Understanding full disclosure

Lately, there has been a lot of talk in the news about the term "full disclosure." Recent topics include a story about an eBay-like website that sells exploits to the highest bidder, and a disclosure by researcher Thor Larholm that other researchers and security experts have attacked as irresponsible. Larholm reported on vulnerabilities that were later shown to involve both Firefox and Internet Explorer. So, what exactly is full disclosure, and why is it suddenly in the limelight?

Early on, there was no formal disclosure process at all. Researchers would discover vulnerabilities and quietly alert vendors. The theory was that the vendors would then fix the vulnerabilities. Often, that theory proved false: fixes would arrive in the next release, or in some cases never at all. Then the Computer Emergency Response Team, or CERT (the CERT Coordination Center at Carnegie Mellon), was formed. Researchers would send CERT vulnerability reports and, after verification, CERT would alert the vendor. The vendor would issue a patch, and CERT would release the details of the vulnerability and the link to the patch at the same time. The problem with that is the lack of urgency: there is no reason for the vendor to patch quickly when they know CERT will not publish details until a patch is released.

Later, CERT changed its policy. The delay before disclosure now varies depending on several factors. CERT will disclose some information immediately to its paid subscription list, and that on its own is a problem for many professionals. The other problem, for some experts, is the variation in disclosure timing: sometimes there is a thirty-day wait, other times a forty-five-day wait, and then there are releases that see publication years after their discovery.

Many researchers found the early processes frustrating. Several of them faced threats of legal action from the very vendors they were attempting to help if they released the details of a vulnerability. The argument for full disclosure is a simple one: release the vulnerability to the public and to the vendor at the same time. This forces the vendor to patch, because the public pressures the company to act quickly, before there is widespread exploitation of the published flaw. That is the positive spin on this form of disclosure. Those who counter it say the logic is false and that it does more harm than good.

A compromise was formed: disclose the vulnerability to the vendor and set a timeline for their response. The researcher waits a few weeks for the vendor to follow up. If there is no response, the researcher alerts them again to see if there is a patch. After about thirty days with no response from the vendor, one final contact is attempted. If that fails, the researcher goes public. While that is fair to both the researcher and the vendor, the method is still attacked, because each researcher has his or her own opinion on exactly what the terms of disclosure mean and how long to wait.

The recent disclosure by Thor Larholm has come under attack from researchers and experts because there was no delay in the release. The vulnerability information was posted on his blog as he discovered it, and neither Microsoft nor Mozilla, the maker of Firefox, had time to patch it beforehand. Many security people have no problem with Larholm's research, just his method of disclosure.

“It seems that, once again, irresponsible disclosure of a zero-day flaw has taken place. Sophos cannot stress enough the importance of responsible disclosure, where the person who discovers the flaw works with the software developers to help avoid exploits,” Sophos’s Carole Theriault said. “Posting proof-of-concept code publicly might get a five minute spotlight, but for all the wrong reasons. Tsk tsk, Thor Larholm.”

Researchers like Larholm move to this method of disclosure because vendors often threaten researchers or take little action. There is also the dismissive attitude of some companies, which blame the researcher for the flaws discovered. Earlier this month, a website was launched to help researchers sell their work. It allows the researcher to sell to the highest bidder, eBay style. One of the reasons the site, WSLabi, gives for its launch is: "This exchange will create a portal where researchers, security vendors and software companies can interact in an open market to enable researchers to obtain the correct value for their findings."

This is not the first attempt at a site where research is sold off, and it will not be the last. Questions arose as to exactly how buyers are screened and who controls the information. While the website says that buyers are carefully screened and that the risk of the research being sold to the wrong sort of person is nil, no real evidence was given as to how the site will accomplish this.

A recent blog post by Sophos addresses the new site. “Many argue that researchers investing a great deal of their own time finding vulnerabilities and disclosing the details responsibly to vendors should receive some form of payment. But the introduction of money brings its own complications - chief of which is in direct contrast to the fundamental principles of responsible disclosure.”

“There is little doubt that this site may gather some attention, but it will never become the ‘global database of every IT security research.’ Despite its attempts at a polished, professional appearance, you have to question its existence. A recent posting on their blog does little to sway this opinion, with a call for iPhone ‘research,’ which frankly touches on incitement,” the post added.

The argument for the site is that, because of the failures of full disclosure, researchers are still being bullied. Now the money issue is brought into play, and there is a need for companies to say more than a simple "thank you," something that often never happens.

The adage that "researchers have to put food on the table" is the line often used to defend the work performed. There is solid evidence for this, as researchers spend large amounts of time doing their jobs, but the companies still argue that no one asked them to do this, and that without proper notification, releasing their work to the public is still borderline criminal.

Despite the claims of faults, one very recent case shows that full disclosure works. It involves Wachovia National Bank, a rather large bank with branches all over the US. In a recent mailing to customers, the bank addressed changes to its privacy policy and provided a link to a website where customers could edit the personal information the bank holds on them. The website in the mailer contained a form that sent the entered data over an unencrypted connection.

The story with Wachovia starts with a Horizon Network Security advisory dated July 10, 2007. The advisory was typical of the kind sent almost daily to the Full Disclosure mailing list. "Wachovia Bank website sends confidential information (social security numbers, phone number, address, etc.) over the Internet without encryption," read its title. The advisory explains that a link in the revised privacy policy on Wachovia's website leads to a form that allows customers to change personal information. The form used to enter and send this information was on an unsecured page, and examination of the page's source by Horizon Network Security showed that the form submitted its data over plain HTTP rather than HTTPS.

"Unfortunately, that page appears to be an ordinary HTML form whose 'filled out data' then is transmitted via the 'post' method to an http (not https) URL," said the advisory, explaining the problem. Now that the problem had been found, Bob Toxen of Horizon Network Security, himself a Wachovia customer, needed to report it. Toxen explained the disclosure method he used to Monsters and Critics in a recent interview.
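The check the advisory describes, reading the page source and looking at where the form's POST actually goes, is easy to automate. The following is an added example written for this article; it is not code from Horizon Network Security or from the advisory. It parses a page's HTML, resolves each form's action against the page URL (so a relative action on an http page is correctly treated as a plaintext submission), flags forms that would send their fields without TLS, and separately flags the weaker case of an https target reached from a page that was itself served over http, since an attacker who can alter the http page can also rewrite the action. The sample page, the host names, and the field names are constructed for the demo.

```python
"""Static check for HTML forms that submit data without TLS.

Added example, not code from the original article or from the advisory.
The sample page and all host and field names below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that suggest a field carries personal data (heuristic, constructed list).
SENSITIVE_HINTS = ("ssn", "social", "tax", "account", "password", "dob", "phone", "address")


class FormScanner(HTMLParser):
    """Collects every <form> with its action, method and named input fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",  # empty action means "post back to this page"
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if name and (a.get("type") or "").lower() not in ("submit", "button"):
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form: where it really submits and whether that is encrypted."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in scanner.forms:
        target = urljoin(page_url, form["action"])  # relative actions inherit the page's scheme
        target_https = urlsplit(target).scheme == "https"
        sensitive = [f for f in form["fields"] if any(h in f.lower() for h in SENSITIVE_HINTS)]
        if not target_https:
            verdict = "PLAINTEXT_SUBMISSION"          # the Wachovia-style flaw
        elif not page_https:
            verdict = "HTTPS_TARGET_FROM_HTTP_PAGE"   # form itself could be rewritten in transit
        else:
            verdict = "OK"
        findings.append({
            "target": target,
            "method": form["method"],
            "verdict": verdict,
            "sensitive_fields": sensitive,
        })
    return findings


# Constructed sample: a privacy-preference page served over plain http.
PAGE_URL = "http://www.example.test/privacy/preferences.html"
SAMPLE_PAGE = """
<html><body>
<form method="post" action="http://www.example.test/cgi-bin/prefs">
  <input type="text" name="full_name">
  <input type="text" name="ssn">
  <input type="text" name="phone">
  <input type="submit" value="Update">
</form>
<form method="post" action="/newsletter">
  <input type="text" name="email">
  <input type="submit" value="Subscribe">
</form>
<form method="post" action="https://secure.example.test/prefs">
  <input type="text" name="account_number">
  <input type="submit" value="Update">
</form>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_forms(PAGE_URL, SAMPLE_PAGE):
        print(f"{f['verdict']:28} {f['method'].upper():4} {f['target']}  sensitive={f['sensitive_fields']}")
```

Run against the constructed page, the first form (the one modelled on the advisory) is reported as a plaintext submission carrying an SSN and phone number, the second is plaintext too because its relative action inherits the page's http scheme, and the third is flagged only because the page hosting it is unencrypted. A real audit would fetch the live page and also follow any redirect on the action URL, since a 301 from https to http would defeat the check.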

“I initiated three contacts with two different people, one contact in customer service who then forwarded me to web site support.  I then explained the problem to the web site support person verbally and via FAX,” he said. In the explanation, Toxen set a timeline of seven days to address and resolve the issue or ask for more time. “I actually gave them fifteen days but they did nothing, not even to phone or email me to say ‘we're investigating, please give us more time’.”

Matt Wadley of Wachovia explained to Monsters and Critics that this was a simple miscommunication and not, as it appeared, a snub to Horizon Network Security or, by proxy, to Bob Toxen. Keeping to his word, Toxen posted the full advisory to the Full Disclosure mailing list, and within a few hours the problem was fixed.

Seeking comment on the advisory, Monsters and Critics reported the issue to the bank's PR department and later the same day was contacted by Matt Wadley, who gave assurance that contact had been made with Toxen and that his research was very helpful.

Was it the advisory that caused the corrections to the online form, or the contact with the Wachovia press department? That is unknown, but Wadley mentioned that some of the IT staff might be Full Disclosure subscribers, and if that is the case, then the alert issued to the list got their attention.

“It is important to note that this vulnerability is hard to exploit on a large scale basis.  However, Wachovia's failure to respond to my contacts has caused a Wachovia internal investigation as to why and, I'm assured, steps to ensure that future contacts will be followed up on. Hopefully, this will result in the next Good Samaritan who contacts them to result in the problem being fixed.  If the next problem is more serious then that further proves the value of full disclosure,” Toxen said addressing his contact with the bank.

Officially, Wachovia said, “The safety and security of our customers' information is a top priority at Wachovia. We have corrected the online security issue related to our consumer privacy preference form, and a secure form is now available on wachovia.com. Currently, we have no evidence of any negative customer impact resulting from this issue.” Wadley would not speculate on the chance that there could have been damage.

While there is no proof there was any exploitation, Toxen said in his opinion, there needs to be some disclosure on Wachovia’s part regardless. “While Wachovia claims that they know of nobody whose data was compromised, nobody can say absolutely that this hasn't happened. Wachovia is so big that some of their clients probably suffered identity theft without knowing the cause. It is my opinion that California's data breach reporting law requires Wachovia to alert any customer whose data *may* have been breached, i.e., all California customers who used that form or, if they did not track that, then all California customers.”

The bottom line is that full disclosure works: regardless of the breakdown in communications, once contact was re-established the issue was resolved in a few hours. "I think that my experience with Wachovia and many others' reported experiences with large companies prove that the current practice of full disclosure works," Toxen said when asked his opinion on the state of full disclosure. He added that he feels it is necessary and should remain legal in the civilized world.

The debate over disclosure methods will continue for a long time to come. For more information about the issues with full disclosure, check out the following links:

http://www.internetnews.com/dev-news/article.php/1437841 (2002)
http://www.usenix.org/publications/login/1999-11/features/disclosure.html (1999)
