Time to Re-think Vulnerability Disclosure

Public disclosure of vulnerabilities has always bothered me and I wasn’t able to put a finger on the reason until now. As a person who has been personally involved in vulnerability disclosure I highly appreciate the contribution of security researchers to awareness, and it is very hard to imagine what the world would be like without disclosures. Still, the way attacks are crafted today and their links to such disclosures got me thinking about whether we are doing it in the best way possible. So I tweeted this and got a lot of “constructive feedback” :) from the team at the cyber labs at Ben-Gurion, along the lines of how do I dare?


So I decided to build my argument right.

Vulnerabilities

The basic fact is that software has vulnerabilities. Software gets more and more complex over time and this complexity usually invites errors. Some of those errors can be abused by attackers in order to exploit the systems such software is running on. Vulnerabilities split into two groups: the ones the vendor is aware of and the ones that are unknown. And it is unknown how many unknowns there are inside each piece of code.

Disclosure

There are many companies, individuals and organisations that search for vulnerabilities in software, and once they find one they disclose their findings. They disclose at least the mere existence of the vulnerability to the public and the vendor, and many times they even publish proof-of-concept code that can be used to exploit the found vulnerabilities. Such disclosure serves two purposes:

  • Making users of the software aware of the problem as soon as possible
  • Making the vendor aware of the problem so it can create and send a fix to its users

After the vendor is aware of the problem it is their responsibility to notify the users formally and then to create an update for the software that fixes the bug.

Timelines

Past to Time of Disclosure – The unknown vulnerability waits silently, eager to be discovered.

Time of Disclosure to Patch is Ready – Everyone knows about the vulnerability, the good and the bad guys, and it is now sitting on production systems waiting to be exploited by attackers.

Patch Ready to System is Fixed – During this time period too, the vulnerability is still there waiting to be exploited.

The following diagram demonstrates those timelines in relation to the ShellShock bug:


Image taken from http://www.slideshare.net/ibmsecurity/7-ways-to-stay-7-years-ahead-of-the-threat


Summary

So indeed the disclosure process eventually ends with a fixed system, but there is a long period of time during which systems are vulnerable, and attackers don’t need to work hard on uncovering new vulnerabilities since they have the disclosed one waiting for them.

I got into thinking about this after I saw these stats via Tripwire:

“About half of the CVEs exploited in 2014 went from publish to pwn in less than a month” (DBIR, pg. 18).

These stats mean that half of the exploits identified during 2014 were based on published CVEs (CVE is a public vulnerability database), and although some may argue that the attackers could have had the same knowledge of those vulnerabilities before they were published, I say it is far-fetched. If I were an attacker, what would be easier for me than going over the recently published vulnerabilities, finding one that is suitable for my target and later building an attack around it? Needless to say, there are tools that also provide examples for that, such as Metasploit. Of course the time window to operate is not infinite, as it is in the case of an unknown vulnerability that no one knows about, but still a month or more is enough to get the job done.
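The two exposure windows described in the Timelines section (disclosure to patch ready, patch ready to system fixed) are something a defender can actually measure across an inventory. The following is an added example, not code from the original post: it tracks both windows per vulnerability and flags entries that are still open past the one-month horizon the DBIR figure above refers to. All identifiers (EXAMPLE-000x) and dates are constructed for illustration and are not real CVEs.

```python
"""Exposure-window tracker (constructed example, not from the original post).

For each tracked vulnerability, compute the two windows the post describes:
  A: public disclosure -> vendor patch ready
  B: patch ready       -> this system actually fixed
and flag entries that are still open past a threshold (30 days by default,
matching the one-month 'publish to pwn' horizon quoted above).
Identifiers and dates below are invented for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class VulnRecord:
    vuln_id: str                     # placeholder id, constructed (not a real CVE)
    disclosed: date                  # date the vulnerability became public
    patch_released: Optional[date]   # None while the vendor has no fix out
    patched_on: Optional[date]       # None while this system is still unpatched


def exposure_windows(rec: VulnRecord, today: date) -> Dict[str, int]:
    """Length in days of each window; an open window is counted up to `today`."""
    # Window A: disclosure -> patch ready. Open-ended until a fix exists.
    patch_end = rec.patch_released or today
    disclosure_to_patch = (patch_end - rec.disclosed).days
    # Window B: patch ready -> system fixed. Cannot start before a patch exists.
    if rec.patch_released is None:
        patch_to_fixed = 0
    else:
        fixed_end = rec.patched_on or today
        patch_to_fixed = (fixed_end - rec.patch_released).days
    return {
        "disclosure_to_patch": disclosure_to_patch,
        "patch_to_fixed": patch_to_fixed,
        "total_exposed": disclosure_to_patch + patch_to_fixed,
    }


def status(rec: VulnRecord) -> str:
    """fixed: we applied the patch; unpatched: patch exists, not applied; no_patch: vendor has no fix."""
    if rec.patched_on is not None:
        return "fixed"
    if rec.patch_released is None:
        return "no_patch"
    return "unpatched"


def prioritize(records: List[VulnRecord], today: date,
               threshold_days: int = 30) -> List[Tuple[str, int, str, bool]]:
    """Rank by total exposure; flag entries still open for longer than the threshold."""
    rows = []
    for rec in records:
        w = exposure_windows(rec, today)
        st = status(rec)
        overdue = st != "fixed" and w["total_exposed"] > threshold_days
        rows.append((rec.vuln_id, w["total_exposed"], st, overdue))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


# Constructed inventory for one system (ids and dates are invented).
TODAY = date(2015, 3, 10)
INVENTORY = [
    VulnRecord("EXAMPLE-0001", date(2015, 1, 5), date(2015, 1, 12), date(2015, 2, 20)),
    VulnRecord("EXAMPLE-0002", date(2015, 2, 1), date(2015, 2, 3), None),
    VulnRecord("EXAMPLE-0003", date(2015, 2, 20), None, None),
]

if __name__ == "__main__":
    for vuln_id, days, st, overdue in prioritize(INVENTORY, TODAY):
        flag = "  <-- open past threshold" if overdue else ""
        print(f"{vuln_id}: {days:3d} days exposed, {st}{flag}")
```

Note that a record that has already been fixed is never flagged, however long its total exposure was; the flag is for work still outstanding, while the totals remain useful for measuring how long the organisation typically stays exposed after a disclosure.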

Last Words

A new disclosure process should be devised in which the risk level during the period from disclosure until a patch is ready and applied is reduced. Otherwise we are all just helping the attackers while trying to save the world.


Most cyber attacks start with an exploit – I know how to make them go away

Yet another new ransomware with a new sophisticated approach: http://blog.trendmicro.com/trendlabs-security-intelligence/crypvault-new-crypto-ransomware-encrypts-and-quarantines-files/

Note that the key sentence in the description of the way it operates is: “The malware arrives to affected systems via an email attachment. When users execute the attached malicious JavaScript file, it will download four files from its C&C server:”

When users execute the JavaScript file it means the JavaScript was loaded into the browser application and exploited the browser in order to get in and then start all the heavy lifting. The browser is vulnerable, software is vulnerable; it’s a given fact of an imperfect world.

I know a startup company called Morphisec that is eliminating those exploits in a very surprising and efficient way.

In general, vulnerabilities are considered a chronic disease, but it does not have to be this way. Some smart guys and girls are working on a cure :)

Remember, it all starts with the exploit.


No One is Liable for My Stolen Personal Information

The main victims in any data breach are actually the people, the customers, whose personal information has been stolen, and oddly they don’t get the attention they deserve. Questions like what was the impact of the theft on me as a customer, what can I do about it and whether I deserve some compensation are rarely dealt with publicly.

Customers face several key problems when their data has been stolen, questions such as:

  • Was their data stolen at all? Even if there was a breach it is not clear whether my specific data has been stolen. Also, the multitude of places where my personal information resides makes it impossible to track whether and from where my data has been stolen.
  • What pieces of information about me were stolen and by whom? I deserve to know who has done that more than anyone else, mainly because of the next bullet.
  • What are the risks I am facing now after the breach? In the case of a stolen password that is used in other services I can go and change it manually, but when my social security number has been stolen, what does it mean for me?
  • Whom can I contact in the breached company to answer such questions?
  • And most important: was my data protected properly?

The main point here is the fact that companies are not obligated, either legally or socially, to be transparent about how they protect their customers’ data. The lack of transparency and of standards for how to protect data creates an automatic lack of liability and serious confusion for customers. In other areas, such as preserving customer privacy and terms of service, the protocol between a company and its customers is quite standardized, and although it is not enforced by regulation it still has substance to it. Companies publish their terms of service (TOS) and privacy policy (PP) and both sides rely on these statements. The recent breaches of Slack and JPMorgan are great examples of the poor state of customer data protection: in one case they decided to implement two-factor authentication, and I am not sure why they didn’t do it before, and in the second case two-factor authentication was missing in action. Again, these are just two examples that represent the norm across most of the companies in the world.

And what if each company adopted a customer data protection policy (CDPP), an open one, where such a document would specify clearly on the company website what kind of data it collects and stores and what security measures it applies to protect it? From a security point of view such information cannot really cause harm, since attackers have better ways to learn about the internals of the network, and from a customer relationship point of view it is a must.

Such a CDPP statement can include:

  • The customer data elements collected and stored
  • How it is protected against malicious employees
  • How it is protected from third parties that may have access to the data
  • How it is protected when it is stored and when it is moving over the wire
  • How the company is expected to communicate with the customers when a breach happens – who is the contact person?
  • To what extent the company is liable for stolen data

Such a document can dramatically increase the confidence level for us, the customers, before choosing to work with a specific company, and can serve as a basis for innovation in tools that aggregate and manage such information.
