Oldest Vulnerability Contest - Winner

Posted by jericho Thu, 10 Aug 2006 07:33:36 GMT

On December 20, 2005, I posted a contest looking for the oldest documented vulnerability. This generated a lot of interest and was posted to the FunSec Mail List which generated even more interest and information. It also led to me spending more time digging through my own notes and archives, something I had been meaning to do for ages. Even after all this time, the list of old papers and resources I have to track down is daunting. Since it is an ongoing project, I am overdue in posting about the winner of this contest. Not only did he eventually lead me to the documentation referencing what we call “Multics System Text Editor Multiple Instance CTSS Password File Disclosure” (Jan 1, 1965), but during ongoing e-mail discussion we were able to uncover several more in 1972. For that, Ryan Russell is the winner of this contest. We’ll be sending him some OSVDB schwag in return for his time and research.

Stay tuned for the next contest!

Posted in  | 3 comments

Defcon/BlackHat Thoughts

Posted by jericho Wed, 09 Aug 2006 02:03:08 GMT

I keep telling myself, “keep it short!” since writing about a week in Las Vegas tends to be wordy. No promises!

Some 3000 people apparently showed for BlackHat briefings and it showed. Despite that much money coming in and the amount of warning Caesars/BH had before the con, it was extremely frustrating attending (or giving) talks/panels where the speakers didn’t even have chairs. Like previous years, having to decide between six different tracks makes it difficult to see everything you want. Given that the videos are not always released in a timely manner, some slides don’t do the talks justice, and the professional/official videos of talks cost money, you really end up missing out on a lot of good material despite the high price tag for entry. Also frustrating this year was the abundance of “technical” talks chosen because some BH staffers think they are what draws people in. While often true, having so many tracks on SQL injection or Cross-Site Scripting gets old .. even with the various “new twists” or new methods for bypassing current protection schemes. I only mention this because I read several other proposals for talks that weren’t accepted, likely due to them being a bit less technical, even though they would have been in conjunction with new tools or information. If there will be six tracks next year, please consider keeping four of them for highly technical (but focused on new) presentations, and two for other presentations that are of interest to the security field.

Defcon’s big change was moving from the Alexis Park to the Riviera. On the up side, all indoors and air conditioned, bigger convention space, nifty skyboxes (underused though), more availability to quick food and drink in the hotel. On the down side, still ran out of room in some talks, couldn’t run across the road to as many restaurants and such, forced to deal with families / non convention types, many of the talks were either weak or previously done at BlackHat, they ran out of badges again (how many years before they print up an extra thousand), vendor area was cramped while the big room was underused, skyboxes were neat but most were empty all day even when it would have allowed dozens more to see a full talk, the talks couldn’t be piped to the hotel rooms like they were at Alexis and many other minor things.

All in all, I felt the cons were about average. Some good, some bad, not a whole lot really changed all said and done.

And finally, a lot of ’thanks’ are in order. In no particular order, sincere thanks goes out to: Mike Andrews and Foundstone for their detailed interviews with various folks involved in the security community. In return for an hour of my time talking about my involvement with OSVDB and Attrition.org, they gave me a chance to say a few things I felt important and kindly rewarded me with an excellent bag of schwag. iDefense, TippingPoint’s Zero Day Initiative and Microsoft (yes, I’m publicly thanking them!) for hosting excellent parties that allowed all sides of the industry to meet and talk. Steven and Bill of CVE as well as Jeffrey and Art from CERT.org (yes, I’m publicly thanking them!) for sitting down over beers to discuss vulnerability databases and related topics. I was a bit harsh on all of them but hopefully they know it’s because I care about the future of VDBs and want us all to provide a better service to our respective ‘customers’. William Knowles from InfoSecNews (ISN) for the offered sushi dinner I had to bail out on last minute as well as countless favors and advertising for OSVDB. Simple Nomad, Weasel and the fine folks at NMRC for a fun presentation and a steady stream of great research and information. Carole Fennelly and the rest of Hacker Court for another fun year of faux courtroom antics. Where else do you find an EFF lawyer mocking the EFF and a former DoJ lawyer defending hacker scum?! The Electronic Frontier Foundation (EFF) for stepping up and turning into the watchdog organization that we so desperately need. Pyr0 and the rest of 303 for skybox and party. Jake Kouns and Hooters for hosting the OSVDB Mangler Dinner. The Hilton Star Trek thingy for letting me finally get a replacement for the tribble I lost twenty years ago. To anyone I introduced to friends or colleagues as “older than dirt”, for giving me a little faith that a few others have stuck around. Delchi for getting us into the Krave Lounge and spinning great music there (as well as the 303 party).

Posted in  | 1 comment

OSVDB at BlackHat/Defcon

Posted by jericho Mon, 31 Jul 2006 15:28:04 GMT

Once again, many of the folks from OSVDB will be in Las Vegas this week, attending BlackHat Briefings and Defcon. Hopefully you can track one of us down for some OSVDB schwag and maybe have a beer while discussing the best way to get Jake to do the EFF dunk tank this year!

Posted in  | no comments

OSVDB Selected for Google's Summer of Code 2006

Posted by jkouns Mon, 24 Apr 2006 05:34:25 GMT

We are very pleased to report that OSVDB was selected for Google’s Summer of Code! This is great news as we hope to get some of the services and projects that have been on the back burner due to lack of development resources finally launched!

You can read about Google’s SoC here: http://code.google.com/soc/

With our Summer of Code project work, we hope to make several exciting enhancements to OSVDB’s public services. We have provided a list of important projects we are currently planning for; however, we are open to proposals for other projects and ideas.

You can read about OSVDB’s Project Ideas here: http://www.osvdb.org/summerofcode.php

OSVDB has been working very hard to provide many additional types of services to the community. Unfortunately, as mentioned, due to a lack of development resources we have been unable to make much of this happen. We now have an opportunity to possibly deliver on the OSVDB Portal and OSVDB Ethical Disclosure Framework commitments that we made when the project first opened.

You can read the public announcements with our intentions to provide OSVDB portal and disclosure services:

OSVDB Objectives http://www.osvdb.org/OSVDB-Objectives.php

Vendor Dictionary Announcement http://www.osvdb.org/news.php#vendorDictSiteUpgrade

Personally, I am absolutely thrilled that we may have the resources to develop the OSVDB Ethical Disclosure Framework. This has been one of the projects that I have been wanting for years and is validated as we see more and more issues with the disclosure process! I have believed all along that OSVDB can be the service that helps to improve, streamline and more importantly removes the mystery of the breakdowns in the process.

OSVDB has been handling one-off disclosures for researchers over the past 3-4 years and it is not an easy task. The amount of time it takes to handle a disclosure process is huge. We realized early on that a lot of the process needed to be automated in order to be successful and repeatable. Hopefully, there are some students out there that want to be a part of creating this service and we can get it launched by the end of the year!

We plan to post updates to the OSVDB blog as we get further in the process. If you have other ideas for projects that we should post please feel free to contact us at moderators@osvdb.org

Posted in  | 1 comment

Vulnerability Comment Feature

Posted by jkouns Thu, 13 Apr 2006 05:19:10 GMT

The Open Source Vulnerability Database (OSVDB) has, from the beginning, been a database built and maintained for the community, by the community. In an effort to further that mission, the project has recently added the ability for security practitioners to comment on vulnerabilities in OSVDB.

There are mail list discussions, blogs, bug tracking systems and many other forums for clarifying vulnerability information. Such follow-up often adds information like affected versions, exploitation caveats and additional attack vectors. Unfortunately, this information is often spread out among many sources and remains mostly unknown to a large portion of the community that uses and relies on such details.

While OSVDB has made every effort to include such references in some fashion, we have always desired a better and more concise method for the community to add information about a vulnerability. To help facilitate this, OSVDB will now allow users to comment on specific vulnerabilities. The project hopes this will provide a place for additional information to be maintained in a consolidated location. All user submissions will be moderated to ensure the information is clear, concise and helpful to others.

As always, the OSVDB project thanks you for your support, and continues to look for additional volunteers to help update the content and develop new services. For more information on supporting OSVDB through volunteering or sponsorship, please contact moderators@osvdb.org.

Posted in  | no comments

2005 Recap and Status Update

Posted by jkouns Thu, 26 Jan 2006 06:18:06 GMT

The Open Source Vulnerability Database (OSVDB), a project to catalog and describe the world’s security vulnerabilities, has had a challenging yet successful year. The project is fortunate to have the continued support of some devoted volunteers, yet remains challenged to keep up with the increasing number of vulnerability reports, as well as work on the back-log of historical information. Volunteers are continually sought to help us achieve our short and long-term goals.

Despite resource constraints, there have been many exciting successes in 2005:

* A major project goal of obtaining 501(c)3 non-profit status from the U.S. IRS was achieved. Obtaining non-profit status was critical to the long-term viability of the project. This status allows OSVDB to take charitable donations to help cover operating expenses, while providing a tax benefit to donor companies and individuals.

* The vulnerability database has grown to over 22,000 entries thanks to the dedicated work of Brian Martin, OSVDB Content Manager. At the end of December, over 10,000 of those vulnerabilities were worked on by volunteers to provide more detailed and cross-referenced information. Our volunteer "Data Manglers" and Brian have helped ensure OSVDB is the most complete resource for vulnerability information on the Internet.

* OSVDB started a blog in April, as a way for us to keep the public better informed on the project's status. Very quickly we realized the blog was a perfect place to discuss and comment on various aspects of vulnerabilities, and has become a successful mechanism for communicating with the security industry. If you have suggestions for topics, or would like to join the discussion, please visit the OSVDB blog.

We would like to also recognize our sponsors and thank them for their support. Digital Defense, Churchill & Harriman, Audit My PC, and Opengear have all provided important resources to OSVDB over the past year. We would also like to thank Renaud Deraison of the Nessus Project and HD Moore of the Metasploit Project for their support. Lastly, we of course want to thank our volunteers, and note that several of them have contributed to Nessus Network Auditing, available from Syngress Publishing.

We are very pleased with the progress and growth of OSVDB over the past year, but do not want to downplay the importance of recruiting new volunteers, as well as retaining our current ones, in order to get through the considerable back-log of vulnerabilities that need further work. This task is daunting, but will not only help retain valuable historical vulnerability information, but will also allow OSVDB to generate meaningful statistics for past and current years.

We have had a great year, and are looking forward to another one! We are of course still seeking assistance to help keep OSVDB successful; the project has many ideas in need of financial and volunteer support to implement. For more information on supporting OSVDB through volunteering or sponsorship, please contact moderators@osvdb.org.

Posted in  | no comments

OSVDB is Closing

Posted by jericho Mon, 19 Dec 2005 06:41:48 GMT

Ok, OSVDB is not really closing. But based on my experience with running and participating in projects and sites, the second you announce a valuable resource is going away, people come out of the woodwork to volunteer or support the project to keep it going. When the Attrition.org Defacement Mirror closed, I received several dozen mails asking, begging, even demanding that the project keep running. So why didn’t these same people help out for the years prior to the announcement? If a project or resource is that helpful and that valuable to you, why not support them?

Without going into a full rant or debate on the nature of open source (OS), one of the most prevalent arguments for OS is that the community can help. For OS code, it is argued that anyone can look at the source code and find bugs.. but they rarely do. For OS projects, it is argued that volunteers work on projects for the love of it, not because it’s a source of money for food and shelter.. but they often don’t.

That said, OSVDB could substantially benefit from one or two developers before any such closing. Ideally we need a couple folks with solid PHP coding experience, PostgreSQL database manipulation, and the willingness / desire / time to work on the project. We can promise you fortune and fame! Ok not really. What we can offer you:

  1. The ability to develop and enhance the project in a leadership role (we’ll even call you ‘god’ if you want)
  2. The chance to significantly change the vulnerability database landscape (yes, really)
  3. Work on a number of long term development projects (we have ideas, you have skills!)
  4. The freedom to work when and how you want, with little to no supervision (go wild)

Interested? Mildly curious? Know someone you want to subject to us? Contact us, or pass this info along please!

Posted in  | no comments

OSVDB at Defcon

Posted by jericho Tue, 26 Jul 2005 21:24:47 GMT

Several project leaders and OSVDB volunteers will be attending Defcon later this week. If you would like to meet up, hang out, ask questions or pledge time (booze?!), feel free to track us down. Odds are we will be around the Alexis Park pool during the evening hours. We might even have some stickers to hand out (trade for booze?!)!

Posted in  | no comments

OSVDB Recognized as 501(c)3 Non-Profit Organization

Posted by jkouns Sat, 09 Apr 2005 05:17:18 GMT

The Open Source Vulnerability Database, a project to catalog and describe the world’s security vulnerabilities, has continued to focus on improving database content and increasing services offered to the security community.

Since the official launch of OSVDB in March 2004, the vulnerability database has grown from 1000 to over 6700 complete entries. This rapid growth has far surpassed initial estimates, and the project’s many successes show that the open source community can truly deliver world-class security information.

OSVDB’s rapid success is directly attributed to the dedicated volunteers who help populate, maintain and enhance the database. Their hard work has already allowed OSVDB to exceed the amount of vulnerability information available in some databases. At the current rate of growth, the project is poised to surpass the other vulnerability databases by the end of 2005. “It will soon become mandatory for security professionals to use OSVDB if they want the most thorough information available,” says Brian Martin, one of the project leaders.

The OSVDB leadership team has been aggressively working to ensure the long term viability of the project. After improving content to be recognized as an industry leader, the team determined that incorporating as a non-profit organization was imperative to OSVDB’s future success. Founded to formally run the OSVDB project, the Open Security Foundation has been approved as a 501(c)3 non-profit organization under United States law. Jake Kouns, OSVDB project lead, says, “Achieving our non-profit status will allow us to seek funding and ensure free vulnerability information will be available for years to come.”

Two of the OSVDB project leaders, Brian Martin and Jake Kouns, will be presenting a talk called “Vulnerability Databases: Everything is Vulnerable” at cansecwest/core05 in May 2005. The presentation aims to provide an unbiased review of vulnerability databases, and addresses the value they should provide to security practitioners.

Posted in  | no comments

OSVDB Opens Vendor Dictionary

Posted by jkouns Tue, 31 Aug 2004 05:16:44 GMT

The Open Source Vulnerability Database, a project to catalog and describe the world’s security vulnerabilities, has expanded its offering and opened a vendor dictionary that serves as a centralized resource for vendor contact information for public use on 31 August 2004.

The OSVDB vendor dictionary is a resource through which the security community will be able to gather contact information for a desired vendor. The vendor dictionary is a list of vendors, indexed by name, which may be freely searched and utilized by all who wish to find both general and security contact information. The service also provides a way for vendors to keep their information current within the dictionary. With straightforward forms, OSVDB will be a concise and central repository for up-to-date, accurate vendor contact information, and it’s free.

“Vendors expect to be contacted when researchers find security holes, no matter what,” says Jake Kouns, project lead for OSVDB. “However, many vendors do not provide easy to locate contact information on their websites. This makes it challenging, time consuming and sometimes impossible for security researchers to follow responsible disclosure practices.”

OSVDB aims to make it simple for contact information to be shared between researchers and vendors. The vendor dictionary is essentially a giant phonebook of vendors with current contact information, interfaced directly with the OSVDB database. It is designed for vendors, security professionals, and the security community alike. Many security researchers that routinely practice ethical disclosure find themselves unable to do so, due to the fact that the vendor contact information required is sometimes too challenging to find. Alexander Koren, an OSVDB volunteer from Germany, explains, “There will no longer be a need to dig through web pages to hopefully find all the necessary information anymore.” OSVDB realizes the necessity for a current and free resource for this information, and has responded by developing the dictionary to fill this gap.

Even though anyone can help maintain the dictionary, OSVDB calls for all software and hardware vendors to visit the vendor dictionary and ensure that their contact information is accurate and complete. OSVDB also urges vendors to reassess the means through which a researcher may contact them with vulnerability research. While populating the dictionary, it was noticed that many vendors utilize web forms for a user to submit information, which is not always convenient or the preferred contact medium. OSVDB encourages vendors to follow RFC 2142 (section 4) guidelines and have a specific security email address available for use by researchers. This will facilitate the ability for vulnerability researchers to communicate with vendors, and to ensure vulnerability reports are not missed.

Brandon Shilling, a member of the OSVDB development team who worked extensively on the vendor dictionary, says, “The function of the dictionary is merely just a foundation for how OSVDB intends to revolutionize the way vulnerabilities are disclosed to the vendor.” The OSVDB dictionary is the first phase for additional upcoming services including assisting researchers with ethically disclosing vulnerabilities, helping to verify vulnerabilities, and the OSVDB vulnerability portal.

Posted in  | no comments
