
The double-edged sword effect of vulnerability disclosure

2025-03-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Both * and service providers benefit, and users are the biggest victims.

Most "white hat" security engineers are driven by a sense of social responsibility that makes them want to tell everyone, loudly, as soon as they find a vulnerability.

Throughout the cyber security industry, whether the subject is a newly discovered vulnerability or an evolving cyber threat, we believe in sharing information quickly so that the affected service providers (hardware or software) take immediate action and fix the vulnerability in time.

When we lengthen the timeline and look at the impact of vulnerability disclosure from a macro point of view, we find that it is a double-edged sword: a game between "timely repair" and "malicious exploitation".

It is not a good thing to publish vulnerabilities prematurely.

There are many ways to disclose vulnerabilities, and the news often spreads quickly. Premature "full disclosure" of a previously unknown issue lets malicious actors move in, often faster than the service provider's IT team can respond.

A famous example is the Mirai botnet, which in 2016 * of the United States, paralyzing the Internet in many US cities. It was originally used to brute-force embedded devices listening on Telnet. After the Mirai source code was released to the open source community, imitation versions appeared that brute-force devices listening on Secure Shell (SSH). To improve their * * rate, these * exploit a variety of vulnerabilities in less secure Internet of Things (IoT) devices.

Today, Mirai variants still pose a continuous threat to embedded Linux systems. The following figure shows the trend of the threat posed by Mirai; as of June 2019, new variants of Mirai were still appearing.

Mirai was first discovered in 2016, and activity surged again in 2018. (source: Ixia "2019 Security report")

Buy time to fix the vulnerability first

The best approach is responsible disclosure behind the scenes: report the vulnerability privately and publish an announcement only after a specified period of time (usually 90 or 120 days), giving the affected service provider sufficient time to develop a valid patch or fix and deliver it to customers.

To take a positive example, Drupalgeddon is a SQL injection vulnerability in the free open source Drupal content management framework. In 2018, a researcher identified two similar high-risk variants of the vulnerability, Drupalgeddon 2 and 3. He responsibly informed the service provider of the vulnerability in private, giving them time to develop and release patches before the exploit details were made public.

After the patch was released, researchers published details of the exploit between April 12 and 25, 2018. The following figure shows the threat trend for this vulnerability: exploitation surged in April and May 2018 but then quickly subsided, mainly because the timely patching process reduced the number of available targets.

The threat of Drupalgeddon 2 and 3 quickly faded after thousands of attack attempts in April and May 2018. (source: Ixia "2019 Security report")

Protect common interests

In order to promote information sharing, a variety of "open" communities of IT professionals have emerged on the global Internet. Many well-known open communities have zero barriers to entry, so it is safe to assume that * * are lurking there as well, which is why there is a surge in activity within days or weeks after a vulnerability is made public.

A safer approach for service providers is to form closed communities with strict access controls that vet all potential members. Other trusted methods include bug bounty programs, trusted crowdsourced testing, national vulnerability databases, and so on. A trusted platform mechanism can be the best way to gain time, reduce risk and prevent the next wave.

The exact time to announce the vulnerability

In China, there is a clear time limit for publishing network security vulnerabilities and network security threat information (currently at the draft-for-comment stage).

Combining the Regulations on the Management of Network Security Vulnerabilities (Draft for Comments) issued by the Ministry of Industry and Information Technology on June 18, 2019 with the Measures for the Release and Management of Network Security Threat Information (Draft for Comments) issued by the Cyberspace Administration of China on November 20, 2019, we can lay out a standard timeline from vulnerability discovery, through vulnerability repair, to vulnerability publication:

This article was compiled and edited by Amber network; please credit the source when reproducing it.
