Posted by jericho
Tue, 25 Mar 2008 05:16:20 GMT
Public Enhancements:
- Titles now prominently display “myth/fake” to help users mentally filter those when reading search results
- New users signing up are subjected to a CAPTCHA to prevent abuse
- Small re-design of vulnerability editing pages to improve screen real estate use
- Front end now shows who is online
Behind the Scenes:
- Bulk search enhancements, ultimately to better handle CVE matching
- Remove some error conditions that could occur during vendor management
Posted in OSVDB News | no comments
Posted by jkouns
Tue, 18 Mar 2008 01:06:41 GMT
OSVDB has been accepted for Google’s Summer of Code for 2008. Please help spread the word and encourage all eligible students to apply for an OSVDB project! Google will begin accepting student applications on Monday, March 24, 2008!
If you have any questions or would like some more details about our project ideas please get in touch with us!
Posted in OSVDB News | no comments
Posted by jericho
Wed, 05 Mar 2008 06:21:37 GMT
Public Enhancements:
- New reference type: milw0rm
- Vulnerability editing - several fields now bigger to better use screen real estate
Behind the Scenes:
- Internal tool to better track advisory pages
- Improvements to the reference migrator
Posted in OSVDB News | no comments
Posted by jkouns
Tue, 04 Mar 2008 02:36:10 GMT
Google Summer of Code 2008 is officially on. Full details at http://code.google.com/soc/2008/
OSVDB has submitted an application and has been accepted. With our Summer of Code project work, we hope to build off the release of OSVDB 2.0 and develop new enhancements to OSVDB’s public services. Here is this year’s list of ideas/important projects; however, we are open to proposals for other projects and ideas.
OSVDB Port Listing Project - Preferred language is Ruby on Rails
We are looking to create a project that will be a central repository for all known ports and protocols. This will be the foundation of many new features such as referencing ports/protocols to OSVDB IDs. This will then allow OSVDB vulnerabilities to be better mapped to firewall rules, IDS alerts and potential integrations to other security projects such as NMAP.
- This project should detail all well known/default/registered ports
- This project must have an automated feature that can import port information from iana.org as a baseline (PORT NUMBERS)
- This project must allow users to submit updates/edits wiki style
- This project needs to include fields for necessary tracking including: Keywords, Number, Transport (TCP, UDP, ICMP, etc), Application, Links, Description
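An importer for the iana.org baseline that maps registry rows onto the tracking fields listed above (Keywords, Number, Transport, Application, Links, Description), as an added Ruby example that is not part of OSVDB's project; it assumes the column names of IANA's service-names-port-numbers CSV, and the sample rows are constructed:

```ruby
# Added example (not OSVDB's code): turn IANA's service-names-port-numbers CSV
# into records carrying the fields the port listing project asks for.
# Column names are assumed to match the header of the current IANA CSV.
require 'csv'

# Constructed sample rows in the IANA layout (not a download).
SAMPLE_CSV = <<~CSV
  Service Name,Port Number,Transport Protocol,Description,Assignee,Contact,Registration Date,Modification Date,Reference,Service Code,Unauthorized Use Reported,Assignment Notes
  ssh,22,tcp,The Secure Shell (SSH) Protocol,,,,,[RFC4253],,,
  ssh,22,udp,The Secure Shell (SSH) Protocol,,,,,[RFC4253],,,
  ,1024-1029,tcp,Reserved,,,,,,,,
  http,80,tcp,World Wide Web HTTP,,,,,[RFC7230],,,"Defined TXT keys: u=<username> p=<password> path=<path to document>"
  ,27,tcp,Unassigned,,,,,,,,
  msrpc,135,udp,DCE endpoint resolution,,,,,,,,
CSV

TRANSPORTS = %w[tcp udp sctp dccp].freeze

# Expands "1024-1029" into 1024..1029 and "22" into 22..22.
def port_range(field)
  lo, hi = field.split('-', 2).map(&:to_i)
  lo..(hi || lo)
end

# Returns one record per (port, transport) pair; ranges are expanded so every
# port number can be matched individually against a firewall rule or IDS alert.
def import_iana(csv_text)
  records = []
  CSV.parse(csv_text, headers: true).each do |row|
    name = row['Service Name'].to_s.strip
    desc = row['Description'].to_s.strip
    transport = row['Transport Protocol'].to_s.downcase
    # Skip placeholder rows: no port, unknown transport, or IANA's own markers.
    next if row['Port Number'].to_s.empty? || !TRANSPORTS.include?(transport)
    next if name.empty? && %w[Reserved Unassigned].include?(desc)
    # IANA references look like "[RFC4253]"; keep them as link keys.
    links = row['Reference'].to_s.scan(/\[([^\]]+)\]/).flatten
    port_range(row['Port Number']).each do |number|
      records << {
        keywords: [name, *desc.downcase.split(/\W+/)].reject(&:empty?).uniq,
        number: number, transport: transport,
        application: name, links: links, description: desc }
    end
  end
  records
end

# Lookup key for tying a port/transport seen in a rule or alert to the registry.
def index_by_port(records)
  records.group_by { |r| [r[:number], r[:transport]] }
end
```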
OSVDB Training Portal Framework - Preferred language is Ruby on Rails
This project is to create a flexible framework that can provide training on security issues. OSVDB is looking to not only provide information on vulnerabilities but be a repository for training information that will help educate end users on how to avoid security risks and developers on how to avoid coding insecure applications.
- This project must be able to integrate with the existing OSVDB portal
- This project must have an interface that allows users to create their own training material
- This project must have an interface that allows users to create their own training quizzes
- This project must have an interface to provide reports and track the results.
- A user needs to be able to create a custom quiz or select from a list of OSVDB published quizzes.
- A user needs to be able to send a quiz to multiple people by inputting email addresses.
- The system will track the quiz and results based on the emails that are sent via the training portal.
- This project should allow users to provide comments and coaching information in a wiki style to help educate
- The project will ultimately cross reference OSVDB IDs. For example: when a user is viewing a specific vulnerability it will allow them to then take a training course and a quiz to test their knowledge
OSVDB Personal Edition Phase II - Preferred language is Ruby on Rails
We released the OSVDB Personal Edition and it is a very small Ruby on Rails application that utilizes the SQLite database export to give you your own, albeit relatively feature-less, local OSVDB instance. This project is intended to take the OSVDB Personal Edition to the next level.
- This project will provide improvements and a seamless installation package
- This project will include new search features
- This project will include new features defined by you!
OSVDB Widgets and Gadgets - Preferred language is open for discussion!
OSVDB has a very strong online feature set but a user needs to be logged in to use the services. This project is intended to utilize the OSVDB as the main data source but should be a security dashboard for professionals.
- Gadgets and Widgets should work for OSX and/or Vista
- Should provide security news updates from multiple sources
- Should provide alerts when new alerts from vendors are released
- Should provide alerts for new vulnerabilities added to the OSVDB database
- Should provide search capabilities for OSVDB
- Must be able to support OSVDB API functionality
OSVDB Statistics Project - Preferred language is Ruby on Rails
This project is to create a flexible framework that can provide useful statistics on vulnerabilities from OSVDB. This project should take into consideration all of the fields and classifications in OSVDB.
- Should create and generate standard/most popular graphs and charts each day and make them available
- Should create statistics that allow very flexible/detailed stats to be dynamically generated on demand by the user
- Some examples of statistics required:
  - # of vulns based on Disclosure Year
  - Detailed stats based on each vuln classification option (ALL OPTIONS)
  - # of vulns by Vendor
  - # of vulns by Product
  - # of vulns that do not have a solution (and by vendor)
  - Time from when a vuln was discovered to when it was disclosed
- Create a stats application that allows users to dynamically generate stats based on their own requirements.
- Trend the number of vulns released per day
OSVDB Vulnerability Visual Mapping - Preferred language is open for discussion!
This project is to create a visual mapping of all vulnerabilities in OSVDB. This will allow users to visually search the database and also to see the relationships between vulnerabilities. Have you ever seen music plasma? This could be pretty challenging but we have been wanting to see this project done for a long time!
Vulnerability and Patch Management Portal - Preferred language is Ruby on Rails
This project is to create a flexible framework that can provide organizations the ability to track and manage vulnerabilities and patches. OSVDB is looking to not only provide information on vulnerabilities but be a service that can provide security professionals a way to track and ensure that vulnerabilities have been addressed at their organization.
- This project must be able to integrate with the existing OSVDB portal
- Should allow users to manage the life cycle of vulns and patches
- Should allow users to select vulnerabilities or patches based on an OSVDB watchlist
- Should create a lifecycle that will alert a user when a new vulnerability or patch is released and goes into the portal
- Users can then track their organization’s progress including: Research, Test, Implementation, Closure
- The project should allow an organization to show compliance with vulnerabilities and patches
Vulnerability Cross References and Scraper - Preferred language is Ruby on Rails and open for discussion!
OSVDB is a project that aims to have as many references to vulnerabilities as possible. Unfortunately, in most cases volunteers have to search by hand to find more information to add to an entry. The goal of this project is to create a module that can search multiple security resources and cross-reference OSVDB entries to other resources.
- Cross reference OSVDB IDs and provide references that are missing
- Search the following (all external references OSVDB uses) for a string: Bugtraq, Bugtraq Mailing List, CVE, Full-Disclosure Mailing List, ISS X-Force, Nessus, OSVDB, Packetstorm, Secunia, Securiteam, Security Tracker, Snort
- Search the resources based on user supplied check boxes for refined/targeted searches
- Offer simple search, pull back just a summary of findings
- Offer recursive search for some sites. If the entry at another site (for example CVE) is known then it should be an option to pull back all of the other references in that entry as well
- Should be a framework that allows new security sites to be added when they become available
- Should run once a night and look at all entries (even old ones) to see if there are more references that can be added.
- There should be some kind of approval process or a quick way that we can automatically add the references to the appropriate IDs.
New security project? New security scanner? New OSVDB feature? - Preferred language is open for discussion!
- Have an idea for a new security scanning tool?
- Have an idea for a new feature that is missing from OSVDB?
- Have an idea that can use information from our web scanning database?
- Have an idea for a security scanner that searches a local server for vulnerable scripts?
Posted in OSVDB News | no comments
Posted by jericho
Mon, 03 Mar 2008 06:25:53 GMT
Public Enhancements:
- Improvements to the Watch List functionality
- Improved the automated META keyword population
- When mangling creditee, some errors caused the information not to add or update correctly - now fixed
- Utility now checks ext-refs for 404s and auto-flags them as such
- Technical Notes field had some editing issues - fixed
Behind the Scenes:
- Removed some error conditions in bulk search
- Bulk search now lists what wasn’t found
- Bulk search now auto-links more fields
- Can now copy products between entries
- Removed more error conditions when managing vendors
Posted in OSVDB News | no comments
Posted by lyger
Wed, 27 Feb 2008 03:42:37 GMT
… that leads to your door will never disappear…
Sorry about The Beatles lyrics, but the last couple of months have seemed like a rather long and winding road as far as posting new vulnerabilities is concerned. Many hours (days/weeks/months) of combined effort went into making OSVDB 2.0 a reality. When that finally happened, we were faced with another new challenge: clear out what appeared to be a huge backlog of vulnerabilities stacked up in what we refer to as “NDM”, or the New Data Mangler queue. Cliffs Notes: the NDM queue is a backend stash of vulnerabilities that haven’t yet been added to the front-end database; those entries generally need basic information added such as disclosure dates, external references, and titles that clearly reflect the nature and impact of a vulnerability. At the time OSVDB 2.0 was released, we were looking at a queue of over 1,000 entries in the main NDM queue that each needed at least a couple of minutes of attention.
I’m taking a few minutes away from the NDM queue to type this post. When I started typing, the NDM queue was sitting at 331. As of this sentence, it’s now at 325 as Jericho works on pushing more vulns to “new” status. That doesn’t include the new vulnerabilities that come into NDM on a daily basis, so the drop of 700 vulns is NET, not gross. On or about January 5, 2008, OSVDB’s database gathered its 40,000th vulnerability. In the last 52 days, over 2,200 vulnerabilities have been added to the database. We would like to thank everyone who has supported OSVDB by taking their time to add references, vendors, credits, and descriptions, but we have a little surprise…
There’s another 2,000 vulnerabilities or so to go until we can say we’re “caught up”. We also have a very large stash of CVE-listed vulnerabilities dating back to at least 2002 that require data entry and inclusion into the database. For now, we’re focusing on getting the most recent vulnerabilities into the database, but we will DEFINITELY need more help going forward. If you’re interested in being involved, please let us know; OSVDB is a COMMUNITY project and we would like to have more people involved to help improve data quality, data quantity, and security awareness as a whole. For any questions or comments, please mail us at moderators@osvdb.org
back to ndm… down to 324… ;)
Posted in OSVDB News | 1 comment
Posted by jericho
Thu, 14 Feb 2008 05:21:40 GMT
This time, it happened to the OSVDB blog. Unfortunately, WordPress doesn’t have a very good track record on security. During the migration from the old OSVDB to 2.0, we noticed a problem with the blog and several ‘spam’ posts appearing. We attributed it to one of the many previous wordpress bugs. We cleaned out the tainted posts, upgraded to the latest wordpress, and went on our merry way.
Shortly after, a blog reader contacted us to point out that existing posts we made had “noscript” advertisements embedded in them. Our expansive development team (the overworked Dave) looked into it. He started looking through the files for any obvious signs of a compromise – checked the plugins, etc. All seemed normal. Next he checked the web logs and noticed Chinese addresses POSTing to xmlrpc.php at various times throughout the day, most often at night. He then enabled xmlrpc logging inside of the script, cleaned out the database again, and noticed lots of just this:
2008-01-31 04:04:00 Input:
2008-01-31 05:01:43 Input:
2008-01-31 19:29:01 Input:
Posts continued to be altered during his investigation. Suspecting user account compromise, he checked the WordPress users, noticed a good chunk of new users had been added in recent months, mostly all obvious spam users. Spam users aren’t uncommon, but usually a small percentage. In the past few months, the vast majority of users were spam users.
When OSVDB 41136 came out, it all became clear. Since fixing the vulnerability, no posts have been edited.
I know this post is late, but we wanted to clear up any confusion and set the record straight on what occurred. We can definitely say this vulnerability was discovered in the wild.
Posted in OSVDB News | no comments
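A detection pass over web-server access logs for the xmlrpc.php POST pattern the post above describes (which clients are POSTing to it, how often, and at what hours), as an added Ruby example that is not OSVDB's code; the log lines are constructed, and the two-request threshold is an assumption:

```ruby
# Added example (not OSVDB's code): summarise POST requests to WordPress's
# xmlrpc.php per client from Apache/nginx "combined" format access log lines.
require 'time'

# Constructed sample log lines (not from the OSVDB server).
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [31/Jan/2008:04:04:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
  198.51.100.7 - - [31/Jan/2008:05:01:43 +0000] "POST /xmlrpc.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
  198.51.100.7 - - [31/Jan/2008:19:29:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
  203.0.113.9 - - [31/Jan/2008:10:15:22 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
  203.0.113.9 - - [31/Jan/2008:10:16:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
  192.0.2.44 - - [31/Jan/2008:22:40:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 312 "-" "-"
LOG

# Client IP, timestamp, request line and status of a combined-format entry.
COMBINED_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Returns a Hash for one log line, or nil when the line does not parse.
def parse_line(line)
  m = COMBINED_RE.match(line) or return nil
  { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path].split('?').first, status: m[:status].to_i }
end

# Returns client IP => { count:, hours: [...] } for every client that POSTed to
# xmlrpc.php at least `threshold` times. Legitimate remote-publishing clients
# belong on a short allow-list; anything else, especially off-hours bursts,
# is worth a look (the threshold of 2 is an assumption for the sample).
def xmlrpc_posters(log_text, threshold: 2)
  stats = Hash.new { |h, k| h[k] = { count: 0, hours: [] } }
  log_text.each_line do |line|
    r = parse_line(line) or next
    next unless r[:method] == 'POST' && r[:path] == '/xmlrpc.php'
    stats[r[:ip]][:count] += 1
    stats[r[:ip]][:hours] << r[:time].hour
  end
  stats.select { |_, v| v[:count] >= threshold }
       .transform_values { |v| { count: v[:count], hours: v[:hours].uniq.sort } }
end
```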
Posted by jericho
Tue, 12 Feb 2008 08:07:36 GMT
In a recent discussion on the security metrics mailing list, Pete Lindstrom put forth a rough formula to throw out a number of vulnerabilities that have been discovered versus undiscovered. One of the data points that he cited led me to his page on “undercover vulnerabilities”, his term for “0-day” in a certain context. Since the term “0-day” has been perverted to mean many things, he clearly defines his term as:
Undercover Vulnerability: A vulnerability that was generally unknown (e.g. not published on any lists, not discussed by “above ground” security folks) until it was actively exploited in the wild. The vulnerability was discovered through evidence of tampering or other means, not through the usual bugfinding ritual.
In my reply challenging some of his numbers, I specifically said that “if we consider that your number 20 is off by at least half, and I would personally guess it’s more like a small fraction, how does this change your numbers?” Pete took this in stride and offered to buy me a case of beer if I could find half a dozen that he didn’t have. Not one to pass up free booze and vulnerability research (yes, I’m weird) I spent several hours Friday doing just that. I ended up with 24 vulnerabilities that seemed to match his definition, roughly half of them in his time frame (“in the last two years”).
Pete’s page got me wondering just how many vulnerabilities would be classified as ‘undercover’ by his definition. Further, I thought about another question he asked on his page:
I am open to suggestions on an easy way to do this with TypePad (TypeLists, maybe?). Else, I’ll just periodically update as new vulns become available.
I cornered our lead developer Dave and said “make it so” while I mailed Pete asking if OSVDB could help in this effort. As a result, we now have a new classification that we call “Discovered In the Wild” that means the same thing as Pete’s “undercover vulnerability”. I have updated the 20 vulnerabilities listed on his page and added the flag to the ones I researched. This now shows 43 results which is good progress.
Not content with that, I asked a fellow geek who has a world more experience with IDS, NOC management and various devices that would be prone to catching such vulnerabilities “how many do you think were found this way last year”, to which she replied “at least 50”. So vulnerability researchers and OSVDB contributors, it’s up to you to help out! We’re looking for more instances of vulnerabilities being discovered “in the wild”, being exploited and subsequently disclosed (to mail list, vendor, whatever). Please cite your source as best as possible.
To see what we have so far:
- http://osvdb.org/search/advsearch
- Under “Vulnerability Classification” and “Disclosure”
- Check “Discovered in the Wild”
- Search
Thanks to Pete Lindstrom and the Security Metrics mailing list for the input and great idea for a new classification!
Posted in Vulnerability Disclosure, OSVDB News | no comments
Posted by d2d
Thu, 07 Feb 2008 08:16:09 GMT
We just introduced 3 new database export formats:
- SQLite
- MySQL (mysqldump)
- and CSV
The easiest of the three to download and dive into is SQLite, though the MySQL dumps take a close second. The CSV tarball also includes a SQL script to import the data into MySQL simply for reference. Perhaps someone can contribute a PostgreSQL CSV import script?
All of these are available at the database info page – along with an updated visual representation of the Schema. The old XML dumps are still there and continue to run, but the scripts used to process them are now officially deprecated. Simple reason being that they don’t work any longer, and given the above new methods of getting your hands on the data, the old scripts are obsolete anyway.
Also, as a sample of how one can utilize the new export formats, we’re releasing OSVDB Personal Edition. OSVDB Personal edition is a very small Ruby on Rails application that utilizes the SQLite database export to give you your own, albeit relatively feature-less, local OSVDB instance.
It’s quick and easy to set up (requires a few dependencies be installed, all documented in the README), and has been tested on Linux, Windows XP, Windows Vista, and Mac OS X Leopard. There are some minor issues running on Tiger, which are somewhat documented in the README.
OSVDB Personal Edition is not intended to really be a new offering by OSVDB, as aforementioned, it is primarily a way to showcase our new database exports. You can grab it from our tools section.
In less exciting news, the vendor dictionary has been rid of the annoying ajax popups, and the search engine has received some mild tweaking.
Posted in OSVDB News | no comments
Posted by d2d
Tue, 29 Jan 2008 02:39:40 GMT
We are looking for a few Ruby on Rails programmers to help us further the OSVDB project. The positions are volunteer, and we have little to offer outside of some interesting programming challenges, kudos, and satisfaction in helping to further a great resource for the community.
The requirements are that you have at least some experience with rails and subversion, as well as working with a team. If you’ve worked with STI, RESTful stuff, and all manner of XML parsing fun, that would be a plus.
We’re also looking for testers to help us hammer away at new code before pushing it live. The testing help is also volunteer, and requires very little time commitment. Essentially, when the developers need something tested, we’ll shoot out an email to the testing volunteers to hammer away at something specific.
If either of these is of interest, send an email to moderators@osvdb.org and let us know which role you’re interested in.
Posted in OSVDB News | no comments