CERT, Feds Consider New Reporting Process

[InfoSec News <isn () c4i org>]

Forwarded from: William Knowles <wk () c4i org>

http://www.eweek.com/article2/0,3959,967586,00.asp

By Dennis Fisher
March 24, 2003 

Government officials and private organizations alike are reviewing 
their vulnerability disclosure processes after several incidents over 
the past 10 days exposed major shortcomings in the way new bugs are 
handled. 

The most dramatic case for change came early last week when an 
anonymous member of a security mailing list posted three unpublished 
vulnerability advisories. None of the advisories had been released by 
the authors - or by a third party such as the CERT Coordination 
Center - who typically handle such announcements. The posts were taken 
from advance copies of the advisories that CERT had shared with a 
select group of software vendors, something that has angered CERT 
officials.

"We know that the text was taken directly from messages we shared with 
the vendor community," said Shawn Hernan, team leader for 
vulnerability handling at CERT, based at Carnegie Mellon University, 
in Pittsburgh. "We've always believed that the vendors need advance 
notice. But in this case, someone with access decided to [go] public."

CERT is now considering whether changes can be made to its process for 
handling vulnerabilities. The federal government, meanwhile, is 
discussing ways to centralize vulnerability reporting.

The government is considering a plan to establish a single point of 
contact for vulnerability reporting; researchers would submit 
discoveries to the contact. The government would then work with the 
researcher and the affected vendors to coordinate release of the 
information.

The hope is to avoid leaks and to speed vendor response to security 
problems. However, the Information Assurance and Infrastructure 
Protection division of the Department of Homeland Security is still 
without a leader, clogging any major initiatives, insiders said.

While the Bush administration has found it difficult to fill the top 
information security job, sources say Bob Liscouski, director of 
information integrity and assurance at The Coca-Cola Co., in Atlanta, 
is slated to take the job of assistant undersecretary for IAIP.

Officials at DHS did not respond to requests for comment.

The trouble began when a member of the Full-Disclosure mailing list 
posted three vulnerability reports. Only one of the problems had been 
disclosed previously, and patches were not yet available. All the 
advisories detailed the vulnerabilities and affected products.

All the vulnerability reports were serious. The first, posted March 
15, warned of a cryptographic weakness in the popular Kerberos 
protocol. The second message discussed a timing attack on 
cryptographic keys. The third, posted March 16, concerned a problem in 
a code library contained in Unix-based software from Sun Microsystems 
Inc. and other vendors. The Kerberos bulletin was officially released 
March 17; the details of the timing attack were published on another 
Web site the previous Friday.

The Sun advisory was not released until late Wednesday.

CERT's Hernan estimated there are about 50 vendors that had access to 
all three vulnerability reports. The person who posted the advisories 
to the Full-Disclosure list used an anonymous, secure e-mail service, 
Hushmail, which makes it hard to track the individual down.


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.