Vulnerability Disclosure: The Strange Case of Bret McDanel
Related papers
Crime Science, 2018
In the computer science field, coordinated vulnerability disclosure is a well-known practice for finding flaws in IT systems and patching them. In this practice, a white-hat hacker who finds a vulnerability in an IT system reports that vulnerability to the system's owner. The owner will then resolve the problem, after which the vulnerability will be disclosed publicly. This practice generally does not focus on potential offenders or black-hat hackers, who would likely exploit the vulnerability instead of reporting it. In this paper, we take an interdisciplinary approach and review the current coordinated vulnerability disclosure practice from both a computer science and a criminological perspective. We discuss current issues in this practice that could influence the decision to use coordinated vulnerability disclosure versus exploiting a vulnerability. Based on different motives, a rational-choice or cost-benefit analysis of the possible reactions after finding a vulnerability will be discussed. Subsequently, implications for practice and suggestions for future research are included.
Computer Vulnerability Analysis: Thesis Proposal
1997
Computer security professionals and researchers do not have a history of sharing and analyzing computer vulnerability information. Scientists and engineers from older or more established fields have long understood that publicizing, analyzing, and learning from other people's mistakes is essential to the stepwise refinement of complex systems. Computer scientists, however, have not followed suit. Programmers reinvent classical programming mistakes, contributing to the reappearance of known vulnerabilities. In the recent past, computer systems have come to be a part of critical systems that have a direct effect on the safety and well-being of human beings, and hence we must have a lower tolerance for software failures. In the dissertation I will attempt to show that computer vulnerability information presents important regularities and that these can be detected, and possibly visualized, providing important insight into the reasons for their prevalence and existence. The information deriv...
Computer Vulnerability Analysis
1998
Many engineering fields have recognized the need to analyze the past in hope of learning from past mistakes and failures. In computer science this realization has resulted in the development of software testing techniques that attempt to detect known problems from software systems and in improved compilers and development tools. However, there exists a series of software failures where detailed analysis is rarely published, mainly for fear that the information could be used against active systems. These software failures, commonly referred to as computer vulnerabilities, have special properties that set them apart from traditional software failures. Detailed analysis of the factors that contribute to the existence of these vulnerabilities is mostly limited to cryptic articles posted to hacker newsgroups or web sites. There are a few notable exceptions, and this report attempts to add to these with a detailed analysis of five common computer vulnerabilities. The analysis of each vulnerability identifies its characteristics, the [expected] policies violated by its exploitation, and contributes to the understanding of the steps that are needed for the eradication of these vulnerabilities in future programs.
Categorization of software errors that led to security breaches
1998
A set of errors known to have led to security breaches in computer systems was analyzed. The analysis led to a categorization of these errors. After examining several proposed schemes for the categorization of software errors, a new scheme was developed and used. This scheme classifies errors by their cause, the nature of their impact, and the type of change, or fix, made to remove the error. The errors considered in this work are found in a database maintained by the COAST laboratory. The categorization is the first step in the investigation of the effectiveness of various measures of code coverage in revealing software errors that might lead to security breaches.
Why Cooperate? Ethical Analysis of InfoSec Vulnerability Disclosure
2015
Vendors, security consultants and information security researchers seek guidance on if and when to disclose information about specific software or hardware security vulnerabilities. We apply Kantianism to argue that vendors and third parties (InfoSec researchers, consultants, and other interested parties) have an ethical obligation to inform customers and business partners (such as channel partners or providers of complementary products and services) about specific software vulnerabilities (thus addressing if disclosure should occur). We apply Utilitarianism to address the question of when disclosure should occur. By applying these two philosophical perspectives we conclude that to maximize social welfare, vendors should release software fixes as soon as possible, and third parties should adopt a coordinated disclosure policy to avoid placing customers and business partners at unnecessary risk.
Proceedings on Privacy Enhancing Technologies
We systematize the knowledge on data breaches into concise step-by-step breach workflows and use them to describe the breach methods. We present the most plausible workflows for 10 famous data breaches. We use information from a variety of sources to develop our breach workflows; however, we emphasize that for many data breaches, information about crucial steps was absent. We researched such steps to develop complete breach workflows; as such, our workflows provide descriptions of data breaches that were previously unavailable. For generalizability, we present a general workflow of 50 data breaches from 2015. Based on our data breach analysis, we develop requirements that organizations need to meet to thwart data breaches. We describe which requirements are met by existing security technologies and propose future research directions to thwart data breaches.
Responsibility for the Harm and Risk of Software Security Flaws
Interdisciplinary Perspectives
Software vulnerabilities are a vexing problem for the state of information assurance and security. Who is responsible for the risk and harm of software security is controversial. Deliberation of the responsibility for harm and risk due to software security flaws requires considering how incentives (and disincentives) and network effects shape the practices of vendors and adopters, and the consequent effects on the state of software security. This chapter looks at these factors in more detail in the context of private markets and public welfare.
Data Breach- an Oblivious Threat and Its Consequences
International Journal of Engineering Applied Sciences and Technology
Data breach has become one of the serious problems in recent years, as with the increase in technology the threat to data security is increasing. This paper mainly focuses on giving information about the causes of data spills and the prevention methods an organisation or individual should adopt to protect themselves from such a threat.