http://www.wired.com/2015/10/security-experts-gather-talk-consensus-chaos-ensues/
By Kim Zetter, Security, Wired.com, 10.01.15

Security researchers and vendors have long been locked in a debate over how to disclose security vulnerabilities, and there’s little on which the two sides agree. Apparently this extends even to the question of whether they should meet to hash out their disagreements. That’s the conclusion after a coalition of security vendors, academics, lawyers, and researchers gathered at UC Berkeley on Tuesday to discuss how to improve the sometimes-hostile system for reporting software vulnerabilities. But the diverse group of participants had a hard time even agreeing on the purpose of the meeting: Was it to draft a charter for best practices in reporting software vulnerabilities? Was it to reform parts of the Digital Millennium Copyright Act and Computer Fraud and Abuse Act to make them less hostile to researchers? Or was it to develop guidelines for companies interested in launching bug bounty programs? The participants hit another sticking point when they tried to determine if they should hold a second meeting. “I spent $2,000 [to come to this meeting],” Dave Aitel, CEO and founder of the Florida-based security firm Immunity, told attendees. Whether or not there’s a second meeting, “should at least be an option” for discussion. […]
http://www.computerworld.com/article/2969378/security/oracle-yanks-blog-post-critical-of-security-vendors-customers.html
By Joab Jackson, IDG News Service, Aug 11, 2015

Oracle published, then quickly deleted, a blog post criticizing third-party security consultants and the enterprise customers who use them. Authored by Oracle chief security officer Mary Ann Davidson, the post sharply admonished enterprise customers for reverse engineering, or hiring consultants to reverse engineer, the company’s proprietary software, with the aim of finding as yet unfixed security vulnerabilities. The missive, entitled “No, You Really Can’t,” was issued Monday on Davidson’s corporate blog, then pulled a few hours later. The Internet Archive captured a copy of the post. “We removed the post as it does not reflect our beliefs or our relationship with our customers,” wrote Edward Screven, Oracle executive vice president and chief corporate architect, in a statement emailed Tuesday. […]
https://blogs.rsa.com/bad-decisions-made-faster-qualitative-security-risk-assessments-making-things-worse/?utm_source=rss&utm_medium=rss&utm_campaign=bad-decisions-made-faster-qualitative-security-risk-assessments-making-things-worse
By Derek Brink, blogs.rsa.com, March 19, 2014

Once there was a leadership team that was exceedingly fond of using risk assessments to make business decisions about information security. The team cared little for detailed discussions about threats, vulnerabilities, technical exploits, or a host of potential security controls. They wanted their subject matter experts on information security to explain clearly how their recommended investments in security controls would actually reduce the company’s risk, and they ultimately wanted to make decisions based on the amount of risk the company was willing to accept. Many security professionals, as well as many security vendors, tried but failed to communicate in this way and fell back into their old bad habits, frustrating everyone. But one day some pretenders came along, who let it be known that they could conduct qualitative (and even “semi-quantitative”) security risk assessments that could be easily understood by the leadership team. Their security risk assessments were presented using bright colors, and had the property of being understood by virtually everyone. The pretenders were supported by a third-party advisor, highly trusted by the leadership team, who vouched publicly for their approach. Does any of this fractured fairy tale sound familiar? It’s based, of course, on Hans Christian Andersen’s classic story, The Emperor’s New Clothes. You can write the end of the story yourself. In spite of their misgivings, everyone goes along with the charade
By Andrew Auernheimer Opinion Wired.com 11.29.12
Editor’s Note: The author of this opinion piece, aka “weev,” was found guilty last week of computer intrusion for obtaining the unprotected e-mail addresses of more than 100,000 iPad owners from AT&T’s website, and passing them to a journalist. His sentencing is set for February 25, 2013.
Right now there’s a hacker out there somewhere producing a zero-day attack. When he’s done, his “exploit” will enable whatever parties possess it to access thousands — even millions — of computer systems.
But the critical moment isn’t production — it’s distribution. What will the hacker do with his exploit? Here’s what could happen next:
The hacker decides to sell it to a third party. The hacker could sell the exploit to unscrupulous information-security vendors running a protection racket, offering their product as the “protection.” Or the hacker could sell the exploit to repressive governments who can use it to spy on activists protesting their authority. (It’s not unheard of for governments, including that of the U.S., to use exploits to gather both foreign and domestic intelligence.)
The hacker notifies the vendor, who may — or may not — patch. The vendor may patch mission-critical customers (read: those paying more money) before other users. Or, the vendor may decide not to release a patch because a cost/benefit analysis conducted by an in-house MBA determines that it’s cheaper to simply do … nothing.
I’ve compiled a fairly comprehensive list of security vendors; feel free to suggest more.
I was cruising the Exploit-DB.com site today just to see the latest exploits in the wild and noticed right away that there was a new Metasploit exploit released on October 1st for Trend Micro’s Internet Security Pro 2010. It always chills me when I see exploits for security vendors. I guess I see them as being special or something. Maybe I shouldn’t put them so much on a pedestal, since I guess all programmers can make mistakes. However, the question is… should we expect security vendors to have better security than their customers or other software companies? I wonder if NSS Labs is going to come up with a framework for assessing or certifying security product vendors’ development processes? Hmm… That’d be nice to see.
See the exploit below:
Apparently Nessus has really hit the mainstream, with this company (Edgeos) offering “managed” security to other security vendors that wish to provide managed scanning services. Interesting, but again kinda scary to host your vulnerability data off-site like that. Apparently hosting your vulnerability data is really catching on, as lots of major companies seem to be doing it. Cloud-based scanning services were also just released by Rapid7, a strong new vulnerability vendor that has been doing quite well competing against Qualys and McAfeeSecure (aka Hackersafe).