Disclosure/Non-Disclosure Case Study Observations Prepared by Scott Sakai, Mansi Shah, Kevin Walsh, and Patrick Wong.

Presentation transcript:

Disclosure/Non-Disclosure Case Study Observations Prepared by Scott Sakai, Mansi Shah, Kevin Walsh, and Patrick Wong

Sakai, Shah, Walsh, Wong: Disclosure/Non-Disclosure Case Studies

Approach
– Context created by course curriculum
– Disclosure and non-disclosure defined
– Case studies
– Observed practices and "norms"
– Summary and conclusions

Introduction
– Intro to computer security vulnerabilities
– To disclose or not? Is it illegal or unethical not to disclose a discovered vulnerability?
– What practices are observed by industry in the case studies?
– Questions to the audience: what appear to be the accepted norms?

Introduction (2)
– Context of the course
  – Ethical codes: acceptable professional behavior in the computer industry
  – Lessig: Architecture, Market, Norms, Law
  – Brin: Transparency, criticism, accountability, authority, authentication, trust

Full Disclosure – What is it?
A security flaw that is...
– Released to the public immediately
– Developed and discussed in a public forum
– In general, made known to the public and the vendor at the same time (often before a vendor fix is available)

Full Disclosure – Pros
– Levels the playing field: defenders get the same information attackers may already have
– Motivates vendors to fix the flaw
– Lets knowledgeable users know what their software is actually doing, so they can apply their own mitigations

Full Disclosure – Cons
– Makes exploiting the vulnerability easier
– Increases the chance of compromise or crash during the window before a fix exists
– Potential loss of productivity
– May result in a rushed, incomplete fix

Non-Disclosure Defined
A security flaw that is...
– Held until the proper fixes are produced
– Not shared in the public eye
– Limited disclosure is a middle ground defined by the company, which discloses some information on the vulnerability (for example, that a flaw exists and how to patch it, without the exploit details)

Non-Disclosure – Pros (from the vendor's point of view)
– Avoids potential loss of market share
– Protects company/product reputation
– Avoids undesirable exposure of the underlying technology architecture
– Limits liability for the company (though liability can cut both ways)

Non-Disclosure – Cons
– False sense of security: users of the product remain unaware while anyone who independently finds the flaw can exploit it
– Potential delay of fixes (both by the company and by the client, who does not know to ask for one)

Case Study 1: Ping of Death – Overview
Exploit (late 1996): sending an oversized IP datagram (an ICMP echo request fragmented so that it reassembles to more than the 65,535-byte IPv4 maximum) overflowed the reassembly buffer and crashed or rebooted many operating systems of the day.
Stakeholders:
– Malicious individuals executing the attack
– Users who rely on vulnerable systems
– Vendors of vulnerable systems
– Public (relies on any of the above)
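
The following is an added example, not part of the original slides and not code from any real IP stack: a constructed C model of the IPv4 fragment reassembly step that the Ping of Death exploited. The structure names, the 16-bit truncation in `fits_vulnerable()` (a hypothetical stand-in for the missing bounds check) and the two fragments are assumptions for illustration; the 65,535-byte limit and the 8-byte fragment offset unit are from the IPv4 specification.

```c
/*
 * Added example, constructed for this case study; not code from any real IP
 * stack. Models the reassembly step that the Ping of Death exploited.
 *
 * An IPv4 datagram is at most 65535 bytes. The fragment-offset field is 13
 * bits in units of 8 bytes, so a final fragment may claim offset 8189*8 =
 * 65512 and carry more than 23 bytes, making the reassembled datagram larger
 * than 65535. A stack that copies each fragment into a 65535-byte buffer
 * without checking offset + length overruns the buffer and crashes.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MAX_DATAGRAM 65535u   /* maximum IPv4 datagram size in bytes */
#define FRAG_UNIT       8u       /* fragment offset is counted in 8-byte units */

struct fragment {
    uint16_t offset_units;   /* 13-bit fragment offset field */
    uint16_t payload_len;    /* bytes of payload in this fragment */
};

struct reasm_buf {
    uint8_t data[IP_MAX_DATAGRAM];
    size_t  total_len;       /* one past the highest byte written so far */
};

/* Byte offset one past the end of this fragment, computed without truncation. */
static uint32_t fragment_end(const struct fragment *f)
{
    return (uint32_t)f->offset_units * FRAG_UNIT + f->payload_len;
}

/* Hypothetical vulnerable check (assumption, not a real stack's code): the end
 * offset is kept in a 16-bit variable, the width of the IP total-length field,
 * so 65512 + 100 = 65612 wraps to 76 and the check passes; the copy that
 * would follow overruns data[]. */
static bool fits_vulnerable(const struct fragment *f)
{
    uint16_t end = (uint16_t)fragment_end(f);
    return (uint32_t)end <= IP_MAX_DATAGRAM;
}

/* Hardened check: compare the untruncated end offset against the limit. */
static bool fits_hardened(const struct fragment *f)
{
    return fragment_end(f) <= IP_MAX_DATAGRAM;
}

/* Copies a fragment into the buffer only after the hardened check; returns
 * false (fragment dropped, datagram discarded) when it would not fit. */
static bool reassemble(struct reasm_buf *rb, const struct fragment *f,
                       const uint8_t *payload)
{
    if (!fits_hardened(f))
        return false;
    size_t start = (size_t)f->offset_units * FRAG_UNIT;
    memcpy(rb->data + start, payload, f->payload_len);
    if (fragment_end(f) > rb->total_len)
        rb->total_len = fragment_end(f);
    return true;
}

/* Constructed fragments: the last fragment of a ping of death (offset 65512,
 * 100 payload bytes, ends at 65612) and a legal last fragment (offset 65472,
 * 63 bytes, ends at exactly 65535). */
static const struct fragment PING_OF_DEATH_LAST = { 8189, 100 };
static const struct fragment LEGAL_LAST         = { 8184,  63 };

/* Feeds both fragments through reassemble(); returns the reassembled length
 * (65535) if the oversized one was dropped and the legal one accepted, else 0. */
static size_t demo_reassembly(void)
{
    static struct reasm_buf rb;
    static uint8_t payload[100];
    memset(&rb, 0, sizeof rb);
    if (reassemble(&rb, &PING_OF_DEATH_LAST, payload))
        return 0;                                    /* must be rejected */
    if (!reassemble(&rb, &LEGAL_LAST, payload))
        return 0;                                    /* must be accepted */
    return rb.total_len;
}

int main(void)
{
    printf("ping of death fragment ends at %u: vulnerable check %s, hardened check %s\n",
           (unsigned)fragment_end(&PING_OF_DEATH_LAST),
           fits_vulnerable(&PING_OF_DEATH_LAST) ? "passes" : "rejects",
           fits_hardened(&PING_OF_DEATH_LAST) ? "passes" : "rejects");
    printf("reassembled length after hardened checks: %zu\n", demo_reassembly());
    return 0;
}
```

The fix every vendor shipped amounts to the one line in `fits_hardened()`: compute the end of the fragment in an integer wide enough to hold it and refuse any datagram that would exceed 65,535 bytes before touching the buffer.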

Case Study 1: Ping of Death – Analysis
Classification: full disclosure
Pros
– More robust TCP/IP implementations (reassembly code now checks fragment offset plus length against the 65,535-byte limit)
– Similar exploits prevented
Cons
– Lost data on crashed systems
– Vulnerable (unpatched) systems may still exist

Case Study 1: Ping of Death – Issues
Ethical tests:
– Utilitarian: TCP/IP stacks are more stable now – ethical
– Golden Rule: it is unpleasant when someone crashes your computer, so you should not do it to them – unethical
Legal issues:
– Denial of service attacks are illegal under the CFAA (Computer Fraud and Abuse Act)
– Saw the beginning of contemporary issues: international boundaries, data integrity

Case Study 2: Microsoft IIS
June '99: eEye/Microsoft IIS security vulnerability
– eEye finds a serious security flaw in IIS 4.0 (a remotely exploitable buffer overflow in the handling of .htr requests, later addressed by Microsoft bulletin MS99-019)
– eEye emails Microsoft and places warning bulletins, along with CERT
– Microsoft does not respond to the emails or warnings
– eEye discloses the vulnerability publicly, citing Microsoft's apathy

Case Study 2: Microsoft IIS (2)
November '00: Microsoft's anti-disclosure plan
– Microsoft and five security companies decide to create an industry standard for disclosure
– Will draft a standard for notifying the public about newly found software security bugs
– Leading objective of the group is to discourage "full disclosure" of security holes

Case Study 2: Microsoft IIS (3)
April '02: Microsoft's practices today
– Trustworthy Computing initiative, started by a January 2002 memo from Bill Gates, under which all employees are being trained in security
– Microsoft issued a bulletin and cumulative patch covering ten IIS vulnerabilities (MS02-018, April 2002)
– Both events are high profile in the area of security

Case Study 3: Felten vs. RIAA (1)
Hack SDMI challenge (Fall 2000)
– Break 4 watermarking technologies: render the watermarks undetectable without significantly degrading audio quality
– Edward Felten and team broke all 4 technologies
– RIAA threatened the team with litigation under the DMCA if the team presented its research publicly
– Felten sued RIAA and the other parties seeking a ruling that presenting the research was lawful; the paper was eventually presented at USENIX Security 2001
– The case was dismissed in November 2001, not because the DMCA was held not to apply to research, but because the defendants disavowed any intent to sue, leaving no live controversy for the court to decide

Case Study 3: Felten vs. RIAA (2)
Stakeholders
– Professor Edward Felten and team: crackers of the digital watermark technology
– Other researchers
– RIAA: record industry
– Secure Digital Music Initiative (SDMI): holders of the watermark contest
– Verance: one of the watermark manufacturers
– Public

Case Study 3: Felten vs. RIAA – Analysis
Classification: full disclosure
Pros
– Public learns the truth: the watermark technology fails
– Watermark companies can learn from the attacks and develop better technology
– SDMI and RIAA learn the technology does not work before full-scale release of watermarked CDs
Cons
– Verance's watermark compromised; DVD-Audio, already in use in the market, is now easily defeated

Case Study 3: Felten vs. RIAA – Issues
Ethical tests:
– Rights: RIAA's threat to sue Felten for presenting a paper on defeating the watermarks – unethical
– Utilitarian: public learns that the watermark technology does not work – ethical
– Utilitarian: attackers learn of the vulnerability in DVD-Audio through the paper – unethical
Legal issues:
– Right to disclose the SDMI watermark attacks
– Fear of litigation under the DMCA's anti-circumvention provisions

Case Study 4: Malformed SNMP
– Simple Network Management Protocol (SNMP) vulnerabilities reported by the Oulu University Secure Programming Group (OUSPG), found with its PROTOS test suite of malformed SNMPv1 messages (CERT Advisory CA-2002-03, February 2002)
– Vulnerabilities concerned trap handling and request handling (decoding of malformed BER-encoded messages)
– Impact included denial of service, service interruption, and unauthorized access and control
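
The following is an added example, not part of the original slides and not code from any SNMP implementation: a constructed C decoder for the BER envelope that every SNMP trap and request shares, showing the length check that the PROTOS malformed-message tests exercised. The three packets are hand-encoded for this example (not captured traffic), and the function names are assumptions for illustration.

```c
/*
 * Added example, constructed for this case study; not code from any SNMP
 * implementation. Every SNMP trap or request is a BER SEQUENCE; a decoder
 * that trusts a declared length larger than the bytes actually received reads
 * (or copies) past the end of the packet, which is the class of bug the
 * PROTOS malformed-SNMP suite exposed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct tlv {
    uint8_t        tag;
    size_t         len;
    const uint8_t *value;
};

/* Parses one BER tag-length-value starting at buf[0] with `avail` bytes on
 * hand. Returns bytes consumed (header + value) or 0 on any malformation:
 * truncated header, indefinite length (0x80, not permitted in SNMP), a length
 * field too wide to represent, or a declared length beyond what was received. */
static size_t ber_parse_tlv(const uint8_t *buf, size_t avail, struct tlv *out)
{
    if (avail < 2)
        return 0;
    size_t pos = 0;
    uint8_t tag = buf[pos++];
    uint8_t first = buf[pos++];
    size_t len;
    if (first < 0x80) {
        len = first;                              /* short form */
    } else {
        size_t nbytes = first & 0x7f;             /* long form: N length bytes */
        if (nbytes == 0 || nbytes > sizeof(size_t) || nbytes > avail - pos)
            return 0;
        len = 0;
        for (size_t i = 0; i < nbytes; i++)
            len = (len << 8) | buf[pos++];
    }
    if (len > avail - pos)                        /* the check a trusting decoder omits */
        return 0;
    out->tag = tag;
    out->len = len;
    out->value = buf + pos;
    return pos + len;
}

/* Parses the SNMPv1/v2c message envelope SEQUENCE { INTEGER version,
 * OCTET STRING community, PDU } and returns the version (0 = SNMPv1,
 * 1 = SNMPv2c), or -1 if any element is malformed. */
static int snmp_parse_header(const uint8_t *pkt, size_t n,
                             struct tlv *community, struct tlv *pdu)
{
    struct tlv msg, ver;
    if (ber_parse_tlv(pkt, n, &msg) == 0 || msg.tag != 0x30)
        return -1;
    const uint8_t *p = msg.value;
    size_t left = msg.len;
    size_t used = ber_parse_tlv(p, left, &ver);
    if (used == 0 || ver.tag != 0x02 || ver.len != 1)
        return -1;
    p += used; left -= used;
    used = ber_parse_tlv(p, left, community);
    if (used == 0 || community->tag != 0x04)
        return -1;
    p += used; left -= used;
    used = ber_parse_tlv(p, left, pdu);
    if (used == 0 || (pdu->tag & 0xe0) != 0xa0)    /* context-specific, constructed */
        return -1;
    return ver.value[0];
}

/* Constructed packets, hand-encoded for this example. */
static const uint8_t SNMP_GET_OK[] = {            /* well-formed SNMPv1 GetRequest */
    0x30, 0x18,                                   /* SEQUENCE, 24 bytes */
    0x02, 0x01, 0x00,                             /* version 0 (SNMPv1) */
    0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c',     /* community "public" */
    0xa0, 0x0b,                                   /* GetRequest PDU, 11 bytes */
    0x02, 0x01, 0x01,                             /* request-id 1 */
    0x02, 0x01, 0x00,                             /* error-status 0 */
    0x02, 0x01, 0x00,                             /* error-index 0 */
    0x30, 0x00                                    /* empty varbind list */
};
static const uint8_t SNMP_BAD_LEN[] = {           /* community claims 65535 bytes, 3 present */
    0x30, 0x0a, 0x02, 0x01, 0x00, 0x04, 0x82, 0xff, 0xff, 'p', 'u', 'b'
};
static const uint8_t SNMP_INDEF[] = {             /* indefinite-length SEQUENCE, forbidden in SNMP */
    0x30, 0x80, 0x02, 0x01, 0x00, 0x00, 0x00
};

/* Wrapper returning the version on success, -1 on malformation. */
static int demo_version(const uint8_t *pkt, size_t n)
{
    struct tlv c, p;
    return snmp_parse_header(pkt, n, &c, &p);
}

/* Wrapper returning the community string length on success, -1 on malformation. */
static long demo_community_len(const uint8_t *pkt, size_t n)
{
    struct tlv c, p;
    if (snmp_parse_header(pkt, n, &c, &p) < 0)
        return -1;
    return (long)c.len;
}

int main(void)
{
    printf("well-formed:      version %d, community length %ld\n",
           demo_version(SNMP_GET_OK, sizeof SNMP_GET_OK),
           demo_community_len(SNMP_GET_OK, sizeof SNMP_GET_OK));
    printf("bad length:       %d\n", demo_version(SNMP_BAD_LEN, sizeof SNMP_BAD_LEN));
    printf("indefinite len:   %d\n", demo_version(SNMP_INDEF, sizeof SNMP_INDEF));
    printf("truncated packet: %d\n", demo_version(SNMP_GET_OK, 4));
    return 0;
}
```

The decoder never trusts a length it has not verified against the bytes in hand, and rejects encodings (indefinite length, oversized length fields) that SNMP's BER subset never produces; an agent that short-circuits these checks is exactly the kind of implementation the advisory listed.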

Case Study 4: Malformed SNMP (2)
Stakeholders:
– Equipment from over 250 manufacturers involved, including 3Com, Cisco, Compaq, Dell, Hewlett-Packard, Lucent, IBM, iPlanet, Larscom, Lotus, Juniper, Nokia, Novell, Microsoft, Red Hat, Sun and Xerox
– Potential impact critical to the Internet and the majority of government and commercial networks

Case Study 4: Malformed SNMP (3)
Response and solution
– Coordinated through CERT, with CVE identifiers assigned
– Ethical test: a textbook case of private vendor notification followed by posted fixes
– Majority of vendors posted patches within three weeks of notice
– Immediate workaround (disabling SNMP where unused, filtering SNMP at the network perimeter) was non-catastrophic

Observed Industry Practices
– Emergence of clearing-house and response organizations: Computer Emergency Response Team (CERT), Common Vulnerabilities and Exposures (CVE), Responsible Disclosure Forum
– Accepted as legitimate by industry and the customer

Observed Industry Practices (2)
– Role of industry and mainstream press
– Role of university and industry research groups
– Evidence of industry, press, and buying public arriving at a sense of a "norm"
– Norm legitimized through criticism

Summary and Conclusions
From the case studies:
– Both non-disclosure and full disclosure can be ethical or unethical depending upon the tests applied
– The rights test is not applicable in most contexts because the legal system moves too slowly to settle the question before the disclosure decision has to be made

Summary and Conclusions (2)
Movement of the industry:
– Practices by major software corporations are moving from non-disclosure (and limited interest in security) towards fuller disclosure (and a much greater interest in software security)
– Stakeholders following this trend: Microsoft, the 281 manufacturers affected by the SNMP vulnerabilities, and organizations like CERT