
List:       isn
Subject:    [ISN] How much Net security info is too much?
From:       William Knowles <wk () C4I ! ORG>
Date:       2000-08-29 6:39:56

http://www.usatoday.com/life/cyber/tech/cti448.htm

08/28/00 - Updated 11:10 AM ET

Software security experts wonder whether early
warning of Net security flaws might help hackers

WASHINGTON (AP) - Some ''bug hunters'' who uncover security flaws in
computer software and rush to issue public warnings may be helping
hackers more than consumers, industry officials worry.

It's a thorny issue that divides security specialists. Many argue that
fast, full disclosure of a vulnerability alerts computer users to take
precautions and pushes software makers to provide a quick solution.

Others say telling about how software is vulnerable to hackers before
companies have a chance to fix the problem only invites attack.

''There needs to be a Hippocratic Oath for security professionals,''
said Joel de la Garza of the Internet security company Securify. ''A
rule like 'first, do no harm' would be a very good thing, but highly
unlikely.''

Bug hunters, often working free-lance and spread across the globe,
operate by their own personal codes. Some rush out information
immediately, others give the maker a day's notice before a public
announcement and still others will wait a week or more for a solution
to be found.

Most are eager to be the first to claim credit for their discoveries.

Ron Moritz, chief technical officer for Symantec Corp., which makes
antivirus software, takes the side of full disclosure, ready or not.

''Sometimes the threat is something that can't be solved
instantaneously or immediately,'' he said. By exposing a hole as soon
as it is found, Moritz said, ''the good guys and bad guys know,
instead of just the bad guys.''

Recently, a security company found a major hole in Microsoft Outlook
e-mail that could allow a hacker to break into a person's computer by
merely sending the victim an e-mail message.

Microsoft was notified by the security company, and started to work on
a patch. But another bug hunter found the problem and made it public
without notifying the company. The remedy was still days away.

''By putting that kind of information out, the info may reach some
people who could use it to take preventative steps,'' said Microsoft's
security guru, Scott Culp. ''But it will definitely reach people who
are going to use it to attack other customers.''

Culp wants bug hunters to first help Microsoft find a solution to a
security hole, and only then take credit for the discovery. He said his
group has received about 5,000 security hole reports so far this year.
After weeding out customer errors, they resulted in 58 software patches
and e-mailed bulletins.

''We're not averse to talking about vulnerabilities, but there's a
right way to do it,'' Culp said.

Of course, few companies want an outsider publicizing glitches in
their products. Likewise, bug hunters have their own self-interests,
such as promoting themselves and their line of work.

''People like to see their name in the newspapers,'' said Richard
Smith, chief technology officer for the Privacy Foundation, a research
center at the University of Denver.

Smith, who has found many bugs himself, said security free-lancers
perform a valuable service to software makers, often for free. But he
doesn't believe discoverers should divulge enough to tip off hackers.

''I'm dead set against full disclosure, I think it's really wrong. If
Microsoft has a bug, it's a good thing to give just vague details,''
not a blueprint for exploiting it, he said.

Georgi Guninski, a Bulgarian security expert who has found numerous
bugs, says he typically gives companies about 24 hours to fix a
problem before revealing it to the world, and offers interim solutions
until it can be solved.

''I do not think that making a hole public does harm,'' said Guninski,
who works for Netscape. ''I think that by discovering bugs I make
products more secure.''

Elias Levy, who manages the BugTraq e-mail list, has seen software
vendors get stung.

''There will always be people that simply forget about the vendor
altogether or publish the vulnerability information with the full
knowledge that they have not notified the vendor, simply to make them
look bad,'' Levy said.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".
