There are a few highly publicised vulnerabilities at the moment which haven't completely been disclosed and which, it is claimed, could threaten the whole Internet as-we-know-it. Only, when the vulnerabilities are finally disclosed, it seems that the whole incident has been somewhat Chicken Little.
There is growing concern that the self publicity and public grandstanding is beginning to hurt the whole idea of open disclosure and mature handling of vulnerabilities. Disclosing at a conference might help the conference organisers and be seen as a publicity boost to the presenter / discoverer, but are we to expect the average Information Security practitioner to attend every Information Security conference on the off chance that a self-aggrandiser will be presenting information on a vulnerability that may or may not actually be relevant?
Setting aside the venue for disclosure, the actual content of the vulnerabilities that have been disclosed via partial disclosure in recent months has not been enough to support the idea that partial disclosure is what we're going to have to get used to. This is especially the case once the hype circuit has been allowed to build up to the point that it seems the world is going to end if we all don't suddenly run out and fix the problem that has no public solution and no public definition.
If "ClickJacking" and Daminsky's DNS flaw are anything to go by, the idea that not disclosing is going to hide anything from the "bad guys" falls flat on its face. The same can be said of the TCP Denial of Service and Web application appliance vulnerabilities that are also being bandied about at the moment. What the discoverers tried (and are trying) to hide was quickly worked out by others who publicly speculated on open mailing lists, and enough information was leaked in the partial disclosures and online demonstrations (where they were provided) to give enough to go on for suitably skilled "bad guys" to find and target. Unfortunately, the baseline skill level required to find the vulnerability isn't high enough to effectively claim that the partial-disclosure works. Fortunately, there are plenty of script kiddies out there who are too lazy and unskilled to be able to find it on their own, but it only takes one who can in order for the approach to fail.
One of the most respected voices in Information Security, Fyodor, has singled out the recent TCP Denial of Service non-disclosure for special attention, using it to voice his displeasure at the increasing use of the non-Disclosure as a means of disclosing vulnerability data. Fyodor's opinion on partial disclosure is simply stated as "put up or shut up!".
Looking at the TCP Denial of Service vulnerability that has only partially been disclosed (Full Disclosure promised, later this month, at a Security Conference), Fyodor's assessment (and that of others) is that it has all been seen and done before - mostly by people who then didn't run around claiming the world was going to end. Fyodor steps through and explains how his particular take on the vulnerability (at least how he sees it) works and how it achieved the same goals.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. How to improve employee productivity in small and medium businesses
Discover the advantages of an open architecture multi-vendor network solution
Everything you need to know about email and web security (but were afraid to ask)
CRM your salespeople will love
Solve Exchange Mailbox Storage Issues Once and for All
Taking On Demand CRM Integration to the Next Level
Business Intelligence and Enterprise Performance Management: Trends for Emerging Businesses
IT Service Management Needs and Adoption Trends: An Analysis of a Global Survey of IT Executives
Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
Fortinet November Threatscape Report Shows Calm Before Holiday Storm 2008-12-05 16:00:00+11
Epicor® Cited as an Order Management Solutions Leader by Independent Research Firm 2008-12-05 15:52:00+11
F-Secure: Growth In Internet Crime Calls For Growth In Punishment 2008-12-05 13:00:00+11
International researchers gather in Sydney to preview the clever web 2008-12-05 09:48:00+11
Borderless corporate networks to shift focus to secure content management in Australia in 2009 2008-12-04 16:06:00+11
Discover the advantages of an open architecture multi-vendor network solution
View this webcast and discover the drivers for changing network design practices, why many organisations are changing their approach to network architecture and how enterprises should be moving forward with open architecture multi-vendor network solutions. Register now and learn how your business can maximize the business value of the enterprise network.
Buying Guides
Buying Guides
