We just recently noticed that OSVDB was discussed during a podcast called Faceoff started by Jade Robbins and Mark Sanborn. In Episode 5: Scaling to Hit it Big, at about 19:54, they talk about OSVDB for several minutes. They cover the project in general and also review several of the basic features of OSVDB and how someone can use the site. They speak about the search capabilities and even mention that OSVDB has a vulnerbaility from back in 1965. This was submitted by Ryan Russell as part of our oldest vulnerability contest and I can now say Ryan has finally received his OSVDB schwag….. only took a couple years for him to get it! =)
They also explain how in addition to the website that the OSVDB database itself can be downloaded and used as well. To clarify a point they discuss, once you create an account with OSVDB you can download the database as many times as you want. They also spend some time discussing our Watchlist feature which I thought was pretty cool that it was mentioned. For those that are not aware, when you create an account you can then setup two types of Watchlists.
The Vendor/Product Watch list
This watchlist will alert you to vulnerabilities for specific products that you subscribe to. Alerts are generated when a vulnerability is updated to include the product and vendor information. Soon, we may introduce a feature that will enable alerting as soon as the vulnerability is processed through our systems.
The Mailing List Aggregation Watch list
OSVDB allows you to subscribe to roughly 20 vendor advisory mailing lists. The advisory mailings are sent to OSVDB, we process them, and forward them on to you. That way, rather than managing 20 individual advisory subscriptions, you only need to manage one through OSVDB.
Thanks to the guys at Faceoff for their support and it is worth listening to the entire podcast. It did make us laugh a bit as they commented at one point that WordPress has all kinds of vulnerabities. Most of our dedicated readers know the ongoing WordPress issues we had and our eventually move away from it! =)
Thanks also to Ryan Heimbuch for suggesting OSVDB to be reviewed.
OSVDB can also now be followed on Twitter: http://www.twitter.com/osvdb
Welcoming in 2009
OSVDB would like to wish everyone a happy and hopefully prosperous new year! 2008 was pretty cool for us as far as enhancements and support of OSVDB 2.0 go, and we were very happy to add over 11,000 new vulnerabilities to the database in the last year. We currently have over 51,000 vulnerabilities in the database to start the new year, and would like to invite everyone to please consider adding to this resource, whether you have a user account or not. We can use (and will gladly accept) as much help and input as we can get, so if you’re lacking a new year resolution, maybe consider an hour a week to assist the security industry gather and share knowledge about vulnerabilities.
If you have any questions, comments, or ideas, please contact us at firstname.lastname@example.org
General information can be found at Opensecurityfoundation.org
Happy new year, everyone!
From time to time we take a moment as a team to reflect on the project. In most cases a major milestone occurs and gets us to think about OSVDB and the security industry. Today OSVDB went over 50,000 entries in the database. One must keep in mind that these are only vulnerabilities that the industry knows about or have been made public. It has been said before that until you can truly measure something and express it in numbers you have only the very beginning of understanding on the subject. OSVDB continues to promote a greater understanding by providing accurate, detailed, current, and unbiased technical information on security vulnerabilities.
Looking for Volunteer Rails Developers!
The Open Security Foundation is looking for a few good Ruby on Rails developers to help us on a volunteer basis in developing and enhancing osvdb.org, as well as datalossdb.org.
We need folks who are interested in security, with a background in Ruby on Rails development.
For helping on OSVDB, you really need to have a solid understanding in these areas:
- Single-table inheritance
Dataloss DB isn’t as complex. A volunteer needs only to be experienced with REST and have already worked on RoR projects, but also have knowledge and experience with SOLR to help with the learning curve!
Both projects require experience with Subversion, and decent written communication skills.
If you’re interested in helping out, we encourage you to email us at:
moderators[at]osvdb.org (for OSVDB work), or curators[at]datalossdb.org (for datalossdb.org work).
In your email, please send a quick and informal resume with links to Ruby on Rails work you’ve done in the past, or projects you’re currently working on.
It’s not a job… it’s an adventure (or a hobby, or just a way to do something important for the InfoSec community!)
The OSVDB team will definitely be in Vegas this year. If you would like to meet up then please drop a line to email@example.com and let us know. Typically we organize an OSVDB dinner but we have been a little slack in organizing it this year! If you are interested let us know and we will see what we can make happen…
Look forward to seeing everyone soon…
The Open Security Foundation (OSF) is pleased to announce that the DataLossDB (also known as the Data Loss Database – Open Source (DLDOS) currently run by Attrition.org) will be formally maintained as an ongoing project under the OSF umbrella organization as of July 15, 2008.
Attrition.org’s Data Loss project, which was originally conceptualized in 2001 and has been maintained since July 2005, introduced DLDOS to the public in September of 2006. The project’s core mission is to track the loss or theft of personally identifying information not just from the United States, but across the world. As of June 4, 2008, DataLossDB contains information on over 1,000 breaches of personal identifying information covering over 330 million records.
DataLossDB has become a recognized leader in the categorization of dataloss incidents over the past several years. In an effort to build off the current success and further enhance the project, the new relationship with OSF provides opportunities for growth, an improved data set, and expanded community involvement. “We’ve worked hard to research, gather, and make this data open to the public,” says Kelly Todd, one of the project leaders for DataLossDB. “Hopefully, the migration to OSF will lead to more community participation, public awareness, and consumer advocacy by providing an open forum for submitting information.”
The Open Security Foundation’s DataLossDB will be free for download and use in non-profit work and research. The new website launch (http://www.datalossdb.org/) builds off of the current data set and provides an extensive list of new features. DataLossDB has attained rapid success due to a core group of volunteers who have populated and maintained the database. However, the new system will provide an open framework that allows the community to get involved and enhance the project. “For a data set as dynamic as this, it made sense to build it into a more user-driven format.”, states David Shettler, the lead developer for the Open Security Foundation. “With the release of this new site, the project can now be fed by anyone, from data loss victims to researchers”.
The DataLossDB’s mail list will continue to be available to over 1,500 current subscribers and will accept new subscriptions under the Attrition.org banner until a migration to OSF has been completed. RSS feeds will also be available under the OSF banner for timely alerts about new and updated data loss events. We expect this transition to be completed in the coming months without impact to current subscribers.
Open Security Foundation’s DataLossDB is an open source community project that strives to provide a clear understanding of data loss issues and needs your support. Assistance can be provided through database updates, project leadership, word-of-mouth promotion, financial donations, and sponsorship to assist with the ongoing maintenance of the project. “The DataLossDB project provides a critical service that enables detailed analysis on the true impact of data loss.”, says Jake Kouns. “The Open Security Foundation is in a perfect position to support the expansion of the DataLossDB project.” Any entities interested in licensing the database for commercial ventures are encouraged to contact OSF.
Reported Phishing/Vulnerable Site! The web site http://www.google.com has been reported as a vulnerable site that may pose a threat to your web browsing. Vulnerable sites do not prioritize security and don’t care about their users and customers. These sites may pose a risk to you, exploit the trust between you and their site and may cause your computer to perform actions you did not approve.
To carry on the scary wording in the style of others; Some web sites are high profile and may seem trustworthy, but you shouldn’t trust them at all. They are full of buggy code, don’t care about protecting their users (that’s you!) and generally suck. Despite using their site as a virtual crutch, you should clearly stay away from them unless it is to send nasty mails or mock them. Again, do not trust Google’s web sites or search engine, because they have been known to be vulnerable. What assholes!
On a more serious note, if anyone at Google is reading this, I hope you pass this on to the jackasses that develop Google Toolbar or whatever hook they use to integrate with Firefox. Not only is it worse than malware (every piece of software tries to get me to install it), it uses misleading wording to scare customers from visiting perfectly safe and innocent web sites (namely this blog). While it caters to morons, it doesn’t give users a real opportunity to learn why a site was ‘blocked’ other than vague wording.
My only guess as to why this warning occurs was an incident earlier this year, in which the OSVDB blog fell victim to a zero-day exploit in WordPress. I blogged about the incident to make our readers aware of the incident and clear up any confusion. I assume that Google’s crawl of the this blog noted the script code and subsequently declared us an “attack site”, even though that is hardly the case.
The discouraging part is the “diagnostic page” says that Google visited ONE page in the last 90 days and 0 of those pages resulted in malicious software being downloaded. Google, if you are going to play Lord of the Browser, visit more than one page before you make that determination. To do anything less is a disservice to your users and a fast way to miss obvious malware. The third question mentions “intermediary” which is technically accurate as far as the script code that was injected in a few blog posts. However, the big red warning says nothing about ‘intermediary’ and explicitly labels us as some kind of malware hosting site with the intent of attacking people. That is libelous to say the least. Under ‘How did this happen’, Google mentions that sometimes third parties can inject such code, but doesn’t take the time to help clear this up. If the previous script injection issue is the cause of this, the fact that the script loaded content from a third party domain (in China no less) should be a good indication that WE did not host the malware. Sure, most users are dumb as a rock, but the few smart cookies that click for details should get just that.. details.
What Google Toolbar users may see when visiting this blog:
Finally, I opened the blog post calling Google’s search engine a threat, and I was serious. Google has a track record of vulnerabilities far worse than OSVDB does. Not only in their popular search engine, but their various products too. Besides, the mechanism for reporting potentially dangerous sites is a bit dubious to say the least.
Update: Ends up, we had another iframe injection into one of our posts (which is now removed), and the hunt for how this is happening now begins. That said, while Google’s warning that this site is “dangerous” may have been accurate, their mechanism for warning users in a vague manner (as shown in the image linked off ‘vague warning’) and not warning the site administrator is far from friendly. I can see that Google doesn’t care about warning sites of issues before warning the public, a far cry from ‘responsible disclosure’, something that Google pretends to care about:
This process of notifying a vendor before publicly releasing information is an industry-standard best practice known as responsible disclosure. Responsible disclosure is important to the ecology of the Internet. It allows companies like Google to keep users safe by fixing vulnerabilities and resolving security concerns before they are brought to the attention of the bad guys. We strongly encourage anyone who is interested in researching and reporting security issues to observe the simple courtesies and protocols of responsible disclosure.
Next time OSVDB is informed of a vulnerability that impacts Google products or services, I sure hope it doesn’t slip our mind to contact them. Perhaps the apparent race condition between the vague wording and the not-so-vague wording that users may see constitutes a bug. If they can read this blog, they can see the bug in action and then contact us if they have more questions.
Update 2: Google apparently tried to send mail to our domain: From: Google Search Quality
OSVDB is featured in the June issue of the Open Source Business Resource (OSBR) and is now available at the OSBR website. We were contacted and asked if we would like to include our original OSVDB Aims white paper in the issue. This was really the prompting that we needed to take the time to update the project’s successes since the launch and provide some additional information about the future of OSVDB.
We would like to thank Dru Lavigne and OSBR for their support and encourage you to take a look at the issue. The OSVDB article can be found at: http://www.osbr.ca/ojs/index.php/osbr/article/view/607/568
OSBR’s editorial theme for June is “Security” and here is a listing from the table of contents:
Jake Kouns, president of the Open Security Foundation, introduces the Open Source Vulnerability Database Project. David Maxwell, Open Source Strategist at Coverity, discusses the findings from Coverity’s analysis of over 55 million lines of open source code. Robert Charpentier from Defence Research Establishment Valcartier and Mourad Debbabi, Azzam Mourad and Marc-André Laverdière from Concordia University present a summary of their research into providing security hardening for the C programming language. Frederic Michaud and Frederic Painchaud from Defence Research and Development Canada describe their evaluation of automated tools that search for security bugs. Key messages from Carleton University’s Stoyan Tanev’s recent presentation on technology marketing trends and the Eclipse Foundation’s Ian Skerrett’s presentation on building successful communities. Michael Geist, Canada’s Research Chair of Internet and E-commerce Law, explains why the proposed Bill C-61 does not address the rights of Canadians. Alan Morewood from Bell Canada provides an example of open source meeting a business need.
Next months editorial theme is “Accessibility” – contact the OSBR Editor if you are interested in a submission.
We are pleased to report that OSVDB has been provided three projects for 2008. We would like to thank everyone that applied and encourage students that were not selected to still consider getting involved with the project. We had quite a few great applications but were unable to accept any more due to our limited mentoring resources this summer and the large number of new organizations taking part in SoC this year.
Here are the projects that were selected:
Patch Management Portal by Ronny Yabar Aizcorbe, mentored by David Shettler The system will provide a way to define when a patch should be in development, testing or production status. And will allow users the ability to select vulnerabilities and patches based on the OSVDB watch list. The main components of the tool will be: Prioritization and scheduling, Testing, Implementation and Compliance.
OSVDB Widgets and Gadgets by Marc Augustin, mentored by Chris Newby This project is intended to utilize the OSVDB as the main data source but should be a security dashboard for professionals via Gadgets and Widgets.
OSVDB Training Portal Framework by Sergios Pericleous, mentored by Jake Kouns This project will create a training framework which will aim to integrate as much as possible with the existing OSVDB portal. The portal will allow specific admin users to create training material and quizzes for end-users, and it will also allow end-users to read this training material and make comments on it, take the quizzes and receive a score, and to track their progress using a progress report and graphs.
Congrats Ronny, Marc and Sergios and we look forward to another successful summer!
Dave pushed a new set of code changes today! Here is a very brief summary of some of the highlights:
- Browse now has: Browse by Top Creditee, Browse by Creditee Name [Remember, we need more entries at 100% to make this more accurate and complete. Mangle your own vulnerabilities and fill in the missing creditee!]
- Three new dates added to schema (Screenshot) [The new date fields won’t appear on the front end yet, as more changes are required, but we now have the capability to track a more thorough history of the vulnerability]
- Menu Changes and new pages in support of that.
- More diverse “Donation” options [Come on, donate 5 bucks and skip that fourth Latte!]
- General bug fixes/tweaks
- Vendor dictionary – change e-mail addresses to stop automatic harvesting
- New template for CSRF vulnerabilities
Behind the Scenes: