Ethical hacking: May one share an IT vulnerability?

Does one have the right to put other people's system integrity at risk if it is done to prevent a larger attack, or is it even a sin of omission to refrain? Version2 has discussed Responsible Disclosure Policy with Claus Vesthammer, COO at Improsec.

A classic ethical dilemma concerns a runaway train.

Imagine you are standing on a bridge and see a train heading toward five children who, for inexplicable and irrelevant reasons, are playing on the track. But help is at hand.

Close to you is a switch, and if you throw it, the runaway train will change course and hit only one child, who is also playing on the rails that day. Do you throw the switch?

Claus Vesthammer, who is COO at the security consultancy Improsec, argues that one has to act. Fortunately the situation is hypothetical, even though the dilemma is not.

Danish company finds two new vulnerabilities in IBM Notes

Today the Danish security company Improsec is publishing two new vulnerabilities in IBM Notes. The vulnerabilities made it possible to gain full control of the machines running the software.

During a security assessment for a customer, the Danish security company Improsec discovered a total of eight vulnerabilities in the e-mail and calendar platform IBM Notes.

The last two were published this morning. The security holes made it possible to gain full access as local administrator, the company writes on its blog, where it also provides a technical walkthrough of the vulnerabilities.

The machines had been sent to the company to be tested for precisely that kind of vulnerability.

Privilege escalation in IBM Notes Diagnostics #6

This is the fifth blog post in a series documenting various bugs found in installed software during customer engagements. Vulnerabilities will be published when the vendor has provided fixes or when our deadline for the vendor to take action expires. This process is aligned with the Improsec Responsible Disclosure Policy.

In these blog posts I tend to be a bit verbose and give some insights into the process. Concrete exploitation steps and code are listed at the bottom.

Client side code execution in IBM Notes

This is the sixth blog post in a series documenting various bugs found in installed software during customer engagements. Vulnerabilities will be published when the vendor has provided fixes or when our deadline for the vendor to take action expires. This process is aligned with the Improsec Responsible Disclosure Policy.

In these blog posts I tend to be a bit verbose and give some insights into the process. Concrete exploitation steps and code are listed at the bottom.

Privilege Escalation in Heimdal #2

This blog post highlights bugs found in installed software during customer engagements. Vulnerabilities will be published when the vendor has provided fixes or when our deadline for the vendor to take action expires. This process is aligned with the Improsec Responsible Disclosure Policy.

In these blog posts I tend to be a bit verbose and give some insights into the process. Concrete exploitation steps and code are listed at the bottom.

Privilege Escalation in Heimdal #1

This blog post highlights bugs found in installed software during customer engagements. Vulnerabilities will be published when the vendor has provided fixes or when our deadline for the vendor to take action expires. This process is aligned with the Improsec Responsible Disclosure Policy.

In these blog posts I tend to be a bit verbose and give some insights into the process. Concrete exploitation steps and code are listed at the bottom.

Privilege Escalation in IBM Notes Diagnostics #3-5

This is the fourth blog post in a series documenting various bugs found in installed software during customer engagements. Vulnerabilities will be published when the vendor has provided fixes or when our deadline for the vendor to take action expires. This process is aligned with the Improsec Responsible Disclosure Policy.

In these blog posts I tend to be a bit verbose and give some insights into the process. Concrete exploitation steps and code are listed at the bottom.

Dane finds serious vulnerabilities in IBM's Lotus Notes: still wide open three months after IBM was warned

A Danish security expert has found several critical vulnerabilities in the IBM platform Notes. And they are apparently not being patched.

Lasse Trolle Borup is a security consultant at Improsec, and when he tested the security of a laptop for a customer in October 2017, he quickly became aware of the IBM system Notes.

Privilege Escalation in IBM Notes Smart Update Service

This is the third blog post in a series documenting various bugs found in installed software during customer engagements. Vulnerabilities will be published when the vendor has provided fixes or when our deadline for the vendor to take action expires. This process is aligned with the Improsec Responsible Disclosure Policy.

In these blog posts I tend to be a bit verbose and give some insights into the process. Concrete exploitation steps and code are listed at the bottom.

Privilege Escalation in IBM Notes Diagnostics #2

This is the second blog post in a series documenting various bugs found in installed software during customer engagements. Vulnerabilities will be published when the vendor has provided fixes or when our deadline for the vendor to take action expires. This process is aligned with the Improsec Responsible Disclosure Policy.

In this blog post I will tend to be a bit verbose and give some insights into the process. Concrete exploitation steps and code are listed at the bottom.