OSVDB Search Tips & Tricks

[This was originally published on the OSVDB blog.]

I should have started a series of these posts long ago. One of the more frustrating parts of most VDBs is the lack of a helpful search function. Searching for some products (SharePoint) is easy enough, as the name is distinct and not likely to find many matches. If you happen to know the script affected (logout.php), that too can make the search fast and painless. However, what if you want to list all vulnerabilities in PHP?

CVE: searching for “php.net” yields 0 matches, while searching for “php” gets 2896
BID: search by vendor, PHP
ISS: advanced search, “php.net” will find most, but also includes non-PHP vulnerabilities
SecurityTracker: search “php.net” will find some, but also a world of additional threads/advisories
Secunia: search “php.net”, pick a PHP vulnerability, click the software link, click the vendor link, then click the 6 links below corresponding to the major versions

If OSVDB had a complete data set, you could search fairly easily off the vendor name due to our vendor dictionary and listing associated products. Until then, one tip is to search references for “php.net” to pull up a list of all PHP native vulnerabilities. This won’t work for most vendors, but for the bigger vendors we’re trying to standardize our entries and references to facilitate easier searches.

If you know the specific GUID (e.g. 3d742890-397c-11cf-9bf1-00805f88cb72) related to an advisory, or some other odd number or unique identifier, try searching the reference for it. This also goes for advisory identification numbers. Again, the data set is far from complete but we’re trying!

Many years ago I opened a ticket to create a new feature that allowed one to search for vulnerabilities by associated port. Curious what vulnerabilities are related to TCP port 1234 or UDP port 5432? No problem! Until we can get more developers on board and knock out some of these projects, search reference for “tcp port 1234” or “udp port 5432”.

Hopefully, more search tips to come.

What The Hell Was He Thinking?

[This was originally published on attrition.org. It was written by Lyger and Jericho.]

For those who haven’t heard, a recent data loss incident involving the Louisiana Board of Regents was recently disclosed to the media. In short, about 80,000 Social Security numbers were inadvertently exposed over the internet, and the media seemed to be very quick in picking up on the story. An independent researcher by the name of Aaron Titus made this discovery, contacted a media source and made the disclosure. Fairly interesting.

Here’s the problem: Aaron Titus made a mistake. He asked for advice regarding responsible disclosure of a known vulnerability (i.e. an exposure of personal information in a public location), and then proceeded to ignore almost every bit of rational advice given to him.

-----Original Message-----

From: lyger [mailto:lyger[at]attrition.org]
Sent: Monday, June 18, 2007 5:44 PM
To: Aaron Titus
Subject: RE: Arkansas Psychology Board Data Breach

On Mon, 18 Jun 2007, Aaron Titus wrote:

: Lyger,

: I’m sorry also for the late reply. Got sent out of town on business, so I’m
: coming up for air. Yes, please include the Arkansas Psychology Board
: Data Breach on the data loss mail.

I’ll try to look it over tonight.

: Also, I’d appreciate some advice- I just discovered that the Louisiana
: State Board of Regents has compromised almost 91,000 (yes, thousand)
: names, SSNs, DOBs, old addresses, race & gender indications, etc. They
: are mostly former high school students and staff in Louisiana, born
: between 1982-1985. They appear to have been online since around 2001.

: I am trying to decide the best course of action that will meet two goals:
: 1. Most effectively notify the individuals at risk. 2. Cause change and
: action.

: My inclination is to put a sanitized version of the data in an online
: searchable database, so that individuals could search for their name
: and find out whether their information was compromised (but not find
: out what the information is).

: I’d appreciate your thoughts.

My initial reaction is to treat this like most of the security community
tends to treat vulnerability disclosures: contact the vendor (or in this
case, the Louisiana State Board of Regents) FIRST. Make them aware of the
problem. If they’re unwilling to respond or do the right thing and
“provide a patch” (or remove the data), then contact the community (or in
this case, the media). Taking the data and posting it on your own could
lead to misuse of the data, much like 0-day exploits end up being used by
hackers (or in this case, identity thieves). Even sanitized, you would be
providing information better left private, which, despite your good
intentions, could be against the best interests of those affected.

Let the Board take the measure of handling the situation, including
notification, after they’ve been contacted. Just my opinion, but the change
and action you hope for will hopefully happen after you contact them and
the media gets wind of what will likely be a big story.

Note that we redacted Aaron’s email address in the email above. It is worth mentioning that we also redacted his work telephone number from the same email. We would really hate to invade his personal privacy since he values it so much, but with that said, why would a “privacy advocate” ask for advice regarding responsible disclosure, email us at attrition.org, receive our advice, and then do this:

https://www.ssnbreach.org/

Why, after the suggestions above, did Aaron Titus set up a web page that would allow anyone to search for a potential breach of their personal information? Setting up a web site that allows people to randomly search for ANY type of personal information on other people is a definite security and privacy risk. If you care to visit the site and run a search (which I don’t), plug in a random common last name like Smith, Jones, or Johnson. You won’t get a Social Security number or a date of birth, but exactly how ethical is it for a “privacy advocate” to make ANY of this information publicly available? Before this database, we only knew that X people were affected. Now we know that Maximilian Smith, Dustin C Smith and Juketrica Goldsmith were affected by the breach that prompted him to create the site. Thanks for the information there, Aaron; that is definitely serving the victims well.

More Problems with ssnbreach.org

At the top of the page they proudly declare “Currently Documenting 25,631 Data Breaches”, which is confusing. Since attrition.org has been tracking data breaches for years and only has an archive of about 725, and other sites such as PRC have similar numbers, where does 25,619 come from? The breach that prompted this web site had roughly 80,000 records compromised, so the figure isn’t a case of ‘data breaches’ being used erroneously in place of ‘records’. What does it mean?

When you input information into the search box, what does ssnbreach.org do with it? Checking their privacy policy, we only see “Check back soon for a complete Privacy Policy”. So it was more important to get all of those names up and available (which they weren’t, to most people, before this site) than to establish a privacy policy covering their own use of your data.

While their intention is for you to plug in your name to determine if you were affected, the search mechanism is very weak. Searching for the last name “Smith” yields a lot of results, and the display only gives you 100 names. In fact, searching for the letter “a” yields 100 names containing the letter “a”. With fifteen minutes and a simple script, it would be fairly trivial to harvest the entire database of names.
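The search design described above, as an added illustration that is not from the original post: the substring lookup the post criticises beside an exact-match form that cannot be walked with a one-letter query. The records and names are constructed; note that even the exact-match form still confirms whether a specific named person is present, which is the post's remaining objection to the site existing at all.

```python
# Added illustration of the search design the post criticises; the records
# below are constructed and the names are invented (not the breached data set).
RECORDS = [
    ("Alice", "Anderson"),
    ("Brian", "Baker"),
    ("Carla", "Chan"),
    ("Dana", "Smith"),
    ("Evan", "Smith"),
    ("Fiona", "Goldsmith"),
]

RESULT_CAP = 100  # the display limit the post observed on the live site


def weak_search(query: str) -> list:
    """Substring match over the full name, case-insensitive, capped at RESULT_CAP rows.

    This is the behaviour the post describes: a one-letter query such as "a"
    (or an empty query) matches nearly every row, so the table can be listed
    a page at a time.
    """
    q = query.strip().lower()
    hits = [f"{first} {last}" for first, last in RECORDS
            if q in f"{first} {last}".lower()]
    return hits[:RESULT_CAP]


def exact_lookup(first: str, last: str) -> bool:
    """Whole-field, exact match that answers only yes/no for one named person.

    No listing is produced and partial strings never match, so a short or
    empty query cannot be used to walk the table. It still confirms whether a
    specific named person is present, which is the post's objection to the
    site existing at all.
    """
    f, l = first.strip().lower(), last.strip().lower()
    if not f or not l:
        raise ValueError("both first and last name are required")
    return any(fn.lower() == f and ln.lower() == l for fn, ln in RECORDS)


if __name__ == "__main__":
    print(weak_search("a"))              # lists every constructed record
    print(exact_lookup("Dana", "Smith"))  # True
    print(exact_lookup("Dana", "Smit"))   # False
```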

While we can appreciate the disclaimer at the bottom, “The information given by this website is presented ‘AS-IS,’ without any warranty as to its accuracy or fitness for a particular purpose.”, it is worth noting that searching for “Aaron Titus” yields no results. Wasn’t he impacted by this breach, and wasn’t that what led to him getting all fired up? Nice that he may have removed his own information, but what else may he have removed, and why?

Protecting us from criminals?

Titus was quoted in mainstream media as saying “I’d be shaking in my boots. I’d be really, really freaked out. All of my information is available to anyone who wants it right now”, but then makes certain aspects of people’s private information available on the Internet?

Regardless of the intentions of Titus or the Liberty Coalition, the information they are using was taken from the Louisiana Board of Regents, a government web server. They are now using this information to “help the public” and promote the Liberty Coalition organization. The site and its owner have ZERO rights to that information, ZERO rights for making any of it available and their actions could easily be considered criminal.

If nothing else, the site should be taken down out of respect for “privacy”. Isn’t that what you care about, Aaron?

This blog is pretty!

[This was originally published on the OSVDB blog.]

Ran across a post on Dancho Danchev’s blog about information visualization. I’ve seen these types of graphical renderings/representations of everything from “the internet” to web sites. In the past they have been part of presentations or been created with tools that weren’t public. Now, Texone is offering an online applet that will render an image based on your site. Putting in “osvdb.org/blog” and letting it go for a while created this pretty picture. To be fair, it crawled well past OSVDB. I don’t think we’re pretty by ourselves.

Scrubbing the Source Data

[This was originally published on the OSVDB blog.]

A few months ago, Jeff Jones at CSO Online blogged about “Scrubbing the Source Data”, talking about the challenges of using vulnerability data for analysis. Part 1 examined using the National Vulnerability Database (NVD) showing how you can’t blindly rely on the data from VDBs. In his examples he shows that using the data to examine Windows is probably fairly accurate, yet examining Apple is less so and Ubuntu Linux is basically not possible. Unfortunately, there isn’t a part two to the series (yet) as implied by the title and introduction. Jones concludes the post:

Given these accuracy levels for vulnerabilities after the vendor has acknowledged it and provided a fix, it doesn’t seem like too much of a stretch to also conclude that using this data to analyze unpatched data would be equally challenging. Finally, I think this exercise helps demonstrate that anyone leveraging public data sources needs to have a good understanding of both the strengths and the weaknesses that any given data source may have, with respect to what one is trying to analyze or measure, and include steps in their methodology that accommodates accordingly.