Vulnerability disclosure and government

The nasty remotely exploitable vulnerability in sendmail is covered in this week's Security Page. There is one aspect of this episode, however, which deserves a separate look: the involvement of the new U.S. Department of Homeland Security (DHS).

The disclosure of this vulnerability was, it seems, coordinated by the DHS Information Analysis & Infrastructure Protection Directorate. This is new: government agencies have not generally handled the response to vulnerabilities in the past. Given that the government's security interests have not always aligned all that well with everybody else's interests (consider the whole issue of cryptographic code), this involvement should be watched closely.

On the face of it, the sendmail disclosure was handled reasonably well. The process took a little while (the vulnerability was first discovered in December), but the information release went as it should. There were no early disclosures (which have occasionally been a problem in the past), and almost everybody was in a position to have an update available when the disclosure did happen. System administrators who are paying attention should not get hit when the vulnerability is (inevitably) exploited.

There is an interesting statement in InfoWorld's coverage of the disclosure process, however:

When Sendmail patches were ready, the coordinating team managed their release to the DoD, providing early protection to military sites on February 25 and 26, four days before the general public was informed, SANS said. Warnings were more widely issued to government groups in the U.S. and in other countries on February 27 and 28, including U.S. Cabinet level departments, national cyber security offices in other countries and Information Sharing and Analysis Centers (ISACs) for critical infrastructure, SANS said.

In other words, the military got to hear about the problem before anybody else, and the rest of the government also got a couple of days of lead time. The DHS put the needs of the government above those of everybody else, including "critical infrastructure companies."

Things worked out in the sendmail case. As the DHS gets itself established, however, we should be concerned about how it might handle vulnerabilities in the future. It does not take a great deal of paranoia to imagine that disclosure of some problems could be suppressed altogether. It is also not hard to imagine future regulations criminalizing the disclosure of vulnerabilities without governmental approval. After all, that is the sort of thing governments do, and the current U.S. administration is rather more inclined in that direction than many.

True information systems security requires disclosure of vulnerabilities. One can imagine a governmental role in the coordination of that disclosure to effect a quick and universal availability of patches - though it is far from clear that this role is truly necessary. But a high level of vigilance will be required to keep the governmental role from expanding to where it subverts the disclosure process altogether.

Vulnerability disclosure and government

Posted Mar 6, 2003 6:21 UTC (Thu) by grahammm (subscriber, #773) [Link]

The problem with having governments involved is that they almost invariably put their own interests first. Vulnerabilities do not just affect people in one country, so why should any ONE government control the disclosure?

Vulnerability disclosure and government

Posted Mar 6, 2003 8:38 UTC (Thu) by MathFox (subscriber, #6104) [Link]

I don't think any government can control (prevent) disclosure in this Internet age. It is too easy to get a few hints out to a reputable security researcher in another country.
What has happened here is that one government agency coordinated disclosure. Why shouldn't the Open Source community divert such boring tasks to an organisation suited for it?

Vulnerability disclosure and government

Posted Mar 6, 2003 11:52 UTC (Thu) by svachi (guest, #2177) [Link]

When Sendmail patches were ready, the coordinating team managed their release to the DoD, providing early protection to military sites on February 25 and 26, four days before the general public was informed, SANS said.

Here's what I think. DoD patches up the US sites, then releases a worm into the wild to cause havoc in rival countries, then releases information a day later. Blame crackers and bad timing for all the damage. A scenario for cyber-attack without getting hands dirty (at least in outsiders' eyes).

You know I hate the Bush Administration and the whole "homeland security" stuff when you read my post :-) Of course, I am not an American ;-)

Vulnerability disclosure and government

Posted Mar 6, 2003 15:59 UTC (Thu) by jeff@uclinux.org (subscriber, #8024) [Link]

"You know I hate the Bush Administration and the whole "homeland security" stuff when you read my post :-) Of course, I am not an American ;-)"

It is sometimes easy to have that point of view for those of us on the outside of the USA, but I can tell you from first hand experience that there are many US citizens that also have a balanced world view as well. And we can thank our lucky stars for that, not to mention giving them all the support possible to make sure Rights and Freedoms survive until this dark time passes and an Administration "...of and for the people" again takes the reins of power.

In the meantime, this particular security issue was handled without damage, but IMHO organizations outside the US are of even greater importance than usual in the role of watchdog and independent security auditor (with emphasis on independent).

Vulnerability disclosure and government

Posted Mar 6, 2003 17:02 UTC (Thu) by kunitz (guest, #3965) [Link]

This article raises a number of questions. Is somebody able to answer these?

Which authority has the US government, particularly a department of homeland security, regarding a problem that affects the security of computer systems around the globe?

Could you call the policy making of the department of homeland security regarding Internet security an act of global regulation without representation?

Is the United States liable for damages resulting from an information leak by their armed forces during the pre-publication period?

How smart is the ex ante information of the armed forces, given the fact that foreign intelligence activity is particularly strong there?

Vulnerability disclosure and government

Posted Mar 6, 2003 17:53 UTC (Thu) by johnchx (guest, #4262) [Link]

> Which authority has the US government, particularly a department of homeland security, regarding a problem, that affects the security of computer systems around the globe?

None at all. What authority do you believe was exercised? That is, who ordered whom to do what?

From the press accounts, it appears that Internet Security Systems, a private company headquartered in Atlanta, GA, decided to disclose a vulnerability it had discovered to a US government agency. It further decided not to disclose that vulnerability to anyone else for several months.

Now, it would be interesting if DHS actually ORDERED ISS not to disclose the vulnerability more widely, but there's no indication that this happened.

If someone is unhappy with the role that ISS chose to give DHS in managing the public disclosure of the vulnerability, they should probably take it up with ISS's board of directors.

> Are the United States liable for damages resulting from an information leak by their armed forces during the pre-publication period?

You mean legally liable? Probably not. It's quite difficult to sue a federal agency for money damages for anything. Sovereign immunity, and all that.

> Could you call the policy making of the department of homeland security regarding Internet security an act of global regulation without representation?

Well, I suppose you can call it anything you like. :-)

But seriously -- where's the regulation? Whose behavior was regulated? At most (and there's no indication that this happened) a US government agency ordered an American company not to disclose certain information. What's global about that?

What about Debian???

Posted Mar 6, 2003 18:07 UTC (Thu) by pflugstad (subscriber, #224) [Link]

I've read several accounts that the Debian project was NOT given a heads up about this and had to scramble when the announcement came out to get a bug fix out ASAP.

IMO, that's wrong. If you're going to warn other distros, such as Red Hat and SuSE, why not Debian? What, just because they don't pay taxes (they're non-profit) they don't get early warning? And what about the other distros that have sizeable installed bases - was Slackware warned ahead of time? What about Mandrake?

But then, how big an installed base do you need before you get these warnings ahead of the general announcement? That's quite a can of worms to open up. All of which argues for letting everyone know all at the same time. Picking and choosing who gets to be in the know and not is just going to lead to chaos, lots of exploits and more problems.

What about Debian???

Posted Mar 7, 2003 20:23 UTC (Fri) by Peter (guest, #1127) [Link]

I've read several accounts that the Debian project was NOT given a heads up about this and had to scramble when the announcement came out to get a bug fix out ASAP.

That would probably be because the Debian project doesn't have any actual "employees", so it might be hard to trust that the security team can keep their mouths shut. Sure, I trust the Debian security team with that sort of thing. But the US Dept of Homeland Security probably doesn't trust them. Debian is just a band of Communists, you know.

What about Debian???

Posted Mar 14, 2003 3:38 UTC (Fri) by MLKahnt (subscriber, #6642) [Link]

While I didn't get the Sendmail advisory from DHS, I did get one a couple days later on a different matter from an address I didn't recognise and did not connect with the US government or someone else I might presume as being authoritative, claiming to be a division of the Department of Homeland Security. It honestly left me wondering if someone was trying to coax me to install some strange patch without any idea of the credibility of the source. There wasn't even some attempt at using an authoritative encrypted signature such as with PGP or GPG.

I act on alerts from CERT and from Debian - DHS will need to work *hard* to earn my trust and respect.

DHS actions were a disaster, from Linux view

Posted Mar 8, 2003 15:52 UTC (Sat) by jschrod (subscriber, #1646) [Link]

I don't understand why everybody thinks the handling was good.

There was an email from SANS that I have deleted by now, and I cannot find it on their web site. This email presented a very good chronology of the actions. It mentioned that only companies were contacted by DHS. Only after CERT/CC got into the game (why haven't they been in from the start?!), distributors of free software systems got contacted. It was mentioned explicitly that this deferred the whole distribution of patches by another week. Even then, authors of popular distributions like Slackware and Debian were not notified. DHS has proven to ignore the free software world deliberately and concentrate only on proprietary vendors. And you call this good?

Last, but not least: the vulnerability was discovered in December. The sendmail team is said to have developed the patch within 4 hours. That the Unix and commercial Linux vendors need until March 3 (that's more than 2 months, folks!) to distribute patches -- this is a disaster for DHS, not a success! If this had happened to Microsoft, all Open Source sites would shout about the inability to handle a security incident properly -- and they would be right.

LWN, the premium Linux news site, should take a look at the Linux side of this security incident. It doesn't look good there, in particular with the ignorance of this important platform by DHS. DHS is to fight, not to congratulate. (Compare also this InfoWorld article about brain drain at DHS.)

Vulnerability disclosure and government

Posted Mar 9, 2003 17:57 UTC (Sun) by mikeh (subscriber, #5951) [Link]

Why wouldn't DHS make sure that defense and government systems are secure before the announcement is made? They would look like complete idiots if they announce a major vulnerability (for which patches finally exist) but had not done their job, which is making sure that systems they directly coordinate security with are actually secure when it's announced.

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds