[ISN] Miscommunication after flaw found in Apache server software

From: InfoSec News (isnat_private)
Date: Wed Jun 19 2002 - 01:35:30 PDT

    By D. IAN HOPPER, AP Technology Writer

    WASHINGTON (June 18, 2002 6:47 a.m. EDT) - A security bug was found in
    software used by millions of Web sites. Private experts alerted users
    and the FBI's computer security division.

    The problem is, they didn't tell the maker of the software. Then they
    issued the wrong prescription for fixing the problem.

    The incident Monday involving Apache's Web software shows that the
    system to insulate the Internet from attack - a joint effort of the
    government and private companies - is still a long way from perfect.

    "It would be good if people would agree on some standards," said Chris
    Wysopal of Boston security firm AtStake. "People can't be put at risk
    like this again and again."

    Internet Security Systems of Atlanta published a warning early Monday
    about vulnerabilities in Apache on some computer operating systems.

    Apache is used on about 60 percent of Web servers, the computers that
    deliver Web pages to the Internet. Many companies, including IBM and
    Oracle, create products that rely in part on Apache.

    Now ISS is under fire for breaking informal industry agreements by
    rushing out the warning - and a partial fix - before coordinating with
    Apache developers.

    The issue reveals infighting and hasty decisions that have become
    common in the computer security industry. Experts say the effect is to
    confuse users and possibly cause even more security problems.

    Several third-party groups are designed to coordinate computer
    security information. But there may be too many - ISS and the Apache
    developers chose different ones, and never coordinated with each

    ISS researcher Chris Rouland said the company talked to the National
    Infrastructure Protection Center, part of the FBI. Apache developer
    Mark Cox said his group spoke with researchers at the CERT
    Coordination Center, based at Carnegie Mellon University in Pittsburgh
    and partially funded by the Defense Department.

    Spokesman Bill Pollak said CERT does share information with NIPC, but
    would give no specific details on the Apache hole. A spokeswoman for
    NIPC had no comment.

    The Bush administration has called for the consolidation of government
    computer security groups under the proposed Homeland Security
    Department, and Bush advisers have admonished the technology community
    to share more information with government to protect consumers.

    Rouland said ISS was rushing to beat hackers to the punch.

    "We didn't set out to burn Apache," Rouland said. "We want to make
    sure we notify our customers appropriately."

    Rouland said he didn't notify the developers of Apache because they
    aren't a formal company. Apache is open-source, meaning that the
    software and its blueprints are free and managed by programmers who
    coordinate its evolution.

    Complicating the matter, Rouland said he didn't trust Cox, who along
    with his Apache duties is the senior director of engineering at Red
    Hat Software, which distributes the open source Linux operating
    system. Rouland accused Red Hat of taking credit for earlier ISS

    Cox said he already knew about the hole from a different researcher,
    and that the ISS fix doesn't repair the entire problem.

    "If ISS had told us before going public, we could have told them their
    patch was insufficient," Cox said. "The fact that they didn't has
    caused some problems."
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Sat Nov 23 2002 - 00:08:32 PST