Re: [Full-disclosure] A Botted Fortune 500 a Day

2007-04-17 Thread Simon Smith
Just to add my two cents...

The fact is that the cost in damages of a single compromise is usually far
greater than the cost of implementing and maintaining good security. TJX is
a golden example of that.


On 4/13/07 11:05 AM, "Jamie Riden" <[EMAIL PROTECTED]> wrote:

> Hi Steven,
> 
> I believe security of an organisation is orthogonal to the number of
> employees/users and how savvy they are. It depends more on the will
> and resources to secure the network properly. Two, corporations do
> have many financial incentives to make sure they are secure - if they
> are doing their risk analyses properly, they can see that. So, yes I
> do expect them to fare better - a lot better - than ISPs. More
> comments are in-line.
> 
> On 13/04/07, Steven Adair <[EMAIL PROTECTED]> wrote:
>>> On 13/04/07, Steven Adair <[EMAIL PROTECTED]> wrote:
>>>> Is this in any way surprising?  I think we all know the answer is no.
>>>> Many Fortune 500 companies have more employees than some ISPs have customers.
>>>> Should we really expect differently?
>>> 
>>> Yes! Off the top of my head:
>>> 
>>> 1. Corporations should have more of an economic incentive to prevent
>>> compromises on their internal networks. E.g. "TJX breach could cost
>>> company $1B" -
>>> http://weblog.infoworld.com/zeroday/archives/2007/04/tjx_breach_coul.html
>>> Now, a typical spambot will cost almost nothing compared with that,
>>> but the point is you don't know the extent of the compromise until
>>> you've examined the machines involved.
>>> 
>> 
>> You list incentives but this doesn't mean I should really expect any
>> differently.  You are also equating a compromise into TJ MAXX servers for
>> which details have not been given.  I doubt and hope the same user that's
>> an account for TJ MAXX and using e-mail isn't connected or able to get to
>> a server that processes credit card transactions.
> 
> A compromise is a compromise and you don't know the extent until
> you've looked at everything. If one of your machines is spewing spam,
> how do you know it is also not leaking confidential data to a third
> party? Any compromise has the potential to be *extremely* costly.
> 
>>> 2. Corporations have a lot more influence over their employees'
>>> behaviour than ISPs do over their customers. Customers can walk away
>>> to a new ISP with minimal fuss if sanctions are threatened.
>> 
>> Well this is true but you seem to be missing the point of the comparison.
>> These are large corporations with tens of thousands (some more, some less)
>> that are geographically dispersed across the countries.  This isn't a
>> small shop of 50 elite IT users.  This is probably like most other places
>> where 90% of the users can barely use Microsoft Word and Excel.  Once
>> again.. do I expect differently? No.
> 
> There is no reason for an admin to let users compromise the company's
> security. If the company cares about security, they can disable admin
> rights, lock down the firewall and run an IDS.
> 
> I can buy the argument that most companies don't care sufficiently,
> but this is really orthogonal to the number and experience level of
> their users.
> 
>>> 3. Corporations can lock down their firewalls a lot tighter than ISPs
>>> can. If my ISP blocked the way my employer does, I would be looking
>>> for a new ISP.
>>> 
>> 
>> Sure they can in some instances.  How would locking down a firewall stop
>> this e-mail from going out?  Maybe you can lock down SPAM firewalls but
>> that doesn't stop the root cause.  You have 100,000 users at a Fortune 500
>> company with admin access to their Windows laptops.  Are you going to
>> block them from using the Internet and using e-mail?  If not I am going to
>> continue to expect them to keep getting infected.
> 
> Block the infection vectors: screen email, http and ftp traffic. No
> personal laptops on company networks. No admin rights as far as
> possible. Monitor and react to new vectors and threats as they arise.
> 
> Yes, I would disable people's Internet access - in fact all intranet
> access too. My main interaction with Cisco kit to date is shutting
> down Ethernet ports and re-enabling them after the problem has been
> resolved. If there's an incident, the plug gets pulled until someone
> has examined the machine, and if necessary reinstalled from known good
> media.
> 
>>> 4. ISPs don't own the data on their customers' computers. Corps very
>>> much do own most of the data on their employees' computers. Therefore
>>> they need to worry about confidentiality in a way that ISPs do not.
>>> 
>> 
>> Well usually corporations not only own the data on the machines, they own
>> the computers themselves as well.  You are equating a need and want for
>> protection with what would really be expected.
> 
> They have a financial incentive to look after their machines, so I do
> expect them to look after them. An ISP has no such incentive to look
> after their customers' machines.
> 
>>> I used to look after security at a large-ish 

Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE

2007-01-18 Thread Simon Smith
Just wanted to let everyone know that I've updated the blog to reflect new
changes. You can see the changes at http://snosoft.blogspot.com.


On 1/18/07 2:27 PM, "Simon Smith" <[EMAIL PROTECTED]> wrote:

> Oh, 
> About your ROI question, that varies per buyer. I am not usually told
> about why a buyer needs something as that's none of my business.
> 
> On 1/18/07 4:22 AM, "Roman Medina-Heigl Hernandez" <[EMAIL PROTECTED]>
> wrote:
> 
>> Simon Smith wrote:
>>> Amen!
>>> KF is 100% on the money. I can arrange the legitimate purchase of most
>>> working exploits for significantly more money than iDefense. In some cases
>>> over $75,000.00 per purchase. The company that I am working with has a
>>> relationship with a legitimate buyer, all transactions are legal. If you're
>> 
>> 
>> 
>> I was wondering which kind of (legal) enterprises/organizations would pay
>> $75000 for a simple (or not so simple) exploit.
>> - governmental organizations (defense? DoD? FBI? ...)
>> - firms offering high-profiled pen-testing services?
>> - ... ?
>> 
>> What about the ROI for such investment?
>> 
>> 
>> 
>> Regards,
>> -Roman
>> 
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
> 
> 




Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE

2007-01-18 Thread Simon Smith
Roman, 
   It depends on the needs and requirements of the buyer.


On 1/18/07 4:22 AM, "Roman Medina-Heigl Hernandez" <[EMAIL PROTECTED]>
wrote:

> Simon Smith wrote:
>> Amen!
>> KF is 100% on the money. I can arrange the legitimate purchase of most
>> working exploits for significantly more money than iDefense. In some cases
>> over $75,000.00 per purchase. The company that I am working with has a
>> relationship with a legitimate buyer, all transactions are legal. If you're
> 
> 
> 
> I was wondering which kind of (legal) enterprises/organizations would pay
> $75000 for a simple (or not so simple) exploit.
> - governmental organizations (defense? DoD? FBI? ...)
> - firms offering high-profiled pen-testing services?
> - ... ?
> 
> What about the ROI for such investment?
> 
> 
> 
> Regards,
> -Roman
> 




Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE

2007-01-18 Thread Simon Smith
Oh, 
About your ROI question, that varies per buyer. I am not usually told
about why a buyer needs something as that's none of my business.

On 1/18/07 4:22 AM, "Roman Medina-Heigl Hernandez" <[EMAIL PROTECTED]>
wrote:

> Simon Smith wrote:
>> Amen!
>> KF is 100% on the money. I can arrange the legitimate purchase of most
>> working exploits for significantly more money than iDefense. In some cases
>> over $75,000.00 per purchase. The company that I am working with has a
>> relationship with a legitimate buyer, all transactions are legal. If you're
> 
> 
> 
> I was wondering which kind of (legal) enterprises/organizations would pay
> $75000 for a simple (or not so simple) exploit.
> - governmental organizations (defense? DoD? FBI? ...)
> - firms offering high-profiled pen-testing services?
> - ... ?
> 
> What about the ROI for such investment?
> 
> 
> 
> Regards,
> -Roman
> 




Re: [_SUSPEKT] - Re: [Full-disclosure] iDefense Q-1 2007 Challenge - Bayesian Filter detected spam

2007-01-18 Thread Simon Smith
Tim, 
   The name of the business that will be maintaining the Exploit Acquisition
Program is Netragard, L.L.C. You can see their web site at
http://www.netragard.com. We were not sure if this idea was going to gain
any traction at first so we kept the name quiet while we tested the waters.
Having said that, anyone could figure out what company it was by doing a bit
of research. ;)  


On 1/17/07 1:33 PM, "Tim Newsham" <[EMAIL PROTECTED]> wrote:

>> More importantly, the company that I am working with is no different
>> than iDefense. In fact, they both sell their exploits and harvested research
>> to the same people. The only real difference is in the amount of money that
>> the researcher realizes when the transactions are complete. This difference
>> is a direct result of low corporate overhead.
> [...]
>> IDefense is reselling these exploits to the same third parties as the
>> business that I work for, or at least I assume that they are. Both
>> iDefense
>> and our buyers use the exact same list of software targets.
> 
> Is there a reason you are withholding the name of the company you work
> with?  Inquiring minds want to know.  We all know about iDefense.
> (The added secrecy makes one suspicious...)
> 
>> Lastly, all transactions require that the researcher engage the company
>> that I work with in a tight contract. This contract ensures that both
>> parties are legitimate and also protects both parties. They don't do that on
>> the black market do they?
> 
> Surely someone who was going to break one law would have no qualms
> about breaking another (i.e. contract law)...
> 
> Tim Newsham
> http://www.thenewsh.com/~newsham/
> 




Re: [Full-disclosure] iDefense Q-1 2007 Challenge

2007-01-17 Thread Simon Smith
Well, 
I guess that miscommunication sums it up and I apologize (publicly) for
being such a snappy brat. For the record though, this isn't something that
the company markets at all. We've been doing this for a while and are very
selective about who we work with. Hence, why there is no real marketing.

I wanted to test the waters and see what kind of response I could get
from the community. So far, it's been very interesting.


On 1/16/07 3:06 PM, "Blue Boar" <[EMAIL PROTECTED]> wrote:

> Simon Smith wrote:
>> Blue Boar, 
>> Simply put, and with all due respect, you're wrong.
> 
> About? I see basically two assertions in my note; 1) that I would sell
> to iDefense or TippingPoint. Surely you're not going to tell me what I
> would do? And 2) That iDefense isn't doing the same thing that Blackhats
> are. Is the latter one the one you disagree with?
> 
>> Furthermore I don't
>> appreciate you directly or indirectly suggesting that these exploits are
>> being sold on the black market, that will never happen on my watch, ever!
> 
> If you look carefully, you'll see I was replying to Kevin, who did make
> a comparison to selling to blackhats. I hadn't even seen your note at
> the point, and I wasn't replying to you, and I didn't quote anything you
> wrote.
> 
> So I assume you think I was saying that your company is selling to
> blackhats. I wouldn't think you were. Certainly you don't mean to claim
> that, in general, the entire market never sells to blackhats, nor that
> you have any control over what others do.
> 
>> More importantly, the company that I am working with is no different
>> than iDefense. In fact, they both sell their exploits and harvested research
>> to the same people. The only real difference is in the amount of money that
>> the researcher realizes when the transactions are complete. This difference
>> is a direct result of low corporate overhead.
>> 
>> Lastly, all transactions require that the researcher engage the company
>> that I work with in a tight contract. This contract ensures that both
>> parties are legitimate and also protects both parties. They don't do that on
>> the black market do they?
> 
> So, is the problem that I didn't realize you guys also bought vulns, and
> that you pay more? No, I had no idea that you did. I guess some better
> marketing is in order. The quarterly challenge thing is pretty good for
> publicity, maybe you guys should do one of those.
> 
> BB




Re: [Full-disclosure] iDefense Q-1 2007 Challenge

2007-01-17 Thread Simon Smith
Blue Boar, 
Simply put, and with all due respect, you're wrong. Furthermore I don't
appreciate you directly or indirectly suggesting that these exploits are
being sold on the black market, that will never happen on my watch, ever!

More importantly, the company that I am working with is no different
than iDefense. In fact, they both sell their exploits and harvested research
to the same people. The only real difference is in the amount of money that
the researcher realizes when the transactions are complete. This difference
is a direct result of low corporate overhead.

Lastly, all transactions require that the researcher engage the company
that I work with in a tight contract. This contract ensures that both
parties are legitimate and also protects both parties. They don't do that on
the black market do they?

If anyone is interested in learning more about this, you know where to
find me. ;]




  
IDefense is reselling these exploits to the same third parties as the
business that I work for, or at least I assume that they are. Both iDefense
and our buyers use the exact same list of software targets.


On 1/16/07 1:35 PM, "Blue Boar" <[EMAIL PROTECTED]> wrote:

> K F (lists) wrote:
>> We all know black hats are selling these sploits for <=$25k so why
>> should the legit folks settle for anything less? As an example the guys
>> at MOAB kicked around selling a Quicktime bug to iDefense but in the end
>> we decided it was not worth it due to low pay...
>> 
>> Low Pay == Not getting disclosed via iDefense
> 
> Maybe that's all they are worth to iDefense, since they aren't
> monetizing them in the same way blackhats are.
> 
> Maybe for some people if they were going to just give them to Microsoft
> anyway, a few thousand bucks is worth it.
> 
> Me, for example, if I were capable of finding such vulns, I wouldn't
> sell them to the guys writing the drive-by spyware installers. I might
> sell it to iDefense or Tippingpoint, though.
> 
> BB
> 




Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE

2007-01-16 Thread Simon Smith
Amen!
KF is 100% on the money. I can arrange the legitimate purchase of most
working exploits for significantly more money than iDefense. In some cases
over $75,000.00 per purchase. The company that I am working with has a
relationship with a legitimate buyer, all transactions are legal. If you're
interested contact me and we'll get the ball rolling.

-Simon
   

$8000.00 USD is low!

On 1/16/07 12:29 PM, "K F (lists)" <[EMAIL PROTECTED]> wrote:

> No offense to iDefense as I have used their services in the past... but
> MY Q1 2007 Challenge to YOU is to start offering your researchers more
> money in general! I've sold remotely exploitable bugs in random 3rd
> party products for more $$ than you are offering for these Vista items
> (see the h0n0 #3). I really think you guys are devaluing the exploit
> market with your low offers... I've had folks mail me like WOW iDefense
> offered me $800 for this remote exploit. Pfffttt not quite.
> 
> We all know black hats are selling these sploits for <=$25k so why
> should the legit folks settle for anything less? As an example the guys
> at MOAB kicked around selling a Quicktime bug to iDefense but in the end
> we decided it was not worth it due to low pay...
> 
> Low Pay == Not getting disclosed via iDefense
> 
> -KF
> 
> 
>> I know someone who will pay significantly more per vulnerability against the
>> same targets. 
>> 
>> 
>> On 1/10/07 12:27 PM, "contributor" <[EMAIL PROTECTED]> wrote:
>> 
>>> -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA1
>>> 
>>> Also available at:
>>> http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+challenge
>>> 
>>> *Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in
>>> Vista & IE 7.0*
>>> 
>>> Both Microsoft Internet Explorer and Microsoft Windows dominate their
>>> respective markets, and it is not surprising that the decision to
>>> update to the current release of Internet Explorer 7.0 and/or Windows
>>> Vista is fraught with uncertainty.  Primary in the minds of IT
>>> security professionals is the question of vulnerabilities that may be
>>> present in these two groundbreaking products.
>>> 
>>> To help assuage this uncertainty, iDefense Labs is pleased to announce
>>> the Q1, 2007 quarterly challenge.
>>> 
>>> Remote Arbitrary Code Execution Vulnerabilities in Vista and IE 7.0
>>> 
>>> Vulnerability Challenge:
>>> iDefense will pay $8,000 for each submitted vulnerability that allows
>>> an attacker to remotely exploit and execute arbitrary code on either
>>> of these two products.  Only the first submission for a given
>>> vulnerability will qualify for the award, and iDefense will award no
>>> more than six payments of $8000.  If more than six submissions
>>> qualify, the earliest six submissions (based on submission date and
>>> time) will receive the award.  The iDefense Team at VeriSign will be
>>> responsible for making the final determination of whether or not a
>>> submission qualifies for the award.  The criteria for this phase of
>>> the challenge are:
>>> 
>>> I) Technologies Covered:
>>> - Microsoft Internet Explorer 7.0
>>> - Microsoft Windows Vista
>>> 
>>> II) Vulnerability Challenge Ground Rules:
>>> - The vulnerability must be remotely exploitable and must allow
>>>   arbitrary code execution in a default installation of one of the
>>>   technologies listed above
>>> - The vulnerability must exist in the latest version of the
>>>   affected technology with all available patches/upgrades applied
>>> - 'RC' (Release candidate), 'Beta', 'Technology Preview' and
>>>   similar versions of the listed technologies are not included in this
>>>   challenge
>>> - The vulnerability must be original and not previously disclosed
>>>   either publicly or to the vendor by another party
>>> - The vulnerability cannot be caused by or require any additional
>>>   third party software installed on the target system
>>> - The vulnerability must not require additional social engineering
>>>   beyond browsing a malicious site
>>> 
>>> Working Exploit Challenge:
>>> In addition to the $8000 award for the submitted vulnerability,
>>> iDefense will pay from $2000 to $4000 for working exploit code that
>>> exploits the submitted vulnerability.  The arbitrary code execution
>>> must be of an uploaded non-malicious payload.  Submission of a

Re: [Full-disclosure] iDefense Q-1 2007 Challenge

2007-01-16 Thread Simon Smith
I know someone who will pay significantly more per vulnerability against the
same targets. 


On 1/10/07 12:27 PM, "contributor" <[EMAIL PROTECTED]> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Also available at:
> http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+challenge
> 
> *Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in
> Vista & IE 7.0*
> 
> Both Microsoft Internet Explorer and Microsoft Windows dominate their
> respective markets, and it is not surprising that the decision to
> update to the current release of Internet Explorer 7.0 and/or Windows
> Vista is fraught with uncertainty.  Primary in the minds of IT
> security professionals is the question of vulnerabilities that may be
> present in these two groundbreaking products.
> 
> To help assuage this uncertainty, iDefense Labs is pleased to announce
> the Q1, 2007 quarterly challenge.
> 
> Remote Arbitrary Code Execution Vulnerabilities in Vista and IE 7.0
> 
> Vulnerability Challenge:
> iDefense will pay $8,000 for each submitted vulnerability that allows
> an attacker to remotely exploit and execute arbitrary code on either
> of these two products.  Only the first submission for a given
> vulnerability will qualify for the award, and iDefense will award no
> more than six payments of $8000.  If more than six submissions
> qualify, the earliest six submissions (based on submission date and
> time) will receive the award.  The iDefense Team at VeriSign will be
> responsible for making the final determination of whether or not a
> submission qualifies for the award.  The criteria for this phase of
> the challenge are:
> 
> I) Technologies Covered:
> - Microsoft Internet Explorer 7.0
> - Microsoft Windows Vista
> 
> II) Vulnerability Challenge Ground Rules:
> - The vulnerability must be remotely exploitable and must allow
>   arbitrary code execution in a default installation of one of the
>   technologies listed above
> - The vulnerability must exist in the latest version of the
>   affected technology with all available patches/upgrades applied
> - 'RC' (Release candidate), 'Beta', 'Technology Preview' and
>   similar versions of the listed technologies are not included in this
>   challenge
> - The vulnerability must be original and not previously disclosed
>   either publicly or to the vendor by another party
> - The vulnerability cannot be caused by or require any additional
>   third party software installed on the target system
> - The vulnerability must not require additional social engineering
>   beyond browsing a malicious site
> 
> Working Exploit Challenge:
> In addition to the $8000 award for the submitted vulnerability,
> iDefense will pay from $2000 to $4000 for working exploit code that
> exploits the submitted vulnerability.  The arbitrary code execution
> must be of an uploaded non-malicious payload.  Submission of a
> malicious payload is grounds for disqualification from this phase of
> the challenge.
> 
> I) Technologies Covered:
> - Microsoft Internet Explorer 7.0
> - Microsoft Windows Vista
> 
> II) Working Exploit Challenge Ground Rules:
> Working exploit code must be for the submitted vulnerability only -
> iDefense will not consider exploit code for existing vulnerabilities
> or new vulnerabilities submitted by others.  iDefense will consider
> one and only one working exploit for each original vulnerability
> submitted.
> 
> The minimum award for a working exploit is $2000.  In addition to the
> base award, additional amounts up to $4000 may be awarded based upon:
> - Reliability of the exploit
> - Quality of the exploit code
> - Readability of the exploit code
> - Documentation of the exploit code
