Topic: What is the Modus Operandi for an ethical hacker while dealing with new exploits
Manu Zacharia (-M-)
« on: August 01, 2006, 04:31:06 AM »

Hi All,

What do you think should be the modus operandi for an ethical hacker while dealing with a new exploit? To put it more clearly and in simple terms, say, for example, an ethical hacker comes across a new exploit while working. Now the first step that he will be initiating is to protect his systems from the subject exploit. What are the other steps that an ethical hacker is supposed to do? Do any of the certification bodies talk about these issues? Is he supposed to inform anybody, or can he submit a work report on the exploit to any of the certification bodies?

Regards,

Morpheus

Manu Zacharia
Certified ISO 27001:2005 (Information Security Management System) Lead Auditor
Promote the Information Security Day
Visit - http://www.informationsecurityday.com
ChrisG
« Reply #1 on: August 01, 2006, 08:52:19 AM »

release it 0day so you can get your 15 minutes of fame!!!


just kidding, generally you are supposed to contact the vendor so they can begin working on a patch.

...tests i took go here...

http://carnal0wnage.blogspot.com/
Manu Zacharia (-M-)
« Reply #2 on: August 01, 2006, 12:48:12 PM »

release it 0day so you can get your 15 minutes of fame!!!


just kidding, generally you are supposed to contact the vendor so they can begin working on a patch.
Hi LSOChris,

I totally agree with your suggestion. But the core part of the question is whether any of the Certification standards talk about these issues?

Request responses from CISSPs and CEHs from their professional and academic experiences on the subject question.

Regards,

Morpheus
oleDB
« Reply #3 on: August 01, 2006, 12:52:50 PM »

I believe it's best practices to notify the vendor and give them 6 months to patch prior to releasing to the public. From all that I've heard, many times they don't respond at all. If they don't do anything in 6 months, post to the bugtraq list or your site of choice.

iDefense and some others also offer payment for previously unknown exploits and I believe they pay well for remote root exploits, as opposed to others like local, priv escalation or dos.

Kev
Guest
« Reply #4 on: August 01, 2006, 01:17:04 PM »

I don’t remember anything in the CEH Certification standards having a clear policy concerning that issue. The CEH is about testing security in a similar manner as an attacker, not about developing exploits or what you should do if you discover 0day vulnerabilities. If by some chance you were the victim of a 0day and were able to recover the exploit, there is a basic code of ethics for the CEH to do no harm and to do what’s best for the community. Obviously that would mean to contact the vendor.
« Last Edit: August 01, 2006, 05:20:03 PM by Kev »
ChrisG
« Reply #5 on: August 02, 2006, 08:54:45 PM »

there are several "disclosures" and different hats subscribe to different ones.  use google.

i don't recall seeing one for CISSP or CEH or CPTS, more of moral questions like should you just release it to the public without contacting the vendor or not.
Hug_It
« Reply #6 on: August 04, 2006, 09:03:42 AM »

I recently listened to a podcast roundtable that was made up mostly of security professionals and a couple security vendors. This exact question came up and the panel was split down the middle. Some of the security pros said they wanted to know about the problem immediately so they at least had the information and possibly could put in some type of safeguards to mitigate it. The vendors, not surprisingly, said they should know first so they can start working on a solution.

I don't believe any of the certifications deal with this issue because they all come from the practitioner or manager perspective. New exploits usually come from researchers and real crackers. Completely different animals.

CISSP
Manu Zacharia (-M-)
« Reply #7 on: September 29, 2006, 10:34:02 PM »

Hi All,

While searching for a Responsible Vulnerability Disclosure Policy, I came across these sample policies which could be of great use to us. Sharing the info:

http://www.wiretrip.net/rfp/txt/ietf-draft.txt

http://www.zerodayinitiative.com/legal.html

Also some interesting articles about emerging Issues in Responsible Vulnerability Disclosure

http://osvdb.org/blog/?p=15

Regards,

The Morpheus
« Last Edit: October 01, 2006, 09:10:01 PM by The Morpheus »
