[prev in list] [next in list] [prev in thread] [next in thread]
List: isn
Subject: [ISN] CERT, Feds Consider New Reporting Process
From: InfoSec News <isn () c4i ! org>
Date: 2003-03-25 8:25:34
[Download RAW message or body]
Forwarded from: William Knowles <wk@c4i.org>
http://www.eweek.com/article2/0,3959,967586,00.asp
By Dennis Fisher
March 24, 2003
Government officials and private organizations alike are reviewing
their vulnerability disclosure processes after several incidents over
the past 10 days exposed major shortcomings in the way new bugs are
handled.
The most dramatic case for change came early last week when an
anonymous member of a security mailing list posted three unpublished
vulnerability advisories. None of the advisories had been released by
the authors - or by a third party such as the CERT Coordination
Center - who typically handle such announcements. The posts were taken
from advance copies of the advisories that CERT had shared with a
select group of software vendors, something that has angered CERT
officials.
"We know that the text was taken directly from messages we shared with
the vendor community," said Shawn Hernan, team leader for
vulnerability handling at CERT, based at Carnegie Mellon University,
in Pittsburgh. "We've always believed that the vendors need advance
notice. But in this case, someone with access decided to [go] public."
CERT is now considering whether changes can be made to its process for
handling vulnerabilities. The federal government, meanwhile, is
discussing ways to centralize vulnerability reporting.
The government is considering a plan to establish a single point of
contact for vulnerability reporting; researchers would submit
discoveries to the contact. The government would then work with the
researcher and the affected vendors to coordinate release of the
information.
The hope is to avoid leaks and to speed vendor response to security
problems. However, the Information Assurance and Infrastructure
Protection division of the Department of Homeland Security is still
without a leader, clogging any major initiatives, insiders said.
While the Bush administration has found it difficult to fill the top
information security job, sources say Bob Liscouski, director of
information integrity and assurance at The Coca-Cola Co., in Atlanta,
is slated to take the job of assistant undersecretary for IAIP.
Officials at DHS did not respond to requests for comment.
The trouble began when a member of the Full-Disclosure mailing list
posted three vulnerability reports. Only one of the problems had been
disclosed previously, and patches were not yet available. All the
advisories detailed the vulnerabilities and affected products.
All the vulnerability reports were serious. The first, posted March
15, warned of a cryptographic weakness in the popular Kerberos
protocol. The second message discussed a timing attack on
cryptographic keys. The third, posted March 16, concerned a problem in
a code library contained in Unix-based software from Sun Microsystems
Inc. and other vendors. The Kerberos bulletin was officially released
March 17; the details of the timing attack were published on another
Web site the previous Friday.
The Sun advisory was not released until late Wednesday.
CERT's Hernan estimated there are about 50 vendors that had access to
all three vulnerability reports. The person who posted the advisories
to the Full-Disclosure list used an anonymous, secure e-mail service,
Hushmail, which makes it hard to track the individual down.
*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic