Disclosure – the Debate Continues
With the dawn of networked computing, users were granted on-demand access to their data and computing infrastructure. This connectivity, of course, also increased their exposure to attacks. Attackers no longer required physical access to the machines or to portable media: establishing a connection to the network (PSTN, Tymnet, DATAPAC or the Internet) and knowing the target's network address accomplished the same task remotely. Thus began the information arms race between attackers and administrators. While one side gathered information for gaining access and circumventing restrictions, the other tried to patch vulnerabilities and protect its assets.
During this time, factions began to form as those with similar interests gravitated towards each other, producing groups that privately pooled their knowledge of new vulnerabilities. These groups of hackers (LOD, MOD, CDC, L0pht, Metal Shop) started releasing text files under collective banners, allowing those with access to such libraries to become proficient in the various tricks of the trade.
The administrators marched together in response, sharing advisories (Zardoz, Core 'Security Mailing') detailing the security risks associated with their networks and working with vendors to address the issues. In this cat-and-mouse game, each group adhered to a policy of non-disclosure for fear of aiding the other's efforts. This policy of non-disclosure left a large segment of the public entirely unaware of its exposure. The gap widened further when some vendors proved less concerned about the vulnerabilities and slow to respond with patches.
By the early '90s, it was clear that, with the increased dependence on computers and the rapid growth of computer networks, a central and open forum was needed: a forum where administrators, vendors, and researchers could share information about the growing number of vulnerabilities being discovered. Out of this need the first full-disclosure mailing list, Bugtraq, was created on Friday, November 5th, 1993. Bugtraq quickly became a fixture in the security community. On this list, administrators could get information about the latest vulnerabilities being discovered, researchers could post their findings, and vendors could be notified of vulnerabilities in their products.
Ten years later, in 2003, what was once a small niche market had grown into a full-fledged industry, as businesses realized how reliant they were on their IT infrastructure. During this time, a series of worms (W32.SQLExp.Worm, Sasser, W32.Blaster.Worm) and bots (W32.SpyBot.Worm, W32.Goabot) served as a painful affirmation of how critical that reliance had become.
At the same time, organized crime was stepping up its efforts to capitalize on insecure infrastructure. Fortunately, many vendors had created teams dedicated to handling externally reported vulnerabilities, and researchers had shifted towards practicing 'responsible disclosure'. Responsible disclosure tries to strike a balance between informing the public and giving vendors lead time to produce a patch, reducing the window of exposure during which attackers could learn of new attack vectors and target vulnerable users.
A short four years later, the debate on disclosure practices continues, profit-driven attacks try to stay off the radar, and non-disclosure is making a comeback. Rather than reporting their findings, some researchers are now choosing to keep the vulnerabilities private, sharing them only with customers who pay for their subscription-based services. Other researchers are choosing to sell their discoveries to for-purchase programs such as the Zero Day Initiative and the Vulnerability Sharing Club, which may or may not disclose them. Others still may decide to sell their discoveries directly to independent buyers through the newly created vulnerability auction house run by WabiSabi.
So it seems as though trends in disclosure may be coming full circle, but this time around both sides' motivation for non-disclosure is the desire for profit.
Message Edited by SR Blog Moderator on 06-19-2008 01:01 PM