
SANS ISC InfoSec Handlers Diary Blog

MS Security Alert Advanced Notice, Cisco PIX Source Code Reported Stolen, Open Letter to Anti-Virus Software Companies

Published: 2004-11-05
Last Updated: 2004-11-06 12:19:02 UTC
by Joshua Wright (Version: 1)
MS Security Alert Advanced Notice



Microsoft has recently acknowledged that administrators need a little more time to prepare for the second Tuesday of each month. Starting this month, Microsoft will announce the patches that are going to be released, with little technical detail, a few days ahead of time. Notices will include the number of security bulletins that *might* be released (which has no bearing on the number of patches, *coughMS04-028cough*), anticipated security ratings, and the products that will be affected.



http://www.microsoft.com/technet/security/news/bulletinadvance.mspx

http://www.microsoft.com/technet/security/bulletin/advance.mspx



Notably missing from this advance notice report is anything relating to the Internet Explorer IFRAME vulnerability, for which an exploit is currently circulating.



http://www.securityfocus.com/bid/11515



Cisco PIX Source Code Reported Stolen



A group calling themselves the Source Code Club that previously claimed to have stolen source code for Cisco IOS is now attempting to sell the source code to interested parties. No word on the cisco.com website about this dubious offer at this time.


Just in case you were wondering, the Source Code Club FAQ indicates that they are NOT hiring at this time.






Open Letter to Anti-Virus Software Companies



The following letter was provided to us by Chris Mosby, SMS Administrator and MyITforum Security Message Board Moderator. I think many of us can relate to the grief caused by the virus name game described in his letter. Note that the thoughts and opinions in this letter are those of the author and not necessarily those of the Internet Storm Center or the SANS Institute. Thanks Chris.




-----BEGIN LETTER-----

As we are all aware, it was exactly one week ago today that there was an unusual outbreak of not just one, but three globally spreading variants of the Bagle virus.


Now that the smoke has cleared, and security professionals around the world have all had time to reflect on the events of the last seven days, I wanted to write to you on behalf of your customers to let you in on a little secret that we already know.


The “Virus Name Game” has gotten out of hand. If you are unaware of what I refer to, I will attempt to explain.



Sometime during the Bagle\Netsky war of earlier this year, your virus variant names got out of sync with other anti-virus software companies. We can understand how that could have happened. There were multiple versions of those viruses coming out every day, with virus writers trying to outdo each other in some childish game of hacker supremacy, and you were dealing with the waves of malware as fast as you could. When the “virus war” slowed down with the arrest of the author of Netsky, your virus variant names stayed out of sync. Your customers were able to “deal with it” as the new viruses trickled in at their normal pace by working together as a community with resources like the Internet Storm Center ( http://isc.sans.org/index.php ), Secunia’s Virus Information page ( http://secunia.com/virus_information/ ), VGrep Online ( http://www.virusbtn.com/resources/vgrep/index.xml ), MyITforum’s Security message boards ( http://myitforum.techtarget.com/forums/default.asp?catApp=2 ), and AntiVirus e-mail list ( http://myitforum.techtarget.com/articles/14/view.asp?id=1301 ).



This last Bagle virus outbreak reminded us all what a mess we are in. Since your respective companies have adopted an isolationist attitude and don’t usually share information with other anti-virus software companies, your customers were left with a lot of confusion as to exactly what they were dealing with.



While the new Bagle variants were spreading like wildfire, some companies acknowledged the variants existed; but had no details of what these variants did or what to look for. This did not change even after they raised the threat level of these viruses.



Others provided more detail, but did not match the threat level of other companies since the number of submissions they received from their customers was lower. Their virus variant names were different from other companies', so your customers were left in the dark.



Still other companies had only one or two of these variants listed, with various degrees of detail, and again completely different variant names than other companies, since that was all their customers had submitted to them. This left your customers in the dark again. For those of your customers that use more than one company's anti-virus product, and I know there are plenty out there, that left them with an even bigger mess than just the virus outbreak. With all of this going on, your customers “dealt with it” as they usually do, working together as a community. We sorted through all the information that trickled down to us, or when you felt like letting us know. As usual, we got through it, with some of us showing a few more gray hairs.



I think I can speak for everyone in the security community when I say: "dealing with it" is not acceptable anymore. As the customers that spend money for your products, we should not have to work so hard to figure out if your products are keeping us protected. We know you can do better, and we challenge you to do so. With the increasing problem of spyware, spam, and patch management, we have enough to deal with.



Along those lines, I have a suggestion. Since your business thrives on competition with the other companies out there, maybe picking a name for a virus should be played as a competition by anti-virus software companies. First we would need a neutral third party you can send virus information to, like the Internet Storm Center or the United States Computer Emergency Readiness Team (US-CERT, http://www.us-cert.gov/ ). The competition would be that the first company to send the neutral party detailed and accurate information on a virus before any other would be the one to name the virus. This would be the name all other companies would have to use in their descriptions from that point on.



However things are fixed might not matter, as long as something is done before things get worse. Work together as a community of security professionals and help out your customers at the same time. With Microsoft soon to be entering the anti-virus software business, we believe it is in your best interest to figure out how to accomplish this and keep your customers better informed about how they are protected.




Thank you for your time and attention,

Chris Mosby

SMS Administrator

MyITforum Security Message Board Moderator.

-----END LETTER-----





-Joshua Wright/Handler on Duty