I wanted to support the Red Cross during Harvey… (but I can’t, so I need alternatives…)

File this under “blogs I didn’t expect to, or want to write tonight”.

With hurricane Harvey causing incredible damage and distress to Texas, many of us are looking for ways to help. I’d love to be down there in a boat rescuing animals or humans, bringing free bottled water (as opposed to the horrible alternative), or other forms of support. For those not able to make that commitment, we fall back to supporting charities that are on the ground helping. Tonight started out simple enough:

08-29-2017 21:43:38 Lyger: have you donated anything to any hurricane relief fund?
08-29-2017 21:44:09 jericho: not yet
08-29-2017 21:44:17 jericho: if i do, likely Red Cross
08-29-2017 21:44:38 jericho: may do ASPCA, looks like they are doing relief efforts specifically for animals
08-29-2017 21:44:50 Lyger: was wondering about both of those
08-29-2017 21:45:03 jericho: RC is kind of ‘old faithful’ in that regard
08-29-2017 21:45:03 Lyger: let me know if you do. if reasonable, i’ll match

First, know that I am not the only one who donates to charity and is careful about where the money goes, but I have learned the hard way that not all charities are created equal. I’ve also pointed out how so many of them waste considerable money trying to solicit more donations. I’ve advocated for everyone who will listen to tap into Amazon’s excellent program for giving to charity via your own purchases. I’ve also considered this at a slightly more abstract level, on smaller amounts, because I really believe that people in a position to help should do so. Please, before you come down on me for warning someone away from charity or the Red Cross specifically, I have been very clear it is about supporting charities doing the work you support. In this case, I just wanted to find which charities are specifically helping hurricane Harvey victims, and how.

I started by showing Lyger what Red Cross looks like under Charity Navigator, which is a 501c3 that I support too. With 90% going to program expenses, that is excellent, despite a 3/4 star rating (the CN star rating is more nuanced).

However, things went downhill after that. Start by Googling for “red cross harvey” and you get somewhat expected results:

Follow the links and you get the Red Cross donation page for Harvey:

Unfortunately, this is basically “give us money” with no supporting evidence for what they are doing during Harvey specifically. On the side bar we get a video though! Ignoring the culturally insensitive message suggesting that Hispanic kids have to read a book to figure out who their mother is, we see a building with cots and displaced families, but not a single Red Cross volunteer (the person speaking is almost certainly not a volunteer, nor is the person filming them). The blankets and camera shots are strategic, showing a good mix of people, Red Cross branded blankets, and… not much else. As for the man they briefly interview, I personally don’t think he fully understands whether the people who saved him or his family were affiliated with the Red Cross, just that he is grateful that his family was rescued.

At the end of the video, the nice lady encourages you to visit their web site (see screenshot above, that is all the info I could find), or call 1-800-RED-CROSS (800-733-2717). Ignoring the web site issue, and since I didn’t pay attention to the number, I called the first number I found on their site: 1-800-HELP NOW (1-800-435-7669). Since I called the ‘Help Now’ number, it wasn’t the intended line to find out more information on how the Red Cross is helping during Harvey, which is my fault. But I called, and the nice gentleman I talked to tonight was confused why I would ask about the Red Cross relief efforts (?!). Once I explained and he understood, he told me to call their ‘main line’, 1-800-733-2767 (RED-CROSS). I called that and got an interesting voicemail/routing lineup:

1. Opens with ‘call 911’ or call the Houston coast guard if in a life-threatening situation
2. If experiencing flooding, they give advice to avoid attics, etc.
3. If calling from TX, visit redcross.org/shelter or press 1
4. If calling from LA ..
5. To continue in español ..
6. Press 0 for all other inquiries
   A. If you are calling about a blood donation, press 1
   B. If inquiring on training and certification, press 2
   C. To make a financial donation, press 3
      a. For all other inquiries press 0 and you will be connected to the next available representative; you can also visit redcross.org for more information
      b. Press 0
      c. Options for Red Cross / Armed Forces liaison
      d. Disaster Assistance
      e. Else, call back during regular hours

I spent the time trying to find out what the Red Cross is doing during hurricane Harvey, and I am left confused and wanting more information. Again, before you start telling me that of course they are good, wait a minute. The Red Cross took in over half a billion dollars in 2015 via “Contributions, Gifts & Grants”, and ultimately $2,726,672,619 dollars total. That is 2.7 with a B.

I am not saying the Red Cross doesn’t do amazing work, I know they do. I have done the same level of digging tonight in prior years for other disasters and been content they do good things. I have seen videos, first-hand accounts, and a wealth of information showing how they helped. What I am saying is that the Red Cross has completely failed in their social media campaign during Harvey. They are letting down the people they are helping, their countless volunteers who do wonderful work, and their supporters looking to make sure that money donated today goes to help the crisis we’re facing today.

My advice is that the Red Cross continue helping during Harvey, but seriously re-evaluate their social media and fundraising efforts afterwards. Consider that Charity Navigator, my go-to charity to learn about charities, gave a pop-up about how to support during Harvey. And if you scroll down any given page, when the pop-up appears, it shows how you can help in their eyes based on data:

This is clever and helpful and I honestly wish this was a banner at the top of their site right now. That said, clicking on it is revealing in the context of the above. Consider the charities they recommend and where the Red Cross places on that list. Of course, verify those other charities ranked higher are actually helping the crisis we face today, just as I tried to do with the Red Cross tonight. Please… make sure that if you donate, your money goes as far as possible. Doesn’t matter if it is $1 or $1,000, just make sure it counts. In the meantime, I am going to keep researching to find a charity I feel will deliver the most good during this incredible time of need, and look to donate tomorrow. Thank you.

Researchers Find One Million Vulnerabilities?!

[This was originally published on RiskBasedSecurity.com.]


No researcher has yet claimed to find one million vulnerabilities, but we are sure to see that headline in the future. Every so often we see news articles touting a security researcher who found an incredible number of vulnerabilities in one product or vendor. Given that most disclosures involve a single vulnerability, or sometimes a dozen or two, a headline claiming ‘thousands’ of vulnerabilities is eye-catching, suspect, and problematic to the industry.

Perhaps one of the biggest cases of this came between May and July in the form of headlines such as “‘Thousands’ of known bugs found in pacemaker code” (BBC) and “Code Blue: Thousands of Bugs Found on Medical Monitoring System” (Security Ledger). The headlines were clear, thousands of vulnerabilities in a critical medical device.

Reading past the headline in the Security Ledger article, however, it wasn’t so clear: “In-brief: The Department of Homeland Security warned of hundreds of vulnerabilities in a hospital monitoring system sold by Philips. Security researchers who studied the system said the security holes may number in the thousands.” After another mention of “in the thousands”, a less dramatic paragraph followed saying that ICS-CERT warned of 460 vulnerabilities, while one of the researchers again emphasized the bigger number:

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert on July 14 about the discovery of 460 vulnerabilities in the Philips Xper-IM Connect system, including 360 with a severity rating of “high” or “critical” severity. But an interview with one of the researchers who analyzed the Xper system said that the true number of vulnerabilities was much higher, numbering in the thousands.

After digging into these claims a bit, it came to light that a majority of them were due to the use of outdated third-party libraries. While these library vulnerabilities may impact a device like a pacemaker, the opportunity to exploit any one of them may be real or may not exist at all. If an attacker can’t reach the vulnerable code, then it likely isn’t an issue. As such, while there are real issues with vulnerabilities in third-party libraries, claims of ‘thousands’ of vulnerabilities are often creative at best, and untrue at worst.

The alarming headlines don’t help anyone with a potentially vulnerable pacemaker, and the lack of proper analysis of those flaws to determine which are critical is a disservice to the medical and InfoSec industries.

The Curious Case of Tizen OS Security

Tizen is an operating system that many have likely never heard of. Based on the Linux kernel and first released on January 5, 2012, it is designed to offer a consistent user experience regardless of the device running it.

According to Wikipedia, it “works on a wide range of devices, including smartphones, tablets, in-vehicle infotainment (IVI) devices, smart TVs, PCs, smart cameras, wearable computing (such as smartwatches), Blu-ray players, printers and smart home appliances (such as refrigerators, lighting, washing machines, air conditioners, ovens/microwaves and a robotic vacuum cleaner).” As such, this operating system is poised to have a massive digital fingerprint on devices moving forward, even more so than the millions of Samsung TVs that run it currently.

Since it is based on Linux, one might expect it to be fairly mature code from the start, and not prone to serious vulnerabilities. While Linux has had its share of vulnerabilities over the years, a majority of them are local issues resulting in a denial of service or information disclosure. For the first five years, Tizen certainly seemed like it was more mature, with a single low-risk vulnerability disclosed in 2012. This year, however, has seen a spectacular explosion in Tizen vulnerabilities… maybe?

In April, researcher Amihai Neiderman told Vice “it may be the worst code I’ve ever seen” and told ThreatPost that he “found 40 bugs, and most of them look exploitable”. Neiderman presented his findings at the Kaspersky Security Analyst Summit in a 20-minute talk that only gave details on four of the issues, alluding to many others. During his talk, he also confirmed that he had only verified a single vulnerability was exploitable, and that the rest look exploitable. All of that only produced six actionable vulnerabilities based on the information made public. Last month, Tizen hit the news again, this time with a spectacular headline that the operating system contains 27,000 bugs according to researcher Andrey Karpov!

From the article: “After finding almost a thousand bugs in Tizen code, Karpov contacted Samsung to pitch for the sale of static analyser PVS-Studio software, but Youil Kim from Samsung declined the offer.” You may note that he contacted Samsung after finding “almost a thousand bugs”, a far cry from the 27,000 in the headline. The Register goes on to explain this disparity better:

It does look bad. According to Andrey Karpov, founder and CTO of Program Verification Systems, the Russia-based maker of static code analyzer PVS-Studio, Tizen’s codebase contains approximately 27,000 programming blunders. This is, though, based on extrapolating from 900 errors found in 3.3 per cent of the 72.5 million lines of C/C++ code (excluding comments) that compose the Tizen project.

This is certainly an eye-catching figure and one that might scare the most seasoned user of the operating system, if they actually even knew they were running it. What isn’t mentioned in the news articles or any form of disclosure from Karpov is the reality of such claims. While he has shared a somewhat detailed list of the nature of the flaws, there is no indication which of them, if any, are exploitable.

As we often see, and as we note in many of our vulnerability entries in VulnDB, issues found via static code analysis cannot be taken at face value without additional validation. Since Karpov used PVS-Studio to find these code defects, the same disclaimer applies. In fact, Karpov was questioned on the false positive rate of his findings and blogged that 10 to 15% may be invalid.

First, even if these flaws are buffer overflows, memory corruption issues, or other serious flaws that can lead to code execution, it doesn’t mean that any of these discovered or extrapolated issues have legitimate attack vectors.

Second, the more time you spend in vendor bug trackers watching the discussion of such reports, the more you are exposed to “vulnerabilities” that are relegated to a “theoretical” status as no one, researcher or developer, can demonstrate a user-controlled code path to reach the flaw.
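To make the Tizen arithmetic and the two points above concrete, here is a small triage model (an added example, not code from the article or from VulnDB): it projects a sampled defect count onto a code base, discounts it by the analyzer’s estimated false-positive band, and then sorts findings into confirmed-and-reachable versus “theoretical”. The Finding schema, the sample findings and the function names are assumptions; only the 900-in-3.3% and 10 to 15% figures come from the text.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Finding:
    """One static-analyzer report after manual review (constructed schema)."""
    finding_id: str
    kind: str          # analyzer category, e.g. "buffer overflow"
    confirmed: bool    # survived validation, i.e. not a false positive
    reachable: bool    # a user-controlled path to the flaw was demonstrated


def extrapolate(found: int, fraction_scanned: float,
                fp_low: float, fp_high: float) -> tuple[int, int, int]:
    """Project a sample count onto the whole code base, then discount it by
    the analyzer's estimated false-positive band.
    Returns (raw_projection, low_estimate, high_estimate), rounded."""
    if not 0 < fraction_scanned <= 1 or not 0 <= fp_low <= fp_high < 1:
        raise ValueError("fraction and false-positive band out of range")
    raw = found / fraction_scanned
    return round(raw), round(raw * (1 - fp_high)), round(raw * (1 - fp_low))


def triage(findings: list[Finding]) -> dict[str, int]:
    """Separate what a vulnerability database could record (confirmed and
    reachable) from defects that stay 'theoretical' or turn out bogus."""
    counts = {"reported": len(findings), "false_positive": 0,
              "theoretical": 0, "actionable": 0}
    for f in findings:
        if not f.confirmed:
            counts["false_positive"] += 1
        elif f.reachable:
            counts["actionable"] += 1
        else:
            counts["theoretical"] += 1
    return counts


# Constructed sample: six analyzer hits of the kinds the article mentions.
SAMPLE = [
    Finding("F1", "buffer overflow", confirmed=True, reachable=True),
    Finding("F2", "buffer overflow", confirmed=True, reachable=False),
    Finding("F3", "memory corruption", confirmed=False, reachable=False),
    Finding("F4", "memory corruption", confirmed=True, reachable=False),
    Finding("F5", "outdated third-party library", confirmed=True, reachable=False),
    Finding("F6", "null dereference", confirmed=False, reachable=False),
]

if __name__ == "__main__":
    # Tizen figures from the text: 900 errors in 3.3% of the code, 10-15% invalid
    print(extrapolate(900, 0.033, 0.10, 0.15))   # (27273, 23182, 24545)
    print(triage(SAMPLE))
```

The raw projection reproduces the 27,000 headline figure, but only one of the six sample findings would count as a vulnerability under the standard the text argues for.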

Yes, we’re well aware of the pitfalls around calling a vulnerability “theoretical”! In the meantime, we strongly encourage news outlets to report such stories, but to do so in a more mindful and responsible way. Explosive and potentially misleading headlines simply do not help the world of security. As Brian Krebs recently pointed out, in a very similar vein to the above, “beware of security by press release”.

That Vulnerability is “Theoretical”!

[This was originally published on the OSVDB blog.]

A few days ago, while writing a draft of a different blog, I made a reference and said “we’re well aware of the pitfalls around calling a vulnerability ‘theoretical’”! I wanted to link off to what I was referencing: a case where security researchers found a vulnerability in a big vendor’s products and were told it was “theoretical”. Of course, they in turn provided a working exploit for the vulnerability, proving it wasn’t just theory. Thus, around 1995, the researchers took on the slogan “L0pht, Making the theoretical practical since 1992.” After digging, I couldn’t find a concise story of the details around that event, so I took to Twitter. Over the course of a couple of hours, with input from many people, including some involved with the story, I collected the details. I told those in the conversation that once I had the information I would blog about it to better preserve that slice of history.

My bad memory had me believing the vulnerability was in Sendmail, and that Eric Allman said it to Mudge. Royce Williams dug up the Sendmail exploit I was thinking of, and the header text from Mudge suggested I was on the right track.

*NIX Sendmail (8.7.5) – Buffer Overflow – Newest sendmail exploit
:
# Hrm… and Eric Allman told me to my face that there were *no* buffer
# overflows in 8.7.5 — .mudge
# This works on systems that have the chpass program runable by
# users. Tested on FreeBSD, though the vulnerability exists in all
# Sendmail8.7.5. Granted you need to be able to change your gecos field 😉
#
# The problem is in buildfnam() which lives in util.c – it treats
# the static allocated array nbuf[MAXSIZE+1], from recipient.c, in
# an unbounded fashion.

Next, Royce reminded me that I had actually referenced that vulnerability in a prior blog post from 2006… oops! Mark Dowd was the first to challenge me on that, saying he believed it was related to a vulnerability in Microsoft’s products, related to RAS or CHAP, and he was right about the vendor (which vuln it was specifically is still not confirmed). Next, Space Rogue, an original L0pht member chimed in saying he thought it referred to Microsoft and the NT/Lanman vulnerability, and that the 1992 part of the slogan simply referred to when L0pht was formed. DKP further confirmed this by digging into the wonderful Internet Archive, finding the slogan and quote on the L0pht’s page.

“That vulnerability is completely theoretical.” — Microsoft
L0pht, Making the theoretical practical since 1992.

From here, Weld Pond and Mudge, original members of the L0pht, joined the conversation. First, Weld said it might be a RAS or CHAP vulnerability, but he wasn’t certain; the slogan came from a Microsoft spokesperson who was quoted saying “that vulnerability is theoretical”, and that resulted in the exploit being written to prove otherwise. Weld further confirmed what Space Rogue had said, that the “slogan was coined in 95 or so but made retrospective to the founding of the L0pht.”

DKP continued digging and found the quote in Bruce Schneier’s “Secrets and Lies”, and pointed out Schneier worked with Mudge on an MS-CHAPv2 vulnerability. The paper on that vuln is from 1999 though, suggesting it wasn’t the “theoretical” vuln.

With that, the “theoretical” vulnerability is mostly uncovered. It would be great if anyone could confirm exactly which vulnerability it was that prompted the response from Microsoft. If anyone else recalls details about this, please share!

In the meantime, we also get to wonder about the Sendmail story, where this saga started, which also apparently is interesting. Space Rogue mentioned there was a separate story around that, but couldn’t remember details. Mudge jumped in confirming it was a Sendmail 8.6.9 exploit, “in response to in-person ‘discussion’ w/ [Eric] Allman at a Usenix Security in Texas. Witnesses, but no writeup.” Mudge added that “a very similar ‘quote’ happened in person with Allman quite some time prior to the MS issue. It wasn’t a throw away quote. I/we lived it 🙂”

August 14, 2017 Update:

Mudge provided more insight into another issue, also a ‘theoretical’ risk. During the Twitter thread, there were questions about L0phtcrack. Mudge says: “In a nutshell – a MSFT PR article in NT magazine said l0phtcrack was a theoretical risk but not an actual one. I responded with LC rant. Soon after we coined the phrase to describe the PoCs I felt it was crucial to write and release”. DKP dug up a Wired article that better illustrates how vendors can dismiss security researchers:

20 Seconds to Comply; 17+ Years to Get It Wrong. From “Roboguard” to “Steve”!

Recently, news broke of a robot security guard lovingly nicknamed “Steve” who drowned in a fountain in the lobby of the building he was sworn to protect. The various Tweets and news articles jumped all over it, with articles anthropomorphizing Steve and headlines such as “Security guard robot ends it all by throwing itself into a watery grave”.

No surprise, but workers in the building set up a “touching” memorial for Steve on his charging plate, further anthropomorphizing him. It’s hard not to care for and feel sorry for poor Steve, who likely roamed an empty building with modern access controls and no real threat, other than a wayward janitor who lost his RFID badge.

While the Internet is enjoying and mourning poor Steve, everyone seems to forget about old ‘Roboguard’! Unfortunately, like most media outlets, even “New Scientist” doesn’t preserve links and evidence like a scientist would. These asshats don’t even clearly list a date on their articles (posted to ISN on Aug 31, 2000). Thanks to the Internet Archive, if we go back far enough we see the article but without pictures, likely because “New Scientist” didn’t want to preserve anything back then, like they don’t today. I don’t think “science” means what they think it means.

Not sure if Asimov would be laughing or rolling in his grave.