Blog « IT Security Geeks

An Open Letter to Software Vendors

On 28th September 2011, we notified a vendor of multiple security vulnerabilities in one of their products and asked who the details should be sent to.

The initial response from the vendor support team took 6 days.

The complete details of the vulnerabilities were disclosed to the vendor on 5th October. These included screenshots, HTTP requests and responses, and proof-of-concept code for each vulnerability. After that, no response was received.

We then sent another e-mail to the vendor on 11th October, asking for an update on these issues, or at least confirmation that they had received our original e-mail with the vulnerability details.

We received no response from the vendor.

On 8th November, we finally received a response stating “These have been replicated by R&D and they will fix in a later release.” No “Thanks for your help guys”, no dates by which these would be patched, and no answers to our other queries.

We followed this up by asking the vendor to work with us on a coordinated release and to agree some reasonable dates. The vendor’s response was “I have asked for timescales for the fixes and will update you when these are released.”

Now just to be clear, we are not getting paid to disclose these vulnerabilities to any vendors. We are doing this to help make the Internet and networks in general a safer place for all.

We don’t ask for much: credit for the disclosure, and a timely patch to mitigate the vulnerabilities. It really doesn’t need to be this difficult to report vulnerabilities, and a little bit of thanks and courtesy never hurt anyone.

To all software and hardware vendors out there: please take a few moments to read the Wikipedia article on Responsible Disclosure. Then work with your relevant teams to make it easier for researchers to report vulnerabilities in your code and to work with you on fixing them.

We understand that not all vendors can afford to hire fully-fledged security teams, and most security professionals are willing to help you secure your applications and devices just for the credit of finding the vulnerability in your product. That’s got to be the cheapest application security assessment you’ve ever had!

Little things, like an e-mail address or a form on your website for contacting your product security team, or even your developers, would make a world of difference. It would also ensure that we, as security researchers, reach the relevant team within your organisation right off the bat (and don’t get sent around the houses while trying to do you a favour). That way we can always deal with the same person or team within your organisation and get vulnerabilities mitigated in a timely manner.

Please, guys and girls, help us to help you. We’re giving you free security advice, educating your developers and strengthening your products, all for a one-liner in your security advisory.

Think about it…


Filed under: News, Vulnerabilities

Website 2.0

As you can see we’ve successfully launched the new version of our web site now, and we’d like to say a huge thank you to Tick Tock Computers for all the hard work that they’ve put into this site.

Hopefully this now makes the site more user friendly, and makes finding what you’re looking for a lot easier. Please keep checking back, as we’ll be regularly updating the company Blog with news and updates.

If you’ve got any comments on the new web site at all, please drop us a line and let us know, we always value customer feedback.


Filed under: News

SourceFire

We are pleased to announce that we have recently partnered with SourceFire, the leader in intelligent cyber security solutions.

Having worked with SourceFire in the past, along with other IDS vendors, we honestly believe that SourceFire is the current leader in IDS/IPS technology, and we are honoured to be able to support and sell their offerings going forward.


Filed under: Partners

IT Security Geeks & Rapid7

IT Security Geeks is proud to announce that we have happily partnered with Rapid7. Rapid7 is the leading provider of unified vulnerability management, compliance and penetration testing solutions.

What does this mean for our clients?

It means that we can now sell you the Rapid7 product suite, including Metasploit Express, Metasploit Professional and the range of Nexpose products.

For more information on the Rapid7 range of products, or to arrange a demo, please get in touch via our Contact Us page.


Filed under: Partners

IT Security Geeks Partners with IronKey

We are proud to announce that IT Security Geeks has partnered with IronKey, the leader in secure USB drives. We will be selling these devices and doing some really exciting things with them.

Website updates will be coming soon, with all the info.


Filed under: Uncategorized

CVE-2010-1752

IT Security Geeks would like to congratulate Neil Fryer on discovering a stack overflow vulnerability in Apple’s Mac OS X CFNetwork framework.

The following is taken from Apple’s security update page:

CFNetwork

CVE-ID: CVE-2010-1752

Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: A stack overflow exists in CFNetwork’s URL handling code. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Laurent OUDOT of TEHTRI-Security, and Neil Fryer of IT Security Geeks for reporting this issue.
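As an added illustration of the bug class the advisory describes (and not Apple’s CFNetwork code, nor the researchers’ proof of concept), here is a constructed C example: a URL host extractor that copies an attacker-controlled URL component into a fixed-size stack buffer with no length check, beside the same routine with the bounds check that the fix describes. The 64-byte buffer, the function names and the “scheme://host/path” layout are assumptions made for the illustration only.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example of a stack overflow in URL handling code and its
 * bounds-checked fix. This is NOT CFNetwork's code; buffer size, names and
 * URL layout are hypothetical. */

#define HOST_MAX 64  /* assumed fixed size of the on-stack host buffer */

/* Locates the host component of "scheme://host/..." in url.
 * Returns its length and sets *start, or -1 if there is no "://". */
static int locate_host(const char *url, const char **start) {
    const char *p = strstr(url, "://");
    if (p == NULL) return -1;
    p += 3;
    const char *end = strchr(p, '/');
    *start = p;
    return (int)(end ? (size_t)(end - p) : strlen(p));
}

/* VULNERABLE: copies the host into a HOST_MAX-byte local buffer without
 * comparing its length to HOST_MAX. A host of HOST_MAX bytes or more writes
 * past the end of `host`, corrupting this frame's saved state (undefined
 * behaviour): a crafted URL becomes a crash or code execution. It is only
 * ever called here with a short, benign URL. */
static int parse_host_unsafe(const char *url) {
    char host[HOST_MAX];
    const char *start;
    int len = locate_host(url, &start);
    if (len < 0) return -1;
    memcpy(host, start, (size_t)len);   /* len never checked against HOST_MAX */
    host[len] = '\0';
    return (int)strlen(host);
}

/* FIXED: identical logic plus the bounds check. Any host that would not fit,
 * terminator included, is refused outright rather than silently truncated,
 * and nothing is ever written beyond out[out_size - 1]. */
static int parse_host_safe(const char *url, char *out, size_t out_size) {
    const char *start;
    int len = locate_host(url, &start);
    if (len < 0 || out_size == 0) return -1;
    if ((size_t)len >= out_size) {      /* would overflow: reject the URL */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, start, (size_t)len);
    out[len] = '\0';
    return len;
}

/* Hardened counterpart of parse_host_unsafe, same HOST_MAX stack buffer. */
static int check_url(const char *url) {
    char host[HOST_MAX];
    return parse_host_safe(url, host, sizeof host);
}

/* Builds a URL whose host is `hostlen` bytes of 'a' (constructed input) and
 * feeds it to the hardened parser. Returns 1 if the host was rejected. */
static int long_host_rejected(size_t hostlen) {
    char url[1024];
    if (hostlen + 16 > sizeof url) return 0;
    size_t n = (size_t)snprintf(url, sizeof url, "https://");
    memset(url + n, 'a', hostlen);
    strcpy(url + n + hostlen, "/index.html");
    return check_url(url) == -1;
}

int main(void) {
    printf("unsafe parser, short host: %d\n", parse_host_unsafe("http://example.com/"));
    printf("safe parser, short host:   %d\n", check_url("http://example.com/"));
    printf("safe parser, 63-byte host rejected:  %d\n", long_host_rejected(63));
    printf("safe parser, 200-byte host rejected: %d\n", long_host_rejected(200));
    return 0;
}
```

The check is `len >= out_size`, not `len > out_size`, because the terminating NUL also needs a byte; an off-by-one here is itself a classic single-byte stack overflow. Rejecting rather than truncating matters too: a silently truncated host can send the request somewhere the caller did not intend.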


Filed under: Uncategorized

Traditional Penetration Testing is Dead

There is a really good article over on Secmaniac.com describing where a lot of penetration testing companies have been going wrong lately.

We encourage all our customers to take 5 minutes out of their day and have a read.

You can find the full article here.


Filed under: Penetration Testing

Exciting times ahead!

IT Security Geeks is officially off the ground now, and the next couple of months are going to bring some really exciting times and changes to the website.

We are currently looking at partnering with quite a few security-related organisations over the next couple of months, and we’re also looking into running some really interesting training in the UK, hopefully expanding this to cover Europe as well.

Please keep an eye on the website, as it is still undergoing development and it will be for a few months yet, as we have a lot of things to add.


Filed under: Uncategorized