A reader of my Locksmith newsletter/column brought up a good point in a recent discussion and I suspect other TechRepublic members who don’t read The Locksmith may share the doubts (although why you haven’t subscribed is beyond me (GRIN)) so I wanted to broaden the discussion.
Dukhalion asks what the point is in continually reporting about “threats” and “bugs” instead of warning the vendor and users, as I would if I found a broken door lock on a store. He suggests that TR in general, and myself in particular, are letting every wannabe hacker know about the new threats.
(I tried to be responsible in restating Dukhalion’s position and wanted to inform the member directly of this blog post for rebuttal purposes, but there is no contact information in the profile. To be fair, you should read Dukhalion’s original posts in my recent “Zero Day threat persists” Locksmith (http://www.techrepublic.com/article/5100-1009-6142719.html). I want to be clear that I am NOT criticizing Dukhalion in any way, simply addressing the important questions raised in the posts.)
To begin, of course what we are doing is metaphorically warning the “store owner” of threats, but a flaw in software potentially affects EVERYONE using it, even people who don’t know they are using it – I can’t knock on everyone’s door and remind them their back door is unlocked. Also, vendors already know about any threat I report on, because it has already been publicly disclosed; otherwise I don’t post any specifics (as when I recently reported in this blog about a potential new threat to ATM PINs and showed how to temporarily protect yourself but didn’t publish any details. Even that had been privately reported months before but ignored.)
I suspect Dukhalion doesn't understand the real situation here, and there are probably other new members who also don’t see the point, or who think that what we do here as reporters is actually exposing them to threats.
When I cover specific threats rather than general procedures, what I report in Locksmith and in the Security blog are problems which are well-known to hackers and usually ones already being exploited for attacks that are already taking place.
I am not reporting anything the bad guys don't know, just bringing reports of the most important new threats to the people who are responsible for the security of networks and other business systems.
That is why I watch dozens of security and hacker boards rather than dissect code myself looking for new threats.
On average there are actually about 100 or more new and publicly disclosed threats each week which I don't report in the column because they either don't apply to any commonly used business platform or are so unlikely to be exploited or so mild a threat that I feel they are unimportant.
I act as a filter to keep security experts from being flooded with unimportant threats every hour of the working day yet still informed of the most critical new threats facing their clients or the networks/users they are responsible for protecting.
That selection process involves a lot of judgment calls (as does all reporting), but I've been involved in computer security since my days as a 360 supervisor and that gives me a certain amount of perspective.
In point of fact, the only time I report on specific vulnerabilities which aren't already being targeted, or which aren't so severe that ignoring them would be irresponsible, is when Microsoft or another vendor releases a patch. Even then the vendor doesn’t release proof of concept code and neither do I, even when (as often happens) I have knowledge of the specific way to exploit the vulnerability – THAT would be irresponsible.
Covering vulnerabilities in software isn't like reporting that a single back door has a broken lock; it is reporting that the lock being relied on by thousands of companies has had its master key stolen. Not every situation calls for a high-security Medeco lock, but security people need to know when someone sells the combination to their model of safe.
My safe cracking books (I actually worked as a REAL locksmith for a major university) have all the possible combinations for various model safes. Often there are only 50 or so for a model and all you need to open a strange safe is try them until one works. I don’t publish those lists and even if someone stole my books, they are all in code.
Dukhalion also challenged my statement that Office is highly vulnerable to .DOC file threats because of poor design in Word.
Many people don’t understand this situation and it is important.
What you need to know is that .DOC files are designed to retain a lot more hidden code than .RTF files, including macros, and many threats in Word are due to bad guys taking advantage of these macros and other code, which are useful in collaborative work within a small group but have no business being in widely distributed documents.
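As an added illustration of the point above (example code, not part of the original column), here is a small Python triage check a defender can run before a .DOC circulates: a legacy .DOC is an OLE2 compound file, and one that carries macros has directory entries named Macros, VBA and _VBA_PROJECT, stored as UTF-16LE. The OLE2 signature and those stream names are real format details; the sample byte strings are constructed here and are not real documents, and the raw substring scan is assumed as a cheap heuristic rather than a full OLE2 directory walk.

```python
# Added example (not from the column): heuristic triage of a legacy .DOC for
# embedded VBA macro storage.  A .DOC is an OLE2 "compound file"; a document
# that carries macros has directory entries named Macros, VBA and
# _VBA_PROJECT.  Directory entry names are stored as UTF-16LE, so a raw
# substring scan for those names is a cheap first-pass filter.  The scan is a
# heuristic (assumption: no proper directory walk), not a full OLE2 parser.

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound-file signature
MACRO_MARKERS = ("Macros", "VBA", "_VBA_PROJECT")  # only present with a VBA project


def is_ole2(data):
    """True if the blob begins with the OLE2 compound-file signature."""
    return data[:8] == OLE2_MAGIC


def find_macro_markers(data):
    """Return the macro-related directory names found in the blob, matched as
    the UTF-16LE byte strings the OLE2 directory uses."""
    return [name for name in MACRO_MARKERS if name.encode("utf-16-le") in data]


def classify(data):
    """Coarse verdict: 'not-ole2' (e.g. an RTF or plain text file),
    'ole2-no-vba' or 'ole2-with-vba'."""
    if not is_ole2(data):
        return "not-ole2"
    return "ole2-with-vba" if find_macro_markers(data) else "ole2-no-vba"


def _constructed_doc(entry_names):
    """Build a CONSTRUCTED stand-in for a .DOC: the real signature, a padded
    512-byte header, then the directory names in UTF-16LE.  Not a real document."""
    names = b"".join(n.encode("utf-16-le") + b"\x00\x00" for n in entry_names)
    return OLE2_MAGIC + b"\x00" * 504 + names


# Constructed samples: a macro-free document, a document with a VBA project,
# and an RTF fragment (RTF is plain text, so this OLE2 check does not apply to it).
PLAIN_DOC = _constructed_doc(["Root Entry", "WordDocument", "1Table"])
MACRO_DOC = _constructed_doc(["Root Entry", "WordDocument", "Macros", "VBA", "_VBA_PROJECT"])
RTF_TEXT = b"{\\rtf1\\ansi Quarterly figures attached.}"

if __name__ == "__main__":
    for label, blob in (("plain.doc", PLAIN_DOC), ("macro.doc", MACRO_DOC), ("note.rtf", RTF_TEXT)):
        print(f"{label}: {classify(blob)} {find_macro_markers(blob)}")
```

The check is a first-pass filter for mail gateways or file shares, not a verdict: a name can appear inside ordinary document text, so a hit should be confirmed by a proper OLE2 parser (the oletools project's olevba is the usual choice) before a file is quarantined, and a miss does not prove a file is clean.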
So, back to the original and important question posed by Dukhalion, “What’s the point, techrepublic?”
Since you can’t protect against everything all the time, security experts need to know when to protect a new area because the crooks have found a new way to bypass their security.
That’s the point of warning about new vulnerabilities which are already being exploited by the bad guys or which someone has recklessly and irresponsibly disclosed along with proof of concept code and which, therefore, is almost certainly about to be exploited.
Perhaps it's just me and perhaps it's one of those things like when everything had to be prefaced with "cyber" to be cool a few years back. My ears still bleed a little every time I hear the buzz-word BS such as the more current preface "i" on everything to make it sound cool. Far too often these days, mass media uses the term "hacker" when they mean criminal, which does nothing but incite fear among the unknowledgeable. A Hacker is someone with technical skill far and above the norm. Mundanes know how to check their email, Geeks can install an email program and config it just right, Hackers want to know, understand and control every step of the application's process. Anyone seeking to derive profit at the expense of flaws and limited knowledge (social eng) is not a Hacker, they're a criminal who happens to use the information medium instead of a crowbar and burglar's mask. I thought the rest of your points were bang-on though.
- If a threat is being reported, those who would use it for profit knew about it long ago. The media just reported on the FBI remotely activating cell phones to use the mic as a bug for surveillance; this isn't news to those it affects, only the masses it doesn't affect, yet some shmuck had to comment "thank you for telling the criminals".
- Threats should be reported for public education since the public are the last to know about them. The media reported on Bumpkeys two months ago; criminal and hacker alike have known about Bumpkeys for a year or more at least. Flaws should be disclosed to the vendor/developer initially with a grace period, then publicly. My theory is that "security analysts" publicly report found flaws because until recently developers wouldn't believe their oh so high and mighty product could possibly have flaws, unless found by their own staff internally. Hence, viruses (virii) as proof of concept and public disclosure to "motivate" proprietary developers to take reports seriously.
Yes, terminology/semantics is always a problem but no one ever came up with a widely accepted term for the bad guys. Too few people recognize the term "cracker" as a technology bad guy and there has to be some sort of shorthand way of referring to the cyber bad guys, so I often use hacker. In my view there are good hackers and bad hackers and I expect my rather sophisticated readers here to know the difference without going into it in detail every time. I am a proud hacker myself from the days when I got a pre-CoCo terminal and connected to the Internet (not the Web) and even more so when the CoCo itself came out - in those days practically anyone with a computer at home was a hacker and there were no real bad guys because there was nothing bad you could do. It was only later that hackers divided themselves into good and bad guys; often the line was extremely vague, especially when damage was actually caused accidentally. Nevertheless, people who find computer hardware and software flaws are all hackers in my book, it is just that some are criminals or vandals because of the way they use their knowledge.
Just use the term "security cracker". That way, you don't offend bona-fide hackers (in the original sense of the term), and don't lose your audience with a term that is more uncertain in distinct meaning such as "cracker" by itself. It has worked for me in the past. Using the term "hacker" as it is colloquially misused in many popular media venues actually contributes to confusion beyond the confusion over whether "hacker" is meant in a criminal context: it does not differentiate between security crackers, virus writers, and computer/network vandals who neither write code nor crack security. It's not only a good idea to avoid the term "hacker" in reference to criminal activity just because the reputable hackers find it offensive to be slighted by association -- it's also a good idea because the way the term is used in a blanket application by some writers, it loses almost all meaning even if it's understood to be used in a criminal context.
Them QA guys are lax. :D On a more serious note, proprietary software will always have flaws. Whether it's a mistake on the coder's part, a necessity for some other feature to work, or the business deemed it uneconomical to fix. I'll hold my hand up for the first one; the other two only the customer can do something about.
It's getting much better now that security is a focus outside of the uber-techie community and open source has always been far more "open" to reports of flaws. How long did Apple try to suppress reports of a flaw in their network code before they finally hushed it up and quietly released an unrelated patch for the network stack? I saw the osX patch hit my wife's machine a few weeks or so back. Proprietary is more often developed under strict deadlines and budgets so the developers (by no fault of their own) have to produce and do so fast. I make a mess in my code, I go back and clean it up. It's a labour of salary, not a labour of love. Flaws that enable something else to work should cause one to reconsider what the other thing is and why it's so important. MS wants software from dos to run on winXP so we have the onion OS. That's their design goal and it continues to limit their products. As for flaw fixes not being cost effective, well, that's a big issue with the gross profit driven software houses. (services should be the product, not the software) It's usually the really big software houses that affect huge swaths of the user base, and when they decide fixing the mistake they initially made is not worthwhile or disregard the report of some "lowly nobody computer geek" then we have a situation where proof of concept and public disclosure is very viable and responsible. It's the shmucks that take the proof code and write an exploit around it that are irresponsible. Everyone on an individual basis wants better and wants to produce better. I've met only a very few developers who actually want to produce only "good enough to make a buck" software and I truly think it's a position where more true code artists are needed rather than button pushing factory workers.
for twenty years. Producing software commercially even in a competitive market is always cost based. The hardest sells to management are: Do it right in the first place. See, I told you so, can we sort it out now? It's a mindset; no, you don't need to get this in for the new version, you need to get it in for all future versions. A design short cut always costs you more in the long run. We'll worry about that next time; no you won't, you'll worry about the next flaw next time, the last one will be old news. I'm not prescient, there will always be new features I didn't design for, but can I please have the time to cope with the ones that will come up. Please, just once. Rewrite coming up, I have plans, let's see how many of them fail the practicality test in terms of the requirements for doing business.
that even if some criteria aren't agreed with, no-one in this discussion is saying to not post the known exploits.
Of course we weren't going to stop, although I am going to push for more *nix coverage again - we used to do more but didn't get much response - perhaps it is time to try again. But, as you well know from your posts in Locksmith, someone actually did complain that we were being irresponsible by telling hackers about new exploits so the question obviously wasn't moot and needed to be addressed once again.
but some people don't understand that reporting publicly announced exploits is not irresponsible. If you were actively looking for exploits and dispersing the info after finding them, but not reporting to the software vendor, that would be irresponsible :D I personally would give the vendor a max of 7 days before publicising the exploit, no matter who the vendor is or for what bit of software. There is no excuse for them taking longer than 7 days to have it patched and tested to ensure proper functionality. [ but then, I'm a hardcase, and won't cut any slack for stupidity or laziness ] Maybe you can get the PTB to look at expanding it to cover the most severe exploits, all types / platforms. Since most companies have websites, the site script exploits can affect a lot of businesses; everyone has a router or two running some form of unix, and a lot of shops will have a mac or two, on top of windows. Rating on severity only: 1) zero day 2) critical 3) severe 4) high risk would be the levels to report on. The common cross site scripting vulnerability is, to me, at least a high risk level exploit, since the affected sites / scripts are usually ecommerce sites. [ but getting them to approve 30 or 40 website exploits a week might not fly too well :D ]
I know you can't really include everything; even the newsletters from the security groups don't give any real details about most flaws found, and 5 pages of a flaw list is too much for most readers. [ try printing one of secunia's weekly newsletters, 5 pages and it's mostly a list of exploits found with url to more info ] To evaluate any *x exploit, remote code execution on the system level would have to be the highest level. [ like the remote linux kernel exploit I mentioned in an earlier post ] The real problem is knowing if an exploit can leverage root privs and be a system endangering one, or only exploit / endanger user files. With any *x, exploits tend to be lower in risk than with MS software, simply because of the separation in the services software and that each service is usually its own limited user, not the root user. :) Since most business use of *x is in the server room / network appliances, naturally those will be the ones that will get a higher rating for inclusion; they'll have a wider effect than say a kopete im client exploit.
Actually I passed along your earlier *nix comments to my editor and we will probably start having a separate *nix section in a lot of the Locksmith issues. One problem before was that we didn't separate the platforms in an "official" way, so with more critical Windows flaws almost always in the mix the others got pushed out. With a separate *nix section I can post even lower level threats in weeks when there are high-level Windows threats - at least that is the current thinking. I don't have to tell you that it can sometimes be quite difficult to evaluate the threat level of a vulnerability, and it is much more difficult for *nix. Of course there ARE also space considerations and we do try to get breaking threats into the Security blog now that the TR blogs are restricted to staff and freelance contributors. Thank you for your suggestions.
Many new threats are found by the people wanting to own my machines. They usually then post the code on sites for everyone else to improve upon. I want to know about the new threats too. In fact, I want to know about them before all of the rest of the bad guys know. Keep up the great work guys. Keep us informed.
Sure, I had similar arguments in 1982 but a LOT of people in IT today simply weren't around then, or around a decade earlier when I was waiting for an added megabyte of memory to be delivered for a 360-65 (the memory was the size of a small truck and not really a very small one.) Or a decade earlier waiting for someone to invent the compiler or create Unix or C. I've been through these same arguments so many times... But some people are always new to the problems and the arguments and need to work these things out for themselves.
If people don't hear about exploits then they won't know the extent to which their data is at risk. As you say, people need to know where to put their security efforts. It also helps the wider community to learn about the overall quality of various products via tech support personnel when bugs and vulnerabilities are reported. The average office manager may not seek out reports of software problems but the information is disseminated through the computer user community via security techs like us. We have to remain informed so that we can provide guidance when guidance is requested. When a business manager asks a tech for assistance in designing a long term computer strategy, the tech needs to know these sorts of things in order to provide good advice. Yes, reporting vulnerabilities and exploits is important. If nobody reports this kind of information then bad decisions will be made due to ignorance.
In recent days I have been caught up in the hoopla about the Zero Day flaw exploits and wondered about how long this subject has captivated the Tech society as a whole. As a member of TechRepublic, I started to see continuing references to Zero Day flaws and I realized that I too had no clue to what Zero Day meant and wanted to know more about the subject. So to stay better informed, I did a search through tech site archives to find the what's, when's and the fixes for this issue and to my amazement, blog responses dated back more than a year. I know that Microsoft has released so many updates, patches and service packs on its product lines of Operating Systems and Office Suites that could stretch the globe. Seeing myself as a patch happy Tech and fool, I wondered why I haven't had any problems to my user base. This BIG issue and battery of question(s) of: What is Broke? Who Broke It? Who is Continuingly Breaking It? Why are they trying to Break It? and Who is being affected by the Breaks? Now in the categories of these heated discussions there are: the Bashers, the Whiners, the Wise and Reasoners, and the Fixers A Few - Groups. I believe I rank myself with the Wise and Reasoners with a little fixing group. I found some excellent Zero Day blogs dating back to Sept 2005 entitled: Reality Check by Matthew Longmate - and Get A Grip On Reality by Dryflies, that have gone to the heart of the matter. Matthew_Longmate quotes: Software development is nothing more than another arm of manufacturing. Cars are created all the time which have bits that fall off, Toys are mass produced which can be potentially fatal, Foods sold which can cause illness. There is no such thing as a fool proof system, Development is a taxing thing and bug checking is even harder.
There are probably thousands of combinations of OS / Hardware combinations out there which then need to be multiplied by the number of settings which can be altered on a machine and in the registry and that doesn't even take into account other software which interacts with the OS creating vulnerabilities which may or may not interact with your application. You demand new versions of software with cutting edge functionality and you demand it ASAP (As soon as possible). Dryflies quotes: The first reality is that the developer usually does not know about the bug until they are told about it. The second reality is that regardless of the depth of testing it is impossible to find all of the defects in a piece of code given our current state of technology. The third reality is that most vulnerabilities are not dangerous until they are announced. Yes, the black hats do occasionally find vulnerabilities on their own and create exploits before the vulnerability is announced or patched but the vast majority of exploits only appear after the public announcement of a vulnerability. That announcement is usually accompanied with an example of the exploit code. There are more realities out there such as the reality that the behavior of software is no longer completely deterministic. There are an infinite number of paths through any given piece of software and except in the most trivial cases developers are not able to test all of them. I too believe that the wisdoms of man still exist and “If you look hard enough for TRASH and Garbage you will get Trashed with the Bugs the Garbage Attracts.” Rather than complain about what we know that has been broken for a long time, immediately suggest changes and fixes for the collective good.
yes, be more responsible. As I'm sure you know from reading a number of my comments, I follow a lot of the same sources you do for Security Issues, I just think you may need to re-evaluate your criteria for commonly used applications, it seems a little narrow. Like the critical flaw found in the linux kernel friday or saturday does affect a large number of organisations: should the admin wait for the distro patch or get the patch from the kernel developers and build their own kernel to fix the problem? Only the admin can answer, since only they know how critical their linux systems are to their operations, but they do deserve to know that the flaw is there. In many cases, the os level flaws are far more important, because they have a greater effect than the flaw in MS Office binary file formats, and there is not a single company network that is not at some level of risk from a linux kernel flaw; 75% of network appliances are linux powered, including the wireless ones. Cisco uses embedded Linux. I'm not disagreeing with the importance of reporting the zero day problems with MS Office formats, I already refuse any such format because they are known to carry viral payloads in the macro area of the file. It's people taking the time to pound some sense into those who are at risk that is needed. MS Office is a critical security flaw on any system; lock it down, kill its internet access is the minimal response to protect yourself. Getting rid of MS Office and going with any of the 30 office suites available other than MS office is a better option.
In most cases, MS OS and Applications are the flaw in security, productivity and data integrity (piss poor code, everybody has a browser and lock-ins, lock-ins, lock-ins). But hey, it's pretty and well marketed and that's usually what counts for decision makers it seems. I'll make Office or whatever run like an F1 racer at work but it's not touching my home network for anything more than is absolutely forced; win32 for gaming, msOffice for "homework" work files.
Hi, a couple points - actually I do post occasional *nix security notes but there are two main problems there. First, there are so many varieties of *nix that it really is a more fragmented market than you might suspect, so I try to identify both critical and widespread threats. Second is the old chicken and egg problem. Locksmith tends to cover mostly Windows because the readers are mostly Windows users. Sometimes this is simply a space problem and the *nix threats get cut before publication. Most widespread threats are simply in the Windows world today - it used to be MS-DOS and someday it will probably be *nix. Today, for example, the top 7 "notable" advisories on FrSIRT are Yahoo Messenger (ActiveX), Microsoft Word, IE, Word, Sophos AV scan engine, CA BrightStor and MS Media Player. With Apple there is a two-fold problem - first, there usually isn't much people can do until Apple posts a fix and, more importantly, despite what Mac users tend to complain about, it is a small part of the business market. Not an excuse, just explaining my reasoning.
All software has flaws; it's written by human developers, it has flaws somewhere. The difference is that, if the flaws were bacteria, Windows has traditionally been like a nice warm steak where *nix architecture is more like a fridge with no oxygen. Bacteria flourish in the richly oxygenated warm meat while they have a much harder time existing in the cold un-oxygenated environment. The old "but everyone is targeting poor Windows" argument doesn't hold up. If Vista is truly a better product and the focus switches to *nix/osX, there will still be a shorter list of threats/flaws. The very design of the OS is based around security from its start of evolution 30+ years ago; none of this internet explorer touching the kernel crap. The old "but poor windows has a bigger market share so it's a larger target" argument doesn't do it either. Windows (including Vista) is an onion wrapped around msDos with a layer for win95 on through winXP. XP still supports dos applications and flaws. It's evolved from a system that was never meant to be on a network and now employs ongoing Band-Aids to try and make it a network OS. I really hope Vista (and if they create an OS afterward) runs more securely for the uneducated home user's sake but even if computer crime focus changed to *nix, you're dealing with a better design at the fundamental levels.
My focus was more on the "we'll see a dramatic increase in found flaws when *nix gets the attention instead of win32/64" part. Full Disclosure. Absolutely all flaws should be reported and loudly, with at least an attempt to approach the developer to offer a grace period. "Wait until we fix it" doesn't count, I mean like "found this banana in your software, it's being published in seven days. Hop to it." And even then, my *nix is secure rant left out the multitudes of variance of OS (each is separate after all) based on the Unix or Linux kernel. Ubuntu alone is making a Microsoft mistake in running any user as an administrator.
even though unix, and all unix like operating systems, were designed from the ground up for secure, multiuser, networked use, the developers are still human, and they do make mistakes. Bugs do exist, and can create exploitable errors for the *x operating systems. We do deserve to be informed about something as critical as a remotely exploitable kernel bug, so we can take whatever steps are needed to protect our systems. Tech Locksmith wasn't saying that *x doesn't get exploits, only that the PTB killed the exploits for it because of a lack of reader response on them. [ see his comment to my "Tech Locksmith" post below ] I'm poking the TR PTB to be more os agnostic in reporting; it does everyone more good to see stuff about all software, than to just see stuff about one company's products.
since it's used in the network hardware [ routers, firewalls etc ] I know that there are many forms of unix, linux being the most common variant used, especially for cell phones, routers / firewalls, and mission critical servers. I'm not saying list every unix exploit, any more than every windows or mac exploit. [ gods, the exploit patch list for one linux exploit is over 300 items, one for each distro. that is insane to try to list :) ] But a remote execution and corruption of code exploit for the linux kernel is something that has an impact for even windows shops; your network can go down..or be compromised because of it.. linux powered routers. The two kernel level bluetooth exploits published on the lists today aren't critical, since they don't affect any system with no bluetooth devices. [ except for those distros of linux stupid enough to buy into the bloat is good model of apple and microsoft, like Ubuntu, Edubuntu, Kubuntu and Xubuntu. ] When the headline title is for a windows app, I don't read it, since I don't use windows, only linux. I never see anything but windows exploit headlines. [ the reason I cancelled the newsletter after last issue, I hadn't read one in months, all windows headlines / titles ]