I always mean to post these more often, but I find myself bogged down in adding entries and putting off blog updates. Quite a few little blurbs and thoughts related to OSVDB content.
- I love vendors who maintain good changelogs. A good changelog has many attributes: version release with date, links to bugs/forums when appropriate, clear but concise language, categorize entries such as ‘security’ or ‘feature’, etc. Further, the changelog should be easy to find and stay updated. Rhinosoft (they maintain many other products as well) is a company that serves as a great example of this.
- On the flip side, I despise vendors with bad changelogs. One example is IBM who keeps these ridiculously large changelogs, mostly in CAPS with overly vague wording for many issues. As an example, check out this 1.4 meg changelog and try to pick out all the security issues.
Searching OSVDB – Our search engine got an overhaul a while back. While better overall, there are still a few bugs in it. Our dev is going to be available part time come Oct 1, so hopefully they will be knocked out in short order. Until then:
- If search results seem wrong, try using all lower case or exact case. Known bug that some searches seem to work with one, and not the other.
- We use keywords when appropriate. This can be useful for example, if you want to see all vulnerabilities in Zoller’s recent multi-browser disclosure. Search All Text for “one bug to rule them all”.
- Using references as a search field can be valuable. If you want to see all vulnerabilities in PHP (the core language), you can’t title search because of so many PHP applications littering the results. Instead, reference search “php.net” for a concise list.
- If you search for two terms, it will show results with both words. Searching with three terms will show results with any two words. Known bug! Until fixed, you can work around this by using “+one +two +three” search syntax, with a plus leading each keyword.
- OSVDB is also tracking vulnerabilities in electronic voting machines. While still in progress, we have scoured the excellent technical reports from the State of California on Premier Election Solutions (formerly Diebold) and have made good progress on Hart InterCivic. To see all of these vulnerabilities, search All Text for “Electronic Voting Machine”.
- I recently finished combing through the old Zardoz mail list archives. All of the vulnerabilities from that list, operated by Neil Gorsuch between 1989 and 1991, are now in the database. For those interested in historical vulnerabilities, reference search “securitydigest.org/zardoz” to see them. 63 vulnerabilities, only 7 of which have CVE references. Unfortunately, the mail list archive is not complete. If anyone has digests 126, 128, 206, 214, 305, 306, 308, 309, 310 or 314, please send them in!
- Similar to Zardoz, but already in OSVDB for over a year, you can reference search “securitydigest.org/unix” for the old Unix Security Mailing List disclosed vulnerabilities. There is some overlap with Zardoz here, but it should yield 57 results, 6 of which have a CVE reference.
- For crypto geeks, you can title search “algorithm” to get a good list of cryptographic algorithms, and when they were demonstrated to be sufficiently weak or completely broken. These go back to 1977 and the New Data Seal (NDS) Algorithm.
- I recently noticed another case of a vendor threatening mail list archives. Looking at the Neohapsis archive or the lists.grok.org.uk archive of a recent report on Inquira vulnerabilities, you can see each has redacted information. Mail list archives provide a valuable service and typically get little to no benefit for doing so. Despite that, it would be nice if they would post the actual legal threat letter when this occurs.
- The OSVDB vendor dictionary has been around for a while, but needs additional work. It is the first step in not only providing vendor security contact information, but building a framework for “vendor confidence”. This will eventually allow researchers to determine how cooperative a vendor is and if it is worth their time to responsibly disclose a vulnerability. As it stands, the Vendor Dictionary is primitive and needs to evolve quickly. One example of a problem we ran into, is a researcher submitted a case where they had a ‘bad dealing’ with a given vendor and it is included in the notes. The vendor contacted us, quite surprised to see it, and asked if we agreed with it. I responded that no, that was far from our own dealing with the vendor and that they had been great to work with in disclosing vulnerabilities, providing additional details or answering general questions. Reading our entry on the vendor doesn’t reflect that, and it should. Hopefully in the coming months, with a part time developer, we can begin to address this.
- When sanitizing takes its toll. BID 28219 has a link to an exploit that appears to have aggressively sanitized characters. Or did the researcher actually send that in? VDBs need to be mindful of this and add a note if they are displaying the submission as is.
Join OSF in Somerville, MA on September 19th, 2009 from 8am to midnight for Mangle-A-Thon, and help us mangle vulnerabilities into the Open Source Vulnerability Database (OSVDB), and mangle data loss incidents and primary sources into the DataLossDB.
The event, hosted by Midnight Research Labs Boston, is free and sponsored by Voltage Security, which will assist us in providing food and drink for attendees. OSF moderators will walk participants through the projects and teach participants how volunteers maintain the entirety of both data sets. Our goal is to get as much new and accurate data into both databases as possible, possibly add a couple of new recruits into the fold, and have a good time doing it.
Have suggestions regarding the projects? The lead developer (Dave) will be there, as will lead content guys for both projects (Kelly and Craig). You can actually see your suggestions implemented right there at the event… but only if you attend.
Midnight Research Labs Boston
30 Dane Street
Saturday, September 19th, 2009
8am to midnight
(three time slots: 8am – 1pm, 1pm – 6pm, 6pm – midnight, register for all or some)
Register via the “Register” link at: http://mangleathon.opensecurityfoundation.org/
The Open Security Foundation and OSVDB members will once again be in Vegas this year. However for some reason we are all a bit tired….. so this year will be pretty low key! While we do not have anything officially planned most of the crew will be around for Defcon…….. so If you want to meet up to talk life, vulns, dataloss and drink a couple beers drop us a line.
Like many nights, Jericho and I had a conversation. Unlike many nights, this one might actually be of interest to someone other than us (this pertains to how OSVDB gets new data into queue):
jericho (6/16/2009 8:48:48 PM): Original Advisory: FEDORA-2009-5368
Lyger (6/16/2009 8:48:57 PM): so just need to bump the scrape down a line
Lyger (6/16/2009 8:50:32 PM): takes an extra 10 seconds per vuln
Lyger (6/16/2009 8:50:39 PM): but multiply by 100
Lyger (6/16/2009 8:50:43 PM): adds up
jericho (6/16/2009 8:50:56 PM): yep
jericho (6/16/2009 8:51:09 PM): “only takes a second”
jericho (6/16/2009 8:51:16 PM): this was when i averaged 100 ndm a day
Lyger (6/16/2009 8:51:32 PM): 10 seconds, 20 vulns a day for me…
Lyger (6/16/2009 8:51:43 PM): three minutes per day
Lyger (6/16/2009 8:51:51 PM): 20 minutes a week
Lyger (6/16/2009 8:51:58 PM): 1.5 hours a month
Lyger (6/16/2009 8:52:00 PM): etc etc
Think about that: something that “only takes a second” seems somewhat insignificant in a single instance, but when you multiply it over days, weeks, months… years… the time adds up. To be honest, time is what we (OSF) have been fighting against for years. If we individually spend an extra ten seconds working on one vulnerability, just to add references or classifications, no big deal, right? But then you might see that if we work on 20 or 30 a day, that’s an extra 4 or 5 minutes a day, about an extra 30 minutes a week, around two hours a month, and approximately one day out of a year.
Personally, I’d like to have my day back (when I can get it, preferably somewhere in Hawaii and on the OSF dime).
For quite a while, we’ve been asking for volunteers to spend maybe even 15 minutes a week on this project. That would add up to an hour a month, and multiplying that by even 10 solid hardcore volunteers (or 50 occasional ones) would be amazing. They would get no pay and no benefits, but maybe a t-shirt, a “thank you”, and a feeling of giving something back to the security community. All for even 15 minutes a week…
Or about two minutes a day…
Open Security Foundation Wins the SC Magazine 2009 Editor’s Choice Award
Festivities in San Francisco wrapped up last night, and OSF was presented with SC Magazine’s 2009 Editor’s Choice Award. Thanks to everyone who has supported OSF in the past and present, and we definitely hope you’ll continue to support us in the future!
A few members of the Open Security Foundation will be at RSA for a couple days. If anyone is going to be there and would like to meet up please let us know. At this point, we have most of the day on Tuesday open. Also, if you have any free day passes to the conference let us know that as well! =)
We just recently noticed that OSVDB was discussed during a podcast called Faceoff started by Jade Robbins and Mark Sanborn. In Episode 5: Scaling to Hit it Big, at about 19:54, they talk about OSVDB for several minutes. They cover the project in general and also review several of the basic features of OSVDB and how someone can use the site. They speak about the search capabilities and even mention that OSVDB has a vulnerbaility from back in 1965. This was submitted by Ryan Russell as part of our oldest vulnerability contest and I can now say Ryan has finally received his OSVDB schwag….. only took a couple years for him to get it! =)
They also explain how in addition to the website that the OSVDB database itself can be downloaded and used as well. To clarify a point they discuss, once you create an account with OSVDB you can download the database as many times as you want. They also spend some time discussing our Watchlist feature which I thought was pretty cool that it was mentioned. For those that are not aware, when you create an account you can then setup two types of Watchlists.
The Vendor/Product Watch list
This watchlist will alert you to vulnerabilities for specific products that you subscribe to. Alerts are generated when a vulnerability is updated to include the product and vendor information. Soon, we may introduce a feature that will enable alerting as soon as the vulnerability is processed through our systems.
The Mailing List Aggregation Watch list
OSVDB allows you to subscribe to roughly 20 vendor advisory mailing lists. The advisory mailings are sent to OSVDB, we process them, and forward them on to you. That way, rather than managing 20 individual advisory subscriptions, you only need to manage one through OSVDB.
Thanks to the guys at Faceoff for their support and it is worth listening to the entire podcast. It did make us laugh a bit as they commented at one point that WordPress has all kinds of vulnerabities. Most of our dedicated readers know the ongoing WordPress issues we had and our eventually move away from it! =)
Thanks also to Ryan Heimbuch for suggesting OSVDB to be reviewed.
OSVDB can also now be followed on Twitter: http://www.twitter.com/osvdb
Welcoming in 2009
OSVDB would like to wish everyone a happy and hopefully prosperous new year! 2008 was pretty cool for us as far as enhancements and support of OSVDB 2.0 go, and we were very happy to add over 11,000 new vulnerabilities to the database in the last year. We currently have over 51,000 vulnerabilities in the database to start the new year, and would like to invite everyone to please consider adding to this resource, whether you have a user account or not. We can use (and will gladly accept) as much help and input as we can get, so if you’re lacking a new year resolution, maybe consider an hour a week to assist the security industry gather and share knowledge about vulnerabilities.
If you have any questions, comments, or ideas, please contact us at firstname.lastname@example.org
General information can be found at Opensecurityfoundation.org
Happy new year, everyone!
From time to time we take a moment as a team to reflect on the project. In most cases a major milestone occurs and gets us to think about OSVDB and the security industry. Today OSVDB went over 50,000 entries in the database. One must keep in mind that these are only vulnerabilities that the industry knows about or have been made public. It has been said before that until you can truly measure something and express it in numbers you have only the very beginning of understanding on the subject. OSVDB continues to promote a greater understanding by providing accurate, detailed, current, and unbiased technical information on security vulnerabilities.
Looking for Volunteer Rails Developers!
The Open Security Foundation is looking for a few good Ruby on Rails developers to help us on a volunteer basis in developing and enhancing osvdb.org, as well as datalossdb.org.
We need folks who are interested in security, with a background in Ruby on Rails development.
For helping on OSVDB, you really need to have a solid understanding in these areas:
- Single-table inheritance
Dataloss DB isn’t as complex. A volunteer needs only to be experienced with REST and have already worked on RoR projects, but also have knowledge and experience with SOLR to help with the learning curve!
Both projects require experience with Subversion, and decent written communication skills.
If you’re interested in helping out, we encourage you to email us at:
moderators[at]osvdb.org (for OSVDB work), or curators[at]datalossdb.org (for datalossdb.org work).
In your email, please send a quick and informal resume with links to Ruby on Rails work you’ve done in the past, or projects you’re currently working on.
It’s not a job… it’s an adventure (or a hobby, or just a way to do something important for the InfoSec community!)