[ISN] Black Hat: Joining Forces to Fight Hacking

From: InfoSec News (isnat_private)
Date: Wed Aug 06 2003 - 00:28:26 PDT


    http://www.eweek.com/article2/0,3959,1205941,00.asp
    
    By Dennis Fisher
    July 28, 2003 
    
    The last few months have seen the revelation of a rash of critical 
    vulnerabilities in a wide variety of software, from Oracle Corp.'s 
    database packages to Windows to Cisco Systems Inc.'s IOS code. And if 
    2003 is to be remembered for being one of the worst years on record 
    for such problems, this week's Black Hat Briefings in Las Vegas may 
    well go down as the event where security researchers began to turn the 
    tide in the fight against faulty code. 
    
    Vulnerability research right now is something of a black art. Its 
    practitioners are often fiercely independent individuals who typically log long 
    hours poring through lines of code and prying into the darkest corners 
    of modern computer systems, searching for the smallest crack, that 
    sliver of daylight that could allow a cracker to slither into the 
    machine and make it his own. And the job is often a thankless one. The 
    security community is sharply divided over the value of independent 
    vulnerability research; some observers feel it leads to better coding 
    practices and more secure networks, while others believe it does 
    nothing but hand crackers a detailed instruction set for breaking into 
    systems. 
    
    Two panel discussions on Wednesday will take on the topic of 
    vulnerability research and try to inject some structure and analysis 
    into the process. In the morning, the Organization for Internet Safety 
    will formally unveil the final version of its long-awaited and 
    much-discussed plan for handling security vulnerability disclosure and 
    reporting. OIS, which is made up of security vendors and software 
    makers including Microsoft Corp., @stake Inc. and BindView Corp. among 
    others, released a draft version of the plan in early June and 
    accepted public comments until July 4. The final version was posted to 
    the group's Web site Monday. 
    
    The "Security Vulnerability Reporting and Response Process" lays out a 
    regimented timeline and set of steps for the interaction between the 
    person who discovers a vulnerability and the vendor or vendors 
    affected by the problem. It addresses a wide range of issues, 
    including how and when to notify the vendor, how the vendor should 
    respond, how long the researcher should wait for a response and how to 
    resolve communications problems or disputes. OIS members said they 
    were happy with the way the comment period went and are satisfied with 
    the final version. 
    
    "Everyone gave a little bit and got their ideas in there. A lot of 
    time when you go through a process like this you end up with something 
    that no one is happy with," said Scott Blake, vice president of 
    information security at Houston-based BindView, who will be on the OIS 
    panel at Black Hat. "That didn't happen here. Everyone is pretty happy 
    with it." 
    
    The goal of all of the structure in OIS' plan is to prevent details of 
    new vulnerabilities from being leaked publicly before vendors and 
    customers have a chance to fix them. To that end, the draft 
    specifically prohibits including "proof of concept code or test code 
    that could readily be turned into an exploit, or detailed technical 
    information such as exact data inputs, buffer offsets or shell code 
    strategies." 
    
    The release of exploit code is a widely criticized practice that 
    infuriates many researchers and virtually all software vendors. 
    Hackers have released exploits for two recent severe vulnerabilities—a 
    weakness in Cisco's IOS software and a buffer overrun in the 
    Remote Procedure Call service in Windows—and such code is often used 
    as the basis for worms. 
    
    In an afternoon session at Black Hat Wednesday, Gerhard Eschelbeck, 
    CTO at Qualys Inc., will discuss a year-long research project he's 
    been conducting on the nature, lifetime, severity and other defining 
    characteristics of vulnerabilities. Eschelbeck has been collecting 
    data from more than 185,000 systems and has compiled information on 
    about 1.1 million vulnerabilities. He will discuss his newly defined 
    "Law of Vulnerabilities" and will also unveil the creation of a free 
    tool related to the research effort. 
    
    Sitting in on a panel discussion of Eschelbeck's research will be Mary 
    Ann Davidson, chief security officer of Oracle; Phil Zimmermann, 
    creator of PGP; Simple Nomad, a senior security analyst at BindView 
    and noted researcher; Richard Thieme, a business consultant; Jeff 
    Moss, CEO of Black Hat Inc.; and JD Glaser, president and CEO of NT 
    Objectives Inc., a security company. 
    
     
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Aug 06 2003 - 03:02:22 PDT