Re: [SEC-1 LTD] RSA SecurID Web Agent Heap Overflow
From: Vin McLellan <vin () theworld com>
Date: Sat, 07 May 2005 03:23:12 -0400
Kevin quoted GaryO's vulnerability report and asked the obvious question: Huh?
> 29-02-2004 - Directly contacted RSA via all public addresses,
> worked with another security consultancy in attempt to contact
> RSA product security team.
> 04-2005 - RSA contacted via telephone
Jumped off the page for me too. There was clearly a screw-up somewhere if
Gary couldn't get through to RSA, in the UK or the US. I suspect a couple
of RSA senior managers are already climbing down through the ranks with
blow-torches to make sure that nothing like this can happen again.
I'm a consultant to RSA and I'll try to report back to the list on what
changes are made.
I would be very surprised if this incident does not quickly lead RSA to
revamp whatever procedures it has for handling such a report -- at the very
least, publicly designate a clear point of contact for external reports
of security vulnerabilities in RSA products. I expect a new policy along
the lines recently recommended by the Organization for Internet Safety.
[OIS, as regulars on this list probably know, is a consortium of
vendors -- MS, Oracle, ISS, and Symantec (publisher of Bugtraq), among
others -- and a few of the aggressive security consultancies (@stake,
Foundstone, etc.) that regularly develop reports of security
vulnerabilities. OIS came out with a very useful consensus.]
> On the SEC-1 web site, they are listed as a "RSA SecurWorld Select
> Partner", an honor they've held since at least 2002. Is RSA so
> unresponsive to security flaw reports that they do not respond even to
> their "select partners"?
RSA distributors and resellers have their own priority channels by which
they are able to report to RSA on problems with a product. I don't know
what happened here, but I suspect Mr. O'leary-Steele chose not to use them,
for his own reasons. That should not have made a material difference, of
course. Even anonymous emails about security issues are routed to RSA Tech
Support staff for review.
With its roots in the crypto culture -- where open critical review is a
valued part of the process by which a technology is vetted and tested -- I
think RSA has always been pretty responsive to external critiques if RSA
judged them substantive. YMMV.
I expect there will be a quick internal review and then RSA will do what it must
to make sure that this sort of "disconnect" can't happen again. I'm only a
consultant to RSA, but it is clear to me that the sort of time-lag reported
here is unacceptable. RSA is full of people, top to bottom, who would
immediately acknowledge that.
I think, frankly, that RSA just outgrew an informal assumption that all or
most product issues would be reported up through customer tech support,
sales, or partner channels. Someone at RSA should have recognized,
earlier, that this is now a silly assumption and done something about it.
After this incident, I expect someone -- very quickly -- now will.
> I just now noticed Gary Oleary-Steele's Full-Disclosure+Bugtraq posts
> of 18-Mar-2005 looking for a RSA security contact. I wish I would
> have noticed them at the time, but I filter both lists so I only see
> messages containing certain keywords (such as "SecurID"), and thus I
> missed reading that post.
I'm embarrassed to admit that I somehow missed them too. Sorry, Gary. Mea
Culpa. Thank you for your persistence.
Vin McLellan + The Privacy Guild + <vin () theworld com>
22 Beacon St., Chelsea, MA 02150
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/