Cashing in on Vaporware
Thu Apr 19 09:17:21 MDT 2001
Jericho
"The CERT Coordination Center is a center of Internet security
expertise", and they have a new product to sell you. Only it isn't really
new - and it was never a stellar product to begin with.
For years, CERT has been a federally funded group handling incident
response, vulnerability analysis and publication of security alerts. They are
perhaps best known for their advisories, which enjoy a wide distribution.
The Product: Advisories
Many in the security community dismiss the CERT advisories as either old news
or too vague to be of any practical use.
The two major faults continually seen in their
work are tardiness and complete lack of detail.
CERT advisories often
come weeks or months after the information has been made public in other forums such as
Bugtraq or mainstream news outlets.
For those in the security field who keep an eye on both sides of the fence,
the notion that CERT provides useful information is a bigger joke.
There have been many cases where vulnerabilities with working exploit code
circulated in both underground and public security circles for months (in a few
cases, years) before CERT responded with an advisory.
This was seen with various Solaris RPC exploits, multivendor
POP/IMAP exploits, and more recently with WU-FTP exploits. While some hackers are
abusing these vulnerabilities and compromising
a wide variety of hosts, CERT is often not aware of the vulnerability until they begin
to correlate incident reports.
Worse, when CERT finally manages to
release an advisory, it is vague and offers
no technical details about the vulnerability.
This prevents some administrators from being able to
mitigate the risk with an efficient and effective solution.
Essentially, it forces administrators to make drastic changes to their network,
break necessary functionality, wait for a patch that may be weeks away, or
audit tens of thousands of lines of source code to find out exactly where
the problem is and if it truly affects them. Administrators are further
burdened with trying to convince management or
developers of the necessity for downtime without any facts to justify it.
The Product: Incident Handling and Response
Simple and straightforward. In their own words:
"The CERT/CC is a major reporting center for Internet security problems. Staff members provide technical assistance and
coordinate responses to security compromises, identify trends in intruder activity, work with other security experts to
identify solutions to security problems, and disseminate information to the broad community. The CERT/CC also analyzes product
vulnerabilities, publishes technical documents, and presents training courses."
In order to examine and report on computer intrusion and security incidents, you have
to have knowledge of them. The bigger your dataset (reported incidents) is, the better
the analysis should be. For a body such as CERT, receiving any report of a computer security
incident benefits them.
In the process of running a mirror that archives and records defaced web
sites (a computer security incident), we took it upon ourselves to notify
CERT of the intrusions as we learned about them.
As we take a mirror of a defaced site, we send mail to CERT
to let them know the site that has been compromised with the same information
that is sent to our
defaced-l mailing list.
In response to our mail, they politely asked us NOT to report such
incidents to them. Only after quoting their posted mission statement and
questioning such an action did they finally agree to receive our mail.
- CERT asks us to stop sending incident reports
- I question their mail
- I quote their web page and ask for clarification
- CERT responds and changes their stance
Selling Out Without a Product
Original Article: http://interactive.wsj.com/articles/SB987631116473064994.htm
Better copy: http://www.msnbc.com/news/561513.asp
Government's CERT Plans to Sell
Early Warnings on Web Threats
By TED BRIDIS and GLENN SIMPSON
WASHINGTON -- One of the U.S. government's front-line defenses against
cyber-sabotage will begin selling its early warnings about the latest
Internet threats, something it used to share only with federal agencies.
The shift comes as the taxpayer-funded CERT Coordination Center, formerly
known as the Computer Emergency Response Team, joins a prominent electronics
trade association to form a new "Internet Security Alliance."
The effort, to be announced here Thursday, would distribute up-to-the-minute
warnings to international corporations about cyber-threats, offer security
advice and ultimately establish a seal program to certify the security of
companies' computer networks. Companies would pay $2,500 to $70,000
annually, depending on their revenue, and in exchange would receive warnings
about new Internet threats generally 45 days before anyone else.
[snip..]
Under its new agreement, CERT would continue to provide those early
confidential warnings to the Defense Department and the General Services
Administration, but also would offer them to alliance members. CERT would
continue to issue its free, public alerts after 45 days -- a practice that
has drawn criticism because of the imposed delay.
Security is a game of windows; windows based on time. The window begins when
a vulnerability is found and an exploit created, and ends for a given person/system
when it is patched and resolved. CERT has consistently demonstrated that they enter
the picture long after a vulnerability is discovered, even if it was made public on Bugtraq
or another forum. They offer their advisories at the end of the window, typically at the same
time as the vendor or a third party is releasing theirs.
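The window model above can be made concrete. The following is an added example, not part of the original article: it takes a constructed timeline for one hypothetical vulnerability (the dates and event names are assumptions, not taken from any real advisory) and computes how long a system stays exposed depending on which channel its administrator first hears from, and how much exposure a fixed 45-day publication delay adds for readers who must wait for the public alert.

```python
from datetime import date, timedelta

# Constructed timeline for one hypothetical vulnerability (illustrative dates only).
TIMELINE = {
    "exploit_in_circulation": date(2001, 1, 5),   # working exploit seen in underground/public circles
    "public_disclosure":      date(2001, 2, 1),   # first public post, e.g. a Bugtraq thread
    "vendor_patch_available": date(2001, 3, 10),  # vendor ships a fix
    "cert_public_advisory":   date(2001, 4, 1),   # free public advisory finally appears
}


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def days_between(timeline, start_event, end_event):
    """Length in days of the window between two named events on the timeline."""
    return (timeline[end_event] - timeline[start_event]).days


def exposure_window(timeline, first_heard, patched):
    """Exposure for one administrator who first learns of the bug via the
    `first_heard` event and has the fix in place on `patched`.

    The window opens when an exploit exists, not when the admin hears about
    it, so everything before `first_heard` is exposure the admin did not
    know about and could not act on."""
    opened = timeline["exploit_in_circulation"]
    heard = timeline[first_heard]
    patched = _as_date(patched)
    return {
        "unknown_exposure_days": (heard - opened).days,
        "known_exposure_days": (patched - heard).days,
        "total_exposure_days": (patched - opened).days,
    }


def delayed_public_alert(private_alert, delay_days=45):
    """Date on which a non-paying reader receives an alert that paying
    members got on `private_alert`, under a fixed publication delay."""
    return _as_date(private_alert) + timedelta(days=delay_days)


def compare_readers(timeline, member_alert, delay_days=45, fix_lead_time=2):
    """Exposure for two admins who each patch `fix_lead_time` days after being
    told: a member warned on `member_alert`, and a public reader warned
    `delay_days` later. The difference is exposure created purely by the delay."""
    member_alert = _as_date(member_alert)
    public_alert = delayed_public_alert(member_alert, delay_days)
    opened = timeline["exploit_in_circulation"]
    member_patched = member_alert + timedelta(days=fix_lead_time)
    public_patched = public_alert + timedelta(days=fix_lead_time)
    return {
        "member_exposure_days": (member_patched - opened).days,
        "public_exposure_days": (public_patched - opened).days,
        "delay_added_days": (public_patched - member_patched).days,
    }


if __name__ == "__main__":
    print("exploit -> public disclosure:",
          days_between(TIMELINE, "exploit_in_circulation", "public_disclosure"), "days")
    print("public disclosure -> CERT advisory:",
          days_between(TIMELINE, "public_disclosure", "cert_public_advisory"), "days")
    print("admin reading Bugtraq:", exposure_window(TIMELINE, "public_disclosure", "2001-02-03"))
    print("admin waiting for CERT:", exposure_window(TIMELINE, "cert_public_advisory", "2001-04-03"))
    print("member vs public with 45-day delay:", compare_readers(TIMELINE, "2001-02-15"))
```

Run it as a script to see the three reports; the point it makes is that the only window an administrator can shorten is the part after they hear of the problem, so a channel that reports late or withholds detail leaves the unknown portion of the window untouched no matter how fast the site patches.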
With that in mind, consider what they are selling now: already dated
information that is almost always public in some other fashion or forum. Unless CERT overhauls their
advisories and provides more information, customers will receive belated, vague details
of a vulnerability the bad guys have known about for months and which might affect their
network, with little or no practical information as to how to effectively guard against it.