http://software.newsforge.com/article.pl?sid=06/08/08/1351256&from=rss
By: Joe Barr
August 08, 2006
Commentary -- You've probably heard of full disclosure, the security
philosophy that calls for making public all details of vulnerabilities. It
has been the subject of debates among researchers, vendors, and security
firms. But the story that grabbed most of the headlines at the Black Hat
Briefings in Las Vegas last week was based on a different type of
disclosure. For lack of a better name, I'll call it faux disclosure.
Here's why.
Security researchers Dave Maynor of ISS and Johnny Cache -- a.k.a. Jon
Ellch -- demonstrated an exploit that allowed them to install a rootkit on
an Apple laptop in less than a minute. Well, sort of; they showed a video
of it, and also noted that they'd used a third-party Wi-Fi card in the
demo of the exploit, rather than the MacBook's internal Wi-Fi card. But
they said that the exploit would work whether the third-party card --
which they declined to identify -- was inserted in a Mac, Windows, or
Linux laptop.
How is that for murky and non-transparent? The whole world is at risk --
if the exploit is real -- whenever the unidentified card is used. But they
won't say which card, although many sources presume the card is based on
the Atheros chipset, which Apple employs.
It gets worse. Brian Krebs of the Washington Post, who first reported on
the exploit, updated his original story and has reported that Maynor said,
"Apple had leaned on Maynor and Ellch pretty hard not to make this an
issue about the Mac drivers -- mainly because Apple had not fixed the
problem yet."
That's part of what is meant by full disclosure these days -- giving the
vendor a chance fix the vulnerability before letting the whole world know
about it. That way, the thinking goes, the only people who get hurt by it
are the people who get exploited by it. But damage to the responsible
vendor's image is mitigated somewhat, and many in the security business
seem to think that damage control is more important than anything that
might happen to any of the vendor's customers.
Big deal. Publicly traded corporations like Apple and Microsoft and all
the rest have been known to ignore ethics, morality, any consideration of
right or wrong, or anything at all that might divert them from their
ultimate goal: to maximize profits. Because of this, some corporations
only speak the truth when it is in their best interest. Otherwise, they
lie or maintain silence.
I asked Lynn Fox, Apple's director of Mac public relations, two very
direct questions.
1. Are Apple MacBook users at risk using their built-in Wi-Fi
capability?
2. Is Krebs' Washington Post report about Apple pressuring researchers
not to reveal a MacBook Wi-Fi vulnerability/exploit accurate?
I've received no response to that query. Nor do I expect one.
Why don't the researchers disclose what they know anyway? They are not, as
far as we know, on the payroll of Apple or the hardware vendor making the
Wi-Fi gear. I got a clue about a possible reason while chatting with "dead
addict," one of the original organizers of DEFCON.
"dead addict" reminded me of the big blow-up at Black Hat last year, when
Cisco was threatening to shut down the conference in its entirety if part
of a scheduled presentation on a Cisco exploit wasn't removed. By a
strange coincidence, ISS and one of its employees was involved in that
situation, too. The researcher, Michael Lynn, resigned from ISS and then
gave the presentation anyway.
That act threw Cisco and ISS into a stone cold fury. Injunctions were
filed, and the FBI was called in. To me it looks like every legal maneuver
those bad boys at corporate could dream up were hurled at Lynn and Black
Hat.
To protect Cisco's customers? I don't think so. Cisco's customers would
have been better served with the truth, not a coverup.
The point "dead addict" was making is that some researchers can afford to
leave their jobs, or be fired, or be arrested, and some can't. Those are
pretty good reasons not to speak out. They are also a testament to how
corrupt and rotten our system is, when corporate greed and gluttony trump
virtue, and the FBI acts as corporate muscle.
I tried to query Maynor on the subject, to ask him if Krebs' reporting
that pressure from Apple kept him from identifying the MacBook hardware as
being vulnerable to the exploit he demoed at Black Hat was correct. He
hasn't answered either, and I can't say that I blame him. Not everyone can
afford to act like Michael Lynn.
At press time, millions of end users may be using Wi-Fi so insecure that
an attacker could install a rootkit on their system in less than a minute.
Those who know, or at least claim to know -- the researchers, Apple, and
perhaps ISS -- are keeping mum, for reasons known only to Baud and their
lawyers. So at the moment, Apple's current ad campaign about being more
secure than Windows is being kept safe from harm.
But what about the users? Who speaks for them? Remember, we are not
talking about a matter of a few days. This exploit has been trumpeted in
the press at least since June 22, when Robert McMillan first reported on
it and the fact that it would be disclosed at Black Hat. Presumably, the
researchers, or ISS, would have notified the responsible vendors prior to
publication of that story.
If any laptops are compromised as a result of the cone of silence that
apparently has been slapped down on this issue, their lawyers may choose
to call it something other than faux disclosure. Maybe something like
depraved indifference.
_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org
This archive was generated by hypermail 2.1.3 : Wed Aug 09 2006 - 07:40:38 PDT