Security pros: We must track the hacks

posted on June 25, 2001
by hitbsecnews

Two security incidents last week have polarized the parties debating the thorny issue of
reporting vulnerabilities and exploits, but help may be on the way in the form of an industry
group with established protocols.

An ad hoc association of security and general-purpose software vendors headed by Russ Cooper,
moderator of the NTBugtraq mailing list and surgeon general at TruSecure, in Reston, Va., is
working to establish such an industry group. The panel would formalize the way researchers
handle the reporting of new vulnerabilities and would dispense vulnerability and exploit information,
first to its members and then to the general public, once patches are available.

Currently, as no such standardized method exists, vulnerabilities and their exploit code are
sometimes released to the general public before vendors are notified, greatly enhancing a hacker's
ability to exploit security holes.

Other groups have attempted this feat with varying degrees of success, most notably the CERT Coordination Center at Carnegie Mellon University, in Pittsburgh. But Cooper said he believes that an industry-led group could significantly reduce the number of attacks against computer networks.

"It's better for everyone if we keep [this data] to ourselves," Cooper said. "Why not keep it amongst the people who are considered responsible security practitioners? Most attackers aren't smart enough to write exploits themselves, so they rely on other people to release them."

Cooper has spoken with representatives from Microsoft Corp., Sun Microsystems Inc. and others
about his plans and said he hopes to have a final blueprint within two months.

His efforts come at a time when more and more so-called researchers are ignoring the industry
practice of notifying and working with the vendor to verify a new vulnerability and holding off on
disclosing it until a patch is ready.

Cisco flaw
Just last week, a company called Sentry Research Labs posted an advisory on the Bugtraq mailing
list about a new flaw in Cisco Systems' Trivial FTP Daemon server, apparently without first
notifying Cisco of the problem. Earlier in the week, eEye Digital Security Inc. released a bulletin
about a new hole in Microsoft's Internet Information Services Web server.

While eEye did wait to release its advisory until a patch was ready, the company has come under
fire from security professionals for releasing sample exploit code and providing the exact number of
bytes needed to cause the new buffer overflow.

"The release of the exploit code is what causes all of the problems," said William Arbaugh,
assistant professor of computer science at the University of Maryland, in College Park. Arbaugh is
also the co-author of a paper that analyzes the effect that releasing exploits has on the number of
attacks on a given vulnerability. "But there's always someone who will do it, arguing that the bad
guys are going to get it anyway," he said.

However, some administrators argue that disclosing vulnerabilities as soon as possible keeps the
vendors honest and informs a greater number of people about the problem.

"If no one posted these, how would we ever know about it? The vendors wouldn't tell us," said one
security specialist, who asked to remain anonymous.

Vendors, not surprisingly, said they reject this notion and maintain that it's in everyone's best
interests for vulnerability data to be handled carefully.

"It doesn't do any good to tell the whole world, because you're just letting in the people who will
exploit it," said Scott Culp, security program manager at Microsoft, in Redmond, Wash. "There
should be a code of ethics for security professionals, with an end goal of keeping the users safe."
