2/28/2007 07:35 AM
Heads in the Sand

Everyone loses when threats of legal action get made to forestall vulnerability disclosure

In the latest round of the Ostrich Security Game, HID Global Corp. has become an active player. By threatening legal action, the company forced the cancellation of a session from the Black Hat agenda. HID claims patent infringement, while IOActive, the company that planned to discuss the vulnerability, says it lacks the resources to fight any legal battle. (See HID, IOActive Butt Heads Again and Black Hat Cancels RFID Demo.)

The big loser? Companies and individuals who care about security, especially security that concerns RFID used in identification systems. Who wins? No one, not even HID Global.

The idea that squelching discussion of a flaw eliminates exploitation of the flaw is ridiculous. No one thinks that HID Global has made its system, or any other RFID system, even fractionally safer by this act. I can imagine that someone in the corporation thought they'd save themselves some embarrassment, but by this time so many words have been spent on their efforts that even the PR goal is lost.

It's not as though HID Global is the first company to do something like this. A couple of years ago, Cisco pulled the same sort of trick at Black Hat in Las Vegas, when a researcher showed how to successfully attack Cisco routers. In that case, things worked out, sort of, between the parties, but none of the companies involved ended up adding protection for their users or saving themselves embarrassment from their acts.

No one likes it when their faults are exposed. That's human nature. When faults exist, though, especially in systems that involve critical private data or the operation of critical systems, the responsible thing is to work with the researcher who finds the flaw, let your customers know that it exists, then fix it as rapidly as possible. Shoving your head deep into the sand and trying to pull your customers in after you is no path to security -- and no path to customer confidence.

— Curt Franklin is an enthusiastic security geek who used to be one of the Power Rangers (the red one, we think). His checkered past includes stints as a security consultant, an IT staffer at the University of Florida, security editor at Network Computing, chief podcaster for CMP Technology, and various editorial positions at places like InternetWeek, Byte, and Hog Monthly. Special to Dark Reading.
