
Re: [Full-disclosure] Cambium Group, LLC. CAMAS Advisory



On Wed, Feb 25, 2009 at 11:57 AM, Adriel T. Desautels
<ad_lists@xxxxxxxxxxxxx> wrote:
> I'm not sure if it's appropriate for this list, but it is related to
> penetration testing and vulnerability disclosure (moderators decide).
>

The irony of Kevin (don't make fun of my complexion) Finisterre disclosing
he has a full time job outside of security followed by his foray into the realm
of security with "advisories" is puzzling. So Kevin isn't working in the
industry as he disclosed in his previous email which means he obviously
isn't working for "Netragard" which leads me to believe that Netragard is
merely a fictitious company formed on an IRC channel amongst friends.
Now this is not to say there is anything wrong with this however, to trust
a bunch of IRC kids on an infrastructure would amount to career suicide.
For starters outside of a modded Pentium, they'd have little experience in
the real world. Themes like DoDAF, DIACAP, Information Security
Architecture would be beyond the scope of their understanding.

Without further ado, I'll now speculate on the intent of this current
"Critical" advisory Netragard was gracious enough to bless the community
with.

> - 
> -------------------------------------------------------------------------------------------------
> Contact                         : Adriel T. Desautels
> Researcher                      : Kevin Finisterre
> Vendor Notified         : 08/22/2007
>

> [Proof Of Concept]
> - 
> -------------------------------------------------------------------------------------------------
> Proof of concept code exists but is not provided as to not increase CAMAS
> users overall risk levels. Any website that reads "Powered by the Cambium
> Group, LLC." is a CAMAS powered website.

Snake oil at its finest. You may recall Netragard has a pay-for-play
scheme working where they never disclose any code. This works
to anyone's advantage as a trump card when you think about it on
a psychological-warfare-like scale. "We found a tumor somewhere
in your body; however, we're choosing not to tell you about how we
found it, nor where it is."

Imagine if you will those words coming out of a doctor's mouth.
You have to take into account that a doctor is a professional as
should someone in this industry be - a professional. The entire
absurdity of "finding a tumor" and not revealing that tumor is
quite shady. Wouldn't you agree? You may choose to disagree
but offer some supportive argument should you choose to say
so.

> [Vendor Status and Chronology]
> - 
> -------------------------------------------------------------------------------------------------
> 08/06/2007 07:11:57 PM EDT - Vulnerabilities Discovered
> 08/24/2007 09:38:41 AM EDT - Cambium Group, LLC. Notified in full detail
> 08/24/2007 10:54:01 AM EDT - Cambium Group, LLC. Responds to Notification
> 08/27/2007 10:31:30 AM EDT - Conference Call Scheduled
> 08/29/2007 03:00:00 PM EDT - Held Conference call - Presented Solution
> 08/29/2007 03:00:00 PM EDT - Communication with the Cambium Group Faded
> 09/26/2008 11:17:35 PM EDT - Issues remain unfixed
> 02/09/2009 09:00:00 PM EDT - Issues remain unfixed
> 02/11/2009 03:44:19 PM EST - Whistle Blower FD Posting (No affiliation to Netragard)
> 02/11/2009 04:55:20 PM EST - Netragard Prepares Advisory for Release

During the initial discovery by the self-imposed experts at Netragard, it
seems that Cambium performed some form of diligence in the sense that
they took the time to listen to Netragard; however, much can be gleaned
from Netragard's own choice of wording:

> 08/29/2007 03:00:00 PM EDT - Held Conference call - Presented Solution
> 08/29/2007 03:00:00 PM EDT - Communication with the Cambium Group Faded

At the onset of a conference call - dot dot dot - there was an immediate
breakdown. Not one day later, not one week later - according to Netragard
it occurred the minute Netragard got on a call with them. This is a rather
peculiar scenario if you think about it logically. What could have been
the potential breakdown; after all, Cambium took the time out of their
schedules to do "something". Could it have been the pitch offered by
Netragard? Were you guys trying to extort them, Adriel? How could that
conference have played out?

http://www.copyright.gov/1201/2003/comments/019.pdf

It has been brought to my attention that, on July 18, 2002, a buffer overflow
exploit of Tru64 UNIX was posted on securityfocus.com under the alias
phased@xxxxxxxxxxxx (a/k/a "phased", "phased@xxxxxxx" and "James Green").
Based on information provided by Gil Novak to HP concerning aliases utilized
by SnoSoft, we understand that this action was taken by an agent of SnoSoft
despite SnoSoft's representations that it intended to comply with the industry
standard practice of reporting its findings to CERT and despite the ongoing
discussions between Gil Novak and Rich Boren on this issue.

SnoSoft and its "agents" are nothing more than wanna-be security experts
without having the capacity to keep out of the big boys' club of penetration
testing. The purpose of me pointing out many of your company's errors and
misleading ways is that, quite frankly, I wish you guys would just STFU with
your wanna-be holier-than-thou approach to infosec. You're not and have
never been experts at anything.

So what exactly happened with HP since it is quite easy to taint the view on
security mailing lists and look for sympathetic ears - "b00-h00 th1s b1G
c0mpanY iS l0okInG tO sTicK it t0 m3 beCAuSe eYe DiScOvrrrD zer0
d@y anD theY woN'T pAy m3 t0 fix0r sh1zZl3 f0r d3m! Fr3e K3rv1n!"
(The Free Kervin was an ode to Sinnerz hola fh, tm, jw, su1d har har har)

I'm sure Brigitte and Marion would be appalled by your Adriel.


-- 
Making no mistakes is what establishes the certainty of victory, for
it means conquering an enemy that is already defeated. - Sun Tzu
