Firm To Release Database, Web Server 0-Days
krebsonsecurity writes "January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products, including MySQL, Tivoli, IBM DB2, Sun Directory, and a host of others, writes krebsonsecurity.com. From the blog: 'After working with the vendors long enough, we've come to the conclusion that, to put it simply, it is a waste of time. Now, we do not contact vendors and do not support the so-called "responsible disclosure" policy,' Legerov said."
The alternative to responsible disclosure is irresponsible disclosure. Is that really better?
Firm To Drop Database, Web Server 0-Days
The verb to drop has specific meaning w.r.t. databases. A few more words in the title would have been acceptable. How about:
Fed-up security firm to release Database & Web Server vulnerabilities publicly
Look at how much more information is conveyed in that second title. A work of beauty, it is.
coding is life
FTFA:
At issue is the pesky ethical and practical question of whether airing a software vendor's dirty laundry (the unpatched security flaws that they know about but haven't fixed yet) forces the affected vendor to fix the problem faster than it would have had the problem remained a relative secret.
Hasn't this been proven to be true - and legal?
In all honesty, if they've contacted the vendor and the vendor hasn't patched it in a month or two, I think it's completely ethical and practical to release the vulnerabilities. After all, there could be a few other small firms who have discovered the vulnerability and are exploiting it. Best to put them out there in a Twitter feed so that the entire world instantly complains about it, forcing the vendor to fix it. I prefer security over new features.
To clarify the summary, this guy isn't saying that he's not going to wait for companies to fix exploits before he releases them; he's saying he's not going to tell the companies at all. That, in my opinion, is very irresponsible. If you contact them and say you're going to release the information in 90 days regardless of their progress on a patch, fine, but to not warn them because of a few vendors who don't do their job is harmful to everyone.
Some firm draws up a press release that they're going to drop the bomb on every piece of software they could get their hands on that is used everywhere in the world for one thing or another.
Right, what are they selling again?
"I use a Mac because I'm just better than you are."
"Pay attention to us, we'll disclose everything up front before everyone else! BTW, here's our products and services."
I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with.
Or is the English language dying a painful death on /. as time passes. The past day's article summaries and headlines are a blend between Yoda backing off the chronic and the broken English that some toy assembly manuals convey.
Seriously, it took me three passes at reading this article headline to understand what the hell it meant. Maybe that's part of the entertainment value that I'm missing???
But you need to give the vendors hard disclosure dates not too long in the future, and you need to publish on those dates, stating when you informed the vendor. If the vendor does not patch, publish the vulnerability anyway; you have done your part.
As others have already said here, this strikes me as a publicity stunt, or they wanted money from vendors and did not get any.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I welcome this.
In ancient ages past, we put up with "It's a theoretical attack, no one could actually execute it"...
to "group X has released a THEORETICAL working example of an attack to the public, so we fix it six months after revealing it to us"...
to "Here is how you fail... here is how to make you fail... FAIL!!!"
'responsible disclosure' is just wearing the nice guy badge...
You're the only one wearing the nice guy badge.
I'd rather see "Oh CRAP! This thing in Word is broken!" "Oh CRAP! This thing in Excel is broken!" "Oh CRAP! I went to look at a Britney Spears vid and now can't move my mouse! Why is my DSL light blinking a lot?"
And then see it fixed in a day or two (at most), rather than a month or two (if we're lucky).
This is one of those issues where the instinct of any good capitalist is to privatize benefit and socialize risk. When you screw up in the auto industry, the company faces the massive expense of a product recall. That helps to keep you honest with your engineering quality.
I personally think 30 days is a reasonable notification period. Not pleasant for the vendor to have to respond that briskly, but this isn't about being pleasant. If the vendor wants pleasant, they should invest more competence in the original product. This isn't easy, and might move a few pointy-haired managers out of the executive suite.
Probably a more viable compromise is eight weeks. This adds a thin margin for the possibility that key zero-day SWAT staff are booked off, that multiple issues are raised concurrently, or that a product has a stupendously long build cycle.
I would be thrilled to see an industry standard put in place where everyone knows the ethical notice period is eight weeks, period, perhaps with the odd extension on a track record of good behaviour.
I would also like to see proprietary TCO calculations updated with a term to account for the customer disruption of having to rapidly deploy a not-tested-for-months-at-a-time critical vulnerability patch.
Speaking of which, that whole TCO thing really bends my biscuits. It's just loaded with sly neglect of not entirely apparent costs, of which the year-long critical vulnerability update is one of the more egregious.
During that time, your pants are down if anyone less ethical discovers the same flaw. It never happens that two scientists make the same discovery in the same year and end up in priority dispute, according to the industry of socialized risk.
This guy should change his name to Bobby Tables at the same time. Imagine the number of newspapers that would try to do a press release, but couldn't.
It seems only slightly less irresponsible to publicly disclose exploits without making companies aware of them than it is for companies to disregard known security flaws in their own products.
RFPolicy struck me as the best compromise, but maybe there's room for a third-party service to hold exploit information in escrow for a defined period of time then release it. If a company knew that they had a couple of months to fix a problem at the outset, and that nothing was going to stop publication, that could provide additional encouragement to address the problem.
At the expense, of course, of being a really crappy way to treat companies who ARE proactive about their security issues, especially as a security researcher doesn't always necessarily have the full picture of what's necessary to fix the problem in cases where it's intertwined with required software features. That's probably the most significant aspect of RFPolicy -- the dialogue and collaboration between security researcher and software developer to determine the scope of the problem and the potential solutions.
While I don't blame them for releasing two year old vulnerabilities, they're going too far by not giving firms ANY TIME to fix vulnerabilities. Give them six months and then release them, but give them time. This does as great a disservice to users as those firms do by not fixing the vulnerabilities.
Shouldn't it be, "firm to SELECT 'Database', 'Web Server' FROM 0-Days;"?
Ask me about repetitive DNA
If more firms paid bounties for bugs found (as long as responsible disclosure is followed), you'd probably see a whole lot more security researchers content to follow responsible disclosure guidelines. There's no guarantee that they'll keep that all a secret in any case, but to get the cash, you've got to sign a legal form with your company's information or be registered as a valid security analysis firm. One of the biggest issues with these security analysis firms is that there's no way to tell most of the time if it's just a bunch of criminals hiding out under a corporate umbrella, or if they're bona fide security professionals. And no jokes about them being one and the same... there's a huge difference; I've known (and in the case of those pros, I've worked with them) guys from both sides. If a security firm refuses to be registered or refuses bounties, you know there's something fishy about them and it's time to contact local authorities.
Then again, there's the big problem of many of the bugs that outside security firms report already being known and in a work backlog. The realities of the industry are that capital isn't unlimited, time isn't unlimited, and sometimes important stuff doesn't get done because you just don't have enough qualified developers to throw at the problem. Two years is fairly excessive for a security hole to sit around, but if a security firm is releasing exploits that it discovered and reported 6 months prior just because it "didn't see enough getting done", that's not being passionate about security, that's an attempt to commit extortion.
You are asserting that the exploit is "theoretical" (why the quotes?) and might be used in the future without any evidence that this is even the most common case, much less the only case. The problem with an undisclosed vulnerability is that unsuspecting users believe they have more security than in fact they do. They expect, at the very least, to be informed when a vulnerability is discovered. While this may be an unrealistic expectation in the current marketplace, customers should be able to make informed decisions and thus operate in the market as their role demands.
But... if these were vulnerabilities that this firm has known about for products which have been released for some time now, plus they've been sitting on this information for a while, how exactly are they 0-day exploits?
Demanding constant attention will only lead to attention.
This requires an awful lot of patience and a fair degree of bookkeeping on the part of the submitter. And you're assuming that the organization on the other end of the bug report is actually learning from past mistakes in a cause-and-effect kind of way. "Hey! His report-to-release times are getting shorter! Maybe we should adjust!" In an organization of any size, this will be unnoticed even when pointed out plainly.
The more I think about it, the more receptive I get to this fellow's approach. Maybe after a while of "irresponsible disclosure" vendors will pay attention and he can fall back to giving advance notice.
Get off my lawn.
I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches. Not the best business practices all the way around, but it's the way it is.
I'd feel better if, rather than lumping all the vendors together and 0-day disclosing vulnerabilities found in any of them, Intevydis tracked which vendors failed to respond and continued to give the others warning.
Maybe a 3-strikes policy. Or (for vendors with large products and lots of opportunities for bugs) a percentage of slow/no vs. fast fixes.
And the newbies should be assumed responsive until proven otherwise.
Seems to me that would put even more pressure on companies to be responsive, by giving the responsive among their competitors two additional advantages:
- time to fix the bug, and
- customer perception that the unresponsive vendor might be subject to sudden attacks due to disclosed vulnerabilities when the responsive vendor would both get warnings and have a track record of fixing before disclosure.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Clearly the balance of incentives has been wildly off for some time now. Researchers finding possibly big-cost vulnerabilities and reporting them to vendors/middlemen have found that the responses to their discoveries have been slow. Additionally, the payouts for these researchers have been relatively low.
They've been slow because companies have very little incentive to actually fix these bugs, provided that the rate of exploitation of these bugs is sufficiently low.
The incentives for a company using commercial software are stacked heavily against disclosure (do they discover the intrusion? angry customers upon disclosure? etc.), and software vendors are rarely motivated by costs that are, probabilistically, very low. Only once companies are hit by the overwhelming stigma of wide-spread exploits, and the long tail of consumer distrust, do they take greater care in the future.
Companies these days get the sense that they can dodge 180 days of exposure for the price of a used Honda Accord, but the reality is that knowledge of the bug may not be a significant contributor to the risk of exploitation. If one honest researcher has found a vulnerability, can we be confident that no malicious researchers have? Hell, every little wanna-be hacker and future programmer among us used to have floppies and notebooks of vulnerabilities, some collected, some personally discovered. The vulnerability is the source of risk. Put the blame back on the companies that have failed to fix them. More accurately, shift the incentives. With huge shake-ups like mass disclosures, the effect on all companies could be a shift toward more attention being paid to security. To me, it seems like a net win.
In Soviet Russia information is releasing YOU!
Legerov said. For example, he said, “there will be published two years old Realplayer vulnerability soon, which we handled in a responsible way [and] contacted with a vendor.”
I think that apparently the vendors aren't doing a damn thing to patch a good amount of these reported vulnerabilities if they are being reported in a proactive manner. Seems as if once the exploits are running rampant in the wild then the vendors scramble to develop patches
It's most likely a case of resource management and insufficient resources available.
One word can solve the difference between responsible reporting and 0-day motivation:
embargo
The reporting security group still goes through the responsible reporting methodology, but adds a proposed date on which the details will be reported more fully to the public.
I work for an enterprise-level network device manufacturer, and anyone in that line of work knows damn well that remote vulnerabilities are the harbinger of death if they're not addressed in a timely fashion. Yet, motivation to assign resources to fix it still relies (in part) on whether there is a public exploit or not. So it's with that background that I can say that embargoes work.
We don't know the details, but apparently Intevydis didn't give embargo dates along with their reported vulnerabilities. Now they see what kind of motivation that produces, and so they've set a pseudo-embargo: any time between Jan. 11th and Feb. 1st.
This signature intentionally left unblank.
Slashdot'ers don't know IT security, obviously. These guys are one of the top professional exploit writing crews on the planet. They have been selling VulnDisco, an awesome 0day exploit addon pack for Immunity Sec's CANVAS exploitation framework, for years. We are not talking about some silly little company; the Intevydis guys are hardcore... they are selling a bunch of nice 0day exploits and simply being generous by giving away such valuable information for free this month. All the people bashing their disclosure choices are fools; this caliber of security crew is not going to give away all of their valuable intellectual property for free. Get over it. Stop living in fantasy land; those guys are not morally obligated to spend their life slaving away doing basically free high quality QA work for big multinational mega-software giants. They do their work, they write their 0day, they sell it, and pentesters and intelligence agencies and everyone who cares buys it. Note, the vendors in question could also buy VulnDisco and CANVAS and then they would have the 0day (with proof of concept / exploit code) for a cheap price (much less than trying to hire a security analyst of that caliber) and they could have detailed information about the vulnerability and be a couple steps closer to fixing the vulnerabilities they want to pretend like they care about.
Firm To Drop Database, Web Server 0-Days
Maybe it's just me, but does it make sense to use newspaper headline style, which was designed a century ago to convey information in minimal horizontal space, in an electronic format? What would have been the cost of writing this headline as "Firm to Drop 0-Day Exploits for Databases and Web Servers"? As it is, I thought that some firm was dropping their database and going back to 100% paper records, and I couldn't really make sense of the phrase after the comma.
Surely the beta stage is the time for 'responsible disclosure'? Once it's publicly released, then you're not likely to be the only person aware of the vuln. Why should you act responsibly on behalf of the guys who are taking your money for the privilege? If it's fit for sale, it's fit for purpose.
Responsible Disclosure [...] is a deliberately positive term for purely demagogic reasons.
Which is why I advocate calling it "Limited disclosure". That's a value-neutral term that fairly accurately describes it---and about as precisely as you can be in only two words.
Or call that other thing "Effective disclosure" if you feel a need to play the game of rhetoric.
So, what's wrong with bug bounties? Why can't Russian hackers expect to be paid for their hard work hacking American software and documenting vulnerabilities?
The fact is, there's already a bug market. If you're a hacker without morals, you can already make good money off security flaws by selling them to criminals directly. But if you should do the world a public service by pointing out these security breaches to the software vendor, not only will they threaten to sue you if you publish, but no reward will be coming.
Of course, by offering rewards, you're creating perverse incentives for people to find bugs. Also, you're creating a bidding war between the criminals who want to know bugs to exploit them, and the legitimate software vendors...
You know there is one more choice.
What if they disclosed them responsibly, and the vendors responsibly evaluated them and came to the conclusion they are no threat? That would be irrelevant disclosure.
Living in Chile
Maybe his remarks are just missing something in translation.
You tell 'em Legerov. You have absolutely no obligation to work with vendors or projects. If they don't help you fix bugs, they should expect to hear from you in the comment at the top of your PoC.
"He's a step ahead of you. He's tried doing it the right way and gotten no results. So he's going to skip the part where he wastes his time.
If companies want responsible disclosure, they should respond in some way to the disclosure. Maybe companies will actually fix bugs instead of sitting on them, and he can go back to doing it the right way. He also warned the companies he's going to do it, so they have a chance to fix things before then.
Here's a tip for you. In the real world, sometimes you have to force the other party's hand to get them to act responsibly. He's to that point, and fortunately has leverage. By making this choice public, he shames the irresponsible software companies which allow security problems to sit around unfixed.
Hopefully they'll scramble to release some fixes, which they haven't done yet, which is a net improvement over the current situation where millions of people have unpatched vulnerabilities.
In short, I don't see a problem here. I use software, it has security problems, I expect those to be fixed. Whatever it takes to get there, I'm all for it." - by b4dc0d3r (1268512) on Monday January 11, @03:57PM (#30728526)
Agreed, 110%, per my subject-line above... it works (quoting Tony Stark there, on his "arc reactor technology", because what I turned an MS mgr. onto here, Foredecker, results in the same idea (smaller & faster HOSTS files)):
http://slashdot.org/comments.pl?sid=1467692&cid=30384918
I had to "hound" the guy here, which IS unfortunate, but... he is now looking into it on his end with his people @ Microsoft finally (which is great - my goal? Simply to make Windows VISTA/Server 2008 & yes, Windows 7 THAT MUCH BETTER really).
APK
P.S.=> I had "sort of trolled" him here though (albeit with GOOD MOTIVES - to improve MS' latest OS' really) &, for months here actually, until he replied here, & we "debated it", & he "saw the light" of what I was stating is poorer than it ought to be in HOSTS files (which are INVALUABLE for speed online, but moreso for SECURITY online).
So, he finally wrote me personally via email a couple days back & he notified me he is going to find out WHY 0 was removed as a valid blocking address in HOSTS files @ last, with his IP stack team @ MS (he has the pull, he is senior mgt. there apparently which is great imo, & I hope this even helps the guy get a promotion there).
The use of 0, vs. 0.0.0.0 & especially vs. 127.0.0.1 as blocking addresses in HOSTS vs. KNOWN bad adbanners &/or malicious sites + botnet "C&C servers", works & on a VERY SIMPLE PRINCIPLE, the blacklist ("you can't get burned if you can't go into the fire" type thinking).
It matters, for efficiency & performance, & literally "HUGELY" for the speed of its internal parsings, line-by-line, as well as the filesize on disk!
(I.E.-> Using 0 as a blocking address in HOSTS files yields FAR smaller HOSTS files, especially in HOSTS file with many thousands of lines as mine is @ 655,500++ lines or so currently, vs. those that use the 0.0.0.0 (which is the tiniest you can use on VISTA/Server 2008/Windows 7 only), & especially vs. 127.0.0.1, which also incurs a "loopback operation" too).
So, E.G.-> I used the SAME BASIC TECHNIQUE to get to MS' folks on this, because they "blew me off" here on their "Engineering Windows 7" blogs here -> http://blogs.msdn.com/e7/archive/2009/02/25/feedback-and-engineering-windows-7.aspx?CommentPosted=true#commentmessage
Hopefully? Foredecker will do the job & get this fixed with his people @ MS... apk
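The size comparison the comment above draws between "0", "0.0.0.0" and "127.0.0.1" as blocking addresses can be measured directly. The following is an added example, my own illustration rather than code from the commenter or from Microsoft: a small HOSTS blocklist normaliser that parses hosts-file text, validates the hostnames, re-emits the list with a chosen sink address and reports the resulting size. The sample input and the function names are constructed. Whether a bare "0" is accepted as a blocking address by a given resolver is the commenter's claim about Windows; this code measures bytes only and does not test that.

```python
# Added example: HOSTS blocklist normaliser (not the commenter's or Microsoft's code).
import re
from typing import Dict, List

SINKS = ("0", "0.0.0.0", "127.0.0.1")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample input, not a real blocklist.
SAMPLE = """\
# constructed sample
127.0.0.1   localhost
0.0.0.0     ads.example.com tracker.example.net   # two names on one line
127.0.0.1   ADS.EXAMPLE.COM                        # duplicate, different case
0           c2.example.org
0.0.0.0     bad_host.example                       # underscore: not a valid label
10.0.0.5    intranet.example.com                   # a real mapping, not a block
"""


def valid_hostname(name: str) -> bool:
    """RFC 1123 style check: dot-separated labels of letters, digits and hyphens,
    no leading or trailing hyphen, at most 253 characters in total."""
    if not name or len(name) > 253 or name != name.strip("."):
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_hosts(text: str) -> List[str]:
    """Return the unique blocked hostnames from hosts-file text in first-seen
    order. Comments and blank lines are dropped, names are lower-cased, lines
    mapping to a real address are ignored, and the usual loopback names are
    skipped so an existing hosts file can be fed in whole."""
    seen, names = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *hosts = line.split()
        if addr not in SINKS:
            continue
        for host in hosts:
            host = host.lower()
            if host in LOCAL_NAMES or host in seen or not valid_hostname(host):
                continue
            seen.add(host)
            names.append(host)
    return names


def render_hosts(names: List[str], sink: str) -> str:
    """Emit one 'sink hostname' line per blocked name."""
    return "".join(f"{sink} {host}\n" for host in names)


def size_by_sink(names: List[str]) -> Dict[str, int]:
    """Bytes on disk for the same blocklist under each sink address."""
    return {sink: len(render_hosts(names, sink).encode("ascii")) for sink in SINKS}


if __name__ == "__main__":
    blocked = parse_hosts(SAMPLE)
    print(blocked)                # ['ads.example.com', 'tracker.example.net', 'c2.example.org']
    print(size_by_sink(blocked))  # {'0': 57, '0.0.0.0': 75, '127.0.0.1': 81}
```

Feeding a real hosts file through parse_hosts keeps only entries already pointing at a sink address, so legitimate name-to-address mappings never end up in the blocklist, and the hostname check rejects entries a resolver would not match anyway.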
WTF has happened? I remember when reasonable disclosure meant that the vendor was notified
and given 3 days to release a patch. AND that public was notified right away with no details.
Now some people speak about "responsible" (whatever that means) disclosure of 90(sic!) days!
Have you all gone mad collectively?
Another approach might be that of the general winners in the iterated Prisoner's Dilemma game contests. The simplest stable winning strategy has turned out to be what is called "tit for tat", in which you're a nice guy and cooperate the first time you face a new opponent; thereafter, you do to them what they did to you the last time. In the long run, crowds of players using this strategy tend to collect all of the game's rewards.
With the current topic, you'd express it as giving a company advance notice the first time you find a security issue with a product, and only making a public release after talking to them (or trying to) for a few months. If they respond reasonably, you do the same thing next time. If they ignore you, then the next time you release your find without notifying them (and maybe send them a note explaining why you did that).
One useful thing about this strategy is that you only need to remember the most recent incident for each company. It is interesting that in the periodic contests pitting strategies against each other, the general winner is a strategy with a fairly low memory requirement.
Of course, IANAGT (I Am Not A Game Theorist), and I can't tell you whether this result actually applies in the security-bug scenario. Maybe there are some game theorists here who can tell us.
The main complexity is the need to recognize previous opponents. This might be tricky, since it's really not the company that responds or doesn't. It's actually (groups of) specific people working for that company. From the outside, it can be difficult to learn who actually decides how to handle a bug report, and you could easily end up "punishing" a group who were trying to cooperate but were ordered by a superior to ignore you.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
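The tit-for-tat strategy above, the three-strikes and slow-versus-fast-fix ratio ideas raised earlier, and the embargo-date suggestion all reduce to one mechanism: fix the publication date when the report is filed, and let the vendor's track record decide whether it gets advance notice. The following is an added example, not Intevydis' code or anything from the thread, that implements all three policies side by side. The vendor name, the 56-day period (the eight weeks proposed in the thread) and the sample history are constructed for illustration.

```python
# Added example: track-record based disclosure policy (constructed; not Intevydis' code).
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

EMBARGO_DAYS = 56           # eight weeks, the compromise proposed in the thread
SLOW_FIX_RATIO_LIMIT = 0.5  # miss rate above which a vendor loses advance notice


@dataclass
class VendorRecord:
    name: str
    # One entry per past report: True = patch shipped before the deadline.
    outcomes: List[bool] = field(default_factory=list)


@dataclass
class DisclosurePlan:
    vendor: str
    reported_on: date
    publish_on: date      # full details go public on this date regardless
    notify_vendor: bool   # False = publish without advance notice


# Policies: each maps a vendor's history to a notice period in days.

def tit_for_tat(rec: VendorRecord) -> int:
    """Cooperate on first contact; afterwards mirror what the vendor did last time."""
    if not rec.outcomes or rec.outcomes[-1]:
        return EMBARGO_DAYS
    return 0


def three_strikes(rec: VendorRecord) -> int:
    """Keep giving notice until the vendor has missed three deadlines in a row."""
    misses = 0
    for fixed in reversed(rec.outcomes):
        if fixed:
            break
        misses += 1
    return 0 if misses >= 3 else EMBARGO_DAYS


def slow_fix_ratio(rec: VendorRecord, limit: float = SLOW_FIX_RATIO_LIMIT) -> int:
    """For vendors with many reports: drop notice once the miss rate exceeds limit.
    A vendor with no history is assumed responsive."""
    if not rec.outcomes:
        return EMBARGO_DAYS
    miss_rate = rec.outcomes.count(False) / len(rec.outcomes)
    return 0 if miss_rate > limit else EMBARGO_DAYS


def plan_disclosure(rec: VendorRecord, reported_on: date,
                    policy: Callable[[VendorRecord], int] = tit_for_tat) -> DisclosurePlan:
    """Fix the publication date when the report is filed, so nothing the vendor
    does or fails to do afterwards can move it."""
    notice = policy(rec)
    return DisclosurePlan(vendor=rec.name, reported_on=reported_on,
                          publish_on=reported_on + timedelta(days=notice),
                          notify_vendor=notice > 0)


def record_outcome(rec: VendorRecord, plan: DisclosurePlan,
                   fixed_on: Optional[date]) -> bool:
    """Log whether the vendor beat its deadline. With advance notice the deadline
    is the publication date; without it, publication is the notice, so the vendor
    gets the same embargo period counted from that day."""
    deadline = plan.publish_on
    if not plan.notify_vendor:
        deadline += timedelta(days=EMBARGO_DAYS)
    fixed = fixed_on is not None and fixed_on <= deadline
    rec.outcomes.append(fixed)
    return fixed


def run_demo() -> Dict[str, object]:
    """Constructed history: the vendor patches on time, then sits on a report,
    so under tit for tat the third report goes public without notice."""
    vendor = VendorRecord("ExampleVendor")               # constructed, not a real vendor
    first = plan_disclosure(vendor, date(2010, 1, 11))
    first_fixed = record_outcome(vendor, first, date(2010, 2, 20))
    second = plan_disclosure(vendor, date(2010, 4, 1))
    second_fixed = record_outcome(vendor, second, None)  # never patched
    third = plan_disclosure(vendor, date(2010, 7, 1))
    return {
        "first_publish": first.publish_on.isoformat(),   # 2010-03-08
        "first_fixed": first_fixed,                      # True
        "second_fixed": second_fixed,                    # False
        "third_notified": third.notify_vendor,           # False: tit for tat
        "third_publish": third.publish_on.isoformat(),   # 2010-07-01
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of computing publish_on at report time is the one the embargo comment makes: the date is part of the report, not something negotiated afterwards. Swapping the policy argument to three_strikes or slow_fix_ratio changes only how much history a vendor is allowed to burn before losing notice, which is the "newbies assumed responsive until proven otherwise" rule in code.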
I am currently in the midst of a "responsible disclosure" nightmare, involving NDAs, the FBI, SEC and an online investment bank. For as much work, no pay and no recognition this "responsible" behavior is getting me, I don't know what is worth it.
Also, any advice on responsible disclosure in online financial situations would be appreciated.
Thanks.
-- I was raised on the command line, bitch