[ISN] How Much Hack Info Is Too Much?

From: InfoSec News (isnat_private)
Date: Tue Nov 19 2002 - 06:26:03 PST


    By Michelle Delio
    Nov. 19, 2002

    To disclose or not disclose -- it's a question that's been under heavy
    discussion in the computer security industry over the past year.

    U.S. cybersecurity director Richard Clarke and virtually all software
    companies insist that software vendors should have a chance to fix
    problems before security researchers disclose them publicly.

    Researchers counter that without full disclosure, companies often fail
    to swiftly patch security holes. Full disclosure, in theory, also
    alerts computer users to problems that are already known to malicious
    hackers, who often exploit holes before patches become available.

    But a recent post on security news mailing list BugTraq has infuriated
    some who normally favor full disclosure.

    The post details how a bit of programming code embedded in a Web page
    can reformat site visitors' hard drives, deleting all files stored on
    the affected drive. The exploit affects users running Microsoft
    Internet Explorer browser versions 5.5 or 6.0.

    "Even if you are in favor of full disclosure, that post falls far
    outside of the accepted parameters for a public forum," said security
    expert Richard Smith. "I don't understand how publishing this kind of
    malicious code increases security. Symantec (which hosts the
    SecurityFocus website and BugTraq mailing list) is just helping out
    the script kiddies.

    "BugTraq is a moderated list, so it has the choice of what messages
    are sent out to the list and which ones are rejected," Smith added.
    "Why wasn't this message rejected?"

    Symantec spokeswoman Genevieve Haldeman said the vulnerability was
    approved for posting on Bugtraq.

    "The vulnerability is well-known within the security community and the
    information posted on Bugtraq was information that had been copied or
    linked from other public forums," Haldeman said. "This particular
    exploit has the potential to cause tremendous damage to systems, and
    security experts need to be aware that this vulnerability is being
    exploited in the wild to cause damage."

    Haldeman added that Symantec maintains Bugtraq for the security
    community as an independent entity under the SecurityFocus brand.
    The site's purpose is to foster objective reporting by security
    experts on the latest tech threats and attacks. Appropriate content
    would include "specific exploit programs, scripts or detailed
    processes about security vulnerabilities," Haldeman said.

    "It is critical to maintain the integrity of the community. We believe
    that its current disclosure policy is appropriate for the venue,"
    Haldeman said of Bugtraq. "Symantec operates with a separate
    disclosure policy for vulnerabilities found by our customers or

    Smith disagreed.

    "Showing people how to automatically format hard disks from a Web page
    isn't 'full disclosure,'" Smith said. "It is malicious code writing.
    To an outsider, Symantec's actions give the impression that they are
    encouraging people to create and release malicious code. Given that
    Symantec also sells security and antivirus software, I think there is
    a terrible conflict of interest here."

    The exploit in question was originally discovered by security
    researcher Andreas Sandblad earlier in November.

    Since Sandblad published his report, several exploits -- which have
    been demonstrated on a half-dozen or more websites -- have been
    developed. Most of the published exploits did no damage to a user's
    computer, but demonstrated how it was possible to control the affected
    computer remotely.

    Other security experts said publishing the hard-drive exploit was a
    double-edged sword.

    "The new information enabled me to add to some rudimentary precautions
    I'd taken previously based on earlier information," said Gary Flynn, a
    security engineer at James Madison University. "But, of course, it
    also made it easier for others to take advantage of the situation."

    Flynn has posted a Web page documenting the problem and offering
    possible workarounds.

    A Microsoft spokeswoman said the Microsoft Security Response Center
    investigated the security hole as soon as it was reported.

    Some of the possible ways to exploit the hole have already been
    addressed in security patches, the spokeswoman said, but added that
    Microsoft is "investigating the issues discussed in the report, and
    examining whether there are future changes we could make to provide
    additional defense in-depth."
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Tue Nov 19 2002 - 15:10:48 PST