Information Security News mailing list archives

Re: Leaked Bug Alerts Cause a Stir


From: InfoSec News <isn () c4i org>
Date: Mon, 24 Mar 2003 02:43:22 -0600 (CST)

Forwarded from: security curmudgeon <jericho () attrition org>

http://www.wired.com/news/infostructure/0,1377,58106,00.html

By Brian McWilliams
March 19, 2003

Riley Hassell was bewildered this week when details from a
confidential bug report he had written mysteriously showed up on a
popular security mailing list.

Hack4life apparently intercepted both documents from the Computer
Emergency Response Team, a federally funded security information
clearinghouse. CERT officials confirmed this week that CERT had been
working with eEye and MIT researchers to coordinate the release of
the advisories. According to CERT, intruders may have hacked into
systems operated by any of the dozens of affected vendors who
received advance copies of the advisories.

"It is possible that these messages were posted as a result of a
compromise of a vendor's system, and we are advising them to look
for signs of a compromise," said Shawn Hernan, vulnerability
handling team leader for CERT.

CERT also gives an advance warning about flaws to members of the
Internet Security Alliance, an information-sharing consortium. ISA
members pay a fee to CERT to receive early notification of
vulnerability information.

Shawn Hernan simply can't be that naive .. can he? These pre-warnings
go to vendors AND members of the ISA, a vulnerability cartel (aka
information-sharing consortium). Yet he suggests that the vendors
notified look at their systems for compromise? It had to occur to him
that one of the vulnerability cartel members has an insecure system or
upstream that allowed this compromise.

But hey, they are paying customers, can't shine any negative light on
them right? That's what they are paying for.

In January, Mark Litchfield, a security researcher with NGS
Software, threatened to boycott CERT after learning that information
his company confidentially provided to the clearinghouse was
distributed first to ISA, and only weeks later to the general
public.

How many times has this happened? When is this *federally funded*
group going to be held accountable for their actions? Our tax dollars
are funding them to put this information in the hands of people paying
them money, and not in my hands in a timely fashion.

In a posting to the list Monday, Rose said he refused Yu's request,
because such a move would violate the editorial integrity of the
list's archives. Yu was not immediately available for comment.

That and the post would pop up on a dozen web sites within minutes of
it being pulled down. Does Yu forget this is a mailing list and copies
of the posts get distributed to thousands of people?

CERT representatives declined to say when the organization planned
to release official versions of the leaked advisories.

Even with leaked draft copies, CERT still can't release anything
on time. Go figure.



Previous Cert antics:

CERT Rides the Short Bus
http://www.attrition.org/security/rant/z/jericho.002.html

Cashing in on Vaporware
http://www.attrition.org/security/rant/z/jericho.007.html




ISN is currently hosted by Attrition.org