[ISN] CERT, Feds Consider New Reporting Process

From: InfoSec News (isnat_private)
Date: Tue Mar 25 2003 - 00:25:34 PST

  • Next message: InfoSec News: "Re: [ISN] Is SSL safe?"

    Forwarded from: William Knowles <wkat_private>
    By Dennis Fisher
    March 24, 2003 
    Government officials and private organizations alike are reviewing 
    their vulnerability disclosure processes after several incidents over 
    the past 10 days exposed major shortcomings in the way new bugs are 
    The most dramatic case for change came early last week when an 
    anonymous member of a security mailing list posted three unpublished 
    vulnerability advisories. None of the advisories had been released by 
    the authors - or by a third party such as the CERT Coordination 
    Center - who typically handle such announcements. The posts were taken 
    from advance copies of the advisories that CERT had shared with a 
    select group of software vendors, something that has angered CERT 
    "We know that the text was taken directly from messages we shared with 
    the vendor community," said Shawn Hernan, team leader for 
    vulnerability handling at CERT, based at Carnegie Mellon University, 
    in Pittsburgh. "We've always believed that the vendors need advance 
    notice. But in this case, someone with access decided to [go] public."
    CERT is now considering whether changes can be made to its process for 
    handling vulnerabilities. The federal government, meanwhile, is 
    discussing ways to centralize vulnerability reporting.
    The government is considering a plan to establish a single point of 
    contact for vulnerability reporting; researchers would submit 
    discoveries to the contact. The government would then work with the 
    researcher and the affected vendors to coordinate release of the 
    The hope is to avoid leaks and to speed vendor response to security 
    problems. However, the Information Assurance and Infrastructure 
    Protection division of the Department of Homeland Security is still 
    without a leader, clogging any major initiatives, insiders said.
    While the Bush administration has found it difficult to fill the top 
    information security job, sources say Bob Liscouski, director of 
    information integrity and assurance at The Coca-Cola Co., in Atlanta, 
    is slated to take the job of assistant undersecretary for IAIP.
    Officials at DHS did not respond to requests for comment.
    The trouble began when a member of the Full-Disclosure mailing list 
    posted three vulnerability reports. Only one of the problems had been 
    disclosed previously, and patches were not yet available. All the 
    advisories detailed the vulnerabilities and affected products.
    All the vulnerability reports were serious. The first, posted March 
    15, warned of a cryptographic weakness in the popular Kerberos 
    protocol. The second message discussed a timing attack on 
    cryptographic keys. The third, posted March 16, concerned a problem in 
    a code library contained in Unix-based software from Sun Microsystems 
    Inc. and other vendors. The Kerberos bulletin was officially released 
    March 17; the details of the timing attack were published on another 
    Web site the previous Friday.
    The Sun advisory was not released until late Wednesday.
    CERT's Hernan estimated there are about 50 vendors that had access to 
    all three vulnerability reports. The person who posted the advisories 
    to the Full-Disclosure list used an anonymous, secure e-mail service, 
    Hushmail, which makes it hard to track the individual down.
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Mar 25 2003 - 02:50:26 PST