From time to time Stickley publishes articles on a broad range of security related issues. Included here are some of those articles.

Vendors Need To Take Responsibility

Problem Defined

Corporations and home users rely on public announcements from vendors, security firms and other public forums to receive critical information about security vulnerabilities in the software running on their systems. Unfortunately, over the past several years it has become evident that some manufacturers would rather cover up vulnerabilities than tarnish their reputation by making them public.

Proper Etiquette

When a new vulnerability is discovered and reported to the corporation that wrote and maintains the affected application, there are generally accepted rules that all parties are expected to follow. These rules are not mandated by any specific law, but they guide everyone involved through response, resolution and, ultimately, public notification.

The individual or corporation that discovers the vulnerability contacts the software vendor and supplies detailed information about the issue, detailed enough to guide the vendor directly to the source of the problem. Sometimes proof-of-concept code is supplied at the time of disclosure to further explain the vulnerability and its potential threat level. All parties understand that this information will not be released to the general public until the vendor has had sufficient time to review the issue(s) and create a patch or workaround. The term "sufficient time" is vague, but it is generally understood to mean a maximum of 30 days from notification to public announcement; the actual interval varies depending on the vendor's response, or lack thereof.

When followed properly, this system works well. The vendor can resolve the issue before the mainstream public, and possible hackers or cyber-terrorists, are made aware that the issue exists. When the public is notified, the announcement states the threat clearly, including the possible consequences if the issue were exploited, and relevant patch information is often included. If the vendor chooses not to resolve the issue, the public is still notified, with a warning that the issue exists and what could happen if it were exploited. It is then left to the public to create its own solution or to disable the affected service.

Corporations that hide behind attorneys

It is rare that a corporation wants to notify the public about a vulnerability in its product or service, but most understand the risk their users would face if they did not. Unfortunately, some corporations prefer not to let the public know of any such vulnerabilities and go to great lengths to make sure these issues remain secret or are buried where no one can find them.

The most commonly used tactic is the threat of legal action. When the corporation is notified of an issue, rather than resolve it and notify the public, it responds to the company or individual that discovered the vulnerability and informs them that if the issue is made public the corporation will have no choice but to pursue the legal remedies available to it. The threats vary, and there is always some reason offered for why this is acceptable behavior. In some cases the corporation takes matters a step further and contacts other companies that were involved in the testing during which the vulnerability was discovered, threatening them with legal action as well if the information is released by anyone. This tactic generally causes enough concern among all parties that the matter is dropped rather than risk litigation. The corporation may still create a patch to resolve the issue, but no public disclosure is made of its security ramifications.

Public Disclosure

Because vendors release new patches almost daily, it is difficult for the public to know which patches are truly important. Most IT staff and diligent home users therefore watch for public notices about security related patches. Several organizations offer patch services based on security related patches, and a number of email lists give out information about new vulnerabilities and where the security patch can be found. If a patch is released but not listed as a fix for a security issue, the majority of these services will overlook it, and so it will not be applied by those who look to these services for guidance.

In addition, corporations do not apply every patch that is released. Mission critical servers, for example (generally the systems that house confidential data such as banking information, credit card numbers and sales transactions), are too critical to daily operations to risk applying a non-critical patch. Firewalls, routers, switches and other infrastructure on the corporate network are also seen as mission critical and must maintain 99.9% uptime. If a patch is released for any of these systems and is not identified as a critical security patch, in most cases it will not be applied. The theory of "if it ain't broke, don't fix it" applies perfectly here. In many cases a non-critical patch, once applied, has caused problems in other parts of the system and ultimately taken servers offline, which has made many administrators hesitant to apply any new patch unless absolutely necessary.

When an organization releases a patch and does not mention its security ramifications, it is guaranteeing that a large percentage of corporations in the US will not apply the patch with any urgency. As a result, critical systems are left exposed and vulnerable, unbeknownst to their system administrators.

Example cases

As an example, I notified a corporation that markets a firewall as never having had a single vulnerability about two separate vulnerabilities. One would allow anyone on the Internet to gain access to the firewall and take control of it. The second would allow anyone behind the firewall (on the internal network) to gain access to the firewall and take control of it. Both of these vulnerabilities would be seen as major issues by the public. The corporation responded that it had recently released a patch update for the product which would resolve the issues. The patch update was for some product enhancements and made no mention of security issues in the product. When the corporation was notified that an announcement would be sent to the public to warn them to be certain to apply this patch, its attorneys immediately contacted me and warned of serious legal ramifications were I, or the company I worked for, to publish or make any mention of these security issues to the public. To this day there is no mention of these major vulnerabilities, and this company continues to advertise that it has never had a vulnerability.

In another instance, I informed a corporation that offers an online banking application used by hundreds of banks throughout the United States of a security vulnerability. This issue could allow anyone with hacking knowledge to gain user names and passwords to online banking accounts at banks that use this application. The company made no real effort to respond to the issue for several weeks. Finally, feeling the company was making no effort to resolve the issue, we notified them that the banking industry would be made aware of it through a press release by our company. At that point our company was called and informed that legal action would be taken if this information was given out to anyone in the public, including anyone in the banking industry. This corporation subsequently contacted the bank that had originally hired us to test for potential security flaws on its network. The bank was told there could be legal action against it as well if my company released this information. To date this issue has not been made public. It has not been completely resolved at the time of writing, though the corporation has been aware of the problem for over a month.

Conclusion

Cyber-crime and cyber-terrorism cannot be reduced or eliminated while corporations are free to hide major security issues from the public that uses their software. Companies such as ours are not large enough to endure a legal battle with a billion dollar corporation, and so these issues are left to go undetected and unprotected by most. In a time when the United States is trying to stay one step ahead of cyber crime, it is dangerous and reckless that corporations such as these are using the legal system and other strong-arm tactics to prevent the distribution of necessary security warnings to an already poorly informed public.

If you enjoyed this article, be sure to check out Stickley's book "The Truth About Identity Theft".