[Dshield] Security Firm May Stay Mum on Vulnerabilities in the Future

Chris Brenton cbrenton at chrisbrenton.org
Tue Aug 9 13:14:24 GMT 2005

On Mon, 2005-08-08 at 23:24, Roger A. Grimes wrote:
> I don't want to start a flame war, but I'm in the small camp that
> doesn't necessarily see the big benefit of public disclosure.

Public disclosure serves two purposes:
1) Motivate the vendor to fix the problem
2) Inform the public at large that there is something that needs to be

I think the whole fiasco with Cisco as of late is a good example of why
both are important, especially #2.

> I found
> dozens of serious bugs over the years and reported them to vendors who
> usually fixed them. Some fixed them right away, some took a while, and a
> few have never been closed. But that's okay, I don't need the bragging
> rights, and most of the bugs were fixed without a single PUBLISHED
> exploit. 

I think the keyword here (as you indicated) is "published". If you found
it, the probability is high that someone else did as well. They however
may have chosen to actually use it.

> Two examples are
> NTFS alternate data streams and macro viruses. AV vendors (Paul, you
> know this better than anyone) knew about these exploit avenues years
> before the first public exploit came out. 

Good example! Let's look at the timeline on this one:
I reported this problem to all major AV vendors in the Spring of 2000.

By the summer, only one of them actually fixed the problem so I released
it as public disclosure.

In 2002 I ran across my first case of an insider using streams to hide
information from corporate IT.

In late 2002 I ran across my first case of a custom virus using streams
to hide keystroke logging information.

In late 2003 is when we saw the first widespread virus that used

Prior to 2003, in every case where I found streams being used for
malicious purposes the IT staff had zero clue that they existed or could
be a security concern. So if nothing else I would argue that we need
*better* public disclosure if for no other reason than to address item
#2 I mentioned above. Security is a whole lot harder to implement when
you are unable to make informed decisions.

> By not publicly disclosing
> them, the vast majority of the world may have slept with false comfort,
> but they also probably didn't get compromised.

Problem is we'll never know because many people fear disclosing such
information. That or since they didn't know what to look for they just
formatted the drive and restarted from scratch.

Look at the Israeli and UK key logging episode that was announced in the
Spring. Reports are it's been going on for *3 years*. They are certainly
not the only ones who have been having this problem for that long.
Problem is people have not really started talking about it till
recently. Had the information been out there sooner, the compromises may
not have gone on as long as they had.

> All I see is public disclosure after public disclosure, followed by POC
> and new worms in days. 

I think part of the problem here is that we've become too good at
finding problems. The constant stream of remote exploits has made us
somewhat numb to their potential implications. Vendors have picked up on
this and just consider it free QC that has little effect on the bottom

With that said, I think evil worms serve their purpose. What's worse, a
highly public worm that your AV software can clean, or an attack that
can fly under the wire because people don't know how/what to look for?
If we all stick our head in the sand, we all end up fighting this battle
alone. If we share information, we're not re-inventing the wheel over
and over and over and over again.

> I've yet to find evidence of a non-disclosed
> zero-day exploit used to compromise my computers,

Consider yourself lucky. I've been directly involved with enough cases
for the both of us. ;-)

> I'm not even arguing about how public disclosure does force vendors to
> respond sooner than they otherwise would. I'm just saying that in
> practical work hours wasted fighting malware, public disclosure has
> NEVER been my friend.

Please don't take this the wrong way, but I think your anger is a bit
displaced. Your problem seems to be with the people who find exploits
and then talk about them. Really it should be with the organization that
created the conditions for the exploit to exist in the first place. Till
we *all* do that, and express that anger with our purchasing dollars,
things will never get any better. 
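The alternate data stream cases above are the one concrete technical detail in this thread, and the point made there is that the IT staff involved had no way to see the streams. As an added example, not from the post or its author, the following PowerShell makes named NTFS streams under a directory tree visible. It assumes Windows PowerShell 3.0 or later on an NTFS volume; `Find-AlternateDataStreams`, the scratch directory and the sample file are names introduced here for the demonstration.

```powershell
# Added example, not part of the original post: list NTFS alternate data
# streams so they are no longer invisible to IT staff. Assumes Windows
# PowerShell 3.0 or later and an NTFS volume; Find-AlternateDataStreams and
# the scratch path are this example's own names.

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Zone.Identifier is the browser "mark of the web" and is expected on
        # downloaded files; skip it unless the caller asks to see everything.
        [switch]$IncludeZoneIdentifier
    )
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns the main ':$DATA' stream plus every named stream.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object {
            $_.Stream -ne ':$DATA' -and
            ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier')
        } |
        Select-Object FileName, Stream, Length
}

# --- constructed demonstration data: a scratch file carrying a named stream ---
$scratch = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$file = Join-Path $scratch 'report.txt'
Set-Content -LiteralPath $file -Value 'visible contents'
# Write a named stream; a plain "dir" or an Explorer listing will not show it,
# and the file's reported size does not include it.
Set-Content -LiteralPath $file -Stream 'hidden' -Value 'contents stored in a named stream'

# The scan reports report.txt with stream "hidden" and its length.
Find-AlternateDataStreams -Root $scratch | Format-Table -AutoSize

# cmd.exe offers the same visibility for a single directory:
#   cmd /c dir /r $scratch

Remove-Item -LiteralPath $scratch -Recurse -Force
```

Run it against a real directory by calling `Find-AlternateDataStreams -Root 'D:\share'` (path is a placeholder); anything listed other than Zone.Identifier deserves a look, since ordinary applications rarely create named streams.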
