Topic: What is the Modus Operandi for an ethical hacker while dealing with new exploits
Manu Zacharia (-M-)
« on: August 01, 2006, 04:31:06 AM »

Hi All,

What do you think should be the modus operandi for an ethical hacker while dealing with a new exploit? To put it more clearly and in simple terms, say for example, an ethical hacker comes across a new exploit while working. Now the first step that he will be initiating is to protect his systems from the subject exploit. What are the other steps that an ethical hacker is supposed to do? Do any of the certification bodies talk about these issues? Is he supposed to inform anybody or can he submit a work report on the exploit to any of the certification bodies?

Regards,

Morpheus

Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n
LSOChris
Guest
« Reply #1 on: August 01, 2006, 08:52:19 AM »

release it 0day so you can get your 15 minutes of fame!!!


just kidding, generally you are supposed to contact the vendor so they can begin working on a patch.
Manu Zacharia (-M-)
« Reply #2 on: August 01, 2006, 12:48:12 PM »

> release it 0day so you can get your 15 minutes of fame!!!
>
> just kidding, generally you are supposed to contact the vendor so they can begin working on a patch.

Hi LSOChris,

I totally agree with your suggestion. But the core part of the question is whether any of the Certification standards talk about these issues?

Request responses from CISSPs and CEHs from their professional and academic experiences on the subject question.

Regards,

Morpheus
oleDB
« Reply #3 on: August 01, 2006, 12:52:50 PM »

I believe it's best practice to notify the vendor and give them 6 months to patch prior to releasing to the public. From all that I've heard, many times they don't respond at all. If they don't do anything in 6 months, post to the bugtraq list or your site of choice.

iDefense and some others also offer payment for previously unknown exploits and I believe they pay well for remote root exploits, as opposed to others like local, priv escalation or DoS.

Kev
Guest
« Reply #4 on: August 01, 2006, 01:17:04 PM »

I don’t remember anything in the CEH Certification standards having a clear policy concerning that issue. The CEH is about testing security in a similar manner as an attacker, not about developing exploits or what you should do if you discover 0day vulnerabilities. If by some chance you were the victim of a 0day and were able to recover the exploit, there is a basic code of ethics for the CEH to do no harm and to do what’s best for the community. Obviously that would mean to contact the vendor.
« Last Edit: August 01, 2006, 05:20:03 PM by Kev »
LSOChris
Guest
« Reply #5 on: August 02, 2006, 08:54:45 PM »

there are several "disclosures" and different hats subscribe to different ones. use google.

i don't recall seeing one for CISSP or CEH or CPTS, more of moral questions like should you just release it to the public without contacting the vendor or not.
Hug_It
« Reply #6 on: August 04, 2006, 09:03:42 AM »

I recently listened to a podcast roundtable that was made up mostly of security professionals and a couple security vendors. This exact question came up and the panel was split down the middle. Some of the security pros said they wanted to know about the problem immediately so they at least had the information and possibly could put in some type of safeguards to mitigate it. The vendors, not surprisingly, said they should know first so they can start working on a solution.

I don't believe any of the certifications deal with this issue because they all come from the practitioner or manager perspective. New exploits usually come from researchers and real crackers. Completely different animals.

CISSP
Manu Zacharia (-M-)
« Reply #7 on: September 29, 2006, 10:34:02 PM »

Hi All,

While searching for a Responsible Vulnerability Disclosure Policy, I came across these sample policies which could be of great use to us. Sharing the info:

http://www.wiretrip.net/rfp/txt/ietf-draft.txt

http://www.zerodayinitiative.com/legal.html

Also some interesting articles about emerging Issues in Responsible Vulnerability Disclosure

http://osvdb.org/blog/?p=15

Regards,

The Morpheus
« Last Edit: October 01, 2006, 09:10:01 PM by The Morpheus »