
What is the Modus Operandi for an ethical hacker while dealing with new exploits


morpheus063

Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Tue Aug 01, 2006 4:31 am

What is the Modus Operandi for an ethical hacker while dealing with new exploits

Hi All,

What do you think should be the modus operandi for an ethical hacker while dealing with a new exploit? To put it more clearly and in simple terms, say for example, an ethical hacker comes across a new exploit while working. Now the first step that he will be initiating is to protect his systems from the subject exploit. What are the other steps that an ethical hacker is supposed to do? Do any of the certification bodies talk about these issues? Is he supposed to inform anybody, or can he submit a work report on the exploit to any of the certification bodies?

Regards,

Morpheus
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n

LSOChris

Post Tue Aug 01, 2006 8:52 am

Re: What is the Modus Operandi for an ethical hacker while dealing with new exploits

Release it 0day so you can get your 15 minutes of fame!!!


Just kidding, generally you are supposed to contact the vendor so they can begin working on a patch.

morpheus063

Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Tue Aug 01, 2006 12:48 pm

Re: What is the Modus Operandi for an ethical hacker while dealing with new exploits

LSOChris wrote: Release it 0day so you can get your 15 minutes of fame!!!

Just kidding, generally you are supposed to contact the vendor so they can begin working on a patch.

Hi LSOChris,

I totally agree with your suggestion. But the core part of the question is whether any of the certification standards talk about these issues.

Request responses from CISSPs and CEHs from their professional and academic experiences on the subject question.

Regards,

Morpheus

oleDB

Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Tue Aug 01, 2006 12:52 pm

Re: What is the Modus Operandi for an ethical hacker while dealing with new exploits

I believe it's best practice to notify the vendor and give them 6 months to patch prior to releasing to the public. From all that I've heard, many times they don't respond at all. If they don't do anything in 6 months, post to the bugtraq list or your site of choice.

iDefense and some others also offer payment for previously unknown exploits, and I believe they pay well for remote root exploits, as opposed to others like local, priv escalation or DoS.

Kev

Post Tue Aug 01, 2006 1:17 pm

Re: What is the Modus Operandi for an ethical hacker while dealing with new exploits

I don't remember anything in the CEH Certification standards having a clear policy concerning that issue. The CEH is about testing security in a similar manner as an attacker, not about developing exploits or what you should do if you discover 0day vulnerabilities. If by some chance you were the victim of a 0day and were able to recover the exploit, there is a basic code of ethics for the CEH to do no harm and to do what's best for the community. Obviously that would mean to contact the vendor.
Last edited by Kev on Tue Aug 01, 2006 5:20 pm, edited 1 time in total.

LSOChris

Post Wed Aug 02, 2006 8:54 pm

Re: What is the Modus Operandi for an ethical hacker while dealing with new exploits

There are several "disclosures" and different hats subscribe to different ones. Use Google.

I don't recall seeing one for CISSP or CEH or CPTS, more of moral questions like should you just release it to the public without contacting the vendor or not.

Hug_It

Newbie

Posts: 28

Joined: Thu Feb 23, 2006 4:21 pm

Post Fri Aug 04, 2006 9:03 am

Re: What is the Modus Operandi for an ethical hacker while dealing with new exploits

I recently listened to a podcast roundtable that was made up mostly of security professionals and a couple of security vendors. This exact question came up and the panel was split down the middle. Some of the security pros said they wanted to know about the problem immediately so they at least had the information and possibly could put in some type of safeguards to mitigate it. The vendors, not surprisingly, said they should know first so they can start working on a solution.

I don't believe any of the certifications deal with this issue because they all come from the practitioner or manager perspective. New exploits usually come from researchers and real crackers. Completely different animals.
CISSP

morpheus063

Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Fri Sep 29, 2006 10:34 pm

Re: What is the Modus Operandi for an ethical hacker while dealing with new exploits

Hi All,

While searching for a Responsible Vulnerability Disclosure Policy, I came across these sample policies, which could be of great use to us. Sharing the info:

http://www.wiretrip.net/rfp/txt/ietf-draft.txt

http://www.zerodayinitiative.com/legal.html

Also some interesting articles about emerging issues in responsible vulnerability disclosure:

http://osvdb.org/blog/?p=15

Regards,

The Morpheus
Last edited by morpheus063 on Sun Oct 01, 2006 9:10 pm, edited 1 time in total.