CVE Commentary

[This was originally published on the OSVDB blog.]

http://cve.mitre.org/cve/edcommentary.html#community_issues

CVE editor Steven Christey has begun to post commentary related to CVE and VDBs.

[2013-07-07 Update: This effort didn’t last long. The last update was 2006-02-16, 4 days after this blog post. =(]

Insert a classy pun.

[This was originally published on the OSVDB blog.]

This entry should have been published days ago. On top of being overly busy and spread thin, I ran into a big problem related to finding a reference I wanted to include, which will lead to this being a little more ranty than intended.

How is it that our industry is over twenty years old (don’t bother debating how old the ‘security’ industry really is), and we don’t have a list of commonly accepted vulnerability classifications? Traditionally, it was fairly easy to list out the major classifications; overflow, symlink, race condition, command injection, XSS, SQL injection, path disclosure, traversal, denial of service, format string, etc. Over time we saw new types of vulnerabilities like HTTP Response Splitting, CRLF injection, Off-by-one, Underflows, etc. So, who keeps a list of what constitutes a class of vulnerability? The Secure Software Body of Knowledge has nothing, SANS’ glossary doesn’t even appear to have cross site scripting, and the OWASP Top Ten is a bit too high level. The best resources are probably:

  1. The OWASP Vulnerability Listing but I think this is too detailed to cover a general classification breakdown.
  2. Mitre’s Common Weakness Enumeration (CWE) might be the best due to their hierarchy system and more general categories.
  3. CVE’s Vulnerability Abstraction has a decent breakdown more like my quick list above, but might be considered a bit lacking, or soon will be.
  4. The Web Application Security Consortium Web Security Glossary but it is web-centric.

That said, now I can get back to my original point! On September 29, Stefan Esser posted an advisory in which he said “While searching for applications that are vulnerable to a new class of vulnerabilities inside PHP applications we took a quick look…”. This led me to remember an article last year titled Microsoft unveils details of software security process in which Window Snyder (former Microsoft security strategist) said “These are entire classes of vulnerabilities that I haven’t seen externally. When they found these, (the developers) went on a mission, found them in all parts of the system, and got rid of them.” referring to vulnerabilities that were proactively removed. The article goes on to say “Moreover, the company found and fixed two classes of vulnerabilities that have not been discovered elsewhere, she said.”

Anyone else curious about these? Less than a year, and three new classes of vulnerabilities? Come on Window, you left Microsoft, you can speak up now! Stefan, spill the beans, give us details!

Thanks for discussion and pointers: Steven Christey, Chris Wysopal, Sullo

Google VulnSearch?

[This was originally published on the OSVDB blog.]

Fall behind and someone will always beat you to the punch! Gadi Evron posted an entry over at Securiteam on the topic of using Google’s Codesearch to find vulns. Since he and others are writing about this, I don’t have to! However, I’ll post a few more thoughts before anyone else does, maybe!

First, we have this great ability to (ab)use Google’s Codesearch to find vulnerabilities through fast code analysis. Is this a fun but very short fad? Or will we see people use this to disclose vulnerabilities and give credit to their method? Will it lead to a lot of false positives, like we’re seeing with remote file inclusion? Several ‘researchers’ are grep’ing for a single string, finding it, and posting it as a remote file inclusion vulnerability without really analyzing the code or testing their own “proof of concept”. Hopefully, researchers will use this new tool to not only find vulnerabilities, but truly validate their findings before disclosing.

Second, who is going to be the first to create an interface that smoothly links the Google Codesearch with a robust static code analyzer? Imagine a web interface where you choose a few key things like what language, what types of vulnerabilities, and click click for all the results. The program would then use the Codesearch results to pipe into the code analyzer and spit out a list of high probability vulnerabilities.
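As an added illustration of the false-positive problem in the first point and of the minimum a code-analysis stage behind Codesearch (the second point) would have to do, the following compares a single-string grep with a small straight-line taint check. This is example code, not from the post or any named tool; the PHP sample files, the function names and the taint rules are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed PHP snippets (not from the post). Every one of them contains the
# string "include($", so a one-string grep "finds" all of them; only the first
# actually hands request-controlled data to include().
SAMPLES = {
    "direct_from_request.php": "<?php\n$page = $_GET['page'];\ninclude($page . '.php');\n",
    "constant_only.php": "<?php\n$page = 'home';\ninclude($page . '.php');\n",
    "tainted_then_overwritten.php": "<?php\n$page = $_GET['page'];\n$page = 'home';\ninclude($page . '.php');\n",
}

SUPERGLOBALS = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")
INCLUDE = re.compile(r"\b(include|require)(_once)?\s*\(?\s*(.+?)\)?\s*;")


def naive_grep(src: str) -> bool:
    """The single-string approach the post complains about: match and move on."""
    return "include($" in src


def _mentions(var: str, expr: str) -> bool:
    # Whole-variable match so "$p" does not match inside "$page".
    return re.search(re.escape(var) + r"\b", expr) is not None


def _is_tainted(expr: str, tainted: set) -> bool:
    # An expression is tainted if it reads a request superglobal directly or
    # uses a variable that is currently tainted.
    return any(sg in expr for sg in SUPERGLOBALS) or any(_mentions(v, expr) for v in tainted)


def find_tainted_includes(src: str) -> List[int]:
    """Line numbers of include/require calls whose argument is derived from
    request data at that point in the file (straight-line, per-file taint only;
    no branches, functions or cross-file flow, so it is a triage aid, not proof)."""
    tainted: set = set()
    hits: List[int] = []
    for lineno, line in enumerate(src.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.groups()
            # A later assignment from a literal clears the taint, so the
            # "tainted then overwritten" file is not reported.
            if _is_tainted(rhs, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)
            continue
        m = INCLUDE.search(line)
        if m and _is_tainted(m.group(3), tainted):
            hits.append(lineno)
    return hits


def triage(samples: Dict[str, str]) -> Dict[str, Tuple[bool, List[int]]]:
    """Side by side: what the grep says versus what the taint check says."""
    return {name: (naive_grep(src), find_tainted_includes(src)) for name, src in samples.items()}


if __name__ == "__main__":
    for name, (grep_hit, lines) in triage(SAMPLES).items():
        print(f"{name}: grep={grep_hit} tainted_include_lines={lines}")
```

Even the taint check only narrows the list; a reported line still needs the manual review and testing the post asks for before anyone calls it a vulnerability.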

Some of these ideas courtesy of email discussions with Chris Wysopal, Mudge and others.

General TV Complaint

I’ve thought about this post in my mind for the last two years, since I’ve started watching more tv shows. thank $deity for torrents and a 19″ monitor, because i certainly can’t watch the shows on the network’s time tables. yes, i pay 55 bucks a month for extended cable and *never* turn my TV on. fuck their schedules, fuck them for airing complete crap instead of the prime shows more than once. they are begging for their customers to turn to TiVo (and fast forward past commercials) or torrents. for a more dry rundown of tv shows (last season), check out my thoughts.

My thoughts on television today…

There are a lot of great shows on TV these days. Bigger budgets, movie stars making the shift back to weekly TV, more viewers and higher advertising. Shows like 24 and the various Law & Orders and CSI are getting the attention, and rightfully so. Admittedly, I watch 24 only when I have all twenty four episodes downloaded from the previous season and I watch it much like I watch a car wreck or police action on 18th street from my balcony. More recently, shows like Lost and a few others I don’t watch (Grey’s Anatomy) are becoming all the rage, even though most people didn’t enjoy JJ Abrams’ first show (Alias) beyond the first season. Unfortunately, the mainstream press simply must follow the popular shows and give no thought or attention to the lesser known but equally enjoyable shows (exception: Entertainment Weekly continually gives props to Battlestar Galactica!). If you haven’t seen BSG on SciFi, you are missing out. Ditch your pedantic views on television and cast aside this notion that ‘sci fi’ is for nerds and geeks. The show is phenomenally written, beautifully directed and masterfully designed from season to season. The show is not about “killing toasters” as much as it is about exploring human interaction, social drama and current political nightmares. The writers and directors are smart though, and they know they can get away with taking all of the political issues of today, wrapping them in a blanket of “that stupid sci fi” and getting away with exploring it in ways conventional TV could not.

Reality TV is dead, the networks just don’t know it yet. Survivor this year perfectly demonstrates that since it is moving to a ‘racial’ theme after *twelve* years of running. Read the back story people.. they had to *recruit* some of the minorities you see, because only white people are crazy enough to volunteer to go on the show. They couldn’t even get a full team (5 members per team) of Hispanics, African-Americans and Asians. Three episodes in and the show is getting boring, the stereotypes are dull and even watching one race insult themselves is old. The only compassion I found for anything on that island was the poor chickens.

Crime pays. Anyone who tells you otherwise wasn’t a good criminal or isn’t in the entertainment business. The law enforcement themed shows are at an all time high. COPS is in its *19th season* believe it or not! Law & Order has several shows, CSI has three, The Closer gets good reviews (for some reason), Criminal Minds is entertaining.. the amount of ‘bad guy’ shows is spiking again including Heist, Thief and several more this season. I won’t bother listing the other dozen shows that fall under this category out of fear of boring you to death. The sad part is, the best ‘bad guy’ series is on BBC and just now hitting the US; Hustle. If you haven’t seen it, make a point to do so. Only six episodes per season, but absolutely brilliant. In this category also worth seeing is The Shield and The Wire (HBO). Fortunately, several mainstream lackeys have finally caught on to the power and intensity of The Wire and it is beginning to get the attention it deserves. Killer Instinct (lame), The Inside (had potential), Wanted (yawn), Eyes (gimmick), Without a Trace (pretty good), Cold Case (pretty good) .. the list goes on.

I know I mentioned the CSI franchise last paragraph, but it really deserves its own. First, did you know that the UK had its own forensic show years before CSI? It’s called ‘Silent Witness’ and according to many UK fans has “sold out” in trying to be more like CSI and losing its core values. Perhaps this is one time where the US stole an idea and did it right though.. CSI (the original) continues to be outstanding. I wish the series luck in their break from formula (to a degree) in the 7th season, but I wonder if they will lose audience since they are now demanding you watch episode to episode to see a case finish. One value of the show in prior years was that 43 minutes of attention (you don’t actually watch commercials do you?!) and you saw one or two cases solved. CSI:NY listened to criticism and made some important changes in season 2 (less in S3 this fall), and the show continues to be entertaining. The cases are a bit ‘Miami’, but the characters (Sinise!) carry the show. Now, the number one train wreck of a TV show five years running? CSI:Miami. Whoever writes and produces this show needs to jump the shark, bite the bullet, and get the fuck off the air. The show is beyond ‘bad’, boldly sucking like no show has before. David Caruso cannot act. He is a cliche of himself, and needs to die off fast. (Dare you to play the Caruso/CSI drinking game; drink when a) he puts his sunglasses on/off, b) uses the person’s first name in casual dialog, c) puts his hands on his hips or d) looks down while talking to someone. You’ll be trashed before opening credits.) The rest of the characters are boring, shallow, can’t act and have no other redeeming quality. The only character that DID have a little appeal got killed off (the guy who was a CSI but did it as a job, not for some profound love of the profession). The pop tart fake southern bimbo needs to die in a fire to save us from more agony. I don’t care if it is Miami, having every single case be loaded with rich bitches and blinged out retards is overdone. We don’t need to see million dollar houses/boats/cars in every single case. Speaking of the crime shows, why are medical examiners always African American? The Closer, L&O SVU, L&O, CSI:NY, CSI:Miami.. seems odd.

On the technical crime series.. a while back, Kiera mentioned how annoying it was dealing with TV shows that felt they were forced to dumb down for the average retarded viewer. While I understand the networks for doing this, I also challenge them to break from the norm and move on. If you aren’t smart enough to pick up on the pink cotton swab in *season 7* of CSI, then the show probably isn’t for you. The rest of the world is tired of hearing the same explanations for every minor thing week after week. Some of us want to know how TV would evolve if they didn’t have to carry the baggage of new viewers. Oh, CSI:Miami, the fact that every single scene in the lab begins with “Oh, is that the X from case Y?” to set the stage is BORING. Fuck yourself with a baseball bat you ignorant jackass retards. You are writing down to the retard population that you are part of.

Other shows that stand out: Boston Legal, pretty twisted humor written into this show, Shatner and Spade carry it without a hint of burden. Weeds (Showtime) is a brilliant comedy that would fail miserably on public channels, but floats by on premium because it embraces that edge. Rescue Me, no pondering how real it is, the character interaction alone is worth the watch. Invasion (carried by Fichtner), Penn and Teller’s Bullshit (Showtime, should be mandatory viewing for US citizens), Prison Break (Miller, Purcell and Fichtner are outstanding), Saved, Spooks (forget US mainstream spy crap, watch the UK version), Bones (Deschanel’s social interaction rules), and The Unit (Haysbert drops his pen from 24 and picks up a machine gun), all worth checking out. Hell, Jason Lee even proves that comedy isn’t dead in My Name is Earl, despite the networks running comedy into the ground.

Yes, the three people who read this thinking “omg he’s such a tv whore!” can say that. If I didn’t watch the shows a) on my schedule, b) commercial free and c) on the third computer while I work on the first two, then I wouldn’t have seen ANY of these shows, except Meerkat Manor. That is the one show I will stop everything for, sit on the couch, and actually “watch TV” for.

Stupid E-mail Disclaimers and the Stupid Users that Use Them

[This was written with Martums and originally published on attrition.org.]

We thought it would be a fad. Ok, we hoped it would be a fad, destined to go away as quickly as it came. Unfortunately, those worthless e-mail legal disclaimers still pollute the internet. Written by overzealous lawyers that don’t seem to realize the stupidity and futility of their effort, poorly worded legal gibberish tries to force you into binding contracts to protect their careless mistakes. One of their employees just fires off an e-mail full of corporate secrets? No worries! That legal disclaimer will ensure the unintended recipient deletes it without question! Wishful thinking, douchebag lawyers.

We can’t help it–this really makes us nuts. When will these people learn? You transmitted your crappy mind-numbing message to us, in plain text, over the public internet. It’s ours (and whoever is sniffing our mail) to do with as we please and you can’t have it back, so piss off. We won’t delete it, we will publish it, we will forward it, and there is nothing you can do about it. Go ahead, take us to court, but try to find a shred of legal precedent first, ok?

Many other folks have chimed in on this epidemic of user stupidity previously. How many articles must be written, how many snarky replies sent, before these litigation-prone companies pull their collective heads out of their asses?

To be fair, some people work at Really Big Companies® where one of these boiler-plate atrocities dutifully gets stamped on the end of all outgoing messages by the mail server, regardless of the user’s common-sense quotient. These people cannot be held liable for their employer’s misguided sense of self preservation. Then there are those middle-management, PHB, bottom-feeding, thumb-sucking imbeciles who insist on following the rest of the herd and slap together their signature with a poignant indicator of their blatant ignorance of the law. If all you have is a hammer…

How did we get here, and what are we doing wrong that we feel the need to include these ridiculous appendages in the first place? Did someone accidentally (oops) send private client data to the wrong recipient (idiot)? Did someone mistakenly enter the wrong alias in the To: field (asshat)? Or did they forward a confidential document to their competitor (moron)? Or maybe they asked Attrition staff really stupid questions? (brilliant!) Gotta love those squirrels at least.

If you transmit any content to the wrong recipient, contact them, confess your sin, and gently ask for their mercy. If they use it against you, that’s malicious behavior on their part and they might be on the fast track to hell. I certainly know how we’d handle it here. There’s plenty of room next to Hoffa in the Giants’ end zone for another corpse. Why plead for mercy? Simple, because there is absolutely no legal precedent for these legal disclaimers having any weight in any court of law.

What to do…

What are some best practices that the average corporate peon can do instead of attaching silly disclaimers to every mail? Don’t hit send until you’ve proofread the mail, including the headers. Typos happen. Responsible grown-ups should catch them. Sensitive information? Encryption is your friend. Really sensitive information? FedEx is your friend. Voilà! What are the consequences of any content or attachments you accidentally send being made public? Is it worth ten bucks to use an overnight carrier instead of ending up as the latest entry on Dataloss? What’s your reputation worth? Remember, email’s like a postcard, open to the world. We love other people’s postcards.

Failing that, if your dimwit corporate lawyers insist on keeping the disclaimer, either take a baseball bat to their kneecap or demand that the disclaimer go at the top of the mail. While crappy mega-giant software makers can get away with ‘shrink wrap licenses’, as Paul Goodman says, “Despite their widespread use, there still remain serious legal questions regarding the validity of the shrink-wrap license.” Like the shrink wrap licenses, e-mail disclaimers at the end of the e-mail force a user to open the mail/software before ‘agreeing’ to the terms. No, they don’t really agree, but that is the implication and desire of such licenses.

Tired of seeing these silly disclaimers on every third public mail-list post? What to do.. what to do! Easy, follow their instructions. Almost every disclaimer has a provision that suggests that if the mail is not addressed to you, you should send it back to the person that sent it in the first place, or send it to the legal counsel of their firm. Ok! Every… single… mail, do just that. If they send it to mail_list@example.com, it was not addressed to you, and by their own twisted reasoning it should be sent back to them so they can figure out what bad things are happening as a result. One post to a list of 5,000 responsible professionals that honor these goofball disclaimers and guess what…
References

– Stupid Email Disclaimers – Jeff Goldberg

“The value of disclaimers is limited, since the courts normally attach more weight to the substantive content of the communication and the circumstances in which it is made than to any disclaimer…Even though their effectiveness in court is doubtful…” — From the UK’s weblaw via Jeff Goldberg

– Jeff Goldmark’s list of Parody Disclaimers

– Disclaimers could make emails into contracts

– Readers’ Letters – The Email Disclaimer Awards 2001

– The Email Disclaimer

“But there’s a fine line between legally wise and intellectually ridiculous.”

– E-mail disclaimers explained

“The sobering reality is, however, that the validity of these disclaimers have not yet been tested by our courts and most businesses draft and implement their disclaimers in such a way that they are invalid, unenforceable and useless.”

– Trailers: Disclaimers

– EMail Disclaimers – Frequently Asked Questions

– EMail Disclaimers – Should you use them?

– E-mail Confidential – Who’s afraid of Time Inc.’s legal disclaimer?