[ISN] HP Exploit Suit Threat Has Holes

From: InfoSec News (isnat_private)
Date: Thu Aug 08 2002 - 01:21:58 PDT

  • Next message: InfoSec News: "[ISN] Security UPDATE, August 7, 2002"

    By Brian McWilliams 
    11:00 a.m. Aug. 2, 2002 PDT 
    When Patrick Mueller got a phone call Wednesday from a Hewlett-Packard 
    engineer looking for a program to test the security of his Web server, 
    alarm bells went off in his head. 
    "My first impression was that he was trying to trap us," said Mueller, 
    a security analyst with Neohapsis, a network and security consulting 
    group located in Chicago. 
    Under ordinary circumstances, the HP engineer's request for OpenSSL 
    "exploit code" would not have raised eyebrows. But earlier this week, 
    HP sent shock waves through the industry when it threatened a lawsuit 
    against Secure Network Operations (SnoSoft), a small security firm 
    based in Massachusetts. 
    In a novel legal argument, HP claimed SnoSoft violated the 1998 
    Digital Millennium Copyright Act when one of its researchers released 
    an exploit in mid-July that could give remote attackers control of 
    systems running HP's Tru64 Unix operating system. In a July 29 letter 
    to SnoSoft, HP warned that the incident exposed SnoSoft to potential 
    imprisonment and half a million dollars in fines. 
    HP's request for help from Neohapsis probably was spurred on by 
    Neohapsis being credited Tuesday with discovering a serious security 
    bug in OpenSSL, a popular open-source Internet application. 
    After warily conversing with the HP engineer, who identified himself 
    as Peter Bobco, a webmaster with the company's Compaq headquarters in 
    Houston, Mueller decided the request was legit and passed it on to his 
    "Sure, we've got an exploit for the OpenSSL bug, but no way are we 
    going to let it out, and definitely not to someone from HP," said Greg 
    Shipley, Neohapsisí chief technology officer. 
    Bobco declined a telephone interview with Wired News Thursday. An HP 
    spokesperson said the company was investigating the situation and had 
    no immediate comment. 
    By threatening SnoSoft with legal action, HP has awkwardly stepped 
    into the middle of the debate over what security professionals call 
    "full disclosure." At issue is what constitutes the responsible 
    handling of vulnerable information. 
    To SnoSoft co-founder Adriel T. Desautels, the bizarre timing of 
    Bobco's request for Neohapsis' OpenSSL exploit code was like a slap in 
    the face. 
    "I almost feel insulted by it. We offered to work with HP and help 
    them harden their systems in a big way. Yet HP refused our help. And 
    now they are out digging for exploit code?" Desautels said Thursday. 
    SnoSoft had been working privately with HP for several months on a 
    handful of Tru64 bug reports when a SnoSoft researcher without 
    authorization posted the exploit to the Bugtraq security mailing list, 
    according to Desautels. 
    In response to public outcry, HP appears to be backing away from its 
    legal threats. According to Desautels, SnoSoft held "positive" talks 
    with HP on Thursday that suggested the big computer maker will not 
    move ahead with legal action against SnoSoft. 
    An HP representative declined to comment on the SnoSoft discussions, 
    but did provide a statement that said the letter to SnoSoft "was not 
    consistent or indicative of HP's policy. We can say emphatically that 
    HP will not use the DMCA to stifle research or impede the flow of 
    information that would benefit our customers and improve their system 
    According to Shipley, HP's attempt to make exploit code illegal could 
    seriously harm computer security. 
    "That's what exploit code is good for -- helping companies develop 
    fixes," said Shipley, who noted that Neohapsis only releases such 
    proof-of-concept programs to affected vendors and not to the public or 
    to researchers who privately request them. 
    Accepting demonstration code from bug finders appears to be standard 
    practice at HP. A page at the firm's site for reporting security 
    vulnerabilities in HP software provides instructions for submitting 
    exploits to the company. 
    In some instances, new exploits, also known as "zero-days," are also a 
    means by which security researchers can privately prod vendors who 
    deny vulnerabilities exist. 
    "When we told HP that we found (the bugs in Tru64 Unix), they didn't 
    take us seriously. Then we created some proof-of-concept-code, and 
    their attitude changed," said Desautels. He said SnoSoft's disclosure 
    policy generally gives vendors eight days to respond to a 
    vulnerability report before going public. In the case of HP, SnoSoft 
    agreed to a 45-day grace period, he said. 
    System administrators and software developers also rely on such 
    programs to test their applications for security flaws. A couple dozen 
    U.S. government and military sites have already downloaded the leaked 
    SnoSoft exploit, according to a log at the download site. 
    Mueller said the irony of Bobco's exploit request was not lost on the 
    HP engineer. 
    "He was sympathetic and said HP's handling of the whole SnoSoft thing 
    made HP look bad but he pointed out that HP was a big company and not 
    everyone feels the same way," Mueller said. 
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Aug 08 2002 - 03:46:50 PDT