This story was written by Keith Dawson for the Industry Standard's Media Grok email newsletter. It is archived here for informational purposes only because The Standard's site is no more. This material is Copyright 1999-2001 by Standard Media.

How New Is the Latest Security Flaw?

Mar 13 2001 12:00 AM PST

An electronic security company says it found a soft spot in Internet protocol, but the story could be 'as old as the hills.'

The security company Guardent trumpeted the discovery of a glitch in the Transmission Control Protocol (TCP) that bad guys could exploit to do bad things. With few exceptions, the media rehashed Guardent's press release and talked to its executives; few outlets checked with outside security experts.

Guardent did a careful half-disclosure of its claimed discovery of a way to predict the supposedly random sequence numbers of TCP sessions. A cracker who could do this reliably could hijack, corrupt or shut down any conversation between two devices on the Net. The security company did not release details of its claimed exploit, saying it would do so only to companies that signed non-disclosure agreements.

Guardent's press release, and most of the news coverage of it, failed to mention that this vulnerability has been known since at least 1986, or that in 1996 AT&T wrote a document for the Internet Engineering Task Force explaining how to overcome it, or that many modern operating systems have implemented AT&T's suggestions. Guardent's release claimed that no past exploits of the vulnerability were known, and the press echoed this claim. In fact, uber-hacker Kevin Mitnick used this very technique in his battle against security expert Tsutomu Shimomura.
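As an added illustration (not code from the Standard, Guardent or AT&T), the following Python contrasts a naive global-counter initial sequence number (ISN) generator with the per-connection scheme the 1996 AT&T document (RFC 1948, Bellovin) proposed: ISN = M + F(local address, local port, remote address, remote port, secret). The peer addresses, the secret and the use of HMAC-SHA256 in place of the original MD5 are assumptions of this example.

```python
import hashlib
import hmac
import os
import time


class NaiveISN:
    """One global counter shared by every connection, advanced by a fixed step.

    Anyone who observes one ISN can predict the next by adding the step, which
    is what makes hijacking a third party's session feasible.
    """

    def __init__(self, start=0, step=64000):
        self.counter = start
        self.step = step

    def next_isn(self, local, remote):
        self.counter = (self.counter + self.step) % 2**32
        return self.counter


class Rfc1948ISN:
    """Per-connection ISN: M + F(4-tuple, secret), in the style of RFC 1948.

    M is a 4-microsecond tick counter; F is a keyed hash over the connection
    4-tuple and a boot-time secret (HMAC-SHA256 here, an assumption; the 1996
    text used MD5). An ISN seen on one connection reveals nothing about F for
    a different 4-tuple.
    """

    def __init__(self, secret=None, clock=time.monotonic_ns):
        self.secret = secret or os.urandom(16)   # per-boot secret
        self.clock = clock                        # injectable for testing

    def next_isn(self, local, remote):
        m = (self.clock() // 4000) % 2**32       # 250 kHz clock as 32-bit counter
        tup = f"{local[0]}:{local[1]}>{remote[0]}:{remote[1]}".encode()
        f = int.from_bytes(hmac.new(self.secret, tup, hashlib.sha256).digest()[:4], "big")
        return (m + f) % 2**32


def observed_isns(gen, local, remotes):
    """ISNs handed to a series of peers, as a passive observer would see them."""
    return [gen.next_isn(local, r) for r in remotes]


def predict_by_step(isns):
    """Classic prediction model: assume a constant increment between ISNs.

    Returns the guessed next ISN, or None if the observed increments vary,
    i.e. the simple model does not fit the generator.
    """
    deltas = {(b - a) % 2**32 for a, b in zip(isns, isns[1:])}
    if len(deltas) != 1:
        return None
    return (isns[-1] + deltas.pop()) % 2**32
```

Freezing the clock in a test isolates the contribution of F, which is the part of the 1996 scheme that breaks the constant-increment model.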

eWeek's Dennis Fisher turned in a well-rounded report for ZDNet. He noted the history of the vulnerability and quoted an independent security consultant's comment that the problem is "as old as the hills."

Every tech reporter has access to geek hangouts such as Slashdot. While these forums won't supply reporters with authoritative information, they will point out non-obvious wrinkles that reporters ought to follow up by talking to their favorite security sources. Has Guardent found a truly new problem, or was it simply garnering publicity by pressing the button labeled "security flaw"? Today's coverage won't give readers much help in deciding.

Researchers Identify Serious Flaw in TCP

Flaw Uncovered in TCP

Software Flaw May Pose Risk for Net User (Boston Globe)

TCP Security Flaw Found (Business 2.0)

Security Hole in TCP

Guardent Security Advisory A0303122001: TCP Sequence Number Vulnerability