Information Security News mailing list archives

Miscommunication after flaw found in Apache server software


From: InfoSec News <isn () c4i org>
Date: Wed, 19 Jun 2002 03:35:30 -0500 (CDT)

http://www.nandotimes.com/technology/story/437951p-3506299c.html

By D. IAN HOPPER, AP Technology Writer

WASHINGTON (June 18, 2002 6:47 a.m. EDT) - A security bug was found in
software used by millions of Web sites. Private experts alerted users
and the FBI's computer security division.

The problem is, they didn't tell the maker of the software. Then they
issued the wrong prescription for fixing the problem.

The incident Monday involving Apache's Web software shows that the
system to insulate the Internet from attack - a joint effort of the
government and private companies - is still a long way from perfect.

"It would be good if people would agree on some standards," said Chris
Wysopal of Boston security firm AtStake. "People can't be put at risk
like this again and again."

Internet Security Systems of Atlanta published a warning early Monday
about vulnerabilities in Apache on some computer operating systems.
Apache is used on about 60 percent of Web servers, the computers that
deliver Web pages to the Internet. Many companies, including IBM and
Oracle, create products that rely in part on Apache.

Now ISS is under fire for breaking informal industry agreements by
rushing out the warning - and a partial fix - before coordinating with
Apache developers.

The issue reveals infighting and hasty decisions that have become
common in the computer security industry. Experts say the effect is to
confuse users and possibly cause even more security problems.

Several third-party groups are designed to coordinate computer
security information. But there may be too many - ISS and the Apache
developers chose different ones, and never coordinated with each
other.

ISS researcher Chris Rouland said the company talked to the National
Infrastructure Protection Center, part of the FBI. Apache developer
Mark Cox said his group spoke with researchers at the CERT
Coordination Center, based at Carnegie Mellon University in Pittsburgh
and partially funded by the Defense Department.

Spokesman Bill Pollak said CERT does share information with NIPC, but
would give no specific details on the Apache hole. A spokeswoman for
NIPC had no comment.

The Bush administration has called for the consolidation of government
computer security groups under the proposed Homeland Security
Department, and Bush advisers have admonished the technology community
to share more information with government to protect consumers.

Rouland said ISS was rushing to beat hackers to the punch.

"We didn't set out to burn Apache," Rouland said. "We want to make
sure we notify our customers appropriately."

Rouland said he didn't notify the developers of Apache because they
aren't a formal company. Apache is open-source, meaning that the
software and its blueprints are free and managed by programmers who
coordinate its evolution.

Complicating the matter, Rouland said he didn't trust Cox, who along
with his Apache duties is the senior director of engineering at Red
Hat Software, which distributes the open-source Linux operating
system. Rouland accused Red Hat of taking credit for earlier ISS
research.

Cox said he already knew about the hole from a different researcher,
and that the ISS fix doesn't repair the entire problem.

"If ISS had told us before going public, we could have told them their
patch was insufficient," Cox said. "The fact that they didn't has
caused some problems."
