Re: [Full-Disclosure] Sapphire worm POC that fulldisclosure policies hurt everyone

From: yossarian (yossarian@planet.nl)
Date: 01/26/03

    From: "yossarian" <yossarian@planet.nl>
    To: <full-disclosure@lists.netsys.com>
    Date: Sun, 26 Jan 2003 21:57:02 +0100
    

    > I hear a lot of arguments put out by the naive in favor of fulldisclosure
    > of vulnerability information. But the fact is, fulldisclosure policies hurt
    > everyone, and this time, they have wreaked havoc across the entire internet.
    > The ms-sql vulnerability has been known to the public for six months. If the
    > fulldisclosure philosophy were correct, the vulnerability would have been
    > patched by the vast majority of admins out there. However, that isn't what
    > happened. Thousands of machines were compromised and it led to a massive
    > internet-wide loss of service.

    Who is naive here? It doesn't hurt me that MS SQL servers fall over. If my
    bank will get hurt by this virus, I will choose a bank that can be trusted.
    Funny thing is, my bank is spending a lot of money and effort in preventing
    this, and is successful at it. My guess is that shooting the messenger is
    naive.

    It might be a flaw in fulldisclosure policy that the responsible admins
    don't read them, and irresponsible ones do. It is a major flaw in cars that
    people who are not good drivers can drive in them. Full disclosure does not
    enable viruses. It IS a matter of timing, of course; posting a full exploit
    on the 1st day it is discovered might be a bit over the top. But then
    again, it is the first day YOU know it is there; others might have known for
    ages. Example: at DefCon 2000, the trust factory went full disclosure, more
    or less, on an exploit in Lotus Notes. It was said to be unbreakable, rock
    solid etc., for years. This very same hole had been exploited earlier; I and
    many colleagues with me had seen it in 1998 or 1999, when it was used
    against a bank and a car manufacturer. We didn't disclose it, maybe no one
    did, but the bottom line is that it had been used way before disclosure. Most
    stories don't hit the press, most vulns are not reported, and eventually
    forgotten. But they are also never fixed. If you say don't disclose, you are
    fighting the lesser evil. As a researcher, you find large numbers of holes.
    It is just a matter of time and effort. The lesser evil is computer viruses.
    The bigger menace might well be digital armageddon. I don't think it is
    possible today, but it will be some time in the future. Someone can shut
    down the power grid, probably with a targeted computer virus. Remember,
    digital warfare will most likely be a form of economic warfare, unless
    integrated warfare will be vulnerable. It certainly will, but it is not
    there, yet. The Pentagon is working toward it, which means that soldiers can
    command landmines to move to another spot - over TCP/IP. Sounds silly, but
    some people are building this; it is not SF. If the vulnerabilities of the
    used technologies are not known, high tech countries will be attacked by
    their own smart weaponry.
    Compared to some ATMs out of order, this might well be digital armageddon.
    But no, we don't want to strengthen our defences, since there will be
    collateral damage, since companies continue to employ incompetent people.
    What is worse, the internet completely down today, or say in ten years' time
    with all the new dependencies, maybe including SDI and military early
    warning systems, and certainly including the power grid, hospital support -
    not just PC - systems and all telephone communications?

    > There are a lot of attacks against the competency of administrators who
    > failed to put their databases behind their firewall, and also failed to
    > patch their machines, but fulldisclosure operates on the assumption that all
    > administrators are going to find out about the bug and patch their machines.
    > The fulldisclosure philosophy is flawed.

    Well, if you use legit software, you are paying for support and supposed to
    follow the instructions of the manufacturer. If you don't, who is to blame?
    It is like not following your doctor's advice. All admins should do their
    jobs properly, because that is what they are paid for. The information is
    free, it is out there, very easy to get, but no, since not all the people
    read it, FD doesn't work? The sad truth is that many admins are incompetent.
    Finding out about a bug, especially if it is MS or some other major
    company's software, is very, very easy. Or would you dare to call people who
    don't read the supplier's advice (or the manuals) competent?

    > The vast majority of those reading this message probably won the
    > scriptkid/admin race of patching vs being compromised. But today, that
    > didn't stop the destructive power of this worm. Today's denial of service
    > was mostly caused by smaller enterprises with less competent administrators.
    > The message is "pay up to the security consultants or your machines get
    > owned". I would be more okay with this if it were just the machine's owners
    > that got affected, but it's the entire internet. Get a clue, your actions
    > have consequences.

    Duh, what a race, if you are more than six months behind. It doesn't take
    six months to write a virus. The consequence of no disclosure, because that
    IS what you are advocating, is that systems will never get fixed. See my
    rant about digital armageddon.

    It is not "pay up to the security companies" but just use the software you
    understand. A fool with a tool is a dangerous fool. If a smaller company
    decides to use a tool it cannot control, it is stupid. But you don't need a
    security consultant to apply a fix; well, I sincerely hope that any admin can
    update a system, either a fix or just a new app. There is no difference.
    Also, there is no excuse for incompetence. Even smaller companies have their
    buildings constructed by competent companies, not by someone who is dirt
    cheap and they met in a bar. If a building collapses due to incompetence, the
    construction company gets sued. If people die, the company owners might go
    to jail.

    > If the ms-sql bug had never been disclosed, and was slipped quietly to
    > Microsoft, this never would have happened, and the same responsible
    > administrators would have upgraded their software. The odds are, those same
    > responsible administrators have had their database servers behind a firewall
    > anyways, so this is all irrelevant. This catastrophe was caused solely by
    > the disclosure of vulnerability information.

    This would have happened anyway, since if MS was told quietly about this bug,
    these sorry excuses for admins would still not have updated their systems.

    There are hundreds of bugs in MSSQL, fixed and not fixed, but only a few
    were ever used in a virus. MS is spending lots of money just fixing the
    holes they do find. Why? Because they might get exploited, whether it is
    known or unknown. Most holes that are fixed were found by MS people, and
    never disclosed. Just check on their site, and see what is in the updates.
    Some security hotfixes are because of disclosed holes, many are not. In the
    service packs, many other security holes are closed; MS tells you all about
    it, if you were to read technet. BTW, technet is not for security consultants
    only.

    Let me give you an example of disclosure vs. MS: in 1997 in MSDN someone
    from MS warned developers about the risks of using, or rather the thoughtless
    use of, several codesets. In 2001 the Unicode exploits surfaced, and MS fixed
    them. But many admins didn't. Do you blame MS?

    > I urge you to be more responsible with your actions in the future. The
    > stability of the entire internet is at stake.

    Funny, the net was built and designed to withstand nuclear war, but a single
    15 y/o will take it down? The net is some corporate databases. It wouldn't
    be interesting if it was. And all the extra traffic, well, anything can cause
    that, not only viruses. If they were to put a new single from any major
    pop band on-line, would the traffic be very heavy?

    I urge people to disclose in an effective AND responsible way, since not the
    stability but the future of the Internet is at stake.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
