Analyst Journal @ 10 Mar 2009 08:25 pm by ayoi

Ok, ok. This post is not a rebuttal, nor does it condemn or criticize anyone. It is more about knowledge sharing for those who didn’t know, or perhaps didn’t get a clear picture of, the topic.
Btw, I hope this post will indicate where I stand, and why, on the matters recently hotly debated with this group of talented people here. So, what the hell is Full Disclosure?
Hmm.. As usual, after a simple Google search, I’ll just post the definition from Wikipedia:
“Full disclosure requires that full details of a security vulnerability are disclosed to the public, including details of the vulnerability and how to detect and exploit it. The theory behind full disclosure is that releasing vulnerability information immediately results in quicker fixes and better security. Fixes are produced faster because vendors and authors are forced to respond in order to save face. Security is improved because the window of exposure, the amount of time the vulnerability is open to attack, is reduced.
In the realm of computer vulnerabilities, disclosure is often achieved via mailing lists such as Bugtraq and full disclosure by other means.”
What does it mean? It means that, contrary to the Security through Obscurity philosophy, Full Disclosure is the practice of disclosing the full details of security problems in a product (whether hardware or software).
Why disclose the full information?
As Mr HD Moore said in his blog post titled “The Best Defense is Information”,
“All security providers, whether they make antivirus, assessment, or intrusion detection products depend on detailed vulnerability information to tune their products, create signatures, and in the end, better protect their users. Regardless of how many resources these providers have, they all depend on public information to some extent.”
That’s one of the reasons why mailing lists like Bugtraq and Full Disclosure were created.
Disclose to whom? The public?
Whooo… Hold on, young man.. This is where so-called Responsible Disclosure comes into the picture. It says that, in the absence of a public exploit for that particular security problem, the author or vendor of the product must be notified first so they can address the issue. Why? So that they can provide countermeasures, patches, fixes or workarounds for that security problem.
Anyway, let’s see the definitions of the parties involved in this Full Disclosure process.
Based on the Rain Forest Puppy Full Disclosure Policy:
i). Originator – the individual or group submitting the ISSUE.
ii). Maintainer – the individual, group, or vendor that maintains the software, hardware, or resources that are related to the ISSUE.
(ISSUE – the vulnerability, problem, or otherwise reason for contact and communication.)
And the IETF draft paper defines the parties involved in detail:
i). Vendor – an individual or organization who provides, develops, or maintains software, hardware, or services, possibly for free.
ii). Customer – the end user of the software, hardware, or service that may be affected by the vulnerability
iii). Reporter – the individual or organization that informs (or attempts to inform) the Vendor of the vulnerability. Note that the Reporter may not have been the initial discoverer of the problem.
iv). Coordinator – individual or organization who works with the Reporter and the Vendor to analyze and address the vulnerability. Coordinators are often well-known third parties. Coordinators may have resources, credibility, or working relationships that exceed those of the reporter or vendors. Coordinators may serve as proxies for reporters, help to verify the reporter’s claims, resolve conflicts, and work with all parties to resolve the vulnerability in a satisfactory manner.
v). Security Community – The Security Community includes individuals or organizations whose primary goals include improving overall information technology security. The community includes security administrators and analysts, system administrators who are responsible for the security of their systems, commercial or non-profit organizations who provide security-related products or services, researchers and academics, informal groups, and individuals.
But how long do they have to provide the patches, etc.?
Well, I came across the IETF Responsible Disclosure Draft, and yes, Rain Forest Puppy (RFP) also provides a policy called the Full Disclosure Policy ver 2.0. The policy mentions that the author or vendor usually gets 5 working days to work on the vulnerability. But then the reporter of the vulnerability must provide assistance in the form of all known details of the issue, including any programs, scripts, or pseudo-code that would allow the Vendor to reproduce and/or confirm the vulnerability.
The reporter must also consider delaying the disclosure once there is active communication between the reporter and the vendor, as some fixes require more than 5 days.
The IETF draft paper also describes the 5 processes of Responsible Vulnerability Disclosure:
a). Latent Flaw – A flaw is introduced into a product during its design, specification, development, installation, or default configuration.
b). Discovery – One or more individuals or organizations discover the flaw through casual evaluation, by accident, or as a result of focused analysis and testing. In some cases, knowledge of the flaw may be kept within a particular group. A vulnerability report or an exploit program may be discovered “in the wild,” i.e., in use by malicious attackers or made available for use and distribution.
c). Notification – A reporter or coordinator notifies the vendor of the vulnerability (“Initial Notification”). In turn, the vendor provides the reporter or coordinator with assurances that the notification was received (“Vendor Receipt”).
d). Validation – The vendor or other parties verify and validate the reporter’s claims (“Reproduction”).
e). Resolution – The vendor and other parties also try to identify where the flaw resides (“Diagnosis”). The vendor develops a patch or workaround that eliminates or reduces the risk of the vulnerability (“Fix development”). The patch is then tested by other parties (such as reporter or coordinator) to ensure that the flaw has been corrected (“Patch Testing”).
f). Release – The vendor, coordinator, and/or reporter release the information about the vulnerability, along with its resolution. The vendor may initially release this information to its customers and other organizations with which it may have special relationships (“Limited release”). The vendor or other parties may then release the information – possibly with additional details – to the security community.
g). Follow up – The vendor, customer, coordinator, reporter, or security community may conduct additional analysis of the vulnerability or the quality of its resolution.
Ohh OK.. But what if I’ve discovered that an organization’s website is vulnerable to SQL Injection, based on a known vulnerability in the application they use, and I publish those findings on my website? I’ve already contacted the admin on the matter. Does that constitute Full Disclosure?
No. Why?
a). In the Discovery phase of Full Disclosure, the Reporter must ensure that:
i). the vulnerability is real
ii). the process of getting the product into a known exploitable state is repeatable
iii). the vulnerability has not already been reported by the vendor or by well-established vulnerability information sources (Bugtraq, Full Disclosure mailing lists).
b). If we look at the Responsible Disclosure processes, they are about the relationship between the reporter and the vendor, BUT NOT the customer.
c). What you’ve actually done is Penetration Testing. Unauthorized Penetration Testing, that is.
d). One of the goals of Responsible Disclosure is: provide customers with sufficient information for them to evaluate the level of security in vendors’ products. I believe evaluation is the process before you acquire that technology or product, not after.
So I think a further read on this matter, especially of the draft and the policy, would help us gain more information. That’s why I tend to disagree with the method used by some of us to increase the level of security awareness. The Full Disclosure that Mr. Moore mentioned is not about “hacking” applications or websites belonging to other parties and publishing the findings on the net for everybody to see. It is about the importance of disclosing security problems when an exploit for that problem exists in the “wild” while the vendor has failed to acknowledge the problem, so that the information can be used by security providers or the affected parties in strategizing their countermeasures.
Just imagine these two scenarios:
a). A person discovers that the door provided by the housing developer has a weak lock. He informs the developer and points out the weakness, and the developer acknowledges it. The developer then notifies the existing house owners of the newly found flaw in the door and asks them to replace it.
b). Another person, who happens to be one of the house owners, then starts to break into his neighbours’ houses by exploiting the existing flaw. He then calls his neighbours and tells them, “Hey, your house is not secure. Your door has this vulnerability. Please replace your door.” He also publishes not only the list of houses he managed to break into but also the break-in method, on the community service centre’s notice board.
My question is: can scenario (b) be considered Full Disclosure, or is it Penetration Testing?
ayoi bro..
we are not practicing scenario (b) for the time being (esp on gov sites)..
as gcert n mcmc also request fair play n cooperation from us as well..
for the hd moore quote, we only noted the part that we have in our blog, as for the rest we were too lazy to paste it ;-p
again, thank you for all your good criticizing and information sharing..
last but not least, in this game, we prefer ninja style as ninjas don’t wear (any) hat
To be frank, I do have my share of frustrations and disappointment regarding security awareness, especially among those who manage the public sector IT infrastructure. But then I do understand the constraints and limitations that they face every single day. Unfortunately you guys did not have the privilege of knowing the other side of the story, and for that I do not blame everything on you guys for what you’ve done.
It will be beneficial for awareness as well when you guys co-operate with those in authority and do those things within the legal boundary, and based on your comment there I hope you guys can establish a good working relationship with the authority.
I will always support your cause, but as I have emphasised many times, obtain the authorization and consent.
Don’t let these events stop your passion for security tho.
What are you ranting about.. I don’t understand.. I don’t get it…
Ah, the old man only knows how to rant, heh heh heh