Security hole
A security hole or vulnerability is a flaw in an information system that can be exploited to breach the security of the system.
Types
Examples of types of vulnerabilities according to their nature:
- Software. Examples:
  - SQL injection
  - Buffer overflow
  - Clickjacking
  - Race conditions
  - Cross-site request forgery
  - Cross-site scripting
- Hardware
- The physical environment of the system
- The personnel involved
- The management, organization and security procedures involved
- The communications network used
Prevention
The best policy against security holes, both to reduce their number and to make them easier to locate, is to prevent them during the development process. For this purpose the secure software development life cycle (S-SDLC) was created, which incorporates security into the software development life cycle: each phase of the life cycle takes security into account.
Examples of good practices to achieve software with fewer vulnerabilities:
- Keep development tools up to date
- Use good coding practices
- Establish security requirements
- Remove unused modules and files from the software
- Log all events
- Avoid displaying error messages exactly as generated by the system
- Perform authorization in addition to authentication
- Keep control instructions separate from data
- Validate all data explicitly
- Identify sensitive data and how it should be handled
- Use safe update procedures
- Default settings should be a secure configuration
- Use test tools designed specifically for vulnerability detection. For example:
  - Fuzzers. They work by injecting inputs containing random data and checking the resulting behaviour.
  - Application Security Testing (AST) tools, which test the security of applications. Depending on how they operate they can be classified into:
    - Tools based on code analysis (SAST, Static Application Security Testing)
    - Tools based on analysing the output obtained when running the application with certain inputs (DAST, Dynamic Application Security Testing)
    - Run-time Application Security Testing (RAST) tools. They are embedded in the execution environment and analyse how execution is carried out.
    - Interactive Application Security Testing (IAST) tools. They combine internal and external observation of a running application. They are usually implemented as an agent within the testing environment. They can test whether known vulnerabilities in the code are actually exploitable at run time.
    - Hybrid tools that combine several of the above approaches.
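Two of the practices above, keeping control instructions separate from data and validating all data explicitly, together with the fuzzing approach mentioned in the tool list, can be seen in the following added example (it is not code from the original article). It puts a lookup that builds its SQL by string concatenation beside one that validates its input and binds the value as a parameter, then runs a small random fuzzer over both. The table, names and fuzzer settings are constructed for the example; only Python's standard library is used.

```python
"""Added example (not from the article): string-built SQL beside a
validated, parameterized query, plus a minimal random fuzzer."""
import random
import sqlite3
import string


def make_db():
    """Constructed sample data in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("o'neil", "user")])
    return conn


def lookup_unsafe(conn, name):
    """Control (the SQL text) and data (the name) share one string, so a
    quote character inside the data changes the statement itself."""
    query = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """Explicit validation first, then a bound parameter: the driver
    receives the SQL and the value through separate channels."""
    if not 1 <= len(name) <= 64:
        raise ValueError("name length out of range")
    if not name.isprintable():
        raise ValueError("name contains control characters")
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def fuzz(lookup, rounds=500, seed=1):
    """Feed random printable strings to a lookup and count the calls that
    end in a database error, i.e. where the data corrupted the statement.
    ValueError means the validation layer rejected the input, which is the
    intended behaviour, so it is not counted as a failure."""
    rng = random.Random(seed)
    conn = make_db()
    alphabet = string.ascii_letters + string.punctuation + " "
    crashes = 0
    for _ in range(rounds):
        name = "".join(rng.choice(alphabet) for _ in range(rng.randint(1, 12)))
        try:
            lookup(conn, name)
        except ValueError:
            pass
        except (sqlite3.Error, sqlite3.Warning):
            # Older Python versions report a second statement as sqlite3.Warning.
            crashes += 1
    return crashes


if __name__ == "__main__":
    conn = make_db()
    print(lookup_safe(conn, "o'neil"))           # the quote is just data here
    print("unsafe lookup, fuzz failures:", fuzz(lookup_unsafe))
    print("safe lookup,   fuzz failures:", fuzz(lookup_safe))
```

The fuzzer is deliberately naive: it only looks for one symptom (the database rejecting the statement), which is exactly what a quote in the input causes when control and data are mixed. The parameterized version never reaches that state whatever the input, which is the property the practice is meant to guarantee.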
Milestones or stages
In the lifetime of a vulnerability we can distinguish the following milestones or important stages:
- Birth. During the development process, the product supplier (e.g. the vendor or a software developer community) introduces a series of defects. These defects may be in design, implementation or management. Some of them can become risks to the security of the product, and therefore to the security of its users. A defect becomes a vulnerability if it makes the behaviour of the system such that it can be used to obtain unauthorized access, escalate privileges, cause a denial of service or break the security of the system in any other way. Defects that are detected and corrected before deployment are not considered vulnerabilities.
- Discovery. This milestone occurs when the existence of the vulnerability becomes known. If the vulnerability was created intentionally, birth and discovery occur simultaneously. The first person who reveals a defect and determines that it is a vulnerability is called the discoverer. If the discoverer is not known, the vulnerability is said to be anonymous.
- Communication of the vulnerability. This milestone occurs once the discoverer reveals the vulnerability to someone else. This transfer of information can take different forms, for example complete and public disclosure (full disclosure) or private communication between hackers. The person or organization that reports the vulnerability to the product supplier is called the originator or discloser. Note that the discoverer and the originator can be different people.
- Correction. This happens when the product vendor analyses the vulnerability, locates the problem and releases to the public a version that fixes it.
- Publication. This is when knowledge of the vulnerability reaches a significant audience through publicity.
- Automation of exploitation. This is when a tool or script is created from the vulnerability that automates its exploitation. Such a tool or script is called an exploit. It means that not only experts (hackers) can breach security: inexperienced users (script kiddies) now have a tool that lets them breach it too.
- Death. This happens when the number of systems vulnerable to the exploit becomes insignificant. This may be because the system has been withdrawn, because it has been fixed by some patch, or because hackers have no further interest in exploiting it.
These events do not necessarily occur strictly in this order. For example:
- Publication and correction can happen at the same time, particularly when the discoverer of the vulnerability is the product's own vendor, which uses the fix as part of the product's advertising.
- The correction of a vulnerability does not necessarily happen before the automation of exploitation. If an exploit is built before the vulnerability is corrected by the supplier, it is said to be a zero-day exploit, which leads to zero-day attacks.
- Discovery can occur at the same time as birth, that is, the vulnerability is intentional. It is speculated that some systems have had intentional security holes from the outset, known to some of the parties involved in their design and/or development. This type of vulnerability would work as a back door or Trojan horse. Examples:
  - In 2007, the United States government published a standard for the generation of random numbers. Four pseudo-random number generators were proposed. One of them, Dual EC DRBG, promoted by the NSA, had a back door consisting of a set of secret numbers that allowed its output to be predicted after collecting a small portion of previous output.
  - Much has been said about the alleged pressure on PGP Corporation to introduce a back door into its software. This supposed back door would allow certain organizations (e.g. the FBI or NSA) to decipher content encrypted with the tool. It is speculated that, to camouflage this supposed back door, PGP Corporation was pressured to make the PGP code (open source software) so large and complex that no back door could be detected. This caused many users to stay with old, easily verifiable versions, and encouraged the creation of alternative software.
  - Another case is the alleged introduction of a back door in OpenBSD promoted by the FBI.
Search for vulnerabilities and motivations for publication
The search for security vulnerabilities is mainly carried out by two types of people or organizations:
- System attackers. They can leverage vulnerabilities to compromise systems and obtain illegal monetary gain from this, either directly (e.g. by using other people's credit cards) or indirectly (e.g. by selling private information about victims). By their very nature, these vulnerability researchers are not interested in disclosing the vulnerabilities they discover, since keeping them secret ensures that the vulnerability is not fixed and they can continue to profit from it.
- Computer professionals, especially security professionals. For various motivations, these professionals study systems legally and often manage to find vulnerabilities. They are interested in disclosing the information: it proves that they found the vulnerability and lets them claim the credit. Their motivations for finding vulnerabilities can be summarized as:
  - Reputation. Being credited as the first person or organization to discover a particular vulnerability is very important in the world of computer security. Individuals are credited with skills, which can be used to increase their income or get better jobs. For a company it is also important, because it can be used to win customers on the strength of the high level of its staff.
  - Harming competitors. For example, a developer or company may be particularly interested in looking for vulnerabilities in competing products in order to challenge the supplier and discredit its products, thereby improving the market position of its own product.
  - Forcing the product supplier to improve its quality and to take more interest in producing safer software.
  - Enjoying the intellectual challenge of finding vulnerabilities.
  - Obtaining monetary rewards from the product supplier or from another entity.
Handling information about vulnerabilities
The ways of obtaining information about vulnerabilities are as follows:
- Research into how products work
- Research into how malicious code that uses vulnerabilities works
- Reports that reveal such information
The two fundamental aspects to study in the treatment of vulnerability information are:
- How this information is disseminated (transmission of information)
- How all the available information is managed (information management)
Transmission of information
Suppose someone not involved with a product discovers a vulnerability. They have four main options:
- Do nothing.
- Use it, taking advantage of the vulnerability to breach the security of the system.
- Try to sell it to someone interested. This is the starting point of the so-called vulnerability market.
- Disclose it publicly and widely.
The first three cases could be grouped together by saying that they adopt a disclosure policy based on not publicly disclosing the information (each for different reasons). In the last case, the individual faces a decision about which public disclosure policy to use.
Disclosure date
The disclosure date is the date on which the vulnerability is first described in a channel with the following characteristics:
- It is freely available to the public.
- The information is published by a reliable and independent source. A channel is usually considered reliable when it is an accepted source of industry security information (e.g. CERT/CC, Security Focus, Secunia, Microsoft Security Bulletin, US-CERT and FrSIRT).
- The vulnerability has been analysed by experts who evaluate the risk of disclosure. This ensures the quality of the information disclosed and that it provides sufficient detail to determine one's own risk.
Disclosure Policy
If the subject wants to publicly disclose the information about the vulnerability, they face a complex question: how should the information about the vulnerability be disclosed? Information about vulnerabilities, when disclosed, can force the vendor of the product to take prompt action to fix the defect that makes the vulnerability possible; however, the same information can amplify the risks for users and empower those who, with bad intentions, want to exploit the vulnerability before it is fixed.
Which policy to adopt is a controversial topic, and not one exclusive to the computer world. For example, in the past there were controversies in the world of locksmithing about the distribution of knowledge of the vulnerabilities of locks.
Taking into account the various factors (costs, benefits and risks), different types of practices and policies have been proposed for the disclosure of vulnerability information. The proposals can be classified into 3 types: non-disclosure, full disclosure, and practices halfway between the two (partial disclosure).
Non-disclosure
Public non-disclosure of vulnerability information could itself be considered a disclosure policy. The information is kept secret. This approach prioritizes keeping the vulnerability secret over publicizing the information so that people can protect themselves against it.
Sometimes, instead of absolute non-disclosure, information about the vulnerability is shared in a restricted way (pseudo-secrecy). The larger the number of people who know about the vulnerability, the greater the risk to end users. The information may be disclosed, for example, to:
- The supplier of the vulnerable system
- Other researchers (hackers)
- Someone who buys the information. This establishes a vulnerability market.
Often the discoverer of the vulnerability adopts this policy and the information circulates through private channels until it reaches an organization or person who decides to publish it to avoid further damage.
Full disclosure
The full disclosure (or mass disclosure) strategy consists of revealing to the whole community all available information about a security issue as soon as it becomes known. For example, information can be given on how the bug was found, which systems are vulnerable, how to exploit it or how to protect against it. All kinds of details about the bug are revealed, and this detailed information can be used by malicious hackers to develop exploits that allow anyone who uses them to exploit the vulnerability, even without understanding how it works (script kiddies).
Partial disclosure
The partial disclosure policy attempts to establish itself as a middle ground between the security-through-obscurity policy and the full disclosure policy. It tries to take the good ideas from each policy to reach an intermediate point with better characteristics. Different models have been developed, but each has its drawbacks, so the disclosure policy problem is considered an open problem pending a solution.
Vulnerability Marketplace
Around the world of security holes, an important economic activity has been created, giving rise to sometimes very lucrative businesses. The asset being traded is vulnerability information. The business is usually in:
- The purchase and sale of vulnerability information. Payment can be in money or in kind (e.g. publicity for the discoverer, or a free subscription to a paid service). There may be intermediaries. The sale can take several forms, for example: exclusive direct sale, non-exclusive direct sale (the same information can be sold to several buyers), traditional auctions, or auctions with more than one winner. The problem with auctions is how to convey the quality of the vulnerability without disclosing information about it. This is attempted by providing minimal details about the vulnerability, or by establishing trusted intermediaries who assess its quality while keeping the information strictly secret (intermediaries of this kind are appearing on the underground market).
- Hiring people or teams dedicated to searching for vulnerabilities, either inside or outside the organization itself. For example, a multitude of companies are engaged in security auditing.
- The sale of products (e.g. antivirus, IDS, IPS or firewalls) that detect, fix or mitigate the impact of vulnerabilities.
- Providers of products that allow the detection or exploitation of vulnerabilities in other products.
It has been proposed that the existence of a vulnerability marketplace may be a good idea to encourage system vendors to focus more on improving the security of their products and quickly fixing vulnerabilities that are found.
Motivations
The motivations for the existence of this type of market are, ultimately:
- Economic gain. This is the main reason for the existence of this market.
- Obtaining a defensive or offensive tool for use in certain types of conflict (network warfare and cyberwarfare).
Actors
The players in this market are:
- Information producers:
  - Hackers
  - Researchers
- Consumers:
  - Governments (network warfare, cyberwarfare)
  - Providers of systems subject to attack
  - Providers of systems that protect against attacks
  - Malicious attackers
- Intermediaries
Vulnerability Marketplace and Product Vendors
Product providers play a special role in this market since the market is based on the existence of failures in their products, which can cause them to lose trust and ultimately lose customers. The existence of a vulnerability market does not benefit them since:
- It discourages researchers from disclosing the information for free.
- The larger the market, the more competition there is to obtain the information, the better that information is guarded, and therefore the harder it is for suppliers to obtain it.
- The larger the market, the more competition there is to obtain the information, the more that information is worth, and therefore the greater the incentive to discover these vulnerabilities.
Therefore, they try not to promote it, although they are being forced by their growth to gradually enter it so as not to be increasingly excluded from the knowledge of the vulnerabilities of their own products. For example, the call for paid contests to search for vulnerabilities is becoming more frequent.
To encourage the disclosure of information without paying, they are taking a series of initiatives such as:
- Facilitating contact for vulnerability reporting (e.g. email addresses or web forms on their websites).
- Dedicating resources to prompt response and collaboration with vulnerability discoverers.
- Establishing good relations with researchers to encourage them to disclose the information. Examples:
  - Participating in hacker and researcher conferences (e.g. Black Hat Briefings).
  - Creating their own conferences (e.g. BlueHat).
  - Inviting researchers to their premises to teach them how to find vulnerabilities in their products.
  - Publicly thanking discoverers for their collaboration. In this way, researchers gain reputation.
Market Types
We can speak of two clearly differentiated vulnerability markets: the legal and the illegal. Since the difference is purely legal, which market a given business belongs to depends on the jurisdiction of the country concerned. For this reason, the hiring of hackers for more controversial purposes is carried out in countries with less restrictive legislation, for example Brazil, Russia and Ukraine.
For the legal market to be truly effective, it must:
- Attract vulnerability researchers. To do this:
  - Prices have to be comparable to or higher than those paid on the black market, and high enough to be worth the effort. Note that the underground market makes it easy to sell the same information to several buyers. In 2006 it was estimated that what legitimate companies in this business paid researchers was equivalent to selling the product to 3 malicious actors on the underground market, while what product suppliers paid researchers was equivalent to selling it to 1 malicious actor on the underground market.
  - Gain the trust of researchers. To do this, it is usual to advertise in researchers' environments, such as the Black Hat and DEF CON conferences in the United States or RootedCON in Spain.
- Win acceptance in the industry, and therefore customers for its products. The aim is to establish the idea that this industry can protect itself from vulnerabilities that are likely to circulate on the illicit market. To this end, such companies often use responsible disclosure policies and actively collaborate in correcting the vulnerabilities. It is also usual to ask the supplier to give some publicity to the vulnerability discoverer.
- Develop the business in a way that allows profits. The aim is to create products (e.g. newsletters, or software products such as antivirus, IDS, IPS or firewalls) that protect against vulnerabilities before the provider fixes them.
Disadvantages
The main drawbacks of this type of market have to do with the disclosure of information, the incentives for researchers and the rising prices of vulnerabilities.
Disclosure of information
The existence of the vulnerability market creates resistance to security holes being revealed so that they can be fixed. Vulnerability information loses value the more people know about it, and loses all value once the problem is fixed and no longer exists. There is therefore a tendency, in order to protect the value of the information, to keep it hidden. All this results in lower product security.
In general, the most important companies engaged in this business do report the vulnerabilities they find to the providers. However, some smaller companies do not. This policy of not disclosing vulnerabilities is heavily criticized, but it is not usually considered illegal, since the information is sold with a disclaimer saying that it should be used for internal testing and not to circumvent the law.
Governments, depending on the type of vulnerability they find, may or may not inform the product vendor. If it is a weakness in systems that they themselves use, they will notify the provider. If, for example, it is a vulnerability used in an offensive tool, they will not reveal the information about it to the provider.
Motivate the search for vulnerabilities
The existence of a market where vulnerabilities can be sold causes more vulnerabilities to be investigated, which causes more to be discovered, and therefore a broader set of active vulnerabilities that create insecurity for users.
Increasing prices of vulnerabilities
The existence of an ever-widening market for vulnerabilities causes prices to rise. This causes the information to be less accessible to the providers who are ultimately the ones who fix the vulnerability for all their clients.
Examples
Examples of businesses in the world of vulnerabilities:
- Almost since the beginning of information systems there has been, and still is, a black or underground (illicit) market for vulnerabilities, in which attackers sell information about vulnerabilities that has not been publicly revealed so that others can use it illegally (e.g. to steal money, cause damage, spy, collect information for blackmail, spread false information as true (e.g. pump and dump) or distribute unwanted adware). A confirmed example of the use of the underground market to sell vulnerability information is the Microsoft Windows WMF rendering vulnerability, which was sold on the illicit market. There are two types of business related to this market: being hired to attack a specific target (e.g. a person or organization), and the purchase of ready-made products (exploits). To get in touch, participants in this market use IRC channels and specific websites. Since the market is illicit, deals are not public, which makes it easier to sell the same product to different buyers and so obtain greater profit.
- TippingPoint, a 3Com division, offers intrusion detection systems to protect against vulnerabilities. This company applies a responsible disclosure policy.
- iDefense, a Verisign company, is dedicated to the sale of vulnerability information. It has a subscription service in which members pay to receive notifications about vulnerabilities and about fixes or ways to mitigate their impact until the provider releases a solution. This company applies a responsible disclosure policy.
- Some product providers run bug bounties, which are calls for hackers and security researchers to investigate their products and be rewarded if they find and report vulnerabilities. Organizations that have run this type of contest include Mozilla, Microsoft, Google and Facebook.
- Many governments have programmes in which non-public vulnerabilities can be used defensively or offensively with the aim of defending the interests of those in power. In 2001, more than 20 countries were already thought to have, or to be developing, the capability to carry out computer attacks (network warfare and cyberwarfare).
- Wabisabi Labi was a site that allowed vulnerabilities to be acquired. It allowed four types of transaction: traditional auctions, auctions with more than one winner, immediate purchases and purchases by an exclusive buyer.
- Argeniss, Immunity and GLEG Ltd are small companies that hire their own researchers and sell subscriptions to services providing information on the vulnerabilities they find. This information is not communicated to the suppliers of the affected products. In this way they increase the value and lifetime of the vulnerabilities they trade in, giving the information a private character. This has drawn significant ethical criticism.
Information management
There are different initiatives whose purpose is to manage information about vulnerabilities.
MITRE initiatives
MITRE has different catalogs that allow vulnerabilities (CVE), documented weaknesses (CWE) and attack patterns (CAPEC) to be tracked. The three catalogs are closely linked: a vulnerability is exploited thanks to a weakness present in software or hardware, which in turn is exploited through an attack pattern. Therefore, every time one of the three lists receives a new entry, it is considered, verified and studied, so that it is very likely that records in the others can be generated or complemented.
Associated with the above, MITRE has a format (CPE) to identify systems, products and platforms in detail.
CVE
The MITRE CVE List, or simply CVE, is a catalog of vulnerabilities that associates each known vulnerability with a unique identifier known as a CVE-ID. This CVE-ID is used as a vulnerability naming standard by most vulnerability repositories. In addition to the identifier, the catalog describes what the vulnerability consists of, which software versions are affected, the possible fix (if one exists) or how to configure the system to mitigate the vulnerability.
CWE
The Common Weakness Enumeration or CWE is a catalog of documented common software and hardware weaknesses that could lead to vulnerabilities. For example, SQL injection (CWE-89) or buffer overflow (CWE-120) are entries in this catalog. It is widely used by different security tools in charge of identifying these weaknesses and to promote the identification of vulnerabilities, mitigation and their prevention. For each weakness, an identifier CWE-ID is provided, which is used as standard, and data such as description, introduction time, examples, etc.
CAPEC
The Common Attack Pattern Enumeration and Classification or CAPEC is a catalog of attack patterns that collects information about them, along with a comprehensive classification scheme. An attack pattern is the description of the method used to exploit a vulnerability, that is, the model for exploiting it. Many reported vulnerabilities share attack patterns. For example, 'Exploit Client Trust' (CAPEC-22) is an attack pattern for client/server channels with authentication and data integrity, in which the trust between client and server is exploited to carry out an attack in which the server believes it is talking to a valid client. Each attack pattern is associated with a CAPEC-ID identifier, which is used as a standard, followed by data such as the description, mitigations, and the resources or skills required for the attack.
CPE
Common Platform Enumeration or CPE is a format that makes it possible to identify systems, products and platforms accurately with a unique, standard name. It is used to determine, completely unambiguously and exactly, the versions, editions or languages of a product that are affected by a vulnerability. NIST maintains an official version for distribution as part of its NVDB initiative.
For example, to refer to Microsoft Internet Explorer 8.* SP? (with no edition and in any language) the following is used:
- wfn:[part="a",vendor="microsoft",product="internet_explorer",version="8.*",update="sp?",edition=NA,language=ANY]
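As an added illustration (not part of the original article) of how a WFN such as the one above is handled in practice, the following Python code parses the WFN, binds it to the CPE 2.3 formatted-string form and checks whether it covers a concrete installed version. The escaping and wildcard rules are a simplified reading of the CPE 2.3 specification (NISTIR 7695 and 7696), and the "installed" names at the bottom are constructed for the example.

```python
"""Added example (not from the article): parse a CPE 2.3 well-formed name
(WFN), bind it to a formatted string, and match it against a concrete platform.
Escaping and matching are simplified relative to NISTIR 7695/7696."""
import re

# Attribute order of the CPE 2.3 formatted string.
ATTRIBUTES = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")
ANY, NA = "ANY", "NA"

# The WFN shown in the article.
IE8_WFN = ('wfn:[part="a",vendor="microsoft",product="internet_explorer",'
           'version="8.*",update="sp?",edition=NA,language=ANY]')


def parse_wfn(text):
    """wfn:[part="a",vendor="x",...] -> dict; attributes not listed are ANY."""
    m = re.fullmatch(r"\s*wfn:\[(.*)\]\s*", text)
    if not m:
        raise ValueError("not a wfn:[...] string")
    attrs = dict.fromkeys(ATTRIBUTES, ANY)
    for item in re.finditer(r'(\w+)\s*=\s*(?:"([^"]*)"|(ANY|NA))', m.group(1)):
        name, quoted, logical = item.groups()
        if name not in attrs:
            raise ValueError(f"unknown attribute {name}")
        attrs[name] = quoted if quoted is not None else logical
    return attrs


def _bind_value(value):
    """ANY -> '*', NA -> '-', wildcards * and ? pass through, other
    punctuation is backslash-escaped (simplified relative to the spec)."""
    if value == ANY:
        return "*"
    if value == NA:
        return "-"
    return "".join(ch if ch.isalnum() or ch in "_.-*?" else "\\" + ch
                   for ch in value)


def to_formatted_string(attrs):
    """Bind a WFN dict to the 'cpe:2.3:...' formatted string."""
    return "cpe:2.3:" + ":".join(_bind_value(attrs[a]) for a in ATTRIBUTES)


def _attr_matches(pattern, value):
    """Does one WFN attribute (possibly with wildcards) cover a concrete value?"""
    if pattern == ANY:
        return True
    if pattern == NA or value == NA:
        return pattern == value
    # '*' matches any run of characters; '?' is taken here as exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def matches(pattern_attrs, target_attrs):
    """True when every attribute of the pattern covers the target's attribute."""
    return all(_attr_matches(pattern_attrs[a], target_attrs.get(a, ANY))
               for a in ATTRIBUTES)


if __name__ == "__main__":
    pattern = parse_wfn(IE8_WFN)
    print(to_formatted_string(pattern))
    # Constructed concrete installations, not data from the article.
    for installed in ('wfn:[part="a",vendor="microsoft",product="internet_explorer",'
                      'version="8.0",update="sp1",edition=NA]',
                      'wfn:[part="a",vendor="microsoft",product="internet_explorer",'
                      'version="9.0",update="sp1",edition=NA]'):
        print(installed, "->", matches(pattern, parse_wfn(installed)))
```

A vulnerability record that carries the article's WFN therefore applies to an installed Internet Explorer 8.0 SP1 but not to 9.0, which is exactly the kind of per-version decision CPE exists to make mechanical.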
Vulnerability assessment
There are different initiatives to evaluate the criticality of vulnerabilities in a standard way. They are based on giving scores based on different criteria. These standard methods make it possible to establish representative risk criteria in the organization, which usually translates into a conscious prioritization of the security measures to be applied.
CVSS
The Common Vulnerability Scoring System or CVSS is an open standard defined by the Forum of Incident Response and Security Teams (FIRST) that quantifies vulnerabilities by estimating the impact derived from them. A score from 1 to 10 is used, established from a series of public metrics. This standard is used by the National Vulnerability Database and by Common Vulnerabilities and Exposures. The way the measures are established is evolving, producing new versions of the standard.
CWSS
Created by MITRE as part of the CWE project and with the support of the United States government, the Common Weakness Scoring System or CWSS is a standard that purports to be an evolution of CVSS. It follows more advanced criteria than its predecessor. For example, it takes into account the effects on critical business processes, and determines to what extent the vulnerability could be exploited by hackers (whether it only grants read access to documents or whether, more seriously, it grants write access allowing data to be modified or deleted).
CWSS is intended for developers, to facilitate their work by establishing criteria for its use during the development phase of a program. For example, if a buffer overflow is discovered during a code audit, it is assigned a low CWSS priority if the data that triggers it is not entered by the user but is part of the program's own internal operation.
There is no public website, service or application that uses this system. In its early days it was promoted through publications (such as the Top 25 Most Dangerous Software Errors documents developed by MITRE and the SANS Institute); however, it is currently difficult to find recent information associated with software weaknesses. This may be because today the CWE list is updated very little, and because software development companies protect the code of their applications, so its study, evaluation and resolution are usually managed privately without sharing the information.
Vulnerability repositories
In addition to the MITRE CVE, which works more as a source of basic information that provides a standard identification of vulnerabilities, there are different vulnerability databases:
- The National Vulnerability Database or NVDB is the vulnerability repository of NIST, an agency of the Technology Administration of the United States Department of Commerce. To facilitate the use and classification of vulnerabilities, this repository uses SCAP, a standard for expressing (formats and nomenclatures) and manipulating security-related information about flaws and configurations. It uses CVSS to assess vulnerabilities.
- Vulnerability Assessment Platform (Vulners) is a repository of vulnerabilities together with their associated exploits. It regularly updates its database from more than 70 sources.
- Vulnerability Database (VulDB).
- CVE Details.
- Vulnerability Notes Database or VND is the vulnerability repository of the CERT Coordination Center (CERT/CC) at Carnegie Mellon University.
- WPScan Vulnerability Database is a repository of vulnerabilities associated with WordPress.
Vulnerability scanners
The growing volume of vulnerabilities, together with the existence of different vulnerability repositories that are not usually very easy to consult, has led to the appearance of software that automatically searches the different vulnerability repositories. Often these tools also query various exploit databases. Examples of such tools are Pompem, vFeed and vulnerability-alerter.
Another approach is to download all the information, store it in a database and query it there. This is the approach of, for example, cve-search.
Famous cases
Various industries, including the healthcare industry, banks, and even the United States government, have been affected by security breaches due to system vulnerabilities.
Cases include:
- In June 2005, a credit card maintenance server was cracked by a group of people who took advantage of an error in the verification code. This generated losses of US$ 10,000.000.
- The FBI suffered an attack by a user who used email accounts and obtained passwords and other relevant data through a port that had been left open in the web code.[citation needed]
- In Windows 98, certain user passwords are stored in folders and can be read from MS-DOS.