[SecurityRatty] tag: tcp

Partial Disclosure - The Good, Bad, and Ugly

Tue, 21 Oct 2008 09:58:00 +0000

There is apparently a bit of fear going around information security circles that the next big trend in the disclosure wars is going to be “Partial Disclosure”. In the past, the vulnerability research community has embraced the concepts of “Full Disclosure” and/or “Non-Disclosure”. Once those concepts had been sufficiently played out, the general consensus was to move towards “Responsible Disclosure” whereby the security researcher responsibly discloses the discovered vulnerability to the vendor and works in a cooperative fashion in an effort to minimize the risk to the general user populous. This has worked well in the vast majority of cases that I have had the pleasure of managing the disclosure process.

Partial Disclosure - The Good

The responsible disclosure process tends to break down in rare occasions where the vendor doesn’t want to fix the issue. When this occurs, the researcher is put into a difficult position whereby full disclosure could put users’ systems at high risk of compromise. The other case where partial disclosure becomes an alternative is when the researcher has discovered a design flaw in a protocol or underlying multiple vendor component. Examples of this case include the DNS flaws published this past summer by Dan Kaminsky and the TCP denial of service condition discovered by Robert E. Lee and Jack Louis that is currently in the disclosure process. When the flaw affects a very large number of vendors and the actual problem is located within the underlying protocols that support the communications of the Internet as a whole, one possible solution is to follow a partial disclosure model where phasing the details to the general public can be used to encourage adoption and creation of patches throughout the enormous target audience.

Partial Disclosure - The Bad

What is driving the fear surrounding partial disclosure is the potential for abuse. When a major flaw is partially disclosed, a number of potential issues may occur. First and foremost, the further along the partial disclosure path we are, the more details will be released to the public, and the higher the probability that someone (either good or bad intentioned) will figure out the exploit and disclose the details. Second, when partially disclosing, the vendor’s hand is being forced into a situation that could speed up fixes, reduce testing, and cause ripple problems elsewhere within the infrastructure. It is difficult enough to dance the fine time line when doing responsible disclosure, but if we are escalated to the point of partial disclosure, additional fuel is added to the fire.

The Ugly

The real ugly part of partial disclosure is when we add to the equation the ability to spread fear, uncertainty, and doubt into the normal user community. It is generally well accepted that FUD can be used to drive additional revenue. If it is possible to increase the perceived magnitude of the “problem” that your product or service solves, it is possible to directly impact the demand for that product or service. That is the major fear imposed by the growing trend of partial disclosure. By releasing just enough information to trigger wide scale speculation into the flaw, it is possible to create buzz and garner media attention resulting in a lot of speculation and very little hard facts around the issue. The potential for abuse by the security industry at large is enormous.

The Fix

Some have suggested a group of security researchers be convened to vet the requirement of partial disclosure and to allow for independent peer review of any security research that requires the partial disclosure process. This suggestion leaves questions regarding who would stand on this group and who would be impartial enough to ensure that the right thing was always done regardless of profit potential. It also leaves open the opportunity for member researchers to utilize the information gathered during the vetting process to position themselves to profit from the data upon release. It might be wiser to rely on a higher level authority or government entity to manage this process and use the services of security researchers as required for subject matter expertise. While a group of this type wouldn’t ensure that all partial disclosure is appropriate, it would hopefully limit the potential for abuse and the ever present chance that people try to profit from the FUD that surrounds the current partial disclosure process.

Using Metasploit to create a reverse Meterpreter payload EXE by John Strand

Wed, 15 Oct 2008 16:20:00 +0000

New Video:Using Metasploit to create a reverse Meterpreter payload EXE by John Strand
John Strand of Black Hills Security sent me an awesome video on using Metasploit to create an EXE with the Meterpreter payload that creates a reverse TCP connection outbound, blowing through many NAT boxes and firewalls. This goes great with a previous video I did on EXE Binders/Joiners.

Using Metasploit to create a reverse Meterpreter payload EXE by John Strand

Wed, 15 Oct 2008 13:53:56 +0000

Vendors rush to fix bug that could crash Internet systems

Fri, 03 Oct 2008 00:00:00 +0000

Internet infrastructure vendors are working on a patch for a critical TCP/IP bug that can bring down many firewalls and operating systems.

OSfuscate: Change your Windows OS TCP/IP Fingerprint to confuse P0f, NetworkMiner, Ettercap, Nmap and other OS detection tools

Thu, 02 Oct 2008 20:15:15 +0000

I was wondering awhile back how one could go about changing the OS fingerprint of a Windows box to confuse tools like Nmap, P0f, Ettercap and NetworkMiner. I knew there were registry setting you could change in Windows XP/Vista that would let you reconfigure how the TCP/IP stack works, thus changing how the above tools would detect the OS. I wasn't sure what all registry changes to make, but luckily I found Craig Heffner's work on the subject. In this post I cover the issue of passive/active OS fingerprint detection, as well as release my tool OSfuscate.

OSfuscate: Change your Windows OS TCP/IP Fingerprint to confuse P0f, NetworkMiner, Ettercap, Nmap and other OS detection tools

Thu, 02 Oct 2008 20:15:15 +0000

Flaw in internet protocol core could disrupt almost any broadband connection device

Wed, 01 Oct 2008 18:22:42 +0000

Security experts have discovered a flaw in a core internet protocol that can be exploited to disrupt just about any device with a broadband connection. The finding could have profound consequences for millions of people who depend on websites, mail servers, and network infrastructure. The bug in the transmission control protocol (TCP) affords attackers a wealth [...]

Nmap presentation for the ISSA in Louisville Kentucky

Sat, 06 Sep 2008 13:03:27 +0000

This is a presentation I gave for the Kentuckiana ISSA on the security tool Nmap. I've also posted the slides and other media so you can follow along if you like. Topics covered include: port scanning concepts, TCP three way handshake, stealth scans, idle scans, bounce scans, version detection, OS detection, NSE/LUA scripting and firewall logs. Hope some of you can make it to the free class we will be holding at Ivy Tech Sellersburg on Sept 20th, 2008 at 1pm. Contact me to RSVP. The video is about an hour long. Enjoy.

Nmap presentation for the ISSA in Louisville Kentucky

Sat, 06 Sep 2008 13:03:27 +0000

Nmap presentation for the ISSA in Louisville Kentucky

Sat, 06 Sep 2008 13:03:27 +0000