Re: Scanners and unpublished vulnerabilities - Full Disclosure

From: Alfred Huger (ah@securityfocus.com)
Date: Tue May 28 2002 - 18:38:02 EDT


On Tue, 28 May 2002, Ryan Russell wrote:

> On Tue, 28 May 2002, Alfred Huger wrote:
> I would suspect this wouldn't have much of an impact on the pen-testing
> community, but I'll leave it to the professional pen-testers to answer how
> often the very latest vulnerabilities come into play in their work.

Being able to show a potential or current customer that they have
vulnerabilities in a production environment comes at a premium in
particular if this client cannot get this information elsewhere. The folks
at NGSSoftware feel that if they are aware of a vulnerability there is
more than a passing chance that someone else (likely with less than
sterling motives) is also aware of this. I concur 100% based on personal
experience. Through SecurityFocus, SNI and NAI I've been involved in
reporting dozens of security bugs to vendors. The amount of times my
report came in alongside others who had discovered the same issue was
fairly high. In a recent example which comes to mind a vulnerability
SecurityFocus was working on for CORE ST to report to a series of vendors
was discovered by about 5 other parties at almost exactly the same time.
Each of the parties was unrelated and their motives were pure (all things
being relative I suppose). What do you think the odds are that someone in
the blackhat community was also sitting on the bug? I would guess pretty
high. Vulnerability research does not now, nor has it ever, taken place in a
vacuum.

> What it boils down to is the rest of us will have the information, just a
> little later. I suppose part of the controversy is that NGSSoftware is
> presumably going to benefit from holding back information, i.e. if you
> want to check for the vulns they found, you have to buy their product.

Yep, that is what I suspected most people would take umbrage with. In this
case however I think NGSSoftware is perfectly within their rights. Firstly
I do think their motives are above board. Having said this I see nothing
wrong with it even if their motives are purely commercial. The Internet
like anywhere is driven off business concerns. If NGSSoftware can provide
a valuable service by alerting their customer base of flaws in production
software - power to them. This is after all about paying the rent. I
understand that a fair number of folks in this industry are still waiting
for the Great Leap Forward to sweep us all into some digital utopia where
information wants to be free and where breaking into someone's computer can
be painted in a benevolent light (you know - just trying to help). I am
not buying. I'd take advance notice from NGSSoftware over idealism. One
keeps me my job while the other makes for good coffee shop banter but
little else.

> This isn't new, either. A few years ago at a previous employer, I was a
> licensed user of ISS' Internet Scanner. They had a check for a statd bug
> (which came to my attention because it was getting positive matches) that
> I could find no public documentation on. I.e. I was doing an internal
> penetration test, and having a potential hole, I wanted to go ahead and
> exploit it fully.

Yes and ISS is not alone there. It's been done by other scanner vendors.
SNI in particular did this a few times. We also alerted our customers
about vulnerabilities we had in the pipes with vendors as a matter of
course.

> can't, in which case, they would just have to do so anonymously. Second,
> people really can reverse-engineer the problem by diffing patches, source
> or object. So, anyone who wants the hole can still have it, they just
> have to spend more time and/or money. Take a look at the recent set of IE
> holes Microsoft fixed. Several of them were discovered by MS themselves,
> and I know for a fact that some people outside of MS now know how the
> holes work.

Yep, good points.

> So, I don't see how their policy really changes anything. We'll all still
> have access to the holes, good guys and bad. Once there is a hint that
> there's a problem somewhere, it will be ferreted out.

Yes, and that is IMO a good thing. Vendors by and large need encouragement
to address security bugs in their software. Regardless of what is said to
the public, the base reality is that without prompting they are likely to
not prioritize this. Full Disclosure, while horribly flawed and often
as harmful as it is helpful, came about for a reason.

-al

I should cap this out by saying that my above opinions are my own.

> Ryan

VP Engineering
SecurityFocus
"Vae Victis"

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT