Thoughts on scope of coverage

Kurt Seifried

Jan 7, 2022, 12:09:40 AM
to GSD Discussion Group
Thinking about scope of coverage.

CVE traditionally covers:
vulnerability
weakness

I mean it's literally in the name.

For the GSD I'm thinking we should also cover:

malware
not exhaustively of course, but it drives me nuts that there's no good naming for high profile ones/big events

exploitation
e.g. where there's smoke there's usually fire

exploit code
e.g. we may have a piece of malicious code, we're not sure of the exact exploit/mechanism but we know it does something bad

incident
something bad happened, possibly using a new vuln/weakness/etc

backdoor / honeypot / deceptive software
I need a better name for this (maybe it's one category, maybe it's not)

Some examples of these:

Weakness: weird DLL loading issues in Windows system utilities that I certainly never knew about, and I'm betting less than 1% of MCSEs are even aware can exist.
https://github.com/cloudsecurityalliance/gsd-database/blob/main/2022/1000xxx/GSD-2022-1000003.json

deceptive software: The Norton Crypto Miner which is just a classic gift card balance scheme
https://github.com/cloudsecurityalliance/gsd-database/blob/main/2022/1000xxx/GSD-2022-1000002.json

On the incident/honeypot side we have this rather clever Ethereum contract rugpull that netted about $100,000 USD:
https://github.com/cloudsecurityalliance/gsd-database/blob/main/2022/1000xxx/GSD-2022-1000004.json

And this fascinating Twitter thread about some hashrate shenanigans on some chains that share a common hash function:
https://twitter.com/ohgodagirl/status/1476438702003933185?s=11
Which is a perfect example of "nothing bad happened... right? But... did someone just test a new weapon?" basically.
I didn't write it up because sourcing it all will take ages and I'm lazy.



Kurt Seifried (He/Him)
Chief Blockchain Officer and Director of Special Projects
Cloud Security Alliance

Kurt Seifried

Jan 11, 2022, 10:14:56 PM
to GSD Discussion Group
On Thu, Jan 6, 2022 at 10:09 PM Kurt Seifried <ksei...@cloudsecurityalliance.org> wrote:
> Thinking about scope of coverage.
>
> CVE traditionally covers:
> vulnerability
> weakness
>
> I mean it's literally in the name.
>
> For the GSD I'm thinking we should also cover:
>
> malware
> not exhaustively of course, but it drives me nuts that there's no good naming for high profile ones/big events
> exploitation
> e.g. where there's smoke there's usually fire
> exploit code
> e.g. we may have a piece of malicious code, we're not sure of the exact exploit/mechanism but we know it does something bad
> incident
> something bad happened, possibly using a new vuln/weakness/etc
> backdoor / honeypot / deceptive software
> I need a better name for this (maybe it's one category, maybe it's not)


So, some further thinking/experimentation: I think for sure we need some categories/tags. Something can belong to more than one category/tag, e.g. something can be malware and a vulnerability (e.g. malvuln.com content, or a backdoor with exploit code).

So as for the categories/tags:

Vulnerability
Exposure
Malware
Exploitation
Exploit code
Incident
Backdoor
Honeypot
Deceptive software
Intentional (e.g. the color.js thing)
Availability 
Integrity
Confidentiality
"This could have been much worse but we got lucky"

I think part of this is that in some cases the outcome of an issue doesn't just happen to have a confidentiality or availability impact, but rather that's the core of the issue. I also wonder if I'm trying to tag this stuff higher up in order to make up for a lack of CVSS scoring data (offset by the fact that sometimes we don't have a lot of detail, but we know with reasonable certainty it likely has impact X or whatever), who knows. Another tag I'd love to see is "this could have been much worse", e.g. the log4j thing was seen as world-ending (it wasn't, it's messy, but life goes on), and it couldn't have been much worse than it was. The recent color.js thing, on the other hand, could have been far worse: instead of an infinite loop, what if it had a shell port or simply rm -rf /*?


