<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: refusal]]></title>
    <link>http://securityratty.com/tag/refusal</link>
    <description></description>
    <pubDate>Mon, 07 Jan 2008 06:15:52 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Arkansas man posts county e-mail records in privacy fight]]></title>
      <link>http://securityratty.com/article/4e8905948b86289b8a5d9d7da1ea0141</link>
      <guid>http://securityratty.com/article/4e8905948b86289b8a5d9d7da1ea0141</guid>
      <description><![CDATA[An Arkansas resident is posting the internal e-mail records of various officials in the Pulaski County clerk's office on his Web site in retaliation for what he calls the county's refusal to remove...]]></description>
      <content:encoded><![CDATA[An Arkansas resident is posting the internal e-mail records of various officials in the Pulaski County clerk's office on his Web site in retaliation for what he calls the county's refusal to remove certain public documents containing Social Security Numbers from its Web site.]]></content:encoded>
      <pubDate>Tue, 09 Sep 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/county">county</category>
      <category domain="http://securityratty.com/tag/web site">web site</category>
      <category domain="http://securityratty.com/tag/pulaski county clerk">pulaski county clerk</category>
      <category domain="http://securityratty.com/tag/internal e-mail records">internal e-mail records</category>
      <category domain="http://securityratty.com/tag/public documents">public documents</category>
      <category domain="http://securityratty.com/tag/social security">social security</category>
      <category domain="http://securityratty.com/tag/arkansas resident">arkansas resident</category>
      <category domain="http://securityratty.com/tag/remove">remove</category>
      <category domain="http://securityratty.com/tag/calls">calls</category>
      <source url="http://www.networkworld.com/news/2008/091008-arkansas-man-posts-county-e-mail.html?fsrc=rss-security">Arkansas man posts county e-mail records in privacy fight</source>
    </item>
    <item>
      <title><![CDATA[No one ever gets fired for buying Cisco ...]]></title>
      <link>http://securityratty.com/article/3256b5e4e71b380bece2581987ecfb5f</link>
      <guid>http://securityratty.com/article/3256b5e4e71b380bece2581987ecfb5f</guid>
      <description><![CDATA[but I am not sure no one ever gets promoted either. Andy IT Guy had a good article up today called "You can use any vendor you want as long as it's Cisco", that talks about people who choose a Cisco...]]></description>
      <content:encoded><![CDATA[<div><img src="http://www.stillsecureafteralltheseyears.com/ashimmy/andy%20it%20guy.gif" style="MARGIN-TOP: 10px; FLOAT: left; MARGIN-BOTTOM: 10px; MAX-WIDTH: 800px; MARGIN-RIGHT: 10px"></img>... but I am not sure no one ever gets promoted either. Andy IT Guy had a good article up today called "<a href="http://andyitguy.blogspot.com/2008/05/you-can-use-any-vendor-you-want-as-long.html">You can use any vendor you want as long as it's Cisco</a>", that talks about people who choose a Cisco solution without really considering if it is the best solution for your own unique needs. Andy was inspired by an <a href="http://www.injoy.com/newsletters/leadership/content/issues/11_8/default.htm#1">article by John Maxwell</a> talking about Henry Ford's reluctance to build any car that was not black. This refusal to change ultimately cost Ford business. Andy has some great quotes in the article; here are a few:<br><br><em>1. <span face="Verdana">Evaluate them and make a choice based on what works best for you. If you don't answer these questions and just pick a solution based on who the vendor is, what it cost, it's the "industry standard", or how easy it is to deploy and maintain, then you are not solving a problem, you're just wasting money.<br><br>2. </span>It's our job and responsibility to make decisions based on what is best for the company. ... Just because it's considered 'industry standard' or it's made by a big company doesn't mean it's good for us.<br><br></em>and perhaps best of all:<em> <br><br>3. <span face="Verdana">So if you've fallen into this trap, step back and take a long, hard look at your selection process and refine it to best meet your needs. If it turns out that you still choose Cisco or whoever you would have chosen by "default" then that's great. However, if you discover that there are other vendors who can meet your needs better, then you have a feather to put in your hat. </span></em><br><br>Amen Andy! 
I wish that more people would have the insight to practice this. But the fact is that picking Cisco or IBM or what have you is the easy no risk choice. However, I also believe that picking the "safe choice" will come back to bite you now and again. I don't think it shows any initiative or concern about doing what is best for your company. I think the fast track to promotion and success is not choosing what the safe bet is, but what is the best bet for your needs.</div>
]]></content:encoded>
      <pubDate>Fri, 23 May 2008 17:55:48 +0000</pubDate>
      <category domain="http://securityratty.com/tag/cisco">cisco</category>
      <category domain="http://securityratty.com/tag/cisco solution">cisco solution</category>
      <category domain="http://securityratty.com/tag/choose cisco">choose cisco</category>
      <category domain="http://securityratty.com/tag/solution">solution</category>
      <category domain="http://securityratty.com/tag/industry standard">industry standard</category>
      <category domain="http://securityratty.com/tag/andy">andy</category>
      <category domain="http://securityratty.com/tag/choose">choose</category>
      <category domain="http://securityratty.com/tag/solution based">solution based</category>
      <category domain="http://securityratty.com/tag/bet">bet</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/296978195/no-one-ever-get.html">No one ever gets fired for buying Cisco ...</source>
    </item>
    <item>
      <title><![CDATA[Stopbadware Scolds Apple Over Safari Carpet Bomb]]></title>
      <link>http://securityratty.com/article/51dfe6da4d28ed90c543246861077239</link>
      <guid>http://securityratty.com/article/51dfe6da4d28ed90c543246861077239</guid>
      <description><![CDATA[From Network World
An antimalware organization has called on Apple to beef up its Safari Web browser to protect users from exploits that could let attackers download malicious code to a Mac or Windows...]]></description>
      <content:encoded><![CDATA[<p>From Network World:</p>
<blockquote><p>An antimalware organization has called on Apple to beef up its Safari Web browser to protect users from exploits that could let attackers download malicious code to a Mac or Windows user&#8217;s desktop.</p>
<p>Stopbadware.org, a group founded by Google, Chinese computer maker Lenovo Group and Sun, on Monday asked Apple to reconsider its refusal to address the flaw as a security problem. </p>
<p>&#8220;StopBadware.org believes that users should have control over software being downloaded to their computers, and we encourage Apple to reconsider its stance and treat this as the security issue that it is,&#8221; Stopbadware.org said in an appeal posted to its Web site. </p></blockquote>
<p>Read on.<br />
<a href="http://www.networkworld.com/news/2008/052108-anti-malware-group-scolds-apple-over.html"><br />
Article Link</a></p>
]]></content:encoded>
      <pubDate>Fri, 23 May 2008 14:11:43 +0000</pubDate>
      <category domain="http://securityratty.com/tag/apple">apple</category>
      <category domain="http://securityratty.com/tag/users">users</category>
      <category domain="http://securityratty.com/tag/stopbadware">stopbadware</category>
      <category domain="http://securityratty.com/tag/windows users desktop">windows users desktop</category>
      <category domain="http://securityratty.com/tag/encourage apple">encourage apple</category>
      <category domain="http://securityratty.com/tag/security issue">security issue</category>
      <category domain="http://securityratty.com/tag/protect users">protect users</category>
      <category domain="http://securityratty.com/tag/safari web browser">safari web browser</category>
      <category domain="http://securityratty.com/tag/org">org</category>
      <source url="http://feeds.feedburner.com/~r/Liquidmatrix/~3/296739019/">Stopbadware Scolds Apple Over Safari Carpet Bomb</source>
    </item>
    <item>
      <title><![CDATA[What If All Vulnerabilities Had This Disclosure Timeline?]]></title>
      <link>http://securityratty.com/article/42bf5d84a0aee3e867eaf95f6c505d44</link>
      <guid>http://securityratty.com/article/42bf5d84a0aee3e867eaf95f6c505d44</guid>
      <description><![CDATA[There is a heap overflow vulnerability in RealPlayer 11 build 6.0.14.74. It allows for code execution when RealPlayer opens a malicious song file
Timeline
Dec 16, 2007: Gleg customers notified of...]]></description>
      <content:encoded><![CDATA[<p>There is a heap overflow vulnerability in RealPlayer 11 build 6.0.14.74. It allows for code execution when RealPlayer opens a malicious song file.</p>
<p><strong>Timeline</strong></p>
<p>Dec 16, 2007: Gleg customers notified of vulnerability and given exploit code</p>
<p>Jan 1, 2008: <a href="http://gleg.net/realplayer11.html">Public disclosure (no details) with online demonstration</a></p>
<p>Feb 6, 2008: Vulnerability still not patched</p>
<p>It&#8217;s not your typical disclosure time line. In recent years we have become accustomed to a disclosure time line that goes something like this:</p>
<p><strong>Typical Timeline</strong></p>
<p>Dec 16, 2007:  Vendor notified of vulnerability and given exploit code</p>
<p>Feb 6, 2008: Public disclosure with details and vendor patch available</p>
<p>Feb 7, 2008: Some customers patched</p>
<p>We don&#8217;t know when this unpatched RealPlayer vulnerability was introduced into the code.  It has probably been latent for many months.  Real&#8217;s customers were vulnerable as soon as they downloaded this version of RealPlayer.  Certainly, Real needs to increase its efforts to reduce security vulnerabilities in its shipping products. Still, the first disclosure time line is troubling.</p>
<p>Gleg knew how to reproduce this problem at least a month before yet they didn&#8217;t tell the vendor, just their customers.  It&#8217;s unclear what benefit Gleg&#8217;s customers get from the vendor not knowing this information unless they use this information to compromise other systems, especially with this being a client side vulnerability.</p>
<p>In an <a href="http://www.eweek.com/c/a/Security/Caught-in-a-Real-Security-Bind/">eWeek article, Gleg's founder explains</a>:</p>
<blockquote><p>Gleg founder Evgeny Legerov confirmed his company&#8217;s refusal to share the RealPlayer exploit details, arguing that he needs &#8220;exclusivity&#8221; for a few months to help his customers understand the level of risk they face.</p></blockquote>
<p>I guess I don&#8217;t quite get it.  Without being a Gleg customer, even from the minimum information available, I already know I need a fixed RealPlayer, and until then I need to block these files at my perimeter and disable RealPlayer.  I know that users with RealPlayer 11 installed will undoubtedly stumble across a malicious music file and their system will have a bot installed running with their logged-in privilege level.  I&#8217;m not sure what additional value I would get as a Gleg customer.</p>
<p>Now, on the other hand, Real could simply become a Gleg customer, pay for the exploit, run it in their lab and diagnose the vulnerability.  Then they could fix the vulnerability and we would have a time line closer to the second one.  Still, I don&#8217;t see the value, even in this scenario, of more organizations than the vendor knowing about the vulnerability details and getting the exploit.</p>
<p>A protocol that better protects the security of our software ecosystem would be for vulnerability finders to contract directly with the vendor to find vulnerabilities.  Customers of the vendor could get high level summary information that the vulnerability exists and its type so they could weigh the risks of using the product and the vendor would get the details they need to remediate the vulnerability.</p>
<p>The above is how Veracode&#8217;s <a href="http://www.veracode.com/solutions/buying-software.html">Vendor SecurityReview</a> service works. Customers that are concerned about the security of software they are purchasing use Veracode as a third-party assessment service.  We will contact the vendor and have them upload their software binary executable to our portal. We analyze the software and deliver a detailed report of the security issues we find in the code.  We also generate a summary report for the customer to understand the security risks of the software.</p>
<p>A cooperative solution is a much safer way for customers to understand the risks of the code they run. After all, do you want to know about just one vulnerability, or see the summary of a comprehensive assessment? A cooperative solution also promotes good security hygiene on the vendor side.  We have found that once vendors know that their big customers are using Veracode&#8217;s Vendor SecurityReview service, they are more likely to proactively start doing security testing within their SDLC.  A vendor can&#8217;t bluff their way out of a comprehensive code assessment like they can from just a single (or a few) vulnerabilities publicly reported.  If their code is full of vulnerabilities, their customers will know.</p>
<p>UPDATE 2/09/08:  It seems the RealPlayer vulnerability being used in mass website attacks <a href="http://isc.sans.org/diary.html?storyid=3810">as reported by SANS ISC</a> is not the same vulnerability as the unpatched Gleg RealPlayer vulnerability. As far as we know, knowledge of this vulnerability is not being used in current attacks.</p>
]]></content:encoded>
      <pubDate>Wed, 06 Feb 2008 23:08:33 +0000</pubDate>
      <category domain="http://securityratty.com/tag/vulnerability finders">vulnerability finders</category>
      <category domain="http://securityratty.com/tag/vulnerability">vulnerability</category>
      <category domain="http://securityratty.com/tag/vulnerability exists">vulnerability exists</category>
      <category domain="http://securityratty.com/tag/heap overflow vulnerability">heap overflow vulnerability</category>
      <category domain="http://securityratty.com/tag/gleg realplayer vulnerability">gleg realplayer vulnerability</category>
      <category domain="http://securityratty.com/tag/gleg customer">gleg customer</category>
      <category domain="http://securityratty.com/tag/customer">customer</category>
      <category domain="http://securityratty.com/tag/gleg">gleg</category>
      <category domain="http://securityratty.com/tag/exploit code">exploit code</category>
      <source url="http://www.veracode.com/blog/?p=78">What If All Vulnerabilities Had This Disclosure Timeline?</source>
    </item>
    <item>
      <title><![CDATA[Lessons from the Norwegian ATM System]]></title>
      <link>http://securityratty.com/article/b8055335c6e45ab02cf6b285785cc57d</link>
      <guid>http://securityratty.com/article/b8055335c6e45ab02cf6b285785cc57d</guid>
      <description><![CDATA[This case study focuses on real-world ATM card misuse, illustrating how too much secrecy led to a deterioration of PIN-based authentication procedures, and why a bank's refusal to share technical...]]></description>
      <content:encoded><![CDATA[This case study focuses on real-world ATM card misuse, illustrating how too much secrecy led to a deterioration of PIN-based authentication procedures, and why a bank's refusal to share technical information is a threat to a customer during a conflict.]]></content:encoded>
      <pubDate>Mon, 07 Jan 2008 06:15:52 +0000</pubDate>
      <category domain="http://securityratty.com/tag/share technical information">share technical information</category>
      <category domain="http://securityratty.com/tag/secrecy led">secrecy led</category>
      <category domain="http://securityratty.com/tag/authentication procedures">authentication procedures</category>
      <category domain="http://securityratty.com/tag/study focuses">study focuses</category>
      <category domain="http://securityratty.com/tag/threat">threat</category>
      <category domain="http://securityratty.com/tag/refusal">refusal</category>
      <category domain="http://securityratty.com/tag/conflict">conflict</category>
      <category domain="http://securityratty.com/tag/bank">bank</category>
      <category domain="http://securityratty.com/tag/customer">customer</category>
      <source url="http://www.pheedo.com/click.phdo?i=750a771ca927b1eda7729d8af33cde8a">Lessons from the Norwegian ATM System</source>
    </item>
  </channel>
</rss>
