Welcome Guest. | Log In| Register | Membership Benefits
  • Email this page E-mail this page
  • |  Print Print this page
  • |   Bookmark and Share
  • icon

Security Firm @stake Says Your Network May Be Leaking Sensitive Data


Newly announced flaw places some information sent over networks at risk to snoops.

By George V. Hulme
InformationWeek
January 7, 2003 12:00 AM

Security researchers at the firm @stake say they've found a flaw in how network device drivers send information that could create an "information leakage vulnerability" that may let hackers collect sensitive information sent from vulnerable devices. If successful, @stake says, hackers potentially could view "slices of previously transmitted packets or portions of kernel memory" over certain networks.

The CERT Coordination Center has posted a long list (http://www.kb.cert.org/vuls/id/412115) of network vendors' products that could be vulnerable to the flaw. However, as of now, the majority of vendors haven't disclosed whether their device drivers are at risk. So far, Cisco Systems, F5 Networks, Hitachi, Microsoft, and NEC have reported that they're not vulnerable. According to @stake's advisory, the software and hardware vendors were notified of the potential flaw in June 2002. According to CERT, no statement concerning this vulnerability is yet available from more than 40 of the vendors notified more than six months ago.

More Software Insights

White Papers

Webcasts

Reports

Videos


Marketbright helps non-technical marketing managers run Web sites, send mail blasts and generate leads Coral8 is helping Wall Street and other large companies keep up with real-tim data and click stream anaysis with its enterprise-level SQL engine. InformationWeek's David Berlind covers the announcements made by IBM today regarding
InformationWeek's David Berlind covers the announcements made by IBM today regarding
Dubbed EtherLeak, @Stake says in its advisory (http://www.atstake.com/research/advisories/2003/a010603-1.txt) that incorrect implementations of the IEEE's Ethernet standard and poor programming practices "results in several variations of this information leakage vulnerability."

According to the IEEE Ethernet standard, packets sent over the network should be at least 46 bytes in size. However, it's common for protocols, such as IP, to require packets of less than 46 bytes; in such cases, the remaining frames should contain null, or "empty," data.

Researchers from @stake say their tests reveal that instead of worthless packets stuffing the remaining bytes, potentially sensitive corporate information stored in memory buffers on the network interface card, static system memory controlled by the network driver, or kernel memory is sent instead. "The number of affected systems is staggering, and the number of vulnerable systems used as critical network infrastructure terrifying. The security of proprietary network devices is particularly questionable," @stake wrote in the conclusion of its paper.

Both CERT and @stake recommend vulnerable companies encrypt network traffic, but even encrypting all network traffic isn't foolproof protection. While at-risk networks will greatly reduce this vulnerability's impact through encryption, they warn, sensitive information leaked from such sources as kernel memory can still be viewed by prying eyes.



Subscribe to RSS


Advertisement

CAREER CENTER
Ready to take that job and shove it?



TechCareers

SEARCH
Function:

Keyword(s):

State:
SPONSOR
RECENT JOB POSTINGS
CAREER NEWS
10 Search Engines You Don't Know About
Go beyond Google and get vertical. These specialized search sites will help you find the business information you need -- fast.

Yahoo Profits Fall 23%, Cuts 1,000 Jobs
Ari Balogh was named to the post of chief technology officer as the companys for a "realignment" of employees.

More articles from our career center





Subscription Info
Apply for a free 52-week subscription to InformationWeek (a $199 value)

Last Name:

First Name:

Title:

Company Name:

City:

Business Address:

Zip:

State:

Email Address:

NOTE: Offer valid for U.S., U.S. possessions, & Canada only

            

Join economist Chris Cornell and 3 CIOs in an Exclusive Online Exchange for Senior IT Executives: Using IT to Drive Value in a Turbulent Economy. November 5th only.