Information Security News mailing list archives

HP Exploit Suit Threat Has Holes


From: InfoSec News <isn () c4i org>
Date: Thu, 8 Aug 2002 03:21:58 -0500 (CDT)

http://www.wired.com/news/technology/0,1282,54297,00.html

By Brian McWilliams 
11:00 a.m. Aug. 2, 2002 PDT 

When Patrick Mueller got a phone call Wednesday from a Hewlett-Packard 
engineer looking for a program to test the security of his Web server, 
alarm bells went off in his head. 

"My first impression was that he was trying to trap us," said Mueller, 
a security analyst with Neohapsis, a network and security consulting 
group located in Chicago. 

Under ordinary circumstances, the HP engineer's request for OpenSSL 
"exploit code" would not have raised eyebrows. But earlier this week, 
HP sent shock waves through the industry when it threatened a lawsuit 
against Secure Network Operations (SnoSoft), a small security firm 
based in Massachusetts. 

In a novel legal argument, HP claimed SnoSoft violated the 1998 
Digital Millennium Copyright Act when one of its researchers released 
an exploit in mid-July that could give remote attackers control of 
systems running HP's Tru64 Unix operating system. In a July 29 letter 
to SnoSoft, HP warned that the incident exposed SnoSoft to potential 
imprisonment and half a million dollars in fines. 

HP's request for help from Neohapsis probably was spurred on by 
Neohapsis being credited Tuesday with discovering a serious security 
bug in OpenSSL, a widely used open-source SSL/TLS cryptographic library. 

After warily conversing with the HP engineer, who identified himself 
as Peter Bobco, a webmaster with the company's Compaq headquarters in 
Houston, Mueller decided the request was legit and passed it on to his 
boss. 

"Sure, we've got an exploit for the OpenSSL bug, but no way are we 
going to let it out, and definitely not to someone from HP," said Greg 
Shipley, Neohapsis' chief technology officer. 

Bobco declined a telephone interview with Wired News Thursday. An HP 
spokesperson said the company was investigating the situation and had 
no immediate comment. 

By threatening SnoSoft with legal action, HP has awkwardly stepped 
into the middle of the debate over what security professionals call 
"full disclosure." At issue is what constitutes the responsible 
handling of vulnerability information and the exploit code that 
demonstrates it. 

To SnoSoft co-founder Adriel T. Desautels, the bizarre timing of 
Bobco's request for Neohapsis' OpenSSL exploit code was like a slap in 
the face. 

"I almost feel insulted by it. We offered to work with HP and help 
them harden their systems in a big way. Yet HP refused our help. And 
now they are out digging for exploit code?" Desautels said Thursday. 

SnoSoft had been working privately with HP for several months on a 
handful of Tru64 bug reports when a SnoSoft researcher without 
authorization posted the exploit to the Bugtraq security mailing list, 
according to Desautels. 

In response to public outcry, HP appears to be backing away from its 
legal threats. According to Desautels, SnoSoft held "positive" talks 
with HP on Thursday that suggested the big computer maker will not 
move ahead with legal action against SnoSoft. 

An HP representative declined to comment on the SnoSoft discussions, 
but did provide a statement that said the letter to SnoSoft "was not 
consistent or indicative of HP's policy. We can say emphatically that 
HP will not use the DMCA to stifle research or impede the flow of 
information that would benefit our customers and improve their system 
security." 

According to Shipley, HP's attempt to make exploit code illegal could 
seriously harm computer security. 

"That's what exploit code is good for -- helping companies develop 
fixes," said Shipley, who noted that Neohapsis only releases such 
proof-of-concept programs to affected vendors and not to the public or 
to researchers who privately request them. 

Accepting demonstration code from bug finders appears to be standard 
practice at HP. A page at the firm's site for reporting security 
vulnerabilities in HP software provides instructions for submitting 
exploits to the company. 

In some instances, new exploits, also known as "zero-days," are also a 
means by which security researchers can privately prod vendors who 
deny vulnerabilities exist. 

"When we told HP that we found (the bugs in Tru64 Unix), they didn't 
take us seriously. Then we created some proof-of-concept-code, and 
their attitude changed," said Desautels. He said SnoSoft's disclosure 
policy generally gives vendors eight days to respond to a 
vulnerability report before going public. In the case of HP, SnoSoft 
agreed to a 45-day grace period, he said. 

System administrators and software developers also rely on such 
programs to test their applications for security flaws. A couple dozen 
U.S. government and military sites have already downloaded the leaked 
SnoSoft exploit, according to a log at the download site. 

Mueller said the irony of Bobco's exploit request was not lost on the 
HP engineer. 

"He was sympathetic and said HP's handling of the whole SnoSoft thing 
made HP look bad but he pointed out that HP was a big company and not 
everyone feels the same way," Mueller said. 

-
ISN is currently hosted by Attrition.org