|
|
[ Message Precedent sur la mailing][ Message Suivant sur la mailing][ Precedent dans le fil][ Prochain dans le fil][ Index par Date][ Index par fil]
Re: [Full-disclosure] University of Central Florida Multiple LFI
Caspian, I'm not here to catch flies, I'm here to ensure holes get patched. As I've stated time and time again I contacted many people all throughout the "food chain" and even went so far as contacted web developers on their personal cellular devices. When Brown University had a problem I emailed their security contact and within 5 hours I received word back; the same is not true of UCF. When Berkeley had a gaping hole in their security which allowed me into their administrative backend, I again emailed the security contact listed in their whois information and within 12 hours heard back from them with the vulnerability itself being patched within 18 hours; the same is not true of UCF. I've contacted schools and organizations much larger than UCF and received not only faster response times but have been given explicit security contacts should I find anything new; after having disclosed over 20 bugs to UCF, I've yet to ever receive a _single_ email back or even given an explicit security contact despite asking for one in _every_ email I send. At this point, following the RFP Disclosure Policy, I no longer feel obligated to work with them and will more than likely instantly disclose any vulnerability I find in their code; if FD doesn't approve they should consider their stance on Full Disclosure as a disclosure policy.
"Full disclosure requires that full details of a security vulnerability are disclosed to the
public, including details of the vulnerability and how to detect and
exploit it. The theory behind full disclosure is that releasing
vulnerability information immediately results in quicker fixes and
better security. Fixes are produced faster because vendors and authors
are forced to respond in order to protect their system from potential
attacks as well as to protect their own image. Security is improved
because the window of exposure, the amount of time the vulnerability is open to attack, is reduced." Luis Santana
On Sun, Feb 20, 2011 at 12:18 PM, Caspian Kilkelly <caspian@xxxxxxxxxxxxxxxxxxxx> wrote:
Chris and Luis, Thinking that a university IT department is a centralized, monolithic structure (like it is in most businesses) is stretching it. Most of the places I've worked with or for have little internal empires run by whoever got there first, and their budgets are pretty slim. Having something like a regular infrastructure meeting would be great if the heads of the official infrastructure department even knew who the other infrastructure stakeholders were, but they usually don't.
Additionally, 5 days or even 12 is far too short a time to disclose vulns for institutions that have a support response time of a week or more (most universities move at a glacial pace). While I realize that you think this is critical, their IT managers might not have any idea what the problem is (communications are poor, they are usually undertrained and underpaid), and certainly have about 300 other things to think about that are likely just as serious to them (like prof Fuzzyhair's massive lab installation, or the director of research needing a new pc). Next time, make a few phone calls, and not to the peons who run the support desk (no offense, help desk), call the head of IT or the president, rector, or someone equally high up, and give them enough time to respond. You catch more flies with honey, etc..
Agreed - by not taking further steps following the complete negligence of the institution to protect the security of their assets (and thereby placing students & staff at risk) there must be some further incentive to bring this to their attention. If anything they should have regular infrastructure meetings where items like this should be at the top of the agenda.
Its unfortunate that it has to come to this with many institutions - I have had many similar experiences. On Sat, Feb 19, 2011 at 5:54 PM, Hack Talk <hacktalkblog@xxxxxxxxx> wrote:
Weev,
I actually know many of the "techrangers" who are UCF employed students which are in charge of maintaining websites and have spoken to them personally about these and other vulnerabilities many times in the past and they have yet to patch them. In addition to that I have gone so far as to finding one of the developer's website (http://www.stevenmonetti.com/) and not only emailing him, but adding him to my gTalk list (the invitation to which he has yet to accept after about a month) and after looking at his resume left him a text message and a voicemail all with no contact back. I am flat out when reporting vulnerabilities and let the affected party know from day one that I follow the RFP Responsible Disclosure Policy and if I don't hear back in 5 days I no longer need to work with them. On days 3 and 5 I always email back if they haven't gotten back in contact with me and once again reiterate the disclosure policy. At this point they must not care enough if I was doing that every 3 days for quite some time. If they don't care about their own security then something must happen to make them care.
Luis Santana
On Sat, Feb 19, 2011 at 12:49 PM, Eyeballing Weev <eyeballing.weev@xxxxxxxxx> wrote:
Shawn,
"Hack Talk" would rather fire off 5 emails than pick up a phone, make a
phone call and call someone from the WHOIS information since by his own
admission he's a Florida resident who lives near UCF or maybe he's
worried about law enforcement after all ;-)
On 02/19/2011 12:46 PM, Hack Talk wrote:
> Hey Shawn,
>
> I typically follow the Rain Forest Puppy Responsible Disclosure Policy
> which I'm sure many people have read. I even extended the contact time
> to 2 weeks since Universities are quite busy places. During those 2
> weeks I personally emailed them back 5 times and did not get a single
> response back. This is not the first time the University has neglected
> to respond to vulnerabilities affecting their sites and as such I
> decided that enough was enough and that by publicly disclosing these
> vulnerabilities they would be forced to patch their code. I've worked
> with many Universities in the past to patch there vulnerabilities and
> they have responded typically within 12 hours of me sending my initial
> email alerting them to the issue. Being a .edu does not exempt you from
> hackers wanting into your system and it does not mean you can get away
> with having gaping holes in security for months without patching them.
>
> Full Disclosure as a methodology is about forcing people to fix their
> holes which is exactly what I was hoping would happen to UCF.
>
> Thanks for doing your best to extinguish the flamewar that was starting :D.
>
>
> Luis Santana
>
>
>
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-- I’m a hot-wired, heat seeking, warm-hearted cool customer, voice activated and bio-degradable. I interface with my database, my database is in cyberspace, so I’m interactive, I’m hyperactive and from time to time I’m radioactive.
Full-Disclosure - We believe in it.
Charter: link://[click]
Hosted and sponsored by Secunia - link://[click]
Archives de la liste de diffusion Secunia
Archives de la liste de diffusion Full Disclosure
| Mini-Tagwall des articles publiés sur SecuObs : | | | | sécurité, exploit, windows, attaque, outil, microsoft, réseau, audit, metasploit, vulnérabilité, système, virus, internet, usbsploit, données, source, linux, protocol, présentation, scanne, réseaux, scanner, bluetooth, conférence, reverse, shell, meterpreter, vista, rootkit, détection, mobile, security, malicieux, engineering, téléphone, paquet, trames, https, noyau, utilisant, intel, wishmaster, google, sysun, libre |
| Mini-Tagwall de l'annuaire video : | | | | curit, security, biomet, metasploit, biometric, cking, password, windows, botnet, defcon, tutorial, crypt, xploit, exploit, lockpicking, linux, attack, wireshark, vmware, rootkit, conference, network, shmoocon, backtrack, virus, conficker, elcom, etter, elcomsoft, server, meterpreter, openvpn, ettercap, openbs, iphone, shell, openbsd, iptables, securitytube, deepsec, source, office, systm, openssh, radio |
| Mini-Tagwall des articles de la revue de presse : | | | | security, microsoft, windows, hacker, attack, network, vulnerability, google, exploit, malware, internet, remote, iphone, server, inject, patch, apple, twitter, mobile, virus, ebook, facebook, vulnérabilité, crypt, source, linux, password, intel, research, virtual, phish, access, tutorial, trojan, social, privacy, firefox, adobe, overflow, office, cisco, conficker, botnet, pirate, sécurité |
| Mini-Tagwall des Tweets de la revue Twitter : | | | | security, linux, botnet, attack, metasploit, cisco, defcon, phish, exploit, google, inject, server, firewall, network, twitter, vmware, windows, microsoft, compliance, vulnerability, python, engineering, source, kernel, crypt, social, overflow, nessus, crack, hacker, virus, iphone, patch, virtual, javascript, malware, conficker, pentest, research, email, password, adobe, apache, proxy, backtrack |
|
|
|
|
|
