responsible disclosure


I’ve tried and tried to avoid getting into the Tavis Ormandy debacle and the whole Irresponsible Disclosure Issue. I’ve voiced my opinion before and it hasn’t changed much, but as I continued to think about this I just had to put my 2 dollars into the ring again. I ranted a bit last night when Martin, Steve and I recorded episode 18 of the Southern Fried Security Podcast, and then just a few minutes ago I ran across this from the Register. I’ve always said that Full Disclosure is irresponsible and usually hurts more people than it helps, and I still believe that is the case. The full disclosure crowd says that it is the only way to get the vendors to respond and release a patch, and from time to time they are right, but by and large today that is NOT the case. Most vendors, especially the big ones, will work with the researcher and release a patch in a timely manner. If they don’t, then I’m much more amenable to releasing PoC or even a full exploit, but even then there has to be responsibility. Releasing vulnerability details puts people in danger of having their lives screwed with by others in ways that can drastically impact them in negative ways. Researchers are NOT the gods of the internet and they don’t have the right to say what vulnerabilities should and should not be released regardless of whether or not a patch is available.

Another argument that the full disclosure fans like to make is that the bad guys probably already know about it and are using it. That may be so, but in the vast majority of cases, IF they have exploit code, it is probably not being used except in limited cases. If it was, then there would be noise on the internet that would point to it. It’s better that it be used in limited cases than for it to be used on a large scale against anyone who happens to be unlucky enough to go to the wrong web site or click on the wrong link. Not to mention the fact that now, instead of being in the hands of a very few, it’s in the hands of anyone who wants it and, worse, available to every script kiddie who wants to make a name for himself.

Also, the argument that many in IT make, that knowing the details prior to a patch allows them to test their systems and put controls in place, doesn’t hold much water either. Why? Because many if not most companies don’t do this. They don’t even know that the details are available, and they don’t have the resources to use the information to protect themselves. So while a select few may be a little better protected, the vast majority (including almost 100% of consumers) are left wide open to attack. Is this the best way to secure the internet? I don’t think so.

People’s finances, reputations and ability to use the internet for legitimate purposes are at stake. When exploit code, PoC code and full details about vulnerabilities are released in an irresponsible manner, then you are increasing the threat landscape and not helping it like you claim to be doing. You are putting them in danger that most likely they would not face if you had acted in a responsible manner. Are you willing to reimburse them for the money that is taken out of their account? Are you willing to go to jail for them b/c their infected system (thanks to you) is now housing child porn? Are you willing to explain to their wife why all of a sudden porn is being shown to the kids when they try to go to pbskids.com? Are you willing to pay them the salary they lost because their compromised computer caused them to lose their job? I didn’t think so. And don’t give me the argument about good forensics being able to clear them b/c in most cases that is not going to happen. Most individuals are not going to hire a forensic expert to prove to their wife that they weren’t looking at porn. Most won’t even know it’s an option. I’d venture to say that most companies, especially small ones, aren’t going to hire a forensics expert to see if what you were doing was you or malware.

In today’s world, where much of what happens happens in electronic format and happens on computers that are connected to most every other computer in the world, you are messing with people’s lives when you release this kind of information in an irresponsible manner. So what is irresponsible? I can’t define that completely, but I can say that when you don’t give a vendor an opportunity to get a patch out you are practicing irresponsible disclosure.

What is responsible disclosure? That is a question that has not and will not be answered. It all depends on who you ask. One researcher will give one answer and another will give another answer. The same goes for those who work in other areas of information technology and information security: networkers and developers, security pros and server admins. All will give different answers depending on their view of information security and the importance of discovering flaws and disclosing them.

The key word in this discussion is “responsible”. Unfortunately even responsible doesn’t mean the same thing to everyone. I guess in reality the word responsible can/does have a moving definition. If you find a vulnerability and it will take lots of skill, special tools and lots of money to exploit it on a wide scale, then the risk of it being exploited is pretty low and disclosing it w/o going to the vendor is not as big a deal. On the other hand, if the opposite of those things is true and you disclose without giving the vendor a chance to fix it, that is irresponsible. Those are the two extreme sides of the debate. It’s all the stuff in the middle that causes the masses to argue over what is responsible and what isn’t.

Here is my take on this with some comments on the MBTA debacle thrown in.

  1. As Information Security Professionals it is our responsibility to act in a professional manner and to do all in our power to protect the company that we work for.
  2. If you are doing research on your own or for a company then you have a responsibility to protect your client or the company/vendor that you are researching.
  3. If you call yourself a White Hat researcher then you have a responsibility to act in a responsible manner for all computer users.
  4. Responsible disclosure means that you give the vendor/company time to fix the issue before going public with it.
  5. The argument that vendors are not responsive when a vulnerability is given to them is flawed because this is not the case most times.

In this instance the MIT students didn’t act responsibly in several of these areas. #2, #3 and #4 were all ignored for the most part. Giving a company 4 days advance notice is hardly responsible. Although there is some rumor floating around that the MBTA did have notice of some of the issues several months ago. Which, if you think about it, is true. They may not have known about this particular research from MIT, but it has been public knowledge that the Mifare RFID chip is vulnerable since the Dutch researchers wrote their paper about a year ago. Not to mention the fact that the London Oyster Card also used the same chip and it was announced a few months back that it had been hacked.

If anyone would expect that the MBTA would be able to fix this in a short period of time then they are sadly mistaken. An issue such as this involves much more than just changing the encryption on the card. The software and firmware used in the readers and encoders have to be changed. The database has to be modified, as well as the code in the vending machines that sell the tickets, and much more. There has to be testing and QA before it can be rolled out into production. Not to mention that getting new cards is not something that you can just run down to Wal-Mart and pick up. Especially when you are dealing with something as big as this. There are specs that have to be figured out and agreed upon between the MBTA and their fare collection vendor. Then they probably have to put out a bid on the new cards and give the card vendors time to submit proposals. Then they have to go through a selection process and then wait on a PO to be approved via their procurement process. Then they can place the order. Even at that point they are still not ready to go live. The vendor has to fill the order, and once the new cards are in there is still the whole process of replacing the old cards. This means that the new specs will have to be backward compatible with the old ones because they can’t just cut the old cards off and make everyone migrate to the new ones all in a day.

As things such as this and the DNS Metasploit exploit continue to happen, it makes me less and less of a fan of disclosure until after vendors have released a patch and adequate time for the patch to be installed has passed. I’m not there yet. I still think that there is a place for researchers to find flaws and get the word to the vendor so they can be fixed. I’m even in favor of researchers releasing exploits prior to a patch if the vendor is ignoring the issue AND the issue is not of a nature that can cause serious widespread pwnage.

I have to admit that one thing that I recently read makes a lot of sense. I don’t remember where I read it or who said it, so if you know, let me know so I can give them credit. Basically they said that instead of spending so much time looking for and focusing on vulnerabilities that have a very low risk to the public, let’s focus on fixing the ones we know about that do have the potential to cause serious problems. Let’s also focus on writing better code and deploying more secure applications and infrastructures. This is where we can make a difference. Let’s quit trying to make a name for ourselves by being the first to find something and make a name by being the ones who are willing to work together to make things better.