[ISN] Security pros: We must track the hacks

From: InfoSec News (isnat_private)
Date: Tue Jun 26 2001 - 01:34:00 PDT

  • Next message: InfoSec News: "[ISN] Flaw means virus could disable Norton Anti-Virus"

    By Dennis Fisher
    June 24, 2001 9:00 PM PT
    Two security incidents last week have polarized the parties debating
    the thorny issue of reporting vulnerabilities and exploits, but help
    may be on the way in the form of an industry group with established
    An ad hoc association of security and general-purpose software vendors
    headed by Russ Cooper, moderator of the NTBugtraq mailing list and
    surgeon general at TruSecure, in Reston, Va., is working to establish
    such an industry group. The panel would formalize the way researchers
    handle the reporting of new vulnerabilities and would dispense
    vulnerability and exploit information, first to its members and then
    to the general public, once patches are available.
    Currently, as no such standardized method exists, vulnerabilities and
    their exploit code are sometimes released to the general public before
    vendors are notified, greatly enhancing a hacker's ability to exploit
    security holes.
    Other groups have attempted this feat with varying degrees of success,
    most notably the CERT Coordination Center at Carnegie Mellon
    University, in Pittsburgh. But Cooper said he believes that an
    industry-led group could significantly reduce the number of attacks
    against computer networks.
    "It's better for everyone if we keep [this data] to ourselves," Cooper
    said. "Why not keep it amongst the people who are considered
    responsible security practitioners? Most attackers aren't smart enough
    to write exploits themselves, so they rely on other people to release
    Cooper has spoken with representatives from Microsoft Corp., Sun
    Microsystems Inc. and others about his plans and said he hopes to have
    a final blueprint within two months.
    His efforts come at a time when more and more so-called researchers
    are ignoring the industry practice of notifying and working with the
    vendor to verify a new vulnerability and holding off on disclosing it
    until a patch is ready.
    Cisco flaw
    Just last week, a company called Sentry Research Labs posted an
    advisory on the Bugtraq mailing list about a new flaw in Cisco
    Systems's Trivial FTP Daemon server, apparently without first
    notifying Cisco of the problem. Earlier in the week, eEye Digital
    Security Inc. released a bulletin about a new hole in Microsoft's
    Internet Information Services Web server.
    While eEye did wait to release its advisory until a patch was ready,
    the company has come under fire from security professionals for
    releasing sample exploit code and providing the exact number of bytes
    needed to cause the new buffer overflow.
    "The release of the exploit code is what causes all of the problems,"
    said William Arbaugh, assistant professor of computer science at the
    University of Maryland, in College Park. Arbaugh is also the co-author
    of a paper that analyzes the effect that releasing exploits has on the
    number of attacks on a given vulnerability. "But there's always
    someone who will do it, arguing that the bad guys are going to get it
    anyway," he said.
    However, some administrators argue that disclosing vulnerabilities as
    soon as possible keeps the vendors honest and informs a greater number
    of people about the problem.
    "If no one posted these, how would we ever know about it? The vendors
    wouldn't tell us," said one security specialist, who asked to remain
    Vendors, not surprisingly, said they reject this notion and maintain
    that it's in everyone's best interests for vulnerability data to be
    handled carefully.
    "It doesn't do any good to tell the whole world, because you're just
    letting in the people who will exploit it," said Scott Culp, security
    program manager at Microsoft, in Redmond, Wash. "There should be a
    code of ethics for security professionals, with an end goal of keeping
    the users safe."
    ISN is hosted by SecurityFocus.com
    To unsubscribe email isn-unsubscribeat_private

    This archive was generated by hypermail 2b30 : Tue Jun 26 2001 - 02:14:50 PDT