Disclosure/Non-Disclosure Case Study Observations Prepared by Scott Sakai, Mansi Shah, Kevin Walsh, and Patrick Wong
Approach • Context created by course curriculum • Disclosure and Non-Disclosure Defined • Case studies • Observed practices and “norms” • Summary and conclusions
Introduction • Intro to computer security vulnerabilities • To disclose or not? • Is it illegal or unethical not to disclose a discovered vulnerability? • What practices are observed by industry in the case studies? • Questions to the audience: What appear to be the accepted norms?
Introduction (2) • Context of course • Ethical Codes: acceptable professional behavior in the computer industry • Lessig: Architecture, Market, Norms, Law • Brin: Transparency, criticism, accountability, authority, authentication, trust
Full Disclosure – What is it? A security flaw that is… • Released to the public immediately • Developed and discussed in a public forum • In general, brought to light before the public and vendors simultaneously (often before a vendor fix is available)
Full Disclosure - Pros • Levels the playing field • Motivates vendors to fix flaw • Lets knowledgeable users know what their program is doing
Full Disclosure – Cons • Makes exploiting vulnerability easier • Increases chance of compromise or crash • Potential loss of productivity • May result in incomplete fix
Non-Disclosure Defined A security flaw that is… • Held until the proper fixes are produced • Not shared in the public eye • Limited disclosure is a middle ground, defined by the company, in which only some information on the vulnerability is disclosed
Non-Disclosure - Pros (from the vendor's point of view) • Avoids potential loss of market share • Protects company/product reputation • Avoids undesirable exposure of underlying technology architecture • Liability for company (can cut both ways)
Non-Disclosure - Cons • False sense of security • Potential delay of fixes (both company and client)
Case Study 1: Ping of Death - overview • Exploit (late 1996): Sending large IP packets to a computer may crash it. • Stakeholders: • Malicious individuals executing the attack • Users who rely on vulnerable systems • Vendors of vulnerable systems • Public (relies on any of the above)
Case Study 1: Ping of Death - analysis • Classification: Full disclosure • Pros • More stable TCP/IP implementations • Similar exploits prevented • Cons • Lost data • Vulnerable systems may still exist
Case Study 1: Ping of Death - Issues • Ethical tests: • Utilitarian: TCP/IP is more stable now – ethical • Golden Rule: It sucks when someone crashes your computer, so you shouldn’t do it to them – unethical • Legal issues: • Denial of service attacks are illegal under the CFAA • Saw the beginning of contemporary issues • International boundaries • Data integrity
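The check that closes this class of bug, as an added example that is not part of the original slides: the Ping of Death crashed hosts because IP fragments could reassemble into a datagram longer than the 65,535 bytes the header's Total Length field can describe, overrunning a fixed-size reassembly buffer. The `Fragment` type, `check_fragment`, `reassemble` and the sample fragments are constructed for this illustration, not taken from any real IP stack.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535       # largest IPv4 datagram the 16-bit Total Length field can describe
IP_HEADER_LEN = 20         # minimal IPv4 header; assumed fixed here for simplicity
MAX_OFFSET_UNITS = 8191    # 13-bit Fragment Offset field, counted in 8-byte units
BUFFER_SIZE = MAX_DATAGRAM - IP_HEADER_LEN   # payload bytes a legal datagram can hold

@dataclass(frozen=True)
class Fragment:
    """Constructed stand-in for one IP fragment (hypothetical, not a real packet API)."""
    offset_units: int   # value of the Fragment Offset field
    more: bool          # More Fragments (MF) flag
    payload: bytes

def fragment_span(frag):
    """Byte range (start, end) this fragment occupies in the reassembled payload."""
    start = frag.offset_units * 8
    return start, start + len(frag.payload)

def check_fragment(frag, buffer_size=BUFFER_SIZE):
    """Return None if the fragment fits the reassembly buffer, else a reason string.
    The offset+length test is the check the vulnerable 1996 stacks lacked: a 13-bit
    offset of 8191 plus a full-size final fragment ends past 65,535 bytes."""
    if not 0 <= frag.offset_units <= MAX_OFFSET_UNITS:
        return "fragment offset field out of range"
    start, end = fragment_span(frag)
    if end > buffer_size:
        return f"fragment ends at byte {end}, beyond the {buffer_size}-byte buffer"
    if frag.more and len(frag.payload) % 8 != 0:
        return "non-final fragment payload is not a multiple of 8 bytes"
    return None

def reassemble(fragments, buffer_size=BUFFER_SIZE):
    """Reassemble into a fixed-size buffer, rejecting any fragment that would overrun it.
    Returns the reassembled payload; raises ValueError instead of overflowing."""
    buf = bytearray(buffer_size)
    total = 0
    for frag in fragments:
        reason = check_fragment(frag, buffer_size)
        if reason is not None:
            raise ValueError(reason)
        start, end = fragment_span(frag)
        buf[start:end] = frag.payload   # slice and payload have equal length: no growth
        total = max(total, end)
    return bytes(buf[:total])

# Constructed sample input: a well-formed two-fragment datagram and one oversize fragment.
GOOD_FRAGMENTS = [Fragment(0, True, b"A" * 8), Fragment(1, False, b"B" * 4)]
OVERSIZE_FRAGMENT = Fragment(MAX_OFFSET_UNITS, False, b"C" * 1480)   # ends at byte 67,008
```

A stack that rejects the oversize fragment at `check_fragment` never writes past its buffer, which is the fix vendors shipped after the 1996 disclosure.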
Case Study 2: Microsoft IIS June ‘99: eEye/Microsoft IIS Security Vulnerability • eEye finds a serious security flaw in IIS Server • eEye emails Microsoft and places warning bulletins, along with CERT • Microsoft does not respond to the emails or warnings • eEye discloses the vulnerability due to Microsoft’s apathy
Case Study 2: Microsoft IIS (2) November ‘00: Microsoft’s Anti-Disclosure Plan • Microsoft and 5 security companies decide to create an industry standard for disclosure • Will draft a standard for notifying the public about newly found software security bugs • Leading objective of the group will be to discourage "full disclosure" of security holes
Case Study 2: Microsoft IIS (3) April ’02: Microsoft’s Practices Today • Trustworthy Computing Initiative started by a memo from Bill Gates; all employees are being trained in security • Microsoft placed a bulletin warning on ten of their IIS vulnerabilities • Both events are high profile in the area of security
Case Study 3: Felten vs. RIAA (1) • Hack SDMI Contest (Fall 2000) • Break 4 watermarks • Render watermarks undetectable without significantly degrading audio quality • Edward Felten & Team • Broke all 4 technologies • RIAA threatened team with litigation through the DMCA if team presented research to public • Felten sued RIAA to allow presentation of research • Case thrown out since DMCA does not apply to research
Case Study 3: Felten vs. RIAA (2) • Stakeholders • Professor Edward Felten & Team (crackers of the digital watermark technology) • Other researchers • RIAA (record industry) • Secure Digital Music Initiative (SDMI) (holders of the watermark contest) • Verance (one of the watermark manufacturers) • Public
Case Study 3: Felten vs. RIAA - analysis • Classification: Full Disclosure • Pros • Public learns truth: watermark technology fails • Watermark companies can learn from hacks and develop better technology • SDMI & RIAA learn technology doesn’t work before full-scale release of watermarked CDs • Cons • Verance’s watermark compromised • DVD-Audio already in use in market, now easily hacked
Case Study 3: Felten vs. RIAA - Issues • Ethical tests: • Rights: RIAA threat to sue Felten for presenting paper on hacking watermarks – unethical • Utilitarian: Public learns that watermark technology doesn’t work – ethical • Utilitarian: Hackers learn of vulnerability in DVD-Audio through paper – unethical • Legal Issues: • Right to disclose SDMI watermark hack • Fear of litigation due to DMCA
Case Study 4: Malformed SNMP • Simple Network Management Protocol (SNMP) • Vulnerability reported by the Oulu University Secure Programming Group • Vulnerability concerned trap and request handling • Impact included DoS, service interruption, and unauthorized access and control
Case Study 4: Malformed SNMP (2) • Stakeholders: • Equipment from over 250 manufacturers involved • 3Com, Cisco, Compaq, Dell, Hewlett-Packard, Lucent, IBM, iPlanet, Larscom, Lotus, Juniper, Nokia, Novell, Microsoft, Red Hat, Sun, Xerox • Potential impact critical to the Internet and the majority of government and commercial networks
Case Study 4: Malformed SNMP (3) • Response and solution • CERT and CVE • Ethical test: textbook case of vendor notification and posted fixes • Majority of vendors post patches within three weeks of notice • Immediate workaround non-catastrophic
Observed Industry Practices • Emergence of clearing house and response organizations: Computer Emergency Response Team (CERT), Common Vulnerabilities and Exposures (CVE), Responsible Disclosure Forum • Accepted as legitimate by industry and the customer
Observed Industry Practices (2) • Role of industry and mainstream press • Role of university and industry research groups • Evidence of industry, press, and buying public arriving at a sense of a “norm” • Norm legitimized through criticism
Summary and Conclusions From case studies: • Both non-disclosure and full disclosure can be ethical and unethical depending upon the tests applied • The rights test is not applicable in most contexts due to the timeliness of the legal system
Summary and Conclusions (2) Movement of the Industry: • Practices by major software corporations are moving from non-disclosure (and limited interest in security) towards full disclosure (and a much greater interest in software security). • Stakeholders following this trend: Microsoft, the 281 manufacturers and organizations like CERT.