Windows & .NET Magazine Security UPDATE--July 23, 2003
You probably know by now about two serious vulnerabilities in Windows and Cisco Systems IOS software that could lead to significant problems for a vast majority of networks. The Windows problem relates to remote procedure calls (RPCs); an unchecked buffer could lead to a system or network compromise. Microsoft issued a patch for the problem, which affects Windows Server 2003, Windows XP, Windows 2000, and Windows NT (including NT Server 4.0, Terminal Server Edition--WTS). Because the problem affects four OS platforms, the potential for mass disruption is fairly significant. You can learn more about it in the related article, "Buffer Overrun in RPC Interface Could Allow Code Execution," in this edition of Security UPDATE.
Even more threatening is the problem with Cisco IOS software, which runs on a large number of devices including many of the routers that serve as gateways across the Internet. Cisco reported that a Denial of Service (DoS) condition exists whereby all Ethernet interfaces could become unresponsive and stop processing inbound traffic. The problem could also lead to an inability to remotely access a device. If your Cisco devices use IOS software, you should read Cisco's bulletin regarding this matter and upgrade your IOS software accordingly. The bulletin is linked in our article, "DoS in Cisco IOS," in this edition of Security UPDATE.
The Polish group that discovered the RPC problem, The Last Stage of Delirium Research Group, chose not to divulge technical details about the discovery at this time. Because so many systems could be compromised if exploit details were easy to come by, that's probably a wise choice. However, the group routinely publishes technical details and code that others can use to verify or demonstrate a given security problem, so the group is likely to release information about its latest discovery eventually. Windows users have a window of opportunity to patch their systems before the group releases details or some other entity figures out how to exploit the RPC problem and publishes details. Full disclosure is almost inevitable, so be sure to either patch your systems or find a way to work around the problem.
The media recently brought to light a twist on the matter of full disclosure. This twist deals with the security of underlying network technologies, not the top-level systems themselves. The "Washington Post" reports \[http://www.washingtonpost.com/wp-dyn/articles/A23689-2003Jul7.html\] that George Mason University graduate student Sean Gorman's dissertation has drawn attention from those involved with national security.
Gorman's dissertation involves a detailed map of networks across the country. One can use the map to drill down and gain an array of details about a given network. For example, according to the "Washington Post" report, Gorman can click on a bank in Manhattan and see who has communication lines connected to that bank, or he can click on a trucking warehouse in Baltimore and determine its choke points.
The implications of his map are staggering. According to Richard Clarke, former US special advisor for cyberspace security, "He \[Gorman\] should turn it in to his professor, get his grade, and then they both should burn it." However, if Gorman can create such a map, others can as well. More importantly, others might have done so already.
Many consider full disclosure a problem, and sometimes it is. However, often (perhaps in most cases), it serves a worthwhile purpose. In Gorman's case, he's now involved in a dilemma: Will his PhD dissertation become "classified information"? If it does, can he still obtain his degree?
Some argue that in Gorman's case, security through obscurity isn't much security at all. In the information security world, people make the same argument. After all, if people don't know about vulnerabilities, they might well be overly exposed without knowledge about that exposure. Knowing about problems lets people address them and defend themselves. On the other hand, full disclosure also gives intruders knowledge they might not have been able to obtain otherwise. Clearly, timing and coordination of information release is a concern.
According to an article \[http://seattletimes.nwsource.com/cgi-bin/PrintStory.pl?document_id=135262788&zsection_id=268448455&slug=softwarebugs14&date=20030714\] in the "Dallas Morning News," Bruce Schneier, founder and CTO of Counterpane Internet Security, said (about information security vulnerability disclosure), "What we've learned during the past eight or so years is that full disclosure helps much more than it hurts. Since full disclosure has become the norm, the computer industry has transformed itself from a group of companies that ignores security and belittles vulnerabilities into one that fixes vulnerabilities as quickly as possible."
I think you'll agree that Schneier is right. But consider the vulnerability information Gorman has collected. Protecting physical communication infrastructure isn't nearly as simple as correcting program code. Quite a dilemma indeed.