Posted by jericho
Wed, 05 Oct 2005 07:13:13 GMT
http://news.ft.com/cms/s/48307322-28d9-11da-8a5e-00000e2511c8.html
Disclosure of risk is an ethical dilemma
Published: September 20 2005 16:54 | Last updated: September 20 2005 16:54
When Donald Rumsfeld spoke of “known knowns”, “known unknowns” and “unknown unknowns” the world laughed. But the concepts he outlined are familiar to risk managers.
Computer security knowns and unknowns correspond to risks within systems. A risk exists when a system has a vulnerability and a mechanism exists to exploit it.
Vulnerabilities that can be exploited are quantifiable risks (known knowns), while for those for which there is no exploitation (known unknowns) the impact is unquantifiable.
[..]
Posted in Vulnerability Disclosure | no comments
Posted by jericho
Fri, 16 Sep 2005 10:42:33 GMT
ZDnet Asia had an article recentl, titled “Bug hunters, software firms in uneasy alliance” which brought up the age old full disclosure (or ‘responsible’ disclosure) debate. This prompted a slashdot thread with various comments.
My favorite pop tart, Mary Ann Davidson (chief security officer at Oracle) managed to get quoted again. As usual, she still seems to have this serious disconnect between “responsible disclosure” and “responsible patching”. Let me quote a small portion of the article, see if it jumps out at you too.
Mary Ann Davidson, chief security officer at Oracle, sees security researchers who threaten vendors with disclosure of bugs as a problem, she wrote in a recent perspective piece on News.com. “The reality is that most vendors are trying to do better in vulnerability handling. Most don’t need threats to do so,” Davidson said.
Alexander Kornbrust specializes in security of Oracle products. He went public with details on six security vulnerabilities in Oracle software in July, about two years after he reported the bugs to the software maker and fixes still had not been provided.
Oracle chided Kornbrust as irresponsible for disclosing the data.
These vulnerabilities were disclosed to Oracle on 2003-07-31 and disclosed to the public on 2005-07-19. Three of them were Cross-Site Scripting (XSS), considered by most to be trivial to patch. Who is irresponsible here?
Posted in Vulnerability Disclosure | no comments
Posted by jericho
Wed, 14 Sep 2005 08:23:44 GMT
Recently, Juha-Matti Laurio questioned if there is a trend in releasing vulnerability information via blog entry. While he is right that we are seeing it a bit more frequently, I don’t think it is any different than the dozens of “hacker” or security message forums that consistantly seem to be the first point of disclosure. The other point in the post was how such disclosures may suffer from varying report formats, unofficial comments and vendors not being able to keep up with such blogs. My thoughts:
There is already a huge disparity in vulnerability disclosures as far as the format. Even vendor advisories can vary quite a bit, making it increasingly difficult to parse the information, receive the same type of info, etc. There have been several attempts to standardize such disclosures, and it is even something I harped on at the last CanSec conference. Trying to get such a diverse group of researchers to use a single format, or even include a base amount of information is likely a pipe dream.
Unofficial comments are something that would affect not only blogs, but message forums and even mail lists. There are times when someone will post to Bugtraq, but subsequent replies are cross-posted to Vuln-Dev or other lists for further discussion. Some vulnerability databases also tend to miss new information (and even new vulnerabilities) in such replies, as if anything with “re:” in the subject gets ignored.
Vendors can’t keep up with blog entries, there is no question about it. Hell, *we* can’t either as there are dozens of blogs and message forums where people disclose new vulnerabilities. That is a value of having one or two primary sources for such information (Bugtraq & Full-Disclosure for example). One thing folks can do to help this is if they run across such a blog/forum post, dump the contents to one of the bigger mail lists. Include not only the URL, but the text as well (many sites tend to vanish, mail list archives are all over).
Posted in Vulnerability Disclosure | no comments
Posted by jericho
Tue, 02 Aug 2005 07:46:58 GMT
There are far too many articles covering this topic to justify me rewriting the story in my own words. So in summary, relevant links with background. End up with Schneier’s commentary for a good summary and additional links.
BlackHat Briefings: Cisco IOS Security Architecture by Michael Lynn
http://www.blackhat.com/html/bh-usa-05/bh-usa-05-schedule.html
Security researcher quits job and blows whistle on Cisco’s fatal flaws
http://www.boingboing.net/2005/07/27/securityresearcher.html
Cisco, ISS file suit against rogue researcher
http://www.securityfocus.com/news/11259
Cisco Security Hole a Whopper
http://www.wired.com/news/privacy/0,1848,68328,00.html
Cisco Security Advisory: IPv6 Crafted Packet Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml
Cisco, ISS, Michael Lynn and Black Hat sign legal accord
http://www.networkworld.com/news/2005/072805-cisco-settlement.html
Cisco settles dispute with flaw researcher
http://news.com.com/2061-10789_3-5809295.html?part=rss&tag=5809295&subj=news
Text of the Cisco-ISS-Lynn-Black Hat Agreement
http://blogs.washingtonpost.com/securityfix/2005/07/textof_thecis.html
Rick Forno hosts Lynn PDF, gets C&D from ISS
http://www.infowarrior.org/users/rforno/lynn-cisco.pdf
Cisco Harasses Security Researcher
http://www.schneier.com/blog/archives/2005/07/cisco_harasses.html
Posted in Vulnerability Disclosure | no comments
Posted by jericho
Thu, 30 Jun 2005 09:42:14 GMT
http://infosecon.net/workshop/pdf/41.pdf
http://infosecon.net/workshop/slides/weis83.ppt
An Empirical Analysis of Vendor Response to Disclosure Policy
Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang
This version: March 4, 2005
Abstract Software vulnerability disclosure has generated intense interest and debate. In particular, there have been arguments made both in opposition to and in favor of alternatives such as full and instant disclosure and limited or no disclosure. An important consideration in this debate is the behavior of the software vendor. Does vulnerability disclosure policy have an effect on patch release behavior of software vendors? This paper compiles a unique data set from CERT/CC and Security Focus databases to answer this question. Our results suggest that early disclosure has significant positive impact on the vendor patching speed. Open source vendors patch more quickly than closed source vendors and severe vulnerabilities are patched faster. We also find that vendors respond slower to vulnerabilities not disclosed by CERT/CC. This might reflect unmeasured differences in the severity and importance of vulnerabilities. It might also reflect the stronger lines of communication between CERT/CC and vendors, and the value of the vulnerability analysis by CERT/CC. We also find that vendors are more responsible after the 9/11 event.
Keywords: Security vulnerability, disclosure policy, patching speed
Posted in Vulnerability Disclosure | no comments
Posted by jericho
Fri, 24 Jun 2005 08:44:32 GMT
http://infosecon.net/workshop/pdf/10.pdf
The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting
by Andy Ozment
Abstract
Initial attempts to apply software reliability growth models to the process of vulnerability finding relied upon noisy data. Here, a more appropriate data collection process is discussed and employed to identify the age of vulnerabilities in OpenBSD 2.2. A number of models are tested against the data and two are found to have acceptable goodness-of-fit. These models indicate that the pool of vulnerabilities in the system is being depleted. However, models that also fit the data but do not indicate depletion may also exist. While this result is thus not conclusive, it does suggest that more investigation is needed and that, contrary to prior work, vulnerability depletion cannot yet be ruled out. It is thus possible that vulnerability hunting can result in a more secure product and can provide a social benefit. Patch announcements and vulnerability reports are also used to quantitatively (albeit roughly) demonstrate that vulnerabilities are often independently rediscovered within a relatively short time span. This finding provides a quantitative and qualitative rationale for vulnerability disclosure policies intended to pressure vendors into more rapidly providing patches. Although neither result is conclusive, both contradict previous work by providing support for the conclusion that vulnerability hunting is socially useful.
Posted in Vulnerability Disclosure | no comments
Posted by jericho
Wed, 15 Jun 2005 09:52:50 GMT
http://infosecon.net/workshop/pdf/cavusoglu.pdf
http://infosecon.net/workshop/slides/weis43.ppt
EMERGING ISSUES IN RESPONSIBLE VULNERABILITY DISCLOSURE
Hasan Cavusoglu, Huseyin Cavusoglu, Srinivasan Raghunathan
Abstract
Security vulnerability in software is the primary reason for security breaches, and an important challenge for IT professionals is how to manage the disclosure of vulnerability information. The IT security community has proposed several disclosure policies, such as full vendor, immediate public and hybrid, and has debated which of these should be adopted by coordinating agencies such as CERT. Our early study (Cavusoglu et al. 2004a) analyzed the optimal disclosure policy that minimizes social loss when vulnerability affects only one software vendor. In this paper, we extend our early work into three directions in order to sled light on current issues in vulnerability disclosure process. (i) When the vulnerability affects multiple vendors, we show that the coordinator’s optimal policy cannot ensure that every vendor will release a patch. However, when the optimal policy does elicit a patch from each vendor, we show that the coordinator’s grace period in the multiple vendor case falls between the grace periods that it would set individually for the vendors in the single vendor case. (ii)
We analyze the impact of an early discovery, which can be encouraged with proper incentive mechanisms, on the release time of the patch, the grace period, and the social welfare. (iii) We also investigate the impact of an early warning system that provides privileged vulnerability information to selected users before the release of a patch for the vulnerability on the social welfare. Finally, we explore the several policy implications of our results and their relationship with current disclosure practices.
Posted in Vulnerability Disclosure | no comments
Posted by jericho
Fri, 22 Apr 2005 06:24:58 GMT
The last few months have seen a lot more talk about the “Days of Risk”. In short, vendors like Microsoft say the days of risk are the time between vulnerability information (or an exploit) being released and a system being patched. So if a new vulnerability is announced on Tuesday, and I patch on Friday, there were three days of risk. This makes sense.. and this is also why many vendors advocate responsible disclosure and coordinated vulnerability announcements.
So what has been happening lately? I’ve noticed that my Windows XP systems “auto-update” feature is lagging heavily. Vulnerabilities are announced on a Tuesday, and it is as many as six days before my machine will alert me, download and install the patches. The point of this post is to question, is six days a lot of risk? To get an idea, lets look at a few of the recent vulnerabilities announced by Microsoft.
MS05-016, Windows MSHTA Shell Application Association Arbitrary Remote Script Execution
Disclosure: 2005-04-12 // Exploit: 2005-04-13
MS05-021, Exchange Server SMTP Extended Verb Remote Overflow
Disclosure: 2005-04-12 // Exploit: 2005-04-19
MS05-020, IE DHTML Object Memory Corruption Code Execution
Disclosure: 2005-04-12 // Exploit: 2005-04-12
So we have 0 days, 1 day and 7 days. Due to the lag in Microsoft making the patches available (I honestly don’t care what their excuse is), my computers are vulnerable and there is nothing I can do about it. I don’t think I need to address the fact that many of these vulnerabilities had fully working exploit code developed long before the Microsoft advisories either. Sure, they were held by the researchers and not disclosed, but information is shared, information is leaked, and information is stolen. Fact of life that only increases days of risk.
Posted in Vulnerability Disclosure | no comments
Posted by jericho
Sat, 02 Apr 2005 20:09:34 GMT
Software Vendors Should Come Clean on Security Holes
By Jim Rapoza
March 28, 2005
Opinion: When it comes to fixing bugs and vulnerabilities, the Sgt. Schultz approach amounts to nothing.
Most people tend to agree with the old adage: Knowledge is power. But there are some groups that think knowledge is a bad thing— knowledge on the part of others, at least—and these groups work hard to keep people in a state of blissful ignorance.
[..]
Posted in Vulnerability Disclosure | no comments
Posted by jericho
Sat, 02 Apr 2005 04:59:38 GMT
Legal threat stops flaw info release
By Jaikumar Vijayan
MARCH 25, 2005
COMPUTERWORLD
A threat by Sybase Inc. to sue a U.K.-based security research firm if it publicly discloses the details of eight holes it found in Sybase’s database software last year is evoking sharp criticism from some IT managers but sympathetic comments from others.
Blocking the release of vulnerability information “would set a bad precedent” for the software industry, said Tim Powers, senior network administrator at Southwire Co., a Carrollton, Ga.-based maker of electrical wires and cables.
Responsible disclosure of software flaws by vulnerability researchers has “significantly improved” the security of products, Powers said. “Preventing disclosure through the threat of legal action can only hurt security,” he said.
[..]
Posted in Vulnerability Disclosure | 2 comments
