Slashdot Mirror
X-Force Changes Vulnerability Disclosure Policy
BitHive writes "ISS has changed their policy for announcing security vulnerabilities. The new guidelines will give vendors thirty days to come up with a fix before disclosure is made, though there are a number of exceptions that can prompt faster disclosure. From the PC World article, these are: "The vendor issues a patch or announcement; an in-depth discussion of the problem occurs on a public mailing list; active exploitation of any form of the vulnerability occurs on the Internet; ISS receives reliable evidence that a vulnerability is in the wild; the media reports the vulnerability; or the vendor is unresponsive.""
No wonder we spent $40 billion on ISS!
They needed to research and develop their policies.
Whoops.... wrong ISS
What were their old ones? In most circumstances 30 days notice to the vendor is the only responsible way to go. Most companies are responsible enough to turn around a fix in that time.
BTW, the ISS press release is here.
Never approach a vast undertaking with a half-vast plan.
Their criteria sound pretty reasonable to me. They've tried to reach a balance between the rights of sysadmins to know their systems are vulnerable and their responsibility when the tell script kiddies about exploits before they've been fixed.
This appears to be a well-thought-out and practical approach to dealing with security problems in a responsible fashion. Kudos to ISS for the new policy, and for their recent successful docking with the Space Shuttle. Great job, guys!
Heh.. where is YOU FAIL IT! when ya need him? ;)
slashdot!=valid HTML
The only new aspect of this is that the Open Source projects will now be treated like the commercial vendors have been. They've always given the commercial guys lots of time but, there have been several occurrances where open source projects were given the shaft.
The first to come to mind was when Apache was given less than a days notice before they disclosed the vulnerability.
Under the new policy Apache will be given the same 30 days that Microsoft has gotten. Fair's fair.
exploit discovered by people looking for exploits; exploit get exploited and appears in 2600; vendors deny exploit until fix is built; dumb people open all email attachments looking for funny pictures; Anti virus and firewall companies make money; Questionable fix is released but some new exploit has taken the limelight; exploit is denied by vendors...
With an uncertain future, high pricing, and alternatives out there, why do people care what ISS says? Just because "X-Force" sounds cool?
I want to delete my account but Slashdot doesn't allow it.
Did it occur to the powers at ISS that this rule basically just enlarges the window for exploits to be exploited? The real danger zone is the time between the discovery (not necessarily the disclosure!) of the vulnerability, and the point when a certain critical mass of vulnerable boxes are patched.
How many people patch their systems the day the patch is released? Certainly, I do, but does even the majority do so? I doubt it. Moreover, they're giving 30 days for the script kiddies to run amok while we are clueless. They will certainly find out, if there is even an inkling of information about the exploit. IRC is much more effective than ISS anyway.
Nice to know that black hats will always have better information than us. Thanks ISS. Another step backward in the fight to preserve our systems.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
This opens the door to massive corruption if insecure firms pay off security reporters.
The same could (should!) be said about the police. Should we abolish policemen?
Anarchy is a better answer than corporation-cum-government forced secrecy, but it's still uncivilized. It should be someone's job to tread that tricky middle ground where the vulnerability is not irresponsibly publicized, but the vendors of the insecure software are not allowed to unreasonably suppress the details of the vulnerability. In other words, someone to maintain the threat of publicity just long enough to force the vendor to patch the wares as fast as possible, but not at the expense of end users everywhere.
Sounds like the ISS is stepping up to the plate and doing just that.
It sounds eminently reasonable - the best for all concerned. 30 days is not a long embargo, and their list of exceptions seems to me extremely thorough. This appears to answer criticism that "premature disclosure" is irresponsible (a criticism which I don't give much merit, but others disagree) with an intelligent and nuanced policy.
The message to vendors: we'll cooperate with you, if you act responsibly and respond quickly.
Quickly being the operative word. The tragic thing in the disclosure and response-time debate is the assumption that if the white-hat side discovers a flaw, they're the only ones who've found it... and just because you can't find a paper or an exploit after a bit of looking doesn't mean it's not out there.
Certainly, there is a long history of big vendors (I wont name any names... ah, whatever, Microsoft) who completely ignore (i.e. wont return calls) or yes the helpful hackers to death (i.e. yes, it's on the list, we'll have a new patch _any day now_ - rinse, repeat for 6 months), and then whine when the disclosure becomes public... even as the publicity stings them to finally bestir themselves to release a patch. So I'm very glad to hear of those in the security community making a logical response to it all.
Want to Know How to Cheat the GPL? Read On!
So, they give the vendors 30 days to respond -- unless the vendor doesn't respond sooner? Immediately? What's the point of the "30 day" rule if response is required BEFORE then?
Sounds like a completely arbiratry process to me.
Really good:
Disclosure for the most part, is a good thing. Even with things such as smb, whereas the samba team found a way to shut down a server remotely with it, aren't disclosed, unless there is a threat of disclosure, in which you need to go ahead and patch your hole or you will be seen as, well, uncaring by those who care.
This also allows for faster knowledge, i.e., if there is an active mailing list on it, but I am not on that list, then iss will inform me of the problem, this is in the mailing list, or whatever form of communication said project uses.
The Cons
As mentioned in comments already, I am assuming, people will be able to blackmail one another in order to keep said hack/hole/easter bunny out of the lime light. A little bit of cash can go a long way sometimes. Be wary of what is, and what isn't, reported.
Why this is important to you:
It gives you a more defined description of how things are going to go, and how much salt grain you should take with each hack. You should know that each hack/hole out there has already been out there for a month, and that it could have been out there for a lot longer. Joe blackhat just doesn't give up his tools, unless they are not useful.
Why this is not important:
ISS is not the only security site, and it should not be your only site to get updates from, either. Do a google...
Send in the real, original X-Force !
(Boy, did that headline have me confused or what?)
-MT.
I'd like to know that there was XYZ vunrablilty in a service I was running, so that I could implment a work-around until a patch comes alongs(assuming that one does).
thank God the internet isn't a human right.
This opens the door to massive corruption if insecure firms pay off security reporters.
Your argument is that this open change in their disclosure policy is a slippery slope to behind-the-scenes cash-for-silence deals. In my mind, the threat of such deals is not influenced whatsoever by the open and stated policy of ISS but rather by their corporate ethics. ISS and other security companies which deal with the government gain vast swaths of revenue due to the fact that they retain their integrity by laying out rules and following them. A single deal of the type that you mention would put the profits of the entire company and all its public shareholders at risk. In short, I believe your hypothesis is unfounded.
Kill Trolls Dead. Here's
so i cable going to rejoin the team or what? heck domino would be good too
The war with islam is a war on the beast
The war on terror is a war for peace
Didn't they change their name to X-Statix? (Way back when, they used to be the New Mutants. Sigh . . . .)
Well, these "guidelines" are common sense to every researcher who has a bit of heart for the field of work. I guess their partners were finally able to beat some reason into these ISS people. The recent BIND fiasco proved once and again that these "security researchers" value headlines more than their supposed mission statement. (Yes, I know, we all like to earn a buck, but in every profession you have your moral obligations.) ISS deliberately rushed advisories, and I don't think the issue was due to a lack of guidelines - this policy was a strategic move to get news stories at the expense of the users worldwide. These malicious practices are a disgrace to the security community that has come such a long way, and although ISS are not the only ones, they have probably been the most high-profile commercial predators.
;)
Anyway, we've heard similar promises before from OIS (of which ISS is a founding member) and it never stopped ISS from unethical behavior. But now apparently it bit them in the ass. I am surprised that nobody of their "alliances" denounced ISS for their malpractices earlier; I suspect this has been done behind the curtains, but granted, as long as it's effective, fine with me!
So way to go ISS, but I wouldn't already sing hallelujah - they were always wrong and this is just normal.
I'm waiting for the day when someone decides to threaten the software security agencies into silence, claiming "it's a feature, not a bug" and the DMCA gives them the right to silence public discussion about how to exploit the flaw.
Hey, if Wal-Mart can invoke it because people are pre-announcing their sale prices....
It almost seems the 30-day limit is a pretty reasonable one both for vendors as for bughunters. Just yesterday in this article the PGP-foundation announced the same period as desirable for releasing exploit-information to the public. coincidence or not?
In any case. The period looks pretty reasonable to me. The firm will have enough time to investigate and release a patch before the scriptkiddies out there will get their hands on exploit code. Now if all bughunters out there would follow this policy...
/(bb|[^b]{2})/
Does this include open source projects? Aren't these the guys who released an apache hole a while back without telling them because they weren't a small cohesive group (or something like that?)
Well the guidelines are not bad at all but 30 days may be too much. We know that are frequent parallel discoveries and that there are some organisations that are quite stubborn to change their behaviour toward security. While 30 days might be a acceptable span for most problems, I would prefer a more graduated exposure timeline, based on some criteria. For example:
If the exploit is highly dangerous, but complex, it would be preferrable a step-by-step disclosure in a period up to 30 days.
If there are middle-term solutions capable of making a temporary solution, then the problem is disclosed in a shorter period.
If the vendor/developer has a terrible record of playing "it's a feature not a bug", then no pitty on him. Either disclose ASAP or in shorter periods. This could be a good instrument to punish their lamerness.
If the vendor/developer comes up with half-measures and dubious patches, disclose without pitty.
And, besides, I believe it would be good to get some early warning stuff. Or disclosure may catch many people asleep. Maybe it would be good to get a standarized warning message 24 or 48 hours before disclosure, that something wrong may have happened with that or that app. This message should n no way be similar to press releases the Mass Media uses to pump over the crowd. Or else we may risk having information spoiled by some journalists trying to gain points in their careers.
ISS has been complained about and complained about from both sides of the Full Disclosure issue. Full disclosure to Bugtraq is great, but when ISS or certain others release without vendor notification/vendor acknowledgment, it's just dangerous and rude.
I'm personally glad that they aren't held up as the norm in the community. Most people seem to follow some variation of Rain Forest Puppys RFPolicy concerning vendor contact and reasonable time tables for releasing to the community when faced with unresponsive/uncaring vendors.
Good for X-Force, good for the community for browbeating X-Force.
I like music
Let's not forget the way things *used* to be. A few years back, the rule was that a small cadre of elite people knew about the vulnerability before the rest of the world. This caused lots of problems, which was one of the reasons for rfp to push for responsible full disclosure in the first place.
The ISS policy represents a regression back to the old way of doing things, except now the cadre of people "in the know" are the ones who can afford to pay ISS for advanced vulnerability information. Presumably the rest of the world has to suffer and get hacked. Support companies and organizations who TRULY practice responsible full disclosure -- don't support companies trying to make a quick buck off this kind of extortion.
Especially not after Cable tried to kill Dr. Xavier.
In Capitalist America, bank robs you!
Of course if you pay ISS money you can be a customer of theirs then you will find out about security issues in advance, a day after the vendor is notified (or an attempt is made to notify).
How can this be responsible disclosure unless they make sure that all their customers are "good guys"?
--it's a bad idea. for two reasons, one, it allows a vulnerability to exist WAY too long potentially, and there is NO guarantee that the exploit hasn't been spread around extremely sub rosa by blackhats. People running the software DESERVE to know if it's vulnerable, in a timely manner, not some arbitrary picked point in the future that one month" represents. The time to announce a vulnerability is when it's found, period. If my car springs a fluid leak I want to know about it now, if a fire starts I want to know about it now, if a manufacturer discovers a safety issue I want to know about it now, right after they find out, this gives me a CHOICE of what do I want to do.
Two, the companies NEED to keep getting hammered with emergency DO IT NOW-NOW-NOW work, because EVENTUALLY it will sink in to code once, troubleshoot, audit, bugfix, do it again, do it again, THEN release it. It won't eliminate all bad code, that isn't happening, but it sure will slow it doen to a manageable level. We need bored maytag repairmen security guys because stuff is "a lot more secure outta the box", not this make work growth industry model we have now, releasing buggy stuff to create jobs is what it looks like to me. We need FEWER releases of BETTER audited code, not faster releases of still buggy stuff. I could care less if releases of this or that software were once a year, or once every two years, and extremely robust and stable and secure, as compared to willy nilly constantly needing bugfix after bugfix. Closed source or open source. Hardware or software. Less releases of much better quality.
--generic rant--
Same with detroit and tokyo, new models every other year, or even 5 years, not every single year, and I don't care what happens to the evolution of that industry either, there's too much crapola gets released all across the manufacturing spectrum, throw-away-itis and almost constant obsolesence is not a good idea, it simply costs too much in terms of money and resources. The world is credit-maxed out from this push to constantly throw away still useful stuff for "new and improved". It's ridiculous. Here's an example, I got a pile of older cellphones, the reason? Because they have made it so it costs twice as much for a new battery as buying yet again another phone! ALL my old phones still work swell, if they only had a battery that worked for more than 30 seconds. It's silly. Durable goods and software is the same. Yes, I know that at some point older stuff just needs to get chunked by geez loweez it's gotten out of hand with stuff only two years old being classed as antique worthless throw it away and replace it.
Lets say the Linux kernel develops a vulnerability (noo, never). So they tell Linus. What happens next? All the developers related to the problem have to discuss the problem somehow, and lkml is very very public.
Ok so the kernel people might be able to keep quiet, but what about a smaller project that's more in the open and less critical? Sourceforge lists are public, so are CVS commits..
This really only works with closed software. Open source stuff has such a public development process that keeping it quiet is next to impossible.
Brian
Why do people pay good money to ISS for their Internet Scanner tool? It seems that this tool is very popular, but don't most people involved at these levels of security work know about the Nessus project? I personally find the ability to customize the system to the Nth degree and build my own triggers blows away most commercial systems. I've used ISS's scanner, Cybercop, and a few others. Some of the reporting tools are good out of the box, but I always find myself returning to Nessus.
Let's look at two recent widely publicized vulnerabilities:
A) Apache Chunked Encoding Overflow
ISS released an advisory with less then 24-hour notice and no vendor-approved patch. As it turns out, the ISS patch was wrong. X-Force coordinator Chris Rouland claimed that it wasn't neccessary to do so because Apache is a 'virtual organization' and he didn't trust the Apache project lead anyway.
B) BIND Overflow
ISS released an advisory before BIND patches were publicly available.
Whew! I was scared... for a second I thought this article was going to say that ISS hires black hats...
But as we all know, that's just ludicrous, right?
It takes only one black-hatter, his installed base of zombies and a newly invented exploit to take out enormous quantities of vulnerable servers. Automagically. In under a day. Make that in under an hour. Ergo, you don't need script-kiddies. The only thing that saves us is that most black-hatters are not willing to risk getting caught so easily by doing the attacks themselves. They usually just want their fellow black-hatters to know how smart they are. 80% of the rest of them never even make their exploit known. They use it to their (financial) gain and get out. They are not going to tell anybody if they have any clue.
Karma? What's that again?
I expect that noone has objections. However, if I'd only add these entries :)
to the list because `I think it's the right thing to do', I'd get a lot of
flames afterwards
-- Christian Schwarz
- this post brought to you by the Automated Last Post Generator...