Feds, Industry, Battle the Biggest Bug

Discussion in 'other security issues & news' started by spy1, Jun 14, 2002.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Dec 29, 2002
    Clover, SC
    A security hole in implementations of Abstract Syntax Notation One may threaten some of America's most crucial networks. Relax, the President's been briefed.
    By Kevin Poulsen, Jun 12 2002 12:00AM

    Four months after a public advisory warned of security vulnerabilities in a ubiquitous Internet remote management protocol, there have been no widespread attacks exploiting the holes. But technology companies and a special U.S. government panel are quietly evaluating the threat of related vulnerabilities in some of America's most critical electronic infrastructures, including the telephone network, the power grid, and the next generation of air traffic control systems.

    On February 12th, Carnegie Mellon's Computer Emergency Response Team (CERT) issued a high-profile alert about serious security holes in dozens of implementations of the Simple Network Management Protocol (SNMP) -- the Internet's standard language for monitoring and controlling routers, switches and other devices. It was big news in itself, with nearly two hundred companies forced to evaluate, and in some cases patch, their products. Perhaps owing to CERT's careful behind-the-scenes advance coordination with vendors, months later there have been no reports of mass exploitation of the vulnerabilities.

    But while the Internet-oriented CERT warned only about SNMP security holes, the research on which they based their advisory had farther reaching implications.

    The CERT announcement was based on work performed last year by the Oulu University Secure Programming Group in Finland, a group that's perfected a technique of finding security holes in software by systematically flinging a wide range of unexpected values and illegally formatted data at it, and noting when, and how, it breaks. While their target was SNMP, the Finnish researchers' attacks actually hinged on manipulation of an even more fundamental and common language -- on which SNMP is built -- called Abstract Syntax Notation One (ASN.1).

    Rest of article here:
Thread Status:
Not open for further replies.