Policing the Virus Defenders

TruSecure's Cooper advocates a board to monitor release of virus threat info.

Russ Cooper has been on the Internet security scene for more than 20 years and has never been afraid to speak his mind. In the wake of the recent Code Red attacks, Cooper, surgeon general at TruSecure Corp., in Reston, Va., and moderator of the NTBugtraq mailing list, is advocating a new approach to releasing vulnerability information, especially exploit code. He is working to create a group, designated as the Responsible Disclosure Forum, that would serve as a clearinghouse for information, assessing each new vulnerability. Senior Writer Dennis Fisher spoke with Cooper last week about the aftermath of Code Red and why he believes irresponsible, full disclosure of security flaws could lead to even more serious problems.

eWeek: Is the Code Red worm something that could have been anticipated?

Cooper: We should have known—and we do know—that attacks are becoming stronger and more widespread. More people are exploiting systems than ever before. Whats surprising is that so many systems were unpatched. In the future, the attacks will be even more devastating if people dont keep their systems updated.

eWeek: But what else can vendors do, aside from issuing the patch and making sure that as many people as possible know about it?

Cooper: Weve argued with Microsoft [Corp.] about the number of patches between service packs, and there are just too many. Theres a need for either a push mechanism or a better pull mechanism. Things like Windows Update expect every computer to be connected to the Internet. Maybe they should send out a new CD every other month with updated software so that everyone will always have the latest updates. Code Red demonstrated a global need for a service thats the equivalent of the manufacturers recall to ensure that this many systems arent left unpatched again.

eWeek: Do you think that the constant flood of new vulnerabilities and bulletins and patches desensitizes people to the threat when something serious does come along?

Cooper: Of course it does. Some administrators are in patch overload. You can only see so many of them before you have to start questioning their validity. The combination of best practices and patching should do it. But todays mentality among security people is, "Only I know enough to assess that patch, and I have to do it." So they put it off until they have time to assess it and test it in their environment. But in the meantime, they could get attacked.

eWeek: Youve taken some heat for your stance on responsible disclosure of vulnerabilities, with people saying it would only make the situation worse. How do you respond to that?

Cooper: Weve been using the full-disclosure model for a long time, and it isnt helping. In fact, its getting worse because now there are more systems to attack. The idea [of the Responsible Disclosure Forum] is that a large group of people, say a thousand, would assess each vulnerability and determine whether its credible and serious, and then wed pass it on to the public. Veracity has to be questioned every time because these bulletins are being used as marketing vehicles.

eWeek: And what if the bulletin doesnt meet the groups standards?

Cooper: We would vilify people that overhype things. If its me doing the hyping, Ill get vilified. We want to promote the people who adhere to responsible disclosure. If you believe the people who find these things, everyone is vulnerable to everything all the time.

eWeek: But a lot of people will say that they should make the determination for themselves as to whether the vulnerability is serious.

Cooper: We need to correlate this to the medical profession. When a doctor does research and finds a problem, the vast number of people dont hear anything unless its serious and theyre at risk. There has to be some mechanism for letting people know.

eWeek: How much of an effect do you think all of the security problems on the Internet have on companies that are deciding whether to move more applications online?

Cooper: Its not helping the economy. It depends on whos making the decision and who his staff is, but its getting harder to protect yourself.