[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Cambium Group, LLC. CAMAS Advisory



I guess these days it isn't so amazing that people can type, and even hit
send, rarely sharing their views face to face. Hiding in your grandmother's
closet with your indestructable, glow-in-the-dark keyboard from Best Buy is
sooo in. Anyways, free Kev.. speech!

On Thu, Feb 26, 2009 at 5:22 PM, Smoking Gun <pentesterkunt@xxxxxxxxx>wrote:

> On Wed, Feb 25, 2009 at 11:57 AM, Adriel T. Desautels
> <ad_lists@xxxxxxxxxxxxx> wrote:
> > I'm not sure if its appropriate for this list but it is related to
> > penetration testing and vulnerability disclosure (moderators decide).
> >
>
> The irony of Kevin (don't make fun of my complexion) Finisterre disclosing
> he has a full time job outside of security followed by his foray into the
> realm
> of security with "advisories" is puzzling. So Kevin isn't working in the
> industry as he disclosed in his previous email which means he obviously
> isn't working for "Netragard" which leads me to believe that Netragard is
> merely a fictitious company formed on an IRC channel amongst friends.
> Now this is not to say there is anything wrong with this however, to trust
> a bunch of IRC kids on an infrastructure would amount to career suicide.
> For starters outside of a modded Pentium, they'd have little experience in
> the real world. Themes like DoDAF, DIACAP, Information Security
> Architecture would be beyond the scope of their understanding.
>
> Without further-ado, I'll now speculate on the intent of this current
> "Critical" advisory Netragard was gracious enough to bless the community
> with.
>
> > -
> -------------------------------------------------------------------------------------------------
> > Contact                         : Adriel T. Desautels
> > Researcher                      : Kevin Finisterre
> > Vendor Notified         : 08/22/2007
> >
>
> > [Proof Of Concept]
> > -
> -------------------------------------------------------------------------------------------------
> > Proof of concept code exists but is not provided as to not increase
> > CAMAS
> > users overall risk levels. Any website that reads "Powered by the
> > Cambium
> > Group, LLC." is a CAMAS powered website.
>
> Snake oil at it's finest. You may recall Netragard has a pay for play
> scheme working where they never disclose any code. This works
> to anyone's advantage as a trump card when you think about it on
> a psychological warfare like scale. "We found a tumor somewhere
> in your body however, we're choosing not to tell you about how we
> found it, nor where it is."
>
> Imagine if you will those words coming out of a doctor's mouth.
> You have to take into account that a doctor is a professional as
> should someone in this industry be - a professional. The entire
> absurdity of "finding a tumor" and not revealing that tumor is
> quite shady. Wouldn't you agree? You may choose to disagree
> but offer some supportive argument should you choose to say
> so.
>
> > [Vendor Status and Chronology]
> > -
> -------------------------------------------------------------------------------------------------
> > 08/06/2007 07:11:57 PM EDT - Vulnerabilities Discovered
> > 08/24/2007 09:38:41 AM EDT - Cambium Group, LLC. Notified in full detail
> > 08/24/2007 10:54:01 AM EDT - Cambium Group, LLC. Responds to
> > Notification
> > 08/27/2007 10:31:30 AM EDT - Conference Call Scheduled
> > 08/29/2007 03:00:00 PM EDT - Held Conference call - Presented Solution
> > 08/29/2007 03:00:00 PM EDT - Communication with the Cambium Group Faded
> > 09/26/2008 11:17:35 PM EDT - Issues remain unfixed
> > 02/09/2009 09:00:00 PM EDT - Issues remain unfixed
> > 02/11/2009 03:44:19 PM EST - Whistle Blower FD Posting (No affiliation
> > to Netragard)
> > 02/11/2009 04:55:20 PM EST - Netragard Prepares Advisory for Release
>
> During the initial discovery by the self-impose-experts at Netragard, it
> seems that Cambium performed some form of diligence in the sense
> they took the time to listen to Netragard however, much can be gleaned
> from Netragards own choice of wording:
>
> > 08/29/2007 03:00:00 PM EDT - Held Conference call - Presented Solution
> > 08/29/2007 03:00:00 PM EDT - Communication with the Cambium Group Faded
>
> At the onset of a conference call - dot dot dot - there was an immediate
> breakdown. Not one day later, not one week later - according to Netragard
> it occurred the minute Netragard got on call with them. This is a rather
> peculiar scenario if you think about it logically. What could have been
> the potential breakdown; after all, Cambium took the time out of their
> schedules to do "something". Could it have been the pitch offered by
> Netragard. Were you guys trying to extort them Adriel? How could that
> conference have played out?
>
> http://www.copyright.gov/1201/2003/comments/019.pdf
>
> It has been brought to my attention that, on July 18, 2002, a buffer
> overflow
> exploit of Tru64 UNIX was posted on securityfocus.com under the alias
> phased@xxxxxxxxxxxx (a/k/a "phased", phased@xxxxxxx" and "James Green").
> Based on information provided by Gil Novak to HP concerning aliases
> utilized
> by SnoSoft, we understand that this action was taken by an agent of SnoSoft
> despite SnoSoft's representations that it intended to comply with the
> industry
> standard practice of reporting its findings to CERT and despite the ongoing
> discussions between Gil Novak and Rich Boren on this issue.
>
> Snosoft and its "agents" are nothing more than wanna be security experts
> without having the capacity to keep out of the big boys club of penetration
> testing. The purpose of me pointing many of your company's errors and
> misleading ways is that quite frankly, I wish you guys would just STFU with
> your wanna be holier than thou approach to infosec. You're not and have
> never been experts at anything.
>
> So what exactly happened with HP since it is quite easy to taint the view
> on
> security mailing lists and look for sympathetic ears - "b00-h00 th1s b1G
> c0mpanY iS l0okInG tO sTicK it t0 m3 beCAuSe eYe DiScOvrrrD zer0
> d@y anD theY woN'T pAy m3 t0 fix0r sh1zZl3 f0r d3m! Fr3e K3rv1n!"
> (The Free Kervin was an ode to Sinnerz hola fh, tm, jw, su1d har har har)
>
> I'm sure Brigitte and Marion would be appalled by your Adriel.
>
>
> --
> Making no mistakes is what establishes the certainty of victory, for
> it means conquering an enemy that is already defeated. - Sun Tzu
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/