Security clearinghouse under the gun

The CERT Coordination Center, a group widely used by security companies as a clearinghouse for newly discovered software vulnerabilities, raises the ire of a well-known researcher.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
4 min read
A group widely used by security companies as a clearinghouse for newly discovered software vulnerabilities has raised the ire of a well-known researcher, who criticized its policy of disclosing information early to preferred members.

In an e-mail released to a public security mailing list this week,

Reader Resources
Worm slams Net

a vulnerability research company took to task the nonprofit Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University.

In the e-mail, noted security researcher Mark Litchfield wrote that his company would no longer submit information on security flaws to the CERT center. Such a submission, he wrote, is "an act of good faith" intended to give information technology administrators the information they need to patch their systems. But Litchfield said he felt "a betrayal of trust" because CERT had "leaked (the information) to certain organizations and government departments" before passing it on to IT workers.

"In submitting vulnerabilities to (CERT)...I do not expect the issue to be disclosed to any (but the usual) parties," he wrote in the e-mail message posted Monday to the Bugtraq mailing list. "I believe that choice remains with the discoverer (of the vulnerability) and the vendor of the software."

Vulnerability disclosure has been a heated issue for several years, and the CERT Coordination Center, an organization created after the Morris Worm struck the Internet in 1988, has been a focus of some criticism for its policy of giving early warning to paid sponsors. Litchfield's criticism, however, is by far the most vocal to date.

"We have told them that we will provide them with the information as long as they don't tell others," Mark?s brother and fellow researcher David Litchfield said in a Wednesday interview. "They have refused." Most security researchers feel that responsible disclosure policy includes working with the affected software's creator to fix the vulnerability and then releasing the flaw information at the same time that the company releases a patch.

David Litchfield is managing director of U.K.-based computer security company NGS Software and is now best known as the discoverer of the Microsoft SQL flaw used by the Slammer worm to ravage corporate networks last weekend.

Jeffrey Carpenter, manager of the CERT Coordination Center, said that the group was surprised by Litchfield's e-mail. Carpenter stressed that since the center founded the Internet Security Alliance for paying members more than two years ago, it has never hidden the fact that it informs ISA members of security issues.

"We have tried to take a reasoned, middle-of-the-road approach to vulnerability information," Carpenter said. "We do want critical-infrastructure and system operators to have a chance to take critical steps to defend their systems prior to a general release of information."

Carpenter also dismissed the security researcher's main concern: That companies who receive early information may leak details and place the security of the Internet in jeopardy.

"Members must sign a strong nondisclosure form," Carpenter said. "We specifically designed the agreement so that the only thing people are using the info for is protecting their own infrastructure."

But many other security firms have already started notifying the CERT center only when they are ready to release details of a flaw publicly.

Chris Rouland, director of vulnerability research for software company Internet Security Systems, said the company will release details to CERT only two days before they go public. To reach IT professionals about patching problems, the company now relies on the FBI's National Infrastructure Protection Center (NIPC) cybercrime warning capability.

"We deal with the NIPC because we have no concerns that they will predisclose," Rouland said. The NIPC's role in advanced warning will become part of the new Department of Homeland Security in March.

Internet Security Systems found itself on the other side of the equation last year when it failed to give an open-source group more than few hours of advanced notice of a flaw.

The care with which security researchers release information to the CERT Coordination Center has threatened the group's role as a central clearinghouse for security information, said Chris Wysopal, director of research and development for digital-security company @Stake.

"It is only when massive coordination needs to happen that people use CERT," Wysopal said. "If you look at the CERT advisories compared to two years ago, there are less with new information and more reports of (already) publicly disclosed vulnerabilities."

A dire pronouncement of CERT's failing relevance to a digital world that's suffering more and more attacks? Perhaps not. Even NGS Software's Litchfield said that despite his strongly worded e-mail, in the long run he hopes the situation can be remedied.

"Perhaps we have overreacted in anger," David Litchfield said. "Perhaps it is short-term thinking to close that relationship, so we will have to see what can be done."