July 30, 2003 4:00 AM PDT
Security pros talk, but can they walk?
A serious vulnerability in key Internet hardware was found July 16, and another affecting most computers running Microsoft Windows had network administrators scrambling to patch their systems a week later. Those vulnerabilities and a slew of others discovered in the past year underscore some critics' assertions that information security remains an oxymoron despite all the attention it gets.
"People are making security a bigger topic of conversation than it was, but in the end I think it's been mostly talk, and not a whole lot of action," said Marc Maiffret, chief hacking officer for network protection company eEye Digital Security.
That lack of progress is especially worrisome as hackers and security experts gather in Las Vegas this week for Black Hat Briefings, which begins Wednesday, and the security industry's most infamous confab, DefCon, which starts Friday.
The DefCon convention--a celebration of hacker culture and security knowledge--brings together experts from the hacker underground, security-industry stars and a monochromatic gathering of geek groupies. The convention has frequently acted as a catalyst for online mischief but also for a spirited discussion among companies, government officials and hackers about how to protect the Internet from attack.
But that's part of the problem--lots of talk but plenty of lingering problems.
"I think some of the more apparent issues are being resolved--viruses propagating through e-mail, for example," said Pete Lindstrom, research director for consultancy Spire Security, who added that he doesn't think that "we have seen progress other than that in any specific way."
The failures persist despite government intervention and corporate attention. In February, the Bush administration delivered the National Strategy to Secure Cyberspace, a document that describes where the United States is in terms of Internet security. But critics said it contained few concrete proposals, and the two people who had the largest role in creating the document have since departed: Richard Clarke in March, and Howard Schmidt in April.
The industry has had its share of security black eyes as well. More than a year into its Trustworthy Computing initiative, Microsoft had to deal with major flaws in its Passport identity services, the Slammer worm's attack on vulnerable Microsoft SQL servers and a major flaw that created the possibility of another serious worm incident.
Meanwhile, Cisco Systems warned its customers that a serious flaw in its routers--the network hardware that directs data around the Internet--could allow an attacker to shut down the devices.
Jeff Jones, senior director for Microsoft's Trustworthy Computing initiative, conceded that there is much work to do.
"I think the industry is improving overall," Jones said. "But a single year is too short of a time for anyone to declare success. I don't think anyone said that (our track record) was going to be perfect."
The disclosure debate
Of the many topics to be debated this week, the most contentious is likely to center on notification. Specifically, there is a deep split about whether serious flaws should be publicized before vendors can fix them.
When giants such as Microsoft and Cisco falter, security researchers are quick to point out the flaws, arguing that the public's need to know outweighs the companies' desire to quietly work on a patch.
The Organization for Internet Safety released on Tuesday its final guidelines for disclosure, a document that the group of software and security companies hopes the research community will adopt. The document calls for researchers to give software companies at least 30 days to fix a vulnerability and release a patch, and to let at least another 30 days pass before releasing significant details of the vulnerability.
Such guidelines are necessary to give software makers time to fix their problems before putting their customers at risk, said Mary Ann Davidson, chief security officer for database software maker Oracle, a member of the group.
"My biggest concern is about recklessness in the research community--it's really scary," Davidson said. "They need to understand that exploits have real consequences. The vendors want to do it faster too, but they want to do it faster without destabilizing things."
Davidson will take part in a panel discussion Wednesday at the Black Hat conference that will focus on the need for restraint in releasing details about security vulnerabilities.
Though some security companies already are playing by the proposed rules, many independent security researchers and hackers continue to compete to see who can get the most detailed exploit out the fastest. Within a week of a major flaw being announced in Cisco's routers, researchers had created code to exploit the vulnerability. And nine days after the major flaw was found in Microsoft's operating system, the research community had produced an easy-to-use program to attack Windows-based computers.
HD Moore, a security researcher and founder of the Metasploit.com security Web site, improved on a program from a Chinese hacking group that exploited the Windows vulnerability.
"Companies don't want anyone to write an exploit at all," Moore said. "That's understandable. They don't want a worm written into the code, and they don't want their customers mad at them."
Moore believes that having exploit code available to the public forces companies to keep their systems current, thus improving security. Whether that's true is debatable, he admitted. However, the pressure on the hacking community not to release exploit code has had a negative side effect: increasingly, hacking groups are keeping the code to themselves and using it to cause harm to systems or to trade for other programs. For example, before X-Focus released its program to exploit the recent Windows flaw, at least three other groups had already created their own.
"A year ago, there was a 50-50 split between private and public exploits," Moore said. "Now it's more like 90 percent of the vulnerabilities are private. (The Microsoft vulnerability) is one of the few that made it into the public 10 percent."
By Moore's reasoning, the public program makes the Microsoft vulnerability far less of a threat than the 90 percent of the exploit programs people don't know about.