The Politics of Vulnerabilities
Scott Blake, CISSP, Vice President of Information Security, BindView Corporation / RAZOR Research
Agenda
Introduction
What is Politics? What is a Vulnerability?
The Past and Present
Ideologies, Actors, and Initiatives
The Future
Trends and Probabilities
© 2002 BindView Corp.
What is Politics?
The study of power
Power is the ability to make one do what one would not otherwise do.
Important Terms
Actor: One who uses or is subject to power
Ideology: A set of beliefs or ideas
Legitimacy: In accordance with established standards or patterns
Authority: Legitimate power
What is a Vulnerability?
Experts do not agree
Flaws in software
Misconfigurations
What do vulnerabilities do?
Change user context
Crash systems or services
Execute arbitrary code
…
Ideologies
Full Disclosure
Responsible Disclosure
Zero Disclosure
Limited Disclosure
Full Disclosure
Tenets
Information wants to be free
Use the power of public opinion to make vendors improve code
Exploit code is more useful than destructive
Adherents
Most non-profit researchers
Very few commercial researchers
Responsible Disclosure
Tenets
Exploit code causes more problems than it solves
Broad dissemination of vulnerability information is required to improve security awareness
Use the power of public opinion to make vendors improve code
Adherents
Most commercial researchers
Some notable software vendors
Zero Disclosure
Tenets
Responsibility for fixing vulnerabilities lies with the software vendor
Authors of software should control information relating to that software
There is no public good in broad availability of vulnerability information
Adherents
Many software vendors
Many government actors
Much of the public
Limited Disclosure
A variant of Zero Disclosure
Same tenets and adherents
But supports complete information sharing on a need-to-know basis within peer groups
Implemented in US Information Sharing and Analysis Centers (ISACs) and others
Disclosure Ideologies Summary
Ideology                 Release Exploits   Release Vulnerability Details   Adherents
Full Disclosure          Yes                Yes                             Most noncommercial researchers
Responsible Disclosure   No                 Yes                             Most commercial researchers
Zero Disclosure          No                 No                              Most vendors, government, public
The Actors
Vendors
Researchers
The Underground
Governments
Media
The Public
Vendors
Motivators
Shareholder value
Financing
Software Sales
Interests
Limit damage to brand value
Limit vulnerability of customers
Sell more software
Power Relations
Often try to prevent public disclosure of vulnerability information through legal action, market leverage, and lobbying
Researchers
Motivators
Advance the state of the art
Build more security
Build name recognition / peer respect
Financing
Day job
Customers (grant, contract)
Software sales
Researchers (2)
Interests
Continue financing source
Maintain / extend reputation
Power Relations
Hobbyists are largely free from external influence, provided the day job does not interfere
Academic and consultative researchers are largely beholden to their funding source, but different funders set different restrictions
Commercially sponsored researchers are beholden to the parent company’s interests
Researchers: The Underground
Same as other researchers, plus:
Motivators
Control: knowing something that others don’t
Financing
Some organized crime or other illegal sources
Interests
Maintaining the status quo
Power Relations
Wield little power except to cause fear among other Actors
Governments
Motivators
Technocratic perception of public good
Financing
Taxes
Campaign contributions
Interests
Economic growth
Public safety
Power Relations
Prosecution of criminal or negligent behavior
Large purchaser of information technology
The Media
Motivators
“All the news that’s fit to print”
Financing
Advertisements
Subscribers
Interests
More readers
Power Relations
Very powerful creators of brand and image
Influencers of public perception
The Public
Motivators
Too chaotic to be relevant
Financing
Too chaotic to be relevant
Interests
Stable, secure software
Whiz-bang features
Power Relations
Wields tremendous power, but is very difficult to steer in any specific direction
Policy Initiatives
Council of Europe’s Cybercrime Treaty
US information sharing policies
Disclosure forums
Organization for Internet Safety
Various US legislation
Council of Europe’s Cybercrime Treaty
Intended Outcomes
Harmonize and update European computer crime laws
Unintended Outcomes
Potential mis-implementation of the tools provisions may have a chilling effect on research
Language pertaining to intent may lead to certification requirements for security practitioners
US Information Sharing Policies
Intended Outcomes
Stay one step ahead of the bad guys
Facilitate movement of information among legitimate parties: government and ISACs
Better intelligence on attacks
Unintended Outcomes
Chilling effect on public discussion
Creates information haves and have-nots
Disclosure Forums
Intended Outcomes
Get information to those who need it
Unintended Outcomes
Puts information in the hands of the “bad guys”
Examples
Bugtraq
NTBugtraq
Win2KSecAdvice
Cypherpunks
Vuln-Dev
And many more
Organization for Internet Safety
Intended Outcomes
Limit availability of information to “bad guys”
Unintended Outcomes
Limit availability of information to everyone
“Chilling effect” on research in general
Various US Legislation
FOIA and anti-trust exemptions for security-related information sharing
Increasing funding for NIST- and NSF-sponsored research
Single “Gold Standard” for US government system security configurations
FISMA: revised reporting regulations for government agencies
DMCA and PATRIOT Act
Trends
Increasing legislation
Clearer definitions of cybercrime
Will the definitions be correct?
Improving communication channels
Information is being shared better among the “good guys” and the “bad guys”
More and more research being done
Rate of new vulnerability announcements has been increasing at ~90% per year since 1992
Trends (2)
More vicious attacks
Nimda was the most aggressive worm yet: still not terribly damaging, but very expensive to clean up
Continuing penetration of Internet access
The number of devices has topped 100 million, and the rate of growth is set to skyrocket with wireless Internet devices
Probabilities
Will the public demand security?
Probably not
Who will pay for security?
Consumers?
Government?
Vendors?
Lessons from recent events
HP DMCA threat
Security for the people?
Personal firewalls
Privacy regulation (HIPAA, GLBA)
NCSA
Will liability laws change?
Probably not
Conclusions / Predictions
No major changes are imminent
Continued harmonization of laws
Continued creation and discovery of flaws
Continued mismanagement of flaws
Continued small-scale exploitation
Absent a catastrophe, no major changes will occur at all
Software drifts toward being more secure, but that progress is offset by increasing complexity
Questions?
blake@bindview.com
Slides will be on razor.bindview.com next week and on blackhat.com in several weeks