Disclosure/Non-Disclosure - PowerPoint PPT Presentation

About This Presentation
Title: Disclosure/Non-Disclosure

Description: Disclosure/Non-Disclosure Case Study Observations, prepared by Scott Sakai, Mansi Shah, Kevin Walsh, and Patrick Wong – PowerPoint PPT presentation

Slides: 28
Learn more at: https://cseweb.ucsd.edu

Transcript and Presenter's Notes


1
Disclosure/Non-Disclosure
  • Case Study Observations
  • Prepared by
  • Scott Sakai, Mansi Shah,
  • Kevin Walsh, and Patrick Wong

2
Approach
  • Context created by course curriculum
  • Disclosure and Non-Disclosure Defined
  • Case studies
  • Observed practices and norms
  • Summary and conclusions

3
Introduction
  • Intro to computer security vulnerabilities
  • To disclose or not?
  • Is it illegal or unethical not to disclose a
    discovered vulnerability?
  • What practices are observed by industry in the
    case studies?
  • Questions to the audience: What appear to be the
    accepted norms?

4
Introduction (2)
  • Context of course
  • Ethical Codes: acceptable professional behavior
    in the computer industry
  • Lessig: Architecture, Market, Norms, Law
  • Brin: Transparency, criticism, accountability,
    authority, authentication, trust

5
Full Disclosure - What is it?
  • A security flaw that is
    • Released to the public immediately
    • Developed and discussed in a public forum
    • In general, brought to light before the public
      and vendors simultaneously (often before a vendor
      fix is available)

6
Full Disclosure - Pros
  • Levels the playing field
  • Motivates vendors to fix flaw
  • Lets knowledgeable users know what their program
    is doing

7
Full Disclosure - Cons
  • Makes exploiting vulnerability easier
  • Increases chance of compromise or crash
  • Potential loss of productivity
  • May result in incomplete fix

8
Non-Disclosure Defined
  • A security flaw that is
    • Held until the proper fixes are produced
    • Not to be shared in the public eye
  • Limited disclosure is a medium, defined by the
    company, where they disclose some information on
    the vulnerability

9
Non-Disclosure - Pros
  • Potential loss of market share
  • Company/product reputation
  • Undesirable exposure of underlying technology
    architecture
  • Liability for company (can cut both ways)

10
Non-Disclosure - Cons
  • False sense of security
  • Potential delay of fixes (both company and client)

11
Case Study 1: Ping of Death - overview
  • Exploit (late 1996): Sending large IP packets to
    a computer may crash it.
  • Stakeholders
    • Malicious individuals executing attack
    • Users who rely on vulnerable systems
    • Vendors of vulnerable systems
    • Public (relies on any of the above)

12
Case Study 1: Ping of Death - analysis
  • Classification: Full disclosure
  • Pros
    • More stable TCP/IP implementation
    • Similar exploits prevented
  • Cons
    • Lost data
    • Vulnerable systems may still exist
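
The Ping of Death crashed machines because early IP stacks reassembled fragments into a fixed buffer without checking that a fragment's offset plus its length stayed inside the 65535-byte maximum an IPv4 datagram may have, so a set of fragments claiming to extend past that limit overran the buffer. The "more stable TCP/IP implementation" listed as a pro above amounts to adding that check before copying. The following C is an added illustration written for this page, not code from the presentation or from any real kernel: the `ip_reasm` structure, `fragment_fits`, `reasm_add_fragment` and the fixed 20-byte header assumption are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Largest legal IPv4 datagram: the header's Total Length field is 16 bits. */
#define IP_MAX_DATAGRAM 65535u
/* Header length assumed by this illustration (IPv4 without options);
 * a real stack reads it from the IHL field. */
#define IP_HDR_LEN 20u

/* Constructed reassembly state: a buffer sized for the largest legal
 * datagram and a high-water mark of the bytes written so far. */
struct ip_reasm {
    uint8_t  data[IP_MAX_DATAGRAM];
    uint32_t high_water;
};

void reasm_init(struct ip_reasm *r) {
    memset(r, 0, sizeof *r);
}

/* The check the vulnerable implementations lacked. frag_offset_units is the
 * 13-bit Fragment Offset field (units of 8 bytes), payload_len the bytes of
 * data in this fragment. Computed in 32-bit arithmetic so the sum cannot
 * wrap. Returns 1 if header + offset + payload still fits a legal datagram. */
int fragment_fits(uint16_t frag_offset_units, uint16_t payload_len) {
    uint32_t start = (uint32_t)frag_offset_units * 8u;
    uint32_t end   = IP_HDR_LEN + start + payload_len;
    return end <= IP_MAX_DATAGRAM;
}

/* Copy a fragment into place only after the bounds check passes.
 * Returns 0 when accepted, -1 when the fragment is dropped. */
int reasm_add_fragment(struct ip_reasm *r, uint16_t frag_offset_units,
                       const uint8_t *payload, uint16_t payload_len) {
    if (!fragment_fits(frag_offset_units, payload_len))
        return -1;                         /* would overrun r->data */
    uint32_t start = IP_HDR_LEN + (uint32_t)frag_offset_units * 8u;
    memcpy(r->data + start, payload, payload_len);
    if (start + payload_len > r->high_water)
        r->high_water = start + payload_len;
    return 0;
}

int main(void) {
    static struct ip_reasm r;      /* static: ~64 KiB is too large for some stacks */
    static uint8_t payload[1480];
    memset(payload, 0xAB, sizeof payload);
    reasm_init(&r);

    /* Constructed ordinary fragment: offset 0, a 1480-byte Ethernet-sized piece. */
    printf("ordinary fragment: %s\n",
           reasm_add_fragment(&r, 0, payload, 1480) == 0 ? "accepted" : "dropped");

    /* Constructed oversized fragment: the maximum offset (8191 * 8 = 65528)
     * plus 49 bytes of data claims to end at byte 65597, past the 65535 limit. */
    printf("oversized fragment: %s\n",
           reasm_add_fragment(&r, 8191, payload, 49) == 0 ? "accepted" : "dropped");
    printf("bytes held after both: %u\n", (unsigned)r.high_water);
    return 0;
}
```

The oversized fragment is rejected before any copy takes place, and the high-water mark stays at the 1500 bytes of the ordinary fragment; without `fragment_fits` the second `memcpy` would write past the end of `r->data`.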

13
Case Study 1: Ping of Death - Issues
  • Ethical tests
    • Utilitarian: TCP/IP is more stable now -- ethical.
    • Golden Rule: It sucks when someone crashes your
      computer, so you shouldn't do it to them. --
      unethical
  • Legal issues
    • Denial of service attacks are illegal under CFAA
  • Saw the beginning of contemporary issues
    • International boundaries
    • Data integrity

14
Case Study 2: Microsoft IIS
  • June 99: eEye/Microsoft IIS Security
    Vulnerability
    • eEye finds a serious security flaw in IIS Server
    • eEye emails Microsoft and places warning
      bulletins, along with CERT
    • Microsoft does not respond to the emails or
      warnings
    • eEye discloses the vulnerability due to
      Microsoft's apathy.

15
Case Study 2: Microsoft IIS (2)
  • November 00: Microsoft's Anti-Disclosure Plan
    • Microsoft and 5 security companies decide to
      create an industry standard for disclosure.
    • Will draft a standard for notifying the public
      about newly-found software security bugs
    • Leading objective of the group will be to
      discourage "full disclosure" of security holes

16
Case Study 2: Microsoft IIS (3)
  • April 02: Microsoft's Practices Today
    • Trustworthy Computing Initiative started by a
      memo from Bill Gates; all employees are
      being trained in security
    • Microsoft placed a bulletin warning on ten of
      their IIS vulnerabilities
    • Both events are high profile in the area of
      security

17
Case Study 3: Felten vs. RIAA (1)
  • Hack SDMI Contest (Fall 2000)
    • Break 4 watermarks
    • Render watermarks undetectable without
      significantly degrading audio quality
  • Edward Felten Team
    • Broke all 4 technologies
    • RIAA threatened team with litigation through DMCA if
      team presented research to public
    • Felten sued RIAA to allow presentation of
      research
    • Case thrown out since DMCA does not apply to
      research

18
Case Study 3: Felten vs. RIAA (2)
  • Stakeholders
    • Professor Edward Felten Team
      • Crackers of digital watermark technology
    • Other researchers
    • RIAA
      • Record Industry
    • Secure Digital Music Initiative (SDMI)
      • Holders of the watermark contest
    • Verance
      • One of the watermark manufacturers
    • Public

19
Case Study 3: Felten vs. RIAA - analysis
  • Classification: Full Disclosure
  • Pros
    • Public learns truth: watermark technology fails
    • Watermark companies can learn from hacks and
      develop better technology
    • SDMI/RIAA learn technology doesn't work before
      full scale release of watermarked CDs
  • Cons
    • Verance's watermark compromised
    • DVD-Audio already in use in market, now easily
      hacked

20
Case Study 3: Felten vs. RIAA - Issues
  • Ethical tests
    • Rights: RIAA threat to sue Felten for presenting
      paper on hacking watermarks -- unethical
    • Utilitarian: Public learns that watermark
      technology doesn't work -- ethical
    • Utilitarian: Hackers learn of vulnerability in
      DVD-Audio through paper -- unethical
  • Legal Issues
    • Right to disclose SDMI watermark hack
    • Fear of litigation due to DMCA

21
Case Study 4: Malformed SNMP
  • Simple Network Management Protocol (SNMP)
  • Vulnerability reported by the Oulu University
    Secure Programming Group
  • Vulnerability concerned trap and request handling
  • Impact included DoS, service interruption, and
    unauthorized access and control

22
Case Study 4: Malformed SNMP (2)
  • Stakeholders
    • Equipment from over 250 manufacturers involved:
      3Com, Cisco, Compaq, Dell, Hewlett Packard,
      Lucent, IBM, iPlanet, Larscom, Lotus, Juniper,
      Nokia, Novell, Microsoft, Red Hat, Sun, Xerox
    • Potential impact critical to Internet and
      majority of government and commercial networks.

23
Case Study 4: Malformed SNMP (3)
  • Response and solution
    • CERT and CVE
    • Ethical test: text-book case of vendor
      notification and posted fixes
    • Majority of vendors post patches within three
      weeks of notice
    • Immediate work-around: non-catastrophic

24
Observed Industry Practices
  • Emergence of clearing house and response
    organizations: Computer Emergency Response Team
    (CERT), Common Vulnerabilities and Exposures
    (CVE), Responsible Disclosure Forum
  • Accepted as legitimate by industry and the
    customer

25
Observed Industry Practices (2)
  • Role of industry and mainstream press
  • Role of university and industry research groups
  • Evidence of industry, press, and buying public
    arriving at a sense of a norm
  • Norm legitimized through criticism

26
Summary and Conclusions
  • From case studies
  • Both non-disclosure and full disclosure can be
    ethical and unethical depending upon the tests
    applied
  • The rights test is not applicable in most
    contexts due to the timeliness of the legal
    system

27
Summary and Conclusions (2)
  • Movement of the Industry
    • Practices by major software corporations are
      moving from non-disclosure (and limited interest
      in security) towards full disclosure (and a much
      greater interest in software security).
    • Stakeholders following this trend: Microsoft, the
      281 manufacturers and organizations like CERT.