How responsive are vendors to security problems when they aren't being pressured by someone threatening to go public?

Presented at Black Hat USA 1999, July 8, 1999, 5:10 p.m. (60 minutes).

Hundreds, if not thousands, of machines are unnecessarily compromised each day. But most of these break-ins could have been avoided if administrators had been aware of just a single vulnerability - the one that affected them! How do these administrators keep up with the plethora of security issues exposed every week? Today, there are primarily three ways to discover these vulnerabilities: vendor fixes and patches, security advisories published by one of the myriad groups (CERT, CIAC, etc.), and full disclosure mailing lists such as Bugtraq.

But how effective are each of these methods? How responsive are vendors to security problems when they aren't being pressured by someone threatening to go public? Are the proponents of full disclosure helping to fix the problem, as they believe, or are they creating more of a problem by divulging vulnerability exploits before a fix is available?

We will analyze this issue from all three perspectives, discussing both the successes and failures of each method, and what steps we need to take to remedy the problem. People have very strong feelings on this topic, and it's sure to provoke interesting discussion.


Presenters:

  • Jeremy Rauch
    Jeremy Rauch has been involved in discovering and researching security vulnerabilities from a number of different perspectives. Working with vendors, he has identified and helped fix over two dozen major security vulnerabilities. Jeremy is currently a developer at one of the largest security vendors, where part of his duties includes the identification and reporting of security risks. Jeremy is also one of the founders of Security Focus, Inc., a centralized online security resource offering security news, products, events, books, tools, and one of the most comprehensive vulnerability listings on the net.