When to Shed Light

[InfoSec News <isn () c4i org>]

http://www.eweek.com/article2/0,3959,1128749,00.asp

By Dennis Fisher
June 16, 2003 

Until recently, software security vulnerabilities were discovered
mostly by chance and by developers, security specialists or other
professionals. Once the flaw was discovered, news about it spread
slowly and typically by word of mouth on bulletin boards or perhaps
the occasional security lecture.

The huge network of security researchers - independent or otherwise -
who race to find the next big vulnerability in Windows or Apache, for
example, is a recent phenomenon.

So, too, are the overlapping and interconnected mailing lists on which
the researchers publish their vulnerability bulletins. Lists such as
BugTraq and Full Disclosure were founded to give administrators and
other IT professionals a place to get early information on developing
software problems.

But the amount of publicity and attention security has commanded in
recent years has brought new, less experienced and less disciplined
people into the security community. This, in turn, has led to
vulnerability reports being published before patches are available,
bulletins being stolen from researchers' computers and posted without
their knowledge, and a litany of other problems.

This chaos has led some in the community to question whether
vulnerability research and disclosure, in its current form, does more
harm than good. One side of the debate argues that because there is
essentially an infinite number of potential vulnerabilities in
software, finding and fixing a handful every year has no effect on the
overall security landscape. On the other hand, since disclosing a
vulnerability to the public means that good guys and bad guys alike
get the information, disclosure can actually cause a great deal of
damage.

"The point is not to say that these folks don't have the right to 
disclose anything they want - of course, they do. In fact, we must 
assume that, in general, people are finding vulnerabilities and not 
disclosing them and [that] they can be used against us," said Pete 
Lindstrom, research director at Spire Security LLC, in Malvern, Pa. 
"The point is to demonstrate that those folks that say full disclosure 
is in some way good for us are actually doing more harm than good. 
Just think how much better our security might be if the highly skilled 
people who spend all day, every day, searching for vulnerabilities in 
software would try to design a security solution."

Other disclosure opponents cite behavioral problems. First, studies 
and anecdotal evidence have shown that people are slow to apply 
patches for vulnerabilities, even when the flaw is a high-risk one. A 
prime example of this is the flaw in Microsoft Corp.'s SQL Server 2000 
software that became the breeding ground for the Slammer worm. 
Microsoft issued a patch for the vulnerability in July 2002, warning 
customers that anyone who exploited the problem would be able to run 
code on compromised machines.

Six months later, in January of this year, the Slammer worm tore 
through the Internet, infecting hundreds of thousands of unpatched 
machines in less than 15 minutes.

Second, attackers rarely, if ever, attack networks by using 
vulnerabilities that are unknown to the security community. With so 
many documented, unpatched flaws out there, why bother finding your 
own?

However, the most-often-repeated counter to these arguments is that 
disclosing vulnerabilities crackers may already be exploiting gives 
administrators a chance to catch up and patch their systems. In other 
words, it is always better to know than to be in the dark.

"Let's not kid ourselves. The bad guys are looking for security bugs, 
too, and when they find them, they keep the new holes to themselves. 
They can go around taking over machines at will," said David 
Litchfield, co-founder of Next Generation Security Software Ltd., in 
Surrey, England, and a prominent security researcher. "At least with 
the good guys finding bugs and working with the vendor to get out 
patches, the battle is somewhat more balanced. Finding new bugs is a 
considerably harder task than it was a year ago. All the low-hanging 
fruit, so to speak, has already been plucked. This is a good thing. 
The bad guys have to invest much more time and resource into finding 
their new secret hole, and the chances of finding something are 
reduced."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.