[ISN] When to Shed Light

From: InfoSec News (isnat_private)
Date: Tue Jun 17 2003 - 00:14:25 PDT

  • Next message: InfoSec News: "[ISN] Never mind the hacker outside, beware the hacker within"

    http://www.eweek.com/article2/0,3959,1128749,00.asp
    
    By Dennis Fisher
    June 16, 2003 
    
    Until recently, software security vulnerabilities were discovered
    mostly by chance and by developers, security specialists or other
    professionals. Once the flaw was discovered, news about it spread
    slowly and typically by word of mouth on bulletin boards or perhaps
    the occasional security lecture.
    
    The huge network of security researchers - independent or otherwise -
    who race to find the next big vulnerability in Windows or Apache, for
    example, is a recent phenomenon.
    
    So, too, are the overlapping and interconnected mailing lists on which
    the researchers publish their vulnerability bulletins. Lists such as
    BugTraq and Full Disclosure were founded to give administrators and
    other IT professionals a place to get early information on developing
    software problems.
    
    But the amount of publicity and attention security has commanded in
    recent years has brought new, less experienced and less disciplined
    people into the security community. This, in turn, has led to
    vulnerability reports being published before patches are available,
    bulletins being stolen from researchers' computers and posted without
    their knowledge, and a litany of other problems.
    
    This chaos has led some in the community to question whether
    vulnerability research and disclosure, in its current form, does more
    harm than good. One side of the debate argues that because there is
    essentially an infinite number of potential vulnerabilities in
    software, finding and fixing a handful every year has no effect on the
    overall security landscape. On the other hand, since disclosing a
    vulnerability to the public means that good guys and bad guys alike
    get the information, disclosure can actually cause a great deal of
    damage.
    
    "The point is not to say that these folks don't have the right to 
    disclose anything they want - of course, they do. In fact, we must 
    assume that, in general, people are finding vulnerabilities and not 
    disclosing them and [that] they can be used against us," said Pete 
    Lindstrom, research director at Spire Security LLC, in Malvern, Pa. 
    "The point is to demonstrate that those folks that say full disclosure 
    is in some way good for us are actually doing more harm than good. 
    Just think how much better our security might be if the highly skilled 
    people who spend all day, every day, searching for vulnerabilities in 
    software would try to design a security solution."
    
    Other disclosure opponents cite behavioral problems. First, studies 
    and anecdotal evidence have shown that people are slow to apply 
    patches for vulnerabilities, even when the flaw is a high-risk one. A 
    prime example of this is the flaw in Microsoft Corp.'s SQL Server 2000 
    software that became the breeding ground for the Slammer worm. 
    Microsoft issued a patch for the vulnerability in July 2002, warning 
    customers that anyone who exploited the problem would be able to run 
    code on compromised machines.
    
    Six months later, in January of this year, the Slammer worm tore 
    through the Internet, infecting hundreds of thousands of unpatched 
    machines in less than 15 minutes.
    
    Second, attackers rarely, if ever, attack networks by using 
    vulnerabilities that are unknown to the security community. With so 
    many documented, unpatched flaws out there, why bother finding your 
    own?
    
    However, the most-often-repeated counter to these arguments is that 
    disclosing vulnerabilities crackers may already be exploiting gives 
    administrators a chance to catch up and patch their systems. In other 
    words, it is always better to know than to be in the dark.
    
    "Let's not kid ourselves. The bad guys are looking for security bugs, 
    too, and when they find them, they keep the new holes to themselves. 
    They can go around taking over machines at will," said David 
    Litchfield, co-founder of Next Generation Security Software Ltd., in 
    Surrey, England, and a prominent security researcher. "At least with 
    the good guys finding bugs and working with the vendor to get out 
    patches, the battle is somewhat more balanced. Finding new bugs is a 
    considerably harder task than it was a year ago. All the low-hanging 
    fruit, so to speak, has already been plucked. This is a good thing. 
    The bad guys have to invest much more time and resource into finding 
    their new secret hole, and the chances of finding something are 
    reduced."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Jun 17 2003 - 02:26:34 PDT