http://www.wired.com/news/infostructure/0,1377,58106,00.html

By Brian McWilliams
March 19, 2003

Riley Hassell was bewildered this week when details from a confidential bug report he had written mysteriously showed up on a popular security mailing list.

Hassell, a security researcher for eEye Digital Security, had explained in writing a flaw he discovered in widely used Internet software from Sun Microsystems. The problem was so severe that Hassell had agreed to keep his advisory secret for several weeks until Sun and other vendors could create fixes for the affected applications.

But an anonymous person using the e-mail account Hack4lifeat_private apparently thought the information shouldn't be kept under wraps. On Sunday, Hack4life posted an advisory containing the bug's specifics to the Full-Disclosure security mailing list.

Hack4life also posted a warning about a separate security flaw discovered by researchers at MIT that wasn't supposed to be published until June.

Hack4life apparently intercepted both documents from the Computer Emergency Response Team, a federally funded security information clearinghouse. CERT officials confirmed this week that CERT had been working with eEye and MIT researchers to coordinate the release of the advisories.

According to CERT, intruders may have hacked into systems operated by any of the dozens of affected vendors who received advance copies of the advisories.

"It is possible that these messages were posted as a result of a compromise of a vendor's system, and we are advising them to look for signs of a compromise," said Shawn Hernan, vulnerability handling team leader for CERT.

Many read the incident as a protest over CERT's attempt to control the vulnerability disclosure process. When notified by researchers about security bugs, CERT typically works with vendors to prepare software patches prior to the public release of the vulnerability information.
CERT also gives an advance warning about flaws to members of the Internet Security Alliance, an information-sharing consortium. ISA members pay a fee to CERT to receive early notification of vulnerability information.

In January, Mark Litchfield, a security researcher with NGS Software, threatened to boycott CERT after learning that information his company confidentially provided to the clearinghouse was distributed first to ISA, and only weeks later to the general public.

In an e-mail interview, Litchfield said he was not aware of the weekend CERT leaks. But he didn't seem surprised that the group could be vulnerable to occasional security glitches.

"Just goes to show how much they can actually be trusted," he wrote.

Chris Wysopal, director of research and development for AtStake, said the leaked advisories point out the fragility of CERT's information-handling process.

"The pre-release vulnerability info flow is a juicy and obvious target," he said.

E-mail exchanges between CERT and affected vendors often contain details about reproducing and exploiting vulnerabilities that are censored from reports released to the public. Leaks of such information can put vendors and their customers at great risk, Wysopal said.

Hernan said CERT uses encryption to protect unpublished advisories from prying eyes. But while CERT is still investigating the incident, Hernan did not express optimism that the perpetrator could be caught.

"Ultimately, if an individual chooses to take information and post it anonymously to a mailing list, that's a difficult thing to track down," he said.

Hack4life did not explain the motive behind posting the CERT advisories. In an e-mail interview, Hack4life said only that the leaked reports were "draft CERT advisories sent to a vendor before release," but did not immediately respond to requests for more information.
In response to the leak, Hassell said eEye would shortly be releasing its advisory on the Sun security flaw, which lies in a set of software libraries used by many Unix programs.

In an attempt to mitigate damage from the leaked advisories, MIT security researcher Tom Yu requested that his paper be removed from the Full-Disclosure archive, according to list moderator Len Rose. Yu's paper, co-authored with MIT colleague Sam Hartman, was the basis for a draft CERT vulnerability note detailing cryptographic flaws in the Kerberos authentication protocol.

Also among the CERT reports posted without authorization was a third advisory based on an article about attacks on the OpenSSL Internet security standard published by researchers at Stanford University earlier this month.

In a posting to the list Monday, Rose said he refused Yu's request, because such a move would violate the editorial integrity of the list's archives.

Yu was not immediately available for comment. CERT representatives declined to say when the organization planned to release official versions of the leaked advisories.

-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Mar 21 2003 - 02:15:53 PST