
Hello From A Security Researcher


cybergibbons


Posted

Disclosures are often made prior to a fix being released.

 

Sometimes this is due to uneducated or unethical disclosure practices, those discovering an issue may not be aware of the correct reporting procedure or may simply want to boost their ego by announcing it as a 0day vuln...

 

Sometimes it is a result of a company failing to respond to a notification or to act upon a disclosure within a fair agreed time scale.

 

The driver here is that without a policy or procedure in place you make it harder for people to report such issues.  There was an example on Monday the 22nd of someone struggling to contact Vodafone to advise of a vulnerability (curiously the same day that we had network outages - purely coincidence ofc...). If someone cannot contact a manufacturer or service provider directly, then they often expose the issue to more people while trying to find a route to report it, if not just telling the world.

 

Closing the door to such information is the same as burying your head in the sand.

 

Some firms have a great reputation for responding to (and in some cases awarding) potential security issues when they are found.  These firms tend to have the favour returned in some cases when people opt to go to them instead of to the black market.



 

Posted

Let's say there were two options:

1. A vulnerability reporting and disclosure policy, where the manufacturer is given the chance to replicate, fix or simply respond to vulnerabilities.

2. A third party site where vulnerabilities are reported in 0-day style, possibly where participants try to exclude manufacturers.

Which sounds better?

Thanks Joe. A good oversight of how it works in IT.

Take another example. There are huge botnets dedicated to DDoS attacks and sending spam. Generally these are PCs, but there is increasing interest in harnessing devices considered unpatchable - mainly embedded systems like routers. Some alarms certainly have the ability to send arbitrary email. Would it not be hugely harmful to an alarm manufacturer to have an alarm acting in this way, and to not be able to fix it?

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/


Posted

Take another example. There are huge botnets dedicated to DDoS attacks and sending spam. Generally these are PCs, but there is increasing interest in harnessing devices considered unpatchable - mainly embedded systems like routers. Some alarms certainly have the ability to send arbitrary email. Would it not be hugely harmful to an alarm manufacturer to have an alarm acting in this way, and to not be able to fix it?

 

100% agree - tbh embedded devices are being harnessed to this end already and now it is simply a race by miscreants to ident device fingerprints and inject - our devices are just a.n.other among many



 

Posted

100% agree - tbh embedded devices are being harnessed to this end already and now it is simply a race by miscreants to ident device fingerprints and inject - our devices are just a.n.other among many

Just on this note, do many of you fit alarms with IP connectivity?

FFS when do you people sleep!

Sleep is for the weak.

This is some of the best and most open discussion I've had around these topics. It's great!

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/


Posted

Just on this note, do many of you fit alarms with IP connectivity?

Sleep is for the weak.

This is some of the best and most open discussion I've had around these topics. It's great!

No, we are one of the handful that exclusively monitor via IP

www.securitywarehouse.co.uk/catalog/

Posted

Most ARCs have some degree of IP connectivity utilised (A rare few avoid it as if it is black magic voodoo and curse be upon thee if used).

 

Current proliferation of wired IP is between ~3% to ~5% of most monitoring estates and will increase slowly but surely.

 

The dominant increase in IP utilisation is in GPRS / 3G / xG.  This area has had phenomenal growth over recent years and looks set to continue, as the next generation broadband roll-outs are firmly supporting it as well as, of course, the massive demand from smart phones / wearable technology...



Matt is ofc the exception to the rule - not like him to be different :o  lol



 
