[ISN] Leaked Bug Alerts Cause a Stir

From: InfoSec News (isnat_private)
Date: Thu Mar 20 2003 - 23:05:06 PST


By Brian McWilliams
March 19, 2003

Riley Hassell was bewildered this week when details from a confidential bug report he had written mysteriously showed up on a popular security mailing list.

Hassell, a security researcher for eEye Digital Security, had explained in writing a flaw he discovered in widely used Internet software from Sun Microsystems. The problem was so severe that Hassell had agreed to keep his advisory secret for several weeks until Sun and other vendors could create fixes for the affected applications.

But an anonymous person using the e-mail account Hack4lifeat_private apparently thought the information shouldn't be kept under wraps.

On Sunday, Hack4life posted an advisory containing the bug's specifics to the Full-Disclosure security mailing list. Hack4life also posted a warning about a separate security flaw discovered by researchers at MIT that wasn't supposed to be published until June.

Hack4life apparently intercepted both documents from the Computer Emergency Response Team, a federally funded security information clearinghouse. CERT officials confirmed this week that CERT had been working with eEye and MIT researchers to coordinate the release of the advisories. According to CERT, intruders may have hacked into systems operated by any of the dozens of affected vendors who received advance copies of the advisories.

"It is possible that these messages were posted as a result of a compromise of a vendor's system, and we are advising them to look for signs of a compromise," said Shawn Hernan, vulnerability handling team leader for CERT.

Many read the incident as a protest over CERT's attempt to control the vulnerability disclosure process. When notified by researchers about security bugs, CERT typically works with vendors to prepare software patches prior to the public release of the vulnerability information. CERT also gives an advance warning about flaws to members of the Internet Security Alliance, an information-sharing consortium. ISA members pay a fee to CERT to receive early notification of vulnerability information.

In January, Mark Litchfield, a security researcher with NGS Software, threatened to boycott CERT after learning that information his company confidentially provided to the clearinghouse was distributed first to ISA, and only weeks later to the general public.

In an e-mail interview, Litchfield said he was not aware of the weekend CERT leaks. But he didn't seem surprised that the group could be vulnerable to occasional security glitches.

"Just goes to show how much they can actually be trusted," he wrote.

Chris Wysopal, director of research and development for AtStake, said the leaked advisories point out the fragility of CERT's information-handling process.

"The pre-release vulnerability info flow is a juicy and obvious target," he said.

E-mail exchanges between CERT and affected vendors often contain details about reproducing and exploiting vulnerabilities that are censored from reports released to the public. Leaks of such information can put vendors and their customers at great risk, Wysopal

Hernan said CERT uses encryption to protect unpublished advisories from prying eyes. But while CERT is still investigating the incident, Hernan did not express optimism that the perpetrator could be caught.

"Ultimately, if an individual chooses to take information and post it anonymously to a mailing list, that's a difficult thing to track down," he said.

Hack4life did not explain the motive behind posting the CERT advisories. In an e-mail interview, Hack4life said only that the leaked reports were "draft CERT advisories sent to a vendor before release," but did not immediately respond to requests for more

In response to the leak, Hassell said eEye would shortly be releasing its advisory on the Sun security flaw, which lies in a set of software libraries used by many Unix programs.

In an attempt to mitigate damage from the leaked advisories, MIT security researcher Tom Yu requested that his paper be removed from the Full-Disclosure archive, according to list moderator Len Rose. Yu's paper, co-authored with MIT colleague Sam Hartman, was the basis for a draft CERT vulnerability note detailing cryptographic flaws in the Kerberos authentication protocol.

Also among the CERT reports posted without authorization was a third advisory based on an article about attacks on the OpenSSL Internet security standard published by researchers at Stanford University earlier this month.

In a posting to the list Monday, Rose said he refused Yu's request, because such a move would violate the editorial integrity of the list's archives. Yu was not immediately available for comment.

CERT representatives declined to say when the organization planned to release official versions of the leaked advisories.
ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Fri Mar 21 2003 - 02:15:53 PST