Information Security News mailing list archives

Security pros: We must track the hacks


From: InfoSec News <isn () c4i org>
Date: Tue, 26 Jun 2001 03:34:00 -0500 (CDT)

http://www.zdnet.com/zdnn/stories/news/0,4586,2779503,00.html

By Dennis Fisher
eWEEK 
June 24, 2001 9:00 PM PT
 
Two security incidents last week have polarized the parties debating
the thorny issue of reporting vulnerabilities and exploits, but help
may be on the way in the form of an industry group with established
protocols.

An ad hoc association of security and general-purpose software vendors
headed by Russ Cooper, moderator of the NTBugtraq mailing list and
surgeon general at TruSecure, in Reston, Va., is working to establish
such an industry group. The panel would formalize the way researchers
handle the reporting of new vulnerabilities and would dispense
vulnerability and exploit information, first to its members and then
to the general public, once patches are available.

Currently, as no such standardized method exists, vulnerabilities and
their exploit code are sometimes released to the general public before
vendors are notified, greatly enhancing a hacker's ability to exploit
security holes.

Other groups have attempted this feat with varying degrees of success,
most notably the CERT Coordination Center at Carnegie Mellon
University, in Pittsburgh. But Cooper said he believes that an
industry-led group could significantly reduce the number of attacks
against computer networks.

"It's better for everyone if we keep [this data] to ourselves," Cooper
said. "Why not keep it amongst the people who are considered
responsible security practitioners? Most attackers aren't smart enough
to write exploits themselves, so they rely on other people to release
them."

Cooper has spoken with representatives from Microsoft Corp., Sun
Microsystems Inc. and others about his plans and said he hopes to have
a final blueprint within two months.

His efforts come at a time when more and more so-called researchers
are ignoring the industry practice of notifying and working with the
vendor to verify a new vulnerability and holding off on disclosing it
until a patch is ready.

Cisco flaw

Just last week, a company called Sentry Research Labs posted an
advisory on the Bugtraq mailing list about a new flaw in Cisco
Systems' Trivial FTP Daemon server, apparently without first
notifying Cisco of the problem. Earlier in the week, eEye Digital
Security Inc. released a bulletin about a new hole in Microsoft's
Internet Information Services Web server.

While eEye did wait to release its advisory until a patch was ready,
the company has come under fire from security professionals for
releasing sample exploit code and providing the exact number of bytes
needed to cause the new buffer overflow.

"The release of the exploit code is what causes all of the problems,"
said William Arbaugh, assistant professor of computer science at the
University of Maryland, in College Park. Arbaugh is also the co-author
of a paper that analyzes the effect that releasing exploits has on the
number of attacks on a given vulnerability. "But there's always
someone who will do it, arguing that the bad guys are going to get it
anyway," he said.

However, some administrators argue that disclosing vulnerabilities as
soon as possible keeps the vendors honest and informs a greater number
of people about the problem.

"If no one posted these, how would we ever know about it? The vendors
wouldn't tell us," said one security specialist, who asked to remain
anonymous.

Vendors, not surprisingly, said they reject this notion and maintain
that it's in everyone's best interests for vulnerability data to be
handled carefully.

"It doesn't do any good to tell the whole world, because you're just
letting in the people who will exploit it," said Scott Culp, security
program manager at Microsoft, in Redmond, Wash. "There should be a
code of ethics for security professionals, with an end goal of keeping
the users safe."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.