Re: [ISN] Leaked Bug Alerts Cause a Stir

From: InfoSec News (isnat_private)
Date: Mon Mar 24 2003 - 00:43:22 PST


    Forwarded from: security curmudgeon <jerichoat_private>
    
    > http://www.wired.com/news/infostructure/0,1377,58106,00.html
    >
    > By Brian McWilliams
    > March 19, 2003
    >
    > Riley Hassell was bewildered this week when details from a
    > confidential bug report he had written mysteriously showed up on a
    > popular security mailing list.
    
    > Hack4life apparently intercepted both documents from the Computer
    > Emergency Response Team, a federally funded security information
    > clearinghouse. CERT officials confirmed this week that CERT had been
    > working with eEye and MIT researchers to coordinate the release of
    > the advisories. According to CERT, intruders may have hacked into
    > systems operated by any of the dozens of affected vendors who
    > received advance copies of the advisories.
    >
    > "It is possible that these messages were posted as a result of a
    > compromise of a vendor's system, and we are advising them to look
    > for signs of a compromise," said Shawn Hernan, vulnerability
    > handling team leader for CERT.
    
    > CERT also gives an advance warning about flaws to members of the
    > Internet Security Alliance, an information-sharing consortium. ISA
    > members pay a fee to CERT to receive early notification of
    > vulnerability information.
    
    Shawn Hernan simply can't be that naive .. can he? These pre-warnings
    go to vendors AND members of the ISA, a vulnerability cartel (aka
    information-sharing consortium). Yet he suggests that the vendors
    notified look at their systems for compromise? It had to occur to him
    that one of the vulnerability cartel members has an insecure system or
    upstream that allowed this compromise.
    
    But hey, they are paying customers, can't shine any negative light on
    them right? That's what they are paying for.
    
    > In January, Mark Litchfield, a security researcher with NGS
    > Software, threatened to boycott CERT after learning that information
    > his company confidentially provided to the clearinghouse was
    > distributed first to ISA, and only weeks later to the general
    > public.
    
    How many times has this happened? When is this *federally funded*
    group going to be held accountable for their actions? Our tax dollars
    are funding them to put this information in the hands of people paying
    them money, and not in my hands in a timely fashion.
    
    > In a posting to the list Monday, Rose said he refused Yu's request,
    > because such a move would violate the editorial integrity of the
    > list's archives. Yu was not immediately available for comment.
    
    That and the post would pop up on a dozen web sites within minutes of
    it being pulled down. Does Yu forget this is a mailing list and copies
    of the posts get distributed to thousands of people?
    
    > CERT representatives declined to say when the organization planned
    > to release official versions of the leaked advisories.
    
    Even with leaked draft copies, CERT still can't release anything
    on time. Go figure.
    
    
    
    Previous Cert antics:
    
    CERT Rides the Short Bus
    http://www.attrition.org/security/rant/z/jericho.002.html
    
    Cashing in on Vaporware
    http://www.attrition.org/security/rant/z/jericho.007.html
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Mar 24 2003 - 03:43:35 PST