A reader of my Locksmith newsletter/column brought up a good point in a recent discussion and I suspect other TechRepublic members who don’t read The Locksmith may share the doubts (although why you haven’t subscribed is beyond me (GRIN)) so I wanted to broaden the discussion.
Dukhalion ask what the point is in continually reporting about “threats” and “Bugs” instead of warning the vendor and users as I would if I found a broken door lock on a store. He suggests TR in general myself in particular are letting every wannabe hacker know about the new threats.
(I tried to be responsible in restating Dukhalion’s position and wanted to inform the member directly of this blog post for rebuttal purposes, but there is no contact information in the profile. To be fair you should read Dukalion’s original posts in my recent “Zero Day threat persists” Locksmith (http://www.techrepublic.com/article/5100-1009-6142719.html). I want to be clear I am NOT criticizing Dukalion in any way, simply addressing the important questions raised in the posts.)
To begin, of course what we are doing is metaphorically warning the “store owner” of threats, but a flaw in software potentially affects EVERYONE using it, even people who don’t know they are using it – I can’t knock on everyone’s door and remind them their back door is unlocked. Also, vendors already about any threat I report on because it has already been publicly disclosed or else I don’t post any specifics (as when I recently reported in this blog about a potential new threat to ATM PINs and showed how to temporarily protect yourself but didn’t publish any details. Even that had been privately reported months before but ignored.)
I suspect Dukhalion doesn't understand the real situation here and there are probably other new members who also don’t see the point or think what we do here as reporters is actually exposing them to threats.
When I cover specific threats rather than general procedures, what I report in Locksmith and in the Security blog are problems which are well-known to hackers and usually ones already being exploited for attacks that are already taking place.
I am not reporting anything the bad guys don't know, just bringing reports of the most important new threats to the people who are responsible for the security of networks and other business systems.
That is why I watch dozens of security and hacker boards rather than dissect code myself looking for new threats.
On average there are actually about 100 or more new and publicly disclosed threats each week which I don't report in the column because they either don't apply to any commonly used business platform or are so unlikely to be exploited or so mild a threat that I feel they are unimportant.
I act as a filter to keep security experts from being flooded with unimportant threats every hour of the working day yet still informed of the most critical new threats facing their clients or the networks/users they are responsible for protecting.
That selection process involves a lot of judgment calls (as does all reporting), but I've been involved in computer security since my days as a 360 supervisor and that gives me a certain amount of perspective.
In point of fact, the only time I report on specific vulnerabilities which aren't already being targeted or which aren't so severe that ignoring them would be irresponsible, is when Microsoft or another vendor releases a patch. Even then the vendor doesn’t release proof of concept code and neither do I, even when (as often happens) I have knowledge of the specific way to exploit the vulnerability – THAT would be irresponsible.
Covering vulnerabilities in software isn't like reporting that a single back door has a broken lock, it is reporting that the lock being relied on by thousands of companies has had the master key stolen. Not every situation calls for high-security Medico lock, but security people need to know when someone sells the combination to their model of safe.
My safe cracking books (I actually worked as a REAL locksmith for a major university) have all the possible combinations for various model safes. Often there are only 50 or so for a model and all you need to open a strange safe is try them until one works. I don’t publish those lists and even if someone stole my books, they are all in code.
Dukhalion also challenged the proposition that .DOC file threats to Office are highly vulnerable because of poor design in Word.
Many people don’t understand this situation and it is important.
What you need to know is that .DOC files are designed to retain a lot more hidden code than .RTF files, including macros, and many threats in Word are due to bad guys taking advantage of these macros and other code which are useful in collaborative work within a small group but have no business being in widely distributed documents.
So, back to the original and important question posed by Dukhalion, “What’s the point, techrepublic?”
Since you can’t protect against everything all the time, security experts need to know when to protect a new area because the crooks have found a new way to bypass their security.
That’s the point of warning about new vulnerabilities which are already being exploited by the bad guys or which someone has recklessly and irresponsibly disclosed along with proof of concept code and which, therefore, is almost certainly about to be exploited.