Vmyths.com



Truth About Computer Security Hysteria

AlertCon 3 + 1 flaw + n bad guys = AlertCon 2

Rob Rosenberger, Vmyths co-founder
Thursday, 27 June 2002

[Editor's note: this column will make more sense if you read this first.]

THE PSYCHIC HOTLINE at security firm ISS did something weird today. They went from "AlertCon 3" to "AlertCon 2" — just one day after they published a critical alert about an OpenSSH hole they discovered.

ISS helped to instigate rumors of upcoming cyber-attacks ... but then they lowered their "AlertCon" level. Go figure.

Please don't ask me why ISS employees hack OpenSSH on company time. Right now I want to stay focused on their latest AlertCon anomaly.

The "AlertCon" went down even though a horrifying different security hole remains horrifyingly open, with horrifyingly few webmasters bothering to patch their servers. ISS on Tuesday predicted the Internet would remain at "AlertCon 3" through at least "Thursday." (Remember, these guys are ~~psychotic~~ psychic.)

Toss in a horrifying OpenSSH flaw, and you've got at least the same AlertCon value as before. Right?

ISS on Wednesday proclaimed "we are at AlertCon 3 due to the newly released OpenSSH vulnerability coupled with the existing Apache vulnerability." The OpenSSH advisory they published on Wednesday proclaimed "[ISS] is aware of active exploit development for this vulnerability." This claim helped to instigate rumors of upcoming cyber-attacks.

So if you add one horrifying security flaw with another — and if you mix in some bad guys who want to exploit those flaws — then you've got at least the same AlertCon value as before. Right?

Wrong! Do the math, folks:

AlertCon 3 + 1 flaw + n bad guys = AlertCon 2

Mind you, I actually saw a full-blown exploit earlier today. It showed up on the well-known "BugTraq" mailing list, courtesy of a helpful team of security experts at Rapid7. It would take me seven minutes to compile Rapid7's exploit code — and then I could fry any server running a vulnerable OpenSSH package.

You'd think ISS would have gone back to "AlertCon 3" when Rapid7 published an OpenSSH exploit. Right?

Wrong. ISS still remained at "AlertCon 2" hours later when I filed this column. Go figure.

Please don't ask me why Rapid7 employees develop & publish exploits for OpenSSH on company time. Right now I want to stay focused on the latest ISS AlertCon anomaly...