By Gene J. Koprowski LinuxInsider Part of the ECT News Network
04/02/04 2:19 PM PT
Two years in the making, the Open Source Vulnerability Database (OSVDB) this week debuted online, providing the public with a constantly updated catalog of the Internet's ever-changing security vulnerabilities.
The project is sponsored by Digital Defense and Winterforce and is available at osvdb.org.
The open-source vulnerability project was launched in 2002 following a realization in the security community that no independent, community-operated vulnerability database existed.
"There were, and still are, numerous vulnerability databases," said a statement on the osvdb.org site, which went live March 31st.
"Some of these databases are managed by private interests to meet their own requirements, while others contain a limited subset of vulnerabilities or have significant restrictions on their content. None are simultaneously comprehensive, open for free use, and answerable to the community."
The OSVDB's organizers set out to implement a vulnerability database that meets all those requirements.
Next Stage of Growth Set
The organization behind the project is a virtual one. The collaborators concentrated at first on establishing a core group of project organizers, creating the technical infrastructure to collect and validate vulnerability data, and building a team of contributors to generate the open-source vulnerability records.
"These goals have been met, and the OSVDB team is now planning its next stage of growth," said a statement from the organizers.
In its first few days of operation, the database catalogued a number of vulnerabilities, including an authorization bypass in MyGuestbook. The script contains a flaw that allows a remote attacker, using a crafted URL request, to reach the administrative web panel and its functions, such as adding or deleting database entries.
The entry refers to the discontinued ASP script named MyGuestbook by Elad Rosenberg and not to the PHP/MySQL script called MyGuestbook by Mark Kronsbein, a statement on the site indicated.
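To show the shape of the bug class that entry describes, here is an added illustration in Python. It is not MyGuestbook's own code and not taken from the OSVDB record (the script's real source and the exact request it accepted are not reproduced on this page): a minimal guestbook whose admin actions are reachable by URL alone, beside a version that gates them on server-side session state. The /admin path, the action and id parameters, the sample entries and the session dictionary are assumptions made for the example.

```python
"""Direct-request authorization bypass, illustrated in Python.

Added example, not code from MyGuestbook or from the OSVDB entry. The
/admin path, the action and id parameters, and the session dictionary are
assumptions chosen for illustration.
"""
from urllib.parse import parse_qs, urlsplit


def fresh_entries():
    """Constructed sample guestbook, standing in for the script's database."""
    return {1: "Hello from Alice", 2: "Hi from Bob", 3: "Greetings from Carol"}


def _parse(url):
    """Split a request URL into its path and a flat dict of query parameters."""
    parts = urlsplit(url)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}


def _admin_action(query, entries):
    """Perform an administrative action; shared by both handlers below."""
    action = query.get("action")
    if action == "delete":
        entries.pop(int(query.get("id", "0")), None)
        return 200, "deleted"
    if action == "add":
        new_id = max(entries, default=0) + 1
        entries[new_id] = query.get("text", "")
        return 200, "added"
    return 200, "admin panel"


def vulnerable_handle(url, entries, session):
    """Weak version: reaching /admin is treated as authorization enough.

    The page is not linked from the public guestbook, but nothing checks
    who is asking, so any visitor who types the URL can add or delete
    entries. The session argument is accepted and ignored.
    """
    path, query = _parse(url)
    if path == "/admin":
        return _admin_action(query, entries)
    return 200, "guestbook"


def hardened_handle(url, entries, session):
    """Fixed version: every admin request is gated on server-side state.

    The session dict is assumed to be populated only by a separate login
    step that verified the administrator's credentials; nothing in the URL
    can set it.
    """
    path, query = _parse(url)
    if path == "/admin":
        if not session.get("is_admin"):
            return 403, "forbidden"
        return _admin_action(query, entries)
    return 200, "guestbook"


if __name__ == "__main__":
    crafted = "/admin?action=delete&id=2"
    e = fresh_entries()
    print("vulnerable:", vulnerable_handle(crafted, e, {}), sorted(e))
    e = fresh_entries()
    print("hardened, anonymous:", hardened_handle(crafted, e, {}), sorted(e))
    print("hardened, admin:", hardened_handle(crafted, e, {"is_admin": True}), sorted(e))
```

The point of the comparison is where the decision is made: the weak handler lets the URL decide, so "hiding" the admin page is the only protection, while the hardened handler consults state the client cannot forge. Any check that can be satisfied purely by what the request contains (a query flag, a hidden form field, a cookie the server never signed) is the same bug in a different coat.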
CERT Research
Research from the Computer Emergency Response Team (CERT) indicates the number of computer security vulnerabilities found each year has risen more than 2,000 percent since 1995.
Network operators and computer scientists reckon that tracking these vulnerabilities and their cures is critical for those who protect networked systems against accidental misuse and deliberate attack, from home users and small businesses to globe-spanning enterprises.
But this private-sector initiative is not the only one under way to combat malicious code makers. The Department of Homeland Security and the FBI are tracking malicious code makers and have created a Cyber Terror Response Center.
According to the center, new types of Internet crime are invented every day, and they have the potential to degrade or disrupt critical infrastructures, such as blocking emergency communications or cutting off electricity and water.
The government, for example, recommends that organizations protect against future e-mail-delivered malicious code by "blocking all executable code at their e-mail gateway."
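What "blocking executable code at the gateway" has to mean in practice is shown by this added Python example, which is not the government's recommended tooling or any vendor's product. It contrasts the weak setting, a filter on the declared attachment filename that a renamed file walks past, with a stronger one that also inspects the decoded bytes for the Windows executable header. The extension list, the sample messages and the stand-in executable are constructed for the example.

```python
"""Blocking executable attachments at a mail gateway, illustrated.

Added example, not the government's recommended tooling or any vendor's
product. Two policies are compared: an extension-only filter, which a
renamed file slips past, and a content filter that also checks the decoded
bytes. The extension list and the sample messages are constructed here.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly; a constructed, deliberately short list.
EXEC_EXTENSIONS = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|js|dll)$", re.IGNORECASE)
# Windows PE/DOS executables begin with the bytes "MZ" whatever they are named.
PE_MAGIC = b"MZ"


def extension_filter(msg):
    """Weak policy: decide from the declared attachment filename alone."""
    for part in msg.iter_attachments():
        if EXEC_EXTENSIONS.search(part.get_filename() or ""):
            return "REJECT"
    return "ACCEPT"


def content_filter(msg):
    """Stronger policy: reject on filename or on executable magic bytes."""
    for part in msg.iter_attachments():
        if EXEC_EXTENSIONS.search(part.get_filename() or ""):
            return "REJECT"
        data = part.get_payload(decode=True) or b""
        if data.startswith(PE_MAGIC):
            return "REJECT"
    return "ACCEPT"


def gateway_decision(raw_message):
    """Parse one message as a gateway would and return both verdicts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return extension_filter(msg), content_filter(msg)


def build_message(filename, payload):
    """Constructed sample message (not a captured one) with one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "see attached"
    msg.set_content("Please open the attachment.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Stand-in for a Windows executable: only the "MZ" header matters here.
FAKE_EXE = PE_MAGIC + b"\x90\x00" + b"\x00" * 28


if __name__ == "__main__":
    samples = [("invoice.exe", FAKE_EXE), ("invoice.txt", FAKE_EXE), ("notes.txt", b"plain text")]
    for name, data in samples:
        print(name, gateway_decision(build_message(name, data)))
```

The second sample is the instructive one: an executable renamed to .txt is accepted by the filename filter and rejected by the content filter. Neither policy looks inside archives, so a gateway that passes .zip attachments passes the same file wrapped in one; a real deployment needs recursive unpacking or a decision to block archives too.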
Overblown Threat?
But some computer experts are skeptical about the potential economic impact of Internet crime and terror. George Smith, a senior fellow at GlobalSecurity.org, a think tank in Washington, D.C., that studies security issues, told LinuxInsider that he has followed the issue for years.
The White House, during the Clinton era, used to have an Internet terrorism chief, Richard Clarke, the same individual who last week released the controversial book Against All Enemies.
Smith said it was Clarke who first promulgated the idea of a "digital Pearl Harbor," when in the employ of the government, and who was one of the main sources of government-generated fear about the overblown Y2K phenomenon.
"Unsurprisingly, a two-year review of Clarke literature in the news media shows the public record of the National Security Council advisor's speeches and interviews to be almost utterly devoid of substantive discussion on computer security and cyberterror but rich in cliche and numbingly overreliant on simplistic and unsubstantiated claims," Smith told LinuxInsider.