Monday, February 12, 2007

SANS sticks head in sand over exploits...

http://isc.sans.org/diary.html?storyid=2220

I really don’t understand organizations sometimes. SANS states they won’t link to the original Solaris telnet advisory. This confuses me because anybody who really wanted to find it would take a few seconds and Google it and come up with a bunch of sites in the blog-o-sphere that list the exploits. I think they are doing this because they don’t want to be accused of distributing exploits, but in the end I don’t think they are making their readers any safer. We have all seen/met/worked for the kind of person that would read the SANS entry and declare it FUD and that telnet stays on. This doesn’t necessarily occur because they are clueless; it could just be that they have been dulled by every security vendor pitch in the world claiming that the sky is constantly falling. It would be a different story if no one knew about this, but the cat is most definitely out of the bag. I feel this kind of information is required for a company to test and understand the problem themselves. SANS sees fit to deny this to the people who use them as a sole source of security information.

I would like to know how security vendors are responding to this as well. Errata Security shipped a detailed report on the problem, including protection mechanisms like a Snort rule, about a few hours after it was announced in the early hours of a Sunday morning. Can anybody who uses any other security vendor comment on their response: a new ruleset, an alert, advisory, anything?

1 comment:

kurt wismer said...

what's really strange is that sans hosts and distributes actual malware (not explicitly exploits) captured in the wild for their malware quizzes...

why they would be ok with that but not with posting a link to an official advisory is just bizarre...