[Infowarrior] - The Black Hat Wi-Fi exploit coverup?

Richard Forno rforno at infowarrior.org
Tue Aug 8 20:00:48 EDT 2006 

The Black Hat Wi-Fi exploit coverup
Tuesday August 08, 2006 (05:00 PM GMT)
By: Joe Barr

http://software.newsforge.com/article.pl?sid=06/08/08/1351256&from=rss

Commentary -- You've probably heard of full disclosure, the security
philosophy that calls for making public all details of vulnerabilities. It
has been the subject of debates among researchers, vendors, and security
firms. But the story that grabbed most of the headlines at the Black Hat
Briefings in Las Vegas last week was based on a different type of
disclosure. For lack of a better name, I'll call it faux disclosure. Here's
why.

Security researchers Dave Maynor of ISS and Johnny Cache -- a.k.a. Jon Ellch
-- demonstrated an exploit that allowed them to install a rootkit on an
Apple laptop in less than a minute. Well, sort of; they showed a video of
it, and also noted that they'd used a third-party Wi-Fi card in the demo of
the exploit, rather than the MacBook's internal Wi-Fi card. But they said
that the exploit would work whether the third-party card -- which they
declined to identify -- was inserted in a Mac, Windows, or Linux laptop.

How is that for murky and non-transparent? The whole world is at risk -- if
the exploit is real -- whenever the unidentified card is used. But they
won't say which card, although many sources presume the card is based on the
Atheros chipset, which Apple employs.

It gets worse. Brian Krebs of the Washington Post, who first reported on the
exploit, updated his original story and has reported that Maynor said,
"Apple had leaned on Maynor and Ellch pretty hard not to make this an issue
about the Mac drivers -- mainly because Apple had not fixed the problem
yet."

That's part of what is meant by full disclosure these days -- giving the
vendor a chance fix the vulnerability before letting the whole world know
about it. That way, the thinking goes, the only people who get hurt by it
are the people who get exploited by it. But damage to the responsible
vendor's image is mitigated somewhat, and many in the security business seem
to think that damage control is more important than anything that might
happen to any of the vendor's customers.

Big deal. Publicly traded corporations like Apple and Microsoft and all the
rest have been known to ignore ethics, morality, any consideration of right
or wrong, or anything at all that might divert them from their ultimate
goal: to maximize profits. Because of this, some corporations only speak the
truth when it is in their best interest. Otherwise, they lie or maintain
silence.

I asked Lynn Fox, Apple's director of Mac public relations, two very direct
questions.

    1. Are Apple MacBook users at risk using their built-in Wi-Fi
capability?

    2. Is Krebs' Washington Post report about Apple pressuring researchers
not to reveal a MacBook Wi-Fi vulnerability/exploit accurate?

I've received no response to that query. Nor do I expect one.

Why don't the researchers disclose what they know anyway? They are not, as
far as we know, on the payroll of Apple or the hardware vendor making the
Wi-Fi gear. I got a clue about a possible reason while chatting with "dead
addict," one of the original organizers of DEFCON.

"dead addict" reminded me of the big blow-up at Black Hat last year, when
Cisco was threatening to shut down the conference in its entirety if part of
a scheduled presentation on a Cisco exploit wasn't removed. By a strange
coincidence, ISS and one of its employees was involved in that situation,
too. The researcher, Michael Lynn, resigned from ISS and then gave the
presentation anyway.

That act threw Cisco and ISS into a stone cold fury. Injunctions were filed,
and the FBI was called in. To me it looks like every legal maneuver those
bad boys at corporate could dream up were hurled at Lynn and Black Hat.

To protect Cisco's customers? I don't think so. Cisco's customers would have
been better served with the truth, not a coverup.

The point "dead addict" was making is that some researchers can afford to
leave their jobs, or be fired, or be arrested, and some can't. Those are
pretty good reasons not to speak out. They are also a testament to how
corrupt and rotten our system is, when corporate greed and gluttony trump
virtue, and the FBI acts as corporate muscle.

I tried to query Maynor on the subject, to ask him if Krebs' reporting that
pressure from Apple kept him from identifying the MacBook hardware as being
vulnerable to the exploit he demoed at Black Hat was correct. He hasn't
answered either, and I can't say that I blame him. Not everyone can afford
to act like Michael Lynn.

At press time, millions of end users may be using Wi-Fi so insecure that an
attacker could install a rootkit on their system in less than a minute.
Those who know, or at least claim to know -- the researchers, Apple, and
perhaps ISS -- are keeping mum, for reasons known only to Baud and their
lawyers. So at the moment, Apple's current ad campaign about being more
secure than Windows is being kept safe from harm.

But what about the users? Who speaks for them? Remember, we are not talking
about a matter of a few days. This exploit has been trumpeted in the press
at least since June 22, when Robert McMillan first reported on it and the
fact that it would be disclosed at Black Hat. Presumably, the researchers,
or ISS, would have notified the responsible vendors prior to publication of
that story.

If any laptops are compromised as a result of the cone of silence that
apparently has been slapped down on this issue, their lawyers may choose to
call it something other than faux disclosure. Maybe something like depraved
indifference.

More information about the Infowarrior mailing list