The Hack in the Box conference in Malaysia is over, but our interviews continue with the last of the speakers who was willing to share his professional insight on some of the issues that currently affect the security industry.
Benjamin Kunz Mejri, the founder of the Vulnerability Laboratory, was kind enough to answer some questions about the flaws they found in Skype, his research team and some aspects of their important quest to make the internet a safer place.

Softpedia: The Vulnerability Lab project is doing extremely well, constantly discovering potential weaknesses in websites, software and applications, at the same time providing help in the patching process. Can you tell us a bit about the latest, more interesting vulnerabilities you've discovered?

Benjamin Kunz Mejri: We mostly discover vulnerabilities in security products like software, applications & websites. We are more interested in vendor product vulnerabilities than in protection of, for example, a customer website, but we also focus on specific strategic nodes, as you can see on our website. We also produce videos & verified, free documents for prevention. The most famous publications of the last month were ...
- Upek Protector Suite QL 2011 - Buffer Overflow Vulnerability
- StarMoney Banking Software v8.0 - Multiple Vulnerabilities
- Skype 5.3.x 2.2.x 5.2.x - Persistent Software Vulnerability
- International Atomic Energy Agency Website Service - Blind SQL Injection Vulnerability
- U.S. Geological Survey Center Website - SQL Injection Vulnerability
- SonicWall Viewpoint v6.0 SP2 - SQL Injection Vulnerability
- Facebook BugBounty #2 - Persistent Web Vulnerabilities
- Sonicwall Viewpoint v6.0 SP2 - Multiple Web Vulnerabilities
- Fortigates FortiAnalyzer Appliance - Multiple Web Vulnerabilities
- Google SketchUp v8.x - Memory Corruption Vulnerability
- Kaspersky IS&AV 2011/12 - Memory Corruption Vulnerability
- Barracuda Spam & Virus Web Application Firewall 600 - Multiple Web Vulnerabilities
To highlight 3 of them I picked out the persistent Skype bug, the Upek Protector Suite buffer overflow vulnerability & another critical website vulnerability.

Skype 5.3.x 2.2.x 5.2.x - Persistent Software Vulnerability (http://www.vulnerability-lab.com/get_content.php?id=182)
The bug is located in the status-bar module of the slide index. The vulnerability allows a local attacker to implement persistent malicious script code in the Skype software. Successful exploitation can lead to redirects, client exploitation, session hijacking & request manipulation over the specific vulnerable software module.
Upek Protector Suite QL 2011 - Buffer Overflow Vulnerability (http://www.vulnerability-lab.com/get_content.php?id=259)
The vulnerability allows a local attacker to crash the EikonTouch USB peripheral device driver/software via a local buffer overflow. The bug is located in the profile import module of the software when processing specially crafted (manipulated) .vtp profile files.
International Atomic Energy Agency Website Service - Blind SQL Injection Vulnerability (http://www.vulnerability-lab.com/get_content.php?id=268)
An insecure application parameter request allows remote attackers to implement/execute their own SQL commands via SQL injection.
Successful exploitation of the blind injection may result in DBMS compromise, defacement or manipulation of service/application content.
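The blind SQL injection class described in this answer comes down to one thing: a request parameter is pasted into the SQL text instead of being bound as a value, so the parameter can change the query's logic, and the attacker reads the answer off the difference between a "true" and a "false" response. The following Python example is added here to illustrate that point and its fix; it is not code from the interview or from Vulnerability Lab, and the `articles` table, the `build_db`/`lookup_vulnerable`/`lookup_fixed` functions and the probe values are all constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory table standing in for a site's database: one public
# row and one row that the application should never expose.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles (title, published) VALUES (?, ?)",
        [("Public notice", 1), ("Internal draft", 0)],
    )
    return conn


def lookup_vulnerable(conn, article_id: str):
    # Builds the query by string formatting: the request parameter becomes
    # part of the SQL text, so whatever the client sends is parsed as SQL.
    sql = f"SELECT title FROM articles WHERE published = 1 AND id = {article_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, article_id: str):
    # Defence in depth: validate the parameter's shape first, then bind it as
    # a value. A bound parameter is never parsed as SQL syntax, so the query's
    # logic cannot be altered by the caller.
    if not article_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT title FROM articles WHERE published = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (int(article_id),))]


def demo():
    # Compares the two implementations on a benign value and on two
    # constructed probe values that differ only in a boolean condition.
    # For the vulnerable lookup the two probes return different results,
    # and that observable difference is exactly the signal a blind
    # injection relies on; the fixed lookup rejects both before any SQL runs.
    conn = build_db()
    benign = "1"
    true_probe = "1 AND 1=1"
    false_probe = "1 AND 1=2"
    results = {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_true": lookup_vulnerable(conn, true_probe),
        "vulnerable_false": lookup_vulnerable(conn, false_probe),
        "fixed_benign": lookup_fixed(conn, benign),
    }
    try:
        lookup_fixed(conn, true_probe)
        results["fixed_probe"] = "accepted"
    except ValueError:
        results["fixed_probe"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The instructive comparison is `vulnerable_true` against `vulnerable_false`: the query still "works" for normal input, which is why this class of bug survives testing, but its result set now depends on a condition the client controls. On the defensive side, the type check alone would already stop these probes, but the bound parameter is the actual fix, since it holds even for parameters that legitimately contain quotes or spaces.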
Softpedia: How do the newly discovered Skype vulnerabilities affect the everyday user? What are the risks involved in using the application?

Benjamin Kunz Mejri: The discovered local & remote vulnerabilities can result in an account steal, session hijacking or, for example, execution of malicious content out of the software context. Skype exploitation on the black scene is very rare because of the tricky art of exploitation inside of the software. On Skype there are not many techniques known which could lead to mass exploitation, because Skype security works in cooperation with hackers & researchers. Skype is for me actually one of the most secure messengers & VoIP software I have ever penetrated, because of the fact that all other messengers fall down after some minutes/hours (Adium, ICQ, MSN & Co.) ... and Skype exploitation mostly needs days/weeks of research. I do not say Skype is the most secure client, but I definitely know Skype really cares about security & vulnerabilities inside of their products. After a vulnerability has been disclosed/published to Skype security, the bug is mostly patched/fixed after some days or weeks. I also need to say that real bugs are mostly very tricky to exploit. I also discovered a denial of service vulnerability which is exploitable from local to remote and can crash the software of the end user via a persistent weakness. The security risk for end users depends from issue to issue. Most vulnerabilities I have discovered are of medium priority for end users.
Softpedia: How do you approach a website owner to tell him that his domain can be compromised, and how do they react to the news?

Benjamin Kunz Mejri: There are 2 options for the product vendor ... he hates us because he cannot see his own flaws/mistakes/fails ... or he loves us because he can now see his flaws/mistakes/fails. Nothing in between. Most vendors reply very friendly & ask us for a disclosure partnership (cooperation) for future bug publications. Very often they fix the issue(s) within some hours. Every vendor needs to be notified in a special way over the website forms, mail or by phone. Sometimes it's very easy to contact the product vendor and sometimes the bureaucracy, spam filters or employees of a company block the verification process. It depends from issue to issue & vendor to vendor, but most are really nice in cooperation with the Vulnerability Lab research team.
Softpedia: In most cases, do you find the vulnerabilities on your own or do vendors seek your aid?

Benjamin Kunz Mejri: Both! We have product vendors on the lab which forward us as a partner to discover bugs inside of their own software, application or service. Sometimes they provide us hardware, demos or information to identify zero-day vulnerabilities. Sometimes the researchers interact on their own to identify zero-day vulnerabilities.
Depends from case to case of the exploitation scenario.
Softpedia: I know that the team you work with is a perfect example of cultural diversity, as most of them come from different countries. Tell us a bit more about them.

Benjamin Kunz Mejri: Thanks! We are a good team from a lot of different countries. The displayed website team is just a part of the public representatives of the team. A lot of them want to stay in the background for other reasons. In 1997, Benjamin K.M. founded a non-commercial and independent security research group called "Global Evolution - Security Research Group", which is still active today. In 2010 Benjamin K.M. founded the company "Evolution Security". After the firm's establishment arose the Vulnerability Lab as the legal European initiative for vulnerability researchers, analysts, penetration testers, and serious hacker groups. We have a lot of stable references as a team from solved events or contests & exclusive zero-day exploitation sessions/releases.
Softpedia: Do you have any advice for webmasters on what they should do to better protect their sites?

Benjamin Kunz Mejri: Share knowledge & exchange information or data to protect yourself, vendors & other people. Bring the customers more transparency to prevent attacks & data loss. Test your own products, functions, processes or modules to identify & fix/patch vulnerabilities inside. Include for example bug bounty or reward programs & implement security contacts to show stable presence.
Softpedia: Cloud-based systems are covering ground fast, but there's also a large number of risks involved. What's your opinion on the matter?

Benjamin Kunz Mejri: Cloud-based systems provide computation, software, data access, and storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services. I think that the use of a remote system without knowing anything about it or what services are running in it represents a high risk if, for example, a cracker can hack into one of the remote computers.
Softpedia: What should be the security industry's greatest fear? What's in store for the world the way things are going right now?

Benjamin Kunz Mejri: The greatest fear of the security industry is that the private industry (like us) jumps into the market to show what they missed or completely ignored over the years.
Sometimes the security industry needs to change its tactics of prevention to secure the most important infrastructures.