Personal
upSploit – Press Release
by tmac on Jul.01, 2010, under Personal, Projects
What is upSploit?
upSploit is a free service to the IT security industry that enables vulnerability and exploit advisories to be distributed easily between the finder, the vendor and other security professionals. This Vulnerability Advisory Gateway (VAG) should break down the barriers for security researchers and professionals to pass details of vulnerabilities to vendors in a structured, easy-to-follow process.
How does upSploit work?
upSploit consists of two sections. The first is public, where you can search and view published advisories and read more information about the project. The second is for registered members, who will be able either to upload their existing advisory or, if unsure how to write one, to generate an advisory automatically using our online advisory wizard form.
Once these details have been uploaded, upSploit then automatically passes the information on to the correct vendor and arranges for a patch to be released.
Once this occurs, the user can choose which mailing lists and databases to submit their advisory to.
Why use upSploit?
With a number of disclosure options available to the security professional, we are trying to create a process that provides a natural balance for both vendor and security researcher.
This is a place where vendor and security professional are equal, which is why we have put together a responsible disclosure policy. We will contact the vendor a number of times over a set period to try to arrange a patch date, and then publish the advisory. If this period is exceeded we will publish the advisory to the community, although this is decided on a case-by-case basis.
We have given the security professional control over where each of their advisories is sent. If the user doesn’t want to upload to a particular mailing list or database then they don’t have to, and if they want an advisory to be anonymous it will not show up in their public profile.
How is this different to any other database or mailing list?
The service isn’t just a database; it provides the user with much more. The main point of upSploit is that it distributes the advisory to the vendor and to other databases and mailing lists, doing a job that could otherwise take the user hours to do themselves. After an advisory has been published we will display all of our advisories in the usual manner for future analysis and historical reference.
Dates for the calendar
There are three stages to the upSploit development plan, and the dates are as follows:
19th July – 2nd August 2010 –> Alpha Stage
2nd August – 6th September 2010 –> Beta Stage
6th September 2010 –> Version 1
These dates are not set in stone; however, they are not likely to change.
We are now opening our doors to three types of people, listed below:
Alpha Testers
Beta Testers
Sponsors
Alpha Testers are needed to find vulnerabilities and bugs within the service, i.e. we are looking for web application assessments and testing.
Beta Testers are needed to actually use the service, i.e. we need people who are actively finding vulnerabilities and exploits and contacting vendors.
Sponsors are needed to help support the development of the project. The hope is that upSploit is going to be used by a lot of people, and by sponsoring upSploit your logo will be found on the main page, attracting views from those people.
To apply as any or all of the above, please email the upSploit team at info@upsploit.com with your name and information on why you want to be an alpha/beta tester or sponsor.
Thomas Mackenzie & Duncan Alderson
upSploit
by tmac on Jun.11, 2010, under Conferences, Interviews, Personal, Projects
As some of you may have seen on Twitter, I have been working on a new project this summer called upSploit. I am due to give a lightning talk at BruCON 2010 about the project and hopefully will be talking at AppSEC Ireland in September about it too, CFP permitting.
The project is my brainchild, and the beta version (the date of which will be announced early next month) is due to the hard work of both myself and Duncan Alderson – @Webantix.
Without revealing any information now, I hope to get you readers on edge for what is going to be a great project to work on in the future and something I hope will help a lot of people.
The official announcement is going to be given on the 1st July 2010, both with a number of blog posts describing the service and hopefully a couple of interviews on some better known security podcasts. Please keep your eye on my blog for more information about upSploit, and if you want to get involved once the announcement has been made, contact us at info [AT] upsploit [DOT] com

the beta logo
Getting Motivated
by tmac on May.17, 2010, under Personal
It isn’t that I cannot get motivated; in fact I pride myself on being very motivated. The problem I have is letting other things get in the way of my productivity. The two biggest problems I have are Twitter and email.
Starting with Twitter, I am addicted. I have to be on all the time, checking what everyone is tweeting, tweeting back. Just keeping in the scene, really. The problem here is that I can be writing a report/essay/reply to an important email and when I get a pop-up on TweetDeck I will abandon it, reply to my tweet and then forget exactly what I was thinking. This is why from now on I will not be using any Twitter app on my computer, just the web front end. I will make sure that the tab doesn’t stay open and that I check Twitter on a timed basis instead of being constantly online. I hope that in doing this my reports and essays are going to be better and I don’t have to redo them.
Emails. I have two email accounts that get mail sent to them (I do have more, but my mail gets forwarded to these two accounts). I use Thunderbird to check my email and have it updating every minute, which means constant emails coming through over and over again. Just like Twitter, when I get an email I cannot resist reading it and then replying; I pride myself on being a quick replier to an email, however my productivity is going down because of it. From now on all my email will again be web based, and it will be checked on a timed basis just like Twitter.
I hope that this will help me be more productive and in turn boost my motivation. This is just the beginning of a series of posts I am going to do on productivity whilst I read Getting Things Done.
Cheers
Projects
by tmac on May.14, 2010, under Personal, Projects
So it has been a while again since I last posted, but that’s with good reason. I have had a couple of exams today, one of which I am sure I passed haha, I have been spending a lot more time at work and I have been spending some time on some projects which I am going to speak to you about now.
SHITcast
SHITcast stands for the Student Hacker Information Podcast, and I co-host the podcast with a fellow student, Matthew Hughes. The show has become quite well liked with students over in America, and we had 50 downloads in less than 24 hours of the last release.
The podcast, although not very well thought out beforehand, does take time out of the day but is something I am really happy doing; it is really fun.
I would like to give a shout to Duncan Alderson/@webantix who built the website found at http://www.shitcast.co.uk, so thank you very much.
Self Promotion
Even though I have a great and stable job over at RandomStorm, it is always good to get your own name out there, and that is why (hopefully) soon, again with the help of Duncan, I will be releasing a new website that is an introduction about myself and links to all of my social networking and “information security stuff”. It is always great to plan for your future and this is something that is hopefully going to help me. As for self promotion, please add me on your LinkedIn account at http://uk.linkedin.com/in/thomasmackenzie1991
Reading
Now I don’t want you all to think I am some machine, so I do take time out of my day to read, in fact too much time. I recently read two books by Peter V. Brett called The Painted Man and The Desert Spear – both of which are amazing. I am currently starting The Lord of the Rings, as that is one book I have never had the chance of reading. I recently bought The Ambassador’s Mission by my favourite author Trudi Canavan, which I am saving for my holiday to Tenerife in June. I also have just bought a book that my boss has built an entire website around called Getting Things Done by David Allen. It is a book about productivity and such like, so I am excited to get my teeth stuck into this tonight.
Travelling
A few posts ago I talked about my travels and here is an update:
June – 10 days – Tenerife with some friends from College
July – 7 days – Turkey, all inclusive, with my Girlfriend
September – BRUcon 2010 in Brussels and maybe APPsec in Ireland too.
Dundee Talk
by tmac on Apr.09, 2010, under Conferences, Guest speakers, Interviews, Personal, Projects
Last night I performed a new talk that I have been working on called, Web Application Security using DVWA.
The aim of the talk was to get the audience familiar with the DVWA project and how it can be used not to learn how to exploit, but to learn how to stop attackers compromising the web application.
The talk consisted of three parts. I talked about myself slightly and introduced what I do. I then went on to talk about the DVWA project: what it is, what is happening to it, what it does, how it works and who created it. Finally I talked about the command execution vulnerability and reflected cross-site scripting, and how the low, medium and high security levels can help a web developer secure the web app and understand how applications can be vulnerable to attack.
There were some good questions asked at the end and thankfully I could answer them all.
All in all I thought the talk went really well. There are a few things that I need to tweak slightly for future talks, but apart from that I now have my first talk that I can give at other conferences/user groups. So if anyone is reading this and would like to hear the talk at their conference or user group, drop me a tweet @tmacuk or an email at tmac<—@—>tmacuk.co.uk and we can arrange me coming and giving the talk.
The talk was recorded and I will upload it as soon as possible.
Cheers,
Update/Apologies/Travels
by tmac on Mar.28, 2010, under Conferences, Guest speakers, Personal, Projects
Preamble
First of all, please allow me to apologize for my lack of updates to the blog. I have been super busy; what with work/university/small projects I haven’t had time to think about anything else.
The aim of this post is to let you know what I have been up to, what I am getting up to soon and my plans for the future up until September. After this blog post, I will aim to get a more technical one released by Friday at the latest.
RandomStorm
Back on the 23rd of February I posted this blog post http://tmacuk.co.uk/?p=204. I started work on the 1st of March and have been super busy with work. It has been a great first month; I have really enjoyed myself. The company is amazing, always there to give you a hand when you need it, and the employees are just as great. So thanks guys for a great first month, and I am looking forward to next month, after my exams, when I can begin to work full time over the summer.
University
So recently University has got a whole lot harder. I have an assignment due in on Wednesday for Networking Technology, an assignment in which we have to compare the results of a wired and a wireless network, both simulated and real life. The problem isn’t comparing the results, or even creating these networks; the problem is the simulation package. The university have apparently spent 100k on a piece of software named ITGURU. ITGURU is shit. Well actually, let me rephrase that: ITGURU is good, if we were told how to use it. I feel at the moment we have just been chucked the software and told “there you go, make me something at the end of the month”. It isn’t just me; the class are feeling the strain. The problem is that we cannot ask for an extension because it is the end of term!
I also have another two assignments due in for the end of April, which seems stupid as we break up for Easter on Thursday, come back for a week at the end of April, and then that is it, unless we have exams. ONE WEEK where I have to go into University, when instead I could be earning myself some money for the places I am planning on going, which I will talk about next.
Traveling/Conferences
- So starting from this month up until September it looks like I will be getting over my fear of flying. I am planning on going to a few local meetings and then starting to branch out from the 16th of April.
- Tomorrow I will be attending SuperMondays http://www.supermondays.org – John Lunn from PayPal will be coming to talk about mobile payments. John has worked within fraud systems for over 15 years and I hope to learn some things about the security PayPal incorporates into their mobile payment systems.
- I will be spending a week with my girlfriend in the Peak District (where she lives) from the 1st April.
- On April 8th I will be heading to Dundee to speak at a LUG and possibly at the University, but that is still being decided. More information further down.
- On the 16th of April I will be flying out to Dublin, Ireland. I am going to the LiveCD training there.
“This CD collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This presentation aims to provide a showcase for the great OWASP tools and documentation materials available in the CD, tips and tricks, and also some introductory stuff regarding code review and penetration testing. Training is aimed at introductory/intermediate level in terms of pen testing, code review and tools.”
- On April 21st I will be attending NEBytes http://www.nebytes.net/ for a presentation on Office 2010 and SQL injection attacks and defense.
- I may be heading off to London on the 28th/29th of April for the last day of InfoSec http://www.infosec.co.uk/; that all really depends on whether work say it is worth me going.
- Hopefully sometime in between this and the next con I will be going away somewhere Spanish with my girlfriend.
- On the 3rd of September I am going to Ireland again, this time for a couple of days to attend Ireland AppSec – http://www.owasp.org/index.php/Ireland
- Then the best one:
BRUCON!!!! http://2010.brucon.org – I AM SO EXCITED! 24-25th of September.
Projects
So recently I have been spending a lot more time on DVWA, for reasons that follow below. Today, in fact, I found a small bug in one of the vulnerabilities and fixed it, and that fix will be released in the next version. I have also, with the help of Robin Wood, written a sign-up script for DVWA, and Ryan and I are talking about whether that could be included as a vulnerability.
I have been working a lot on tracsec recently, yesterday being a great interview with Janis Sharp – Gary McKinnon’s mother.
Speaking
As mentioned above, I will be travelling up to Dundee on the 8th April to speak at a LUG. My talk is called Web Application Security using DVWA and contains the following:
“Web Application Security with DVWA – Thomas MacKenzie
The talk is going to consist of three sections.
The first section is going to be a brief introduction about myself, my background and how I first got into this line of work.
The second section is going to look at DVWA, which is an open source web application created by Ryan Dewhurst and recently acquired by RandomStorm LTD. DVWA stands for Damn Vulnerable Web Application and was created as an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid teachers/students to teach/learn web application security in a classroom environment.
The third section is going to look at specific web application vulnerabilities, i.e. SQL Injection and Cross Site Scripting, how they work and how they can be prevented. DVWA incorporates a high security level which will be used here to present what security should be in place in that particular environment.”
I may be giving a similar talk at Abertay Dundee University to the third year students; however, as said above, this is still being decided.
If anyone is interested in hearing the talk, or would like me to do the same talk somewhere, drop me an email at tmac<~~@~~>tmacuk.co.uk
Cheers
tmAcUK
p.s. if someone can suggest somewhere else to travel to for a con etc. that is relatively cheap, let me know.
SHITcast: Episode One
by tmac on Mar.12, 2010, under Personal, Projects
Matthew Hughes here! Tom and I made a podcast that lives up to its name! It’s called SHITcast. It’s Creative Commons licensed and it features banter about life at university and tech news. You can check it out at my respective blog, here.
Also, many thanks to @rcassidy from twitter, who let me use his bandwidth and space whilst my university internet was playing up. You’re a gent!
Matthew Hughes
interview about wordpress security fix
by tmac on Mar.10, 2010, under Hacks, Interviews, Personal
http://hackerpublicradio.org/eps/hpr0526.mp3
Arron Finnon (f1nux) – www.finux.co.uk – interviewed me about the security vulnerability that I found in WordPress.
RandomStorm Limited
by tmac on Feb.23, 2010, under Personal
As of Monday 1st March I will be an employee of RandomStorm Limited. I will be undertaking the role of Security Engineer and conducting Web Application and Network Penetration Testing.
It is great to be asked to join such a great company and I look forward to being on the team to develop my knowledge further. For more information on RandomStorm and their great services please visit: http://www.randomstorm.com and follow them on Twitter @RandomStorm
tmacuk
It has come to my attention…
by tmac on Feb.16, 2010, under Hacks, Personal, Projects
It has come to my attention that some people are upset about the bug that I found in WP, as apparently someone else had reported it.
Well, the truth is that, looking into it now, that has been the case. The reason that I did not find it before is that the bug wasn’t named how I myself thought it should have been. Nonetheless, this person did find the bug and does deserve credit, in the sense that they did try to go to WP to explain but were not successful.
caesarsgrunt – http://profiles.wordpress.org/caesarsgrunt
You can find more information here – http://hakre.wordpress.com/2010/02/16/the-short-memory-of-wordpress-org-security/
Please note that I put a lot of hard work into finding and emulating this bug. I emailed WordPress directly with the advisory and I also have screenshots of how exactly the bug itself works.