can also now track the country of the researcher and company separately to account for multi-national companies. With a better data set, we can now do a lot more analysis and generate interesting statistics for vulnerability researchers. As an example of the new system, you can now easily see all vulnerabilities associated with your name, e-mail addresses and affiliations. Clicking on the affiliation will show all researchers and the vulnerabilities disclosed by a given organization.

Even better, this system allows for one click access to your prior vulnerability disclosures. This could be useful for resumes, web page bios and more. We fully encourage you to "ego mangle" to help us fill in the data. Create an account, find your vulnerabilities in the database and fill in the details associated with that disclosure. Note: we are tracking the information associated with the disclosure, not necessarily your current e-mail or affiliation. If you can't find your vulnerability in the database, mail moderators[at]osvdb.org with details. We'll help you find it or add it in case it is missing. We're still working out several bugs in the system, but this is a great overhaul and a foundation of another long term feature enhancement: "researcher confidence".
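As an added illustration (not OSVDB's own code or schema), here is a minimal model of the creditee v2 data the post describes, with the legacy four-field v1 records kept as a display fallback; it covers the three cases listed above (a researcher moving between companies, a disclosure through a program such as ZDI, and two researchers sharing a name). Every class, researcher, ID and affiliation here is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Researcher:
    """One person, keyed by id so two researchers sharing a name stay distinct."""
    id: int
    name: str
    country: Optional[str] = None        # tracked apart from any company's
    emails: Tuple[str, ...] = ()         # one person, several addresses


@dataclass(frozen=True)
class CreditV2:
    """Credit as it stood at disclosure time: the affiliation is the one used
    for that disclosure (a company, or a program such as ZDI), not the
    researcher's current employer."""
    researcher_id: int
    email: Optional[str] = None
    affiliation: Optional[str] = None
    affiliation_country: Optional[str] = None


@dataclass(frozen=True)
class CreditV1:
    """Legacy four-field record: name, email, company, url."""
    name: str
    email: str = ""
    company: str = ""
    url: str = ""


@dataclass
class Entry:
    osvdb_id: int
    title: str
    credits_v1: List[CreditV1] = field(default_factory=list)
    credits_v2: List[CreditV2] = field(default_factory=list)


class CrediteeIndex:
    def __init__(self, researchers: List[Researcher], entries: List[Entry]):
        self.researchers: Dict[int, Researcher] = {r.id: r for r in researchers}
        self.entries = entries

    def display_credits(self, entry: Entry) -> List[Tuple[str, Optional[str]]]:
        """v1 data is shown only when the entry has no v2 credits."""
        if entry.credits_v2:
            return [(self.researchers[c.researcher_id].name, c.affiliation)
                    for c in entry.credits_v2]
        return [(c.name, c.company or None) for c in entry.credits_v1]

    def researcher_by_email(self, email: str) -> Optional[Researcher]:
        wanted = email.lower()
        return next((r for r in self.researchers.values()
                     if wanted in (e.lower() for e in r.emails)), None)

    def disclosures_by_researcher(self, researcher_id: int) -> List[int]:
        """All OSVDB IDs credited to one person, whatever affiliation applied."""
        return sorted(e.osvdb_id for e in self.entries
                      if any(c.researcher_id == researcher_id for c in e.credits_v2))

    def disclosures_by_affiliation(self, affiliation: str) -> List[Tuple[str, int]]:
        """(researcher name, OSVDB ID) pairs disclosed under one organisation."""
        return sorted((self.researchers[c.researcher_id].name, e.osvdb_id)
                      for e in self.entries for c in e.credits_v2
                      if c.affiliation == affiliation)


# Constructed sample: one "John Doe" discloses via CompX, then CompZ, then ZDI;
# a second "John Doe" is a different person; one entry has only v1 data.
RESEARCHERS = [
    Researcher(1, "John Doe", "US", ("jdoe@compx.example", "john@compz.example")),
    Researcher(2, "John Doe", "DE", ("doe@compq.example",)),
]
ENTRIES = [
    Entry(5001, "Example A", credits_v2=[CreditV2(1, "jdoe@compx.example", "CompX", "US")]),
    Entry(5002, "Example B", credits_v2=[CreditV2(1, "john@compz.example", "CompZ", "GB")]),
    Entry(5003, "Example C", credits_v2=[CreditV2(1, None, "ZDI", "US")]),
    Entry(5004, "Example D", credits_v2=[CreditV2(2, "doe@compq.example", "CompQ", "DE")]),
    Entry(5005, "Example E", credits_v1=[CreditV1("Jane Roe", company="OldCo")]),
]
INDEX = CrediteeIndex(RESEARCHERS, ENTRIES)
```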


Search Filters & Custom Exports

Posted by jericho Mon, 09 Nov 2009 19:59:00 GMT

Last week, OSVDB enhanced the search results capability by adding a considerable amount of filter capability, a simple "results by year" graph and export capability. Rather than draft a huge walkthrough, open a search in a new tab and title search for "microsoft windows".

As always, the results will display showing the OSVDB ID, disclosure date and OSVDB title. On the left however, are several new options. First, a summary graph will be displayed showing the number of vulnerabilities by year, based on your search results. Next, you can toggle the displayed fields to add CVE, CVSSv2 score and/or the percent complete. The percent complete refers to the status of the OSVDB entry, and how many fields have been completed. Below that are one click filters that let you further refine your search results by the following criteria:

  • Reference Type - only show results that contain a given type of reference
  • Category - show results based on the vulnerability category
  • Disclosure Year - refine results by limiting to a specific year
  • CVSS Score - only show entries that are scored in a given range
  • Percent Complete - filter results based on how complete the OSVDB entry is

Once you have your ideal search results, you can then export them to XML, custom RSS feed or CSV. The export will only work for the first 100 results. If you need a bigger data set to work with, we encourage you to download the database instead.

With the new search capability, you should be able to perform very detailed searches, easily manipulate the results and even import them into another application or presentation. If you have other ideas of how a VDB search can be refined to provide more flexibility and power, contact us!


More powerful searches, by looking at what's NOT there..

Posted by jkouns Fri, 30 Oct 2009 05:41:00 GMT

Sometimes when I read our past blog posts it seems like OSVDB moderators are a broken record.  We seem to always say that we had these ideas a long time ago.... We seem to frequently say that VDBs need to evolve....... We say that we would love to do something about it but need resources........ Times are changing for OSVDB.  As you have seen over the past couple weeks, we are extremely thankful for our lead developer Dave as he is making a lot of these ideas happen!

OSVDB has publicly stated several times (e.g., SyScan04 , CanSecWest 2005 and OSBR) that we felt it was important to achieve active integration with security tools to streamline the process of identifying and setting priorities for the creation of vulnerability checks.  Our goal is for OSVDB to assist tool developers to identify vulnerability checks or signatures that are not already represented in their products, and will provide a way to identify the high-priority vulnerabilities for immediate attention.

Today we took our first huge step forward to make this happen thanks to yet another improvement in our search engine.  A couple days ago I was discussing this idea again with Jericho and the possibility of trying to finally bring it to life.  To make it really happen we agreed we would need the search engine to function in a way it hasn't yet done.... it would need to search for things that are NOT in OSVDB, and need to search based on CVSS scoring / criteria.  After spending some time chatting with Jericho he said...... it may be complicated to implement.   Well, he definitely underestimated Dave's ninja development skills as this was knocked out in several hours over two days!

What is the big deal about this feature anyways?

What if for example.... 

    ...you were wondering which vulnerability scanner / IDS / IPS has the best coverage?

    ...you were trying to figure out which check you should write for your favorite scanner / IDS / IPS?

    ...you were trying to figure out what are the most important vulnerabilities missing from a scanner?

OSVDB can now show you a listing of all vulnerabilities with certain characteristics that are also missing a given reference. Even more powerful is the ability to search by CVSSv2 score or a specific attribute.

For example, we can have OSVDB show a listing of all vulnerabilities that have the following:

    - CVSS score between 9 and 10
    - are for Microsoft
    - can be exploited from remote/network
    - and do NOT have a Metasploit reference

Check out the results from OSVDB for the example above.

This search shows that there are 175 entries in OSVDB that Metasploit is missing a check for, that have a high impact.  Perhaps this list would be useful to HD and the folks over at Metasploit to determine which exploits need to be included next.  As you can see there is a lot more you can do with it.  Check out the OSVDB Advanced Search and play with it a bit!

As mentioned this is just the first step and is what we believe will be the basis for much more to come. OSVDB is positioned to be the central source to help review and determine the completeness of commercial security solutions.  We believe that OSVDB has an extremely high coverage of all disclosed vulnerabilities and will be able to provide insight into what vulnerabilities are covered (or missing) from a given scanner or tool.  We will be able to show the gaps and even provide guidance to users as to which scanner or tool would be best for their organization.  Instead of listening to a sales pitch that says "trust us we cover the most vulnerabilities!", OSVDB will have real data to show that Product X has more coverage than Product Y.  We will be in a position to allow a security practitioner to ensure that the products that are critical to their organization are covered in the scanner they are potentially purchasing.  As shown above, we can show which vulnerabilities do not have checks (Metasploit, Nessus, Snort, etc) for critical vulnerabilities. 

You know... when we find some time it would be a great idea for OSVDB to conduct a bake off on coverage between the top vulnerability scanners and IDS/IPS products. This of course relies on having vendors that are open and share their vulnerability mappings in a format that can be imported into OSVDB. So far, Nikto, Metasploit and Tenable's Nessus have provided us with these mappings. Another upcoming feature will be a system that allows these vendors to automatically upload updated mappings to keep OSVDB current. Three vendors down, who will be the next to step up?

Some day.
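As an added example (not OSVDB's own code or schema) serving both this post and the earlier Search Filters post, here is an in-memory SQLite model of the "what's NOT there" query above, generalised to the one-click filters (reference type present or absent, disclosure year, CVSS range) and to the per-tool coverage comparison the post proposes; the table layout, the `location` attribute, the tool names as reference types and all sample rows are constructed.

```python
import sqlite3

SCHEMA = """
CREATE TABLE vulns (
    osvdb_id        INTEGER PRIMARY KEY,
    title           TEXT NOT NULL,
    vendor          TEXT NOT NULL,
    disclosure_year INTEGER NOT NULL,
    location        TEXT NOT NULL,   -- 'remote' or 'local' (constructed)
    cvss_score      REAL             -- NULL: not yet scored
);
CREATE TABLE refs (
    osvdb_id  INTEGER NOT NULL REFERENCES vulns(osvdb_id),
    ref_type  TEXT NOT NULL,         -- 'CVE', 'Metasploit', 'Nessus', ...
    ref_value TEXT NOT NULL
);
"""

# Constructed sample data; IDs, titles and CVE-0000-* values are placeholders.
VULNS = [
    (9001, "Example Server RPC Overflow",        "Microsoft",   2008, "remote", 10.0),
    (9002, "Example Browser Use-After-Free",      "Microsoft",   2009, "remote", 9.3),
    (9003, "Example Office Privilege Escalation", "Microsoft",   2009, "local",  7.2),
    (9004, "Example Mail Server Heap Overflow",   "Microsoft",   2007, "remote", 9.3),
    (9005, "Example CMS SQL Injection",           "OtherVendor", 2009, "remote", 7.5),
    (9006, "Example Unscored Service Flaw",       "Microsoft",   2009, "remote", None),
]
REFS = [
    (9001, "CVE", "CVE-0000-0001"), (9001, "Metasploit", "example/rpc_overflow"),
    (9001, "Nessus", "10001"),
    (9002, "CVE", "CVE-0000-0002"), (9002, "Nessus", "10002"),
    (9003, "CVE", "CVE-0000-0003"), (9003, "Metasploit", "example/office_lpe"),
    (9004, "CVE", "CVE-0000-0004"),
    (9005, "CVE", "CVE-0000-0005"), (9005, "Nessus", "10005"),
    (9005, "Metasploit", "example/cms_sqli"),
    (9006, "CVE", "CVE-0000-0006"),
]

# Each filter is a fixed SQL fragment; user values only ever travel as bound
# parameters, so a hostile search string cannot change the query shape.
FILTERS = {
    "vendor":      "v.vendor = :vendor",
    "location":    "v.location = :location",
    "year":        "v.disclosure_year = :year",
    "cvss_min":    "v.cvss_score >= :cvss_min",
    "cvss_max":    "v.cvss_score <= :cvss_max",
    "has_ref":     "EXISTS (SELECT 1 FROM refs r WHERE r.osvdb_id = v.osvdb_id"
                   " AND r.ref_type = :has_ref)",
    "missing_ref": "NOT EXISTS (SELECT 1 FROM refs r WHERE r.osvdb_id = v.osvdb_id"
                   " AND r.ref_type = :missing_ref)",
}


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO vulns VALUES (?,?,?,?,?,?)", VULNS)
    con.executemany("INSERT INTO refs VALUES (?,?,?)", REFS)
    return con


def search(con, limit=100, **criteria):
    """Return (osvdb_id, title, cvss_score) rows matching every criterion.
    Unscored entries (NULL cvss) never satisfy a CVSS range, so a range
    search silently omits them; `limit` mirrors the 100-row export cap."""
    unknown = set(criteria) - set(FILTERS)
    if unknown:
        raise ValueError(f"unknown filter(s): {sorted(unknown)}")
    where = " AND ".join(FILTERS[k] for k in criteria) or "1=1"
    sql = (f"SELECT v.osvdb_id, v.title, v.cvss_score FROM vulns v WHERE {where}"
           " ORDER BY v.cvss_score DESC, v.osvdb_id LIMIT :limit")
    return con.execute(sql, {**criteria, "limit": limit}).fetchall()


def coverage(con, tool, cvss_min=9.0, cvss_max=10.0):
    """(covered, total) for scored entries in the range: the Product X vs
    Product Y comparison the post describes."""
    total = len(search(con, cvss_min=cvss_min, cvss_max=cvss_max))
    covered = len(search(con, cvss_min=cvss_min, cvss_max=cvss_max, has_ref=tool))
    return covered, total


if __name__ == "__main__":
    db = open_db()
    # The post's example: Microsoft, remote, CVSS 9-10, no Metasploit reference.
    for row in search(db, vendor="Microsoft", location="remote",
                      cvss_min=9.0, cvss_max=10.0, missing_ref="Metasploit"):
        print(row)
    for tool in ("Metasploit", "Nessus"):
        print(tool, coverage(db, tool))
```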
