Full Disclosure mailing list archives

Re: [SEC-1 LTD] RSA SecurID Web Agent Heap Overflow
From: Vin McLellan <vin () theworld com>
Date: Sat, 07 May 2005 03:23:12 -0400

Kevin quoted GaryO's vulnerability report and asked the obvious question: Huh?

> 29-02-2004  - Directly contacted RSA via all public addresses,
>              worked with another security consultancy in attempt to contact
>              RSA product security team.
>   04-2005  - RSA contacted via telephone

Jumped off the page for me too. There was clearly a screw up somewhere if Gary couldn't get through to RSA, in the UK or the US. I suspect a couple of RSA senior managers are already climbing down through the ranks with blow-torches to make sure that nothing like this can happen again.

I'm a consultant to RSA and I'll try to report back to the list on what changes are made.

I would be very surprised if this incident does not quickly lead RSA to revamp whatever procedures it has for handling such a report -- at the very least, publicly designate a clear point of contact for external reports of security vulnerabilities in RSA products. I expect a new policy along the lines recently recommended by the Organization for Internet Safety. (See: <www.oisafety.com>.)

[OIS, as regulars on this list probably know, is a consortium of vendors -- MS, Oracle, ISS, and Symantec (publisher of Bugtraq), among others -- and a few of the aggressive security consultancies (@stake, Foundstone, etc.) that regularly develop reports of security vulnerabilities. OIS came out with a very useful consensus.]

> On the SEC-1 web site, they are listed as a "RSA SecurWorld Select
> Partner", an honor they've held since at least 2002.  Is RSA so
> unresponsive to security flaw reports that they do not respond even to
> their "select partners"?

RSA distributors and resellers have their own priority channels by which they are able to report to RSA on problems with a product. I don't know what happened here, but I suspect Mr. O'leary-Steele chose not to use them, for his own reasons. That should not have made a material difference, of course. Even anonymous emails about security issues are routed to RSA Tech Support staff for review.

With its roots in the crypto culture -- where open critical review is a valued part of the process by which a technology is vetted and tested -- I think RSA has always been pretty responsive to external critiques if RSA judged them substantive. YMMV.

I expect there will be a quick internal review and then RSA will do what it must to make sure that this sort of "disconnect" can't happen again. I'm only a consultant to RSA, but it is clear to me that the sort of time-lag reported here is unacceptable. RSA is full of people, top to bottom, who would immediately acknowledge that.

I think, frankly, that RSA just outgrew an informal assumption that all or most product issues would be reported up through customer tech support, sales, or partner channels. Someone at RSA should have recognized, earlier, that this is now a silly assumption and done something about it. After this incident, I expect someone -- very quickly -- now will.

> I just now noticed Gary Oleary-Steele's Full-Disclosure+Bugtraq posts
> of 18-Mar-2005 looking for a RSA security contact.  I wish I would
> have noticed them at the time, but I filter both lists so I only see
> messages containing certain keywords (such as "SecurID"), and thus I
> missed reading that post.

I'm embarrassed to admit that I somehow missed them too. Sorry, Gary. Mea Culpa. Thank you for your persistence.


Vin McLellan + The Privacy Guild + <vin () theworld com>
22 Beacon St., Chelsea, MA 02150

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
