[ISN] Gartner: Hack contests bad for business

From: InfoSec News (alerts@private)
Date: Wed May 02 2007 - 00:21:08 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9018378

By Gregg Keizer
May 01, 2007
Computerworld

A pair of Gartner analysts today denounced a recent hack challenge that 
uncovered a still-unpatched QuickTime bug, calling it "a risky endeavor" 
and urging sponsors to reconsider such public contests.

The research manager of TippingPoint, the company that paid $10,000 for 
the QuickTime vulnerability and its associated exploit, rebutted by 
saying that at no time was there any danger of the vulnerability 
escaping from responsible parties.

Dino Dai Zovi was the first to hack a MacBook Pro at CanSecWest, a 
Vancouver security conference held two weeks ago. For his trouble, Dai 
Zovi took home the $10,000 prize offered by TippingPoint's Zero Day 
Initiative, a bug bounty program that's been in operation nearly two 
years.

Security researchers have called the QuickTime bug, which can be 
exploited through any Java-enabled browser, "very serious." Apple Inc. 
has yet to patch, or announce when it will patch, the vulnerability.

"Public vulnerability research and 'hacking contests' are risky 
endeavors, and can run contrary to responsible disclosure practices, 
whereby vendors are given an opportunity to develop patches or 
remediation before any public announcements," said analysts Rich Mogull 
and Greg Young in a research note published by Gartner Inc. yesterday.

"Vulnerability research is an extremely valuable endeavor for ensuring 
more secure IT. However, conducting vulnerability research in a public 
venue ... could potentially lead to mishandling or treating too lightly 
these vulnerabilities -- which can turn a well-intentioned action into a 
more ambiguous one, or inadvertently provide assistance to attackers."

"There are a lot of definitions of 'responsible disclosure,'" retorted 
Terri Forslof, TippingPoint's manager of security research. "What it 
means to us is that the vulnerability and its exploit are kept quiet and 
the vendor's given the time to patch the issue.

"It comes down to the facts of the case. The [CanSecWest] organizers 
took great pains to secure the network that was actually used for the 
challenge. As for the idea that this added some risk [that the 
vulnerability would be made public], I don't find it to be the case."

Mogull and Young recommended that security vendors call an end to public 
contests. "Consider ending public vulnerability marketing events, which 
may lead to unanticipated consequences that endanger IT users," they 
concluded.

"This wasn't our idea," Forslof said. "We didn't host this challenge, 
and we didn't organize it. It was an on-the-spot decision [to offer the 
prize]."

Dai Zovi, who dug up the QuickTime bug and crafted an exploit in a 9- to 
10-hour stretch, has said the money wasn't his motivation. "The 
challenge, especially with the time constraint, was the real draw," he 
said last Friday in an e-mail interview.

"On the record, I think all vulnerabilities should be disclosed only 
through the vendor or through a responsible third party," said Forslof. 
"But users were never at risk here."


__________________________
Subscribe to InfoSec News
http://www.infosecnews.org



This archive was generated by hypermail 2.1.3 : Wed May 02 2007 - 00:36:18 PDT