Security firm breaks with CERT over disclosure

A long-simmering dispute flared into public view earlier this week when UK company Next Generation Security Software announced it was severing its relationship with the CERT Coordination Center.

The row began when vulnerability research companies claimed that the US government-sponsored internet security-reporting centre passed vulnerability information to third parties.

The dispute between Next Generation and CERT arose over a batch of six software vulnerabilities that the company shared with CERT at the same time as it disclosed them to the software supplier affected, according to Next Generation co-founder Mark Litchfield.

Before a patch was issued or the public notified about the vulnerability, the supplier was approached by two US government agencies concerning the undisclosed vulnerability. Litchfield claimed the agencies had said that CERT had informed them about the flaw.

CERT's vulnerability disclosure policy, which is posted on its website, clearly states that the organisation distributes vulnerability information before public disclosure. Recipients of that information include CERT sponsors, software suppliers unaffected by the vulnerability, members of the Internet Security Alliance and owners of critical infrastructure.

Litchfield acknowledged that he was not fully aware of the disclosure policy and had not carefully read the information posted on the CERT website.

Still, the CERT policy, especially the disclosure of information to members of the Internet Security Alliance (ISAlliance), a public-private trade group, rubbed Litchfield the wrong way.

"I saw it as a betrayal in trust. My expectation was that we'd let CERT know about it so that they'd do their own internal research on the issue, do further checks, then write their own advisory and publish it."

An effort to have CERT sign a non-disclosure agreement with Next Generation in exchange for continued vulnerability reports was rebuffed, Litchfield said.

"As a policy, we've decided that it's not in the public interest to hide vulnerability information from people who need that to defend critical infrastructure," said Jeffrey Carpenter, manager of the CERT Coordination Center, which is at the Software Engineering Institute at Carnegie Mellon University in Pittsburgh.

While companies such as Next Generation profit from the vulnerabilities they discover, Carpenter said CERT has a greater mission to serve the Internet community by passing along vulnerability information to affected companies.

But by sharing information with the fee-paying members of the ISAlliance, Litchfield insisted, CERT was going beyond its duty to notify affected organisations.

Instead, he argued, CERT is, essentially, selling an early look at vulnerability information to third parties, some of which are potential Next Generation competitors.

CERT denied any conflict of interest between its role as an independent reporting organisation and its practice of disclosing vulnerability information to ISAlliance members and the US government.

Many ISAlliance members are critical infrastructure owners, including financial institutions, telecommunications companies and software vendors, though membership is not limited to such organisations, Carpenter said.

In addition, a strict security screening process and nondisclosure policy prevents ISAlliance members from circulating the vulnerability information they receive from CERT outside of their organisation, said Larry Clinton, deputy executive director and operations officer of the ISAlliance.

In theory, that should keep information that was confidentially disclosed to CERT from being spread by other companies. Most security companies are not taking any chances, however.

"When the ISAlliance was formed, a big part of the value of that was its relationship with CERT and that if you joined you got detailed vulnerability information," said Chris Wysopal, director of research and development at @stake.

"From that point on, most of the people I talk to - other security researchers at other companies - decided not to give any information to CERT unless they needed help [disseminating it]," Wysopal said.

He added that Next Generation's announcement regarding CERT, while more public, is not an uncommon position in the security community.

"What we have done, because we are a small company with limited resources, is to contact CERT only with widespread issues," Wysopal said.

Litchfield said Next Generation has not decided whether it will use CERT to disseminate information about widespread vulnerabilities.

The rift between the security researchers and CERT could threaten to make the reporting organisation irrelevant.

Compared with the period before the announcement of the ISAlliance relationship, recent CERT alerts are based more often on information publicly available elsewhere than on information disclosed exclusively to CERT, Wysopal said.

Clearly, the loss of information from Next Generation will be sorely felt. The company's researchers found a number of high-profile software vulnerabilities in recent years, including the Microsoft SQL Server vulnerability exploited by the Slammer worm that appeared last Saturday.

Next Generation shared a number of those vulnerabilities with CERT at the same time they were disclosed to the affected software supplier.

CERT offered little comment on the Next Generation decision to stop reporting vulnerabilities. "That's their decision to make," Carpenter said.

CERT, which receives funding from the US Department of Defense, has been under pressure from the federal government in recent years to increase its interactions with the private sector and to get help funding its operation.

CERT's response was to partner with the Electronic Industries Alliance, a federation of trade associations, and form the ISAlliance.

"The ISAlliance was formed to promote security improvement across the Internet and to enable CERT to provide important information to critical infrastructure operators within the private sector," CERT said in a statement.

"The funds that CERT receives from the ISAlliance directly support this interaction."

At the same time as it has had to look for private sector help, however, the organisation has had to keep up with an ever-growing number of software vulnerabilities and high-profile attacks stemming from those vulnerabilities.

CERT recorded just over 9,800 incidents in 1999. By 2002, that number grew to more than 82,000 separate incidents.

"We do the best we can with the funding we have. We'd always like to have more," said William Pollak, manager of communications at CERT.

While not opposed to private funding of CERT per se, security researchers would like to see CERT find a way to fund its operations that does not conflict with its mission as an independent reporting body.

One way might be for CERT to use its research talent and established vulnerability rating and publishing system to analyse, package and distribute vulnerability information after it has been publicly released.

"They have a good methodology for creating a risk rating and doing the formatting and analysis. They could be a third party between the vendor and the researcher and could sell that extra information," Wysopal said.

Litchfield gave CERT credit for the work that it has done publicising vulnerability information, especially in cases where a vulnerability affects a wide array of products.

However, security researchers need to be better informed about how vulnerability information will be handled when they give it to CERT, he said.

"My basic concern was to make sure other independent researchers be aware that this is CERT's policy, because we weren't aware. If someone had made us aware, we would have stopped informing CERT ages ago."