[ISN] The Black Hat Wi-Fi exploit coverup?

From: InfoSec News (alerts@private)
Date: Wed Aug 09 2006 - 07:25:21 PDT


http://software.newsforge.com/article.pl?sid=06/08/08/1351256&from=rss

By: Joe Barr
August 08, 2006

Commentary -- You've probably heard of full disclosure, the security 
philosophy that calls for making public all details of vulnerabilities. It 
has been the subject of debates among researchers, vendors, and security 
firms. But the story that grabbed most of the headlines at the Black Hat 
Briefings in Las Vegas last week was based on a different type of 
disclosure. For lack of a better name, I'll call it faux disclosure. 
Here's why.

Security researchers Dave Maynor of ISS and Johnny Cache -- a.k.a. Jon 
Ellch -- demonstrated an exploit that allowed them to install a rootkit on 
an Apple laptop in less than a minute. Well, sort of; they showed a video 
of it, and also noted that they'd used a third-party Wi-Fi card in the 
demo of the exploit, rather than the MacBook's internal Wi-Fi card. But 
they said that the exploit would work whether the third-party card -- 
which they declined to identify -- was inserted in a Mac, Windows, or 
Linux laptop.

How is that for murky and non-transparent? The whole world is at risk -- 
if the exploit is real -- whenever the unidentified card is used. But they 
won't say which card, although many sources presume the card is based on 
the Atheros chipset, which Apple employs.

It gets worse. Brian Krebs of the Washington Post, who first reported on 
the exploit, updated his original story and has reported that Maynor said, 
"Apple had leaned on Maynor and Ellch pretty hard not to make this an 
issue about the Mac drivers -- mainly because Apple had not fixed the 
problem yet."

That's part of what is meant by full disclosure these days -- giving the 
vendor a chance fix the vulnerability before letting the whole world know 
about it. That way, the thinking goes, the only people who get hurt by it 
are the people who get exploited by it. But damage to the responsible 
vendor's image is mitigated somewhat, and many in the security business 
seem to think that damage control is more important than anything that 
might happen to any of the vendor's customers.

Big deal. Publicly traded corporations like Apple and Microsoft and all 
the rest have been known to ignore ethics, morality, any consideration of 
right or wrong, or anything at all that might divert them from their 
ultimate goal: to maximize profits. Because of this, some corporations 
only speak the truth when it is in their best interest. Otherwise, they 
lie or maintain silence.

I asked Lynn Fox, Apple's director of Mac public relations, two very 
direct questions.

    1. Are Apple MacBook users at risk using their built-in Wi-Fi 
       capability?

    2. Is Krebs' Washington Post report about Apple pressuring researchers 
       not to reveal a MacBook Wi-Fi vulnerability/exploit accurate?

I've received no response to that query. Nor do I expect one.

Why don't the researchers disclose what they know anyway? They are not, as 
far as we know, on the payroll of Apple or the hardware vendor making the 
Wi-Fi gear. I got a clue about a possible reason while chatting with "dead 
addict," one of the original organizers of DEFCON.

"dead addict" reminded me of the big blow-up at Black Hat last year, when 
Cisco was threatening to shut down the conference in its entirety if part 
of a scheduled presentation on a Cisco exploit wasn't removed. By a 
strange coincidence, ISS and one of its employees was involved in that 
situation, too. The researcher, Michael Lynn, resigned from ISS and then 
gave the presentation anyway.

That act threw Cisco and ISS into a stone cold fury. Injunctions were 
filed, and the FBI was called in. To me it looks like every legal maneuver 
those bad boys at corporate could dream up were hurled at Lynn and Black 
Hat.

To protect Cisco's customers? I don't think so. Cisco's customers would 
have been better served with the truth, not a coverup.

The point "dead addict" was making is that some researchers can afford to 
leave their jobs, or be fired, or be arrested, and some can't. Those are 
pretty good reasons not to speak out. They are also a testament to how 
corrupt and rotten our system is, when corporate greed and gluttony trump 
virtue, and the FBI acts as corporate muscle.

I tried to query Maynor on the subject, to ask him if Krebs' reporting 
that pressure from Apple kept him from identifying the MacBook hardware as 
being vulnerable to the exploit he demoed at Black Hat was correct. He 
hasn't answered either, and I can't say that I blame him. Not everyone can 
afford to act like Michael Lynn.

At press time, millions of end users may be using Wi-Fi so insecure that 
an attacker could install a rootkit on their system in less than a minute. 
Those who know, or at least claim to know -- the researchers, Apple, and 
perhaps ISS -- are keeping mum, for reasons known only to Baud and their 
lawyers. So at the moment, Apple's current ad campaign about being more 
secure than Windows is being kept safe from harm.

But what about the users? Who speaks for them? Remember, we are not 
talking about a matter of a few days. This exploit has been trumpeted in 
the press at least since June 22, when Robert McMillan first reported on 
it and the fact that it would be disclosed at Black Hat. Presumably, the 
researchers, or ISS, would have notified the responsible vendors prior to 
publication of that story.

If any laptops are compromised as a result of the cone of silence that 
apparently has been slapped down on this issue, their lawyers may choose 
to call it something other than faux disclosure. Maybe something like 
depraved indifference.


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org



This archive was generated by hypermail 2.1.3 : Wed Aug 09 2006 - 07:40:38 PDT