Ethical Mass-Exploitation 101: Theory and Practice
02-11, 14:00–15:00 (Europe/Amsterdam), Alfred Nobel

DIVD is known for notifying parties running vulnerable software on the IPv4-space. Members of DIVD have given many presentations on this process, but never on the practical approach to ethically confirming the vulnerability in hosts on this scale. During this workshop, the audience is taken along DIVD's fingerprinting process including the practical and ethical considerations of accurate identification. By leveraging Open-Source Intelligence (OSINT), the participants are guided through practical examples of fingerprinting and deweaponizing exploitation of vulnerable software with the goal of finding vulnerable instances at scale.


NOTE: IN ORDER TO PARTICIPATE IN THIS WORKSHOP, A (FREE) SHODAN ACCOUNT IS REQUIRED!

DIVD is known for notifying parties running vulnerable software on the IPv4-space. Members of DIVD have given many presentations on this process, but never on the practical approach to ethically confirming the vulnerability in hosts on this scale. During this workshop, the audience is taken along DIVD's fingerprinting process including the practical and ethical considerations of accurate identification. By leveraging Open-Source Intelligence (OSINT), the participants are guided through practical examples of fingerprinting and deweaponizing exploitation of vulnerable software with the goal of finding vulnerable instances at scale.

The content of the workshop will be as follows:
- Explanation of DIVD's fingerprinting process
- Dutch jurisprudence in the context of Coordinated Vulnerability Disclosure
- The difference and overlap between weaponized, intrusive, deweaponized and ethical fingerprints
- Considerations behind real-life fingerprints
- Common fingerprinting tools and methods
- Practical walkthrough of one to three investigations

The main goal of the workshop is to let participants experience the power of fingerprinting to exercise vulnerability management on public-facing hosts at scale. However, the emphasis will lie on the original Responsible Disclosure problem: how to leverage subsidiarity and proportionality in the identification of vulnerable instances. This means the overarching idea of this workshop is not only to give attendees practical experience with fingerprinting, but also teaches about the origin of Coordinated Vulnerability Disclosure and how to safely conduct it for the people that can use this knowledge.


Language

English

CSIRT member and CNA administrator at the Dutch Institute for Vulnerability Disclosure.

DIVD investigations:
Co-speaker Ralph Horn: https://www.divd.nl/people/Ralph%20Horn/
Max: https://www.divd.nl/people/Max%20van%20der%20Horst/