Schneier on Security
A blog covering security and security technology.
December 6, 2005
CME in Practice
CME is "Common Malware Enumeration," and it's an initiative by US-CERT to give all worms, viruses, and such uniform names. The problem is that different security vendors use different names for the same thing, and it can be extremely confusing for customers. A uniform naming system is a great idea. (I blogged about this in September.)
Here's someone talking about how it's not working very well in practice. Basically, while you can go from a vendor's site to the CME information, you can't go from the CME information to a vendor's site. This essentially makes it worthless: just another name and number without references.
Posted on December 6, 2005 at 3:21 PM
I don't know that it's useless, per se, but it's certainly much less useful. Seems kind of shortsighted of the CME people.
What's wrong with using your favorite search engine to find CME-681? I agree it would be nice to click, rather than copy and paste, but this seems a mountain out of a molehill.
The names are confusing, but how many people do not have a dominant anti-malware vendor in their life? Pick two or three and it's not too terribly hard to search for the CME. On the other hand the Common Vulnerability Scoring System (CVSS) needs wider adoption...
If people are interested in harmonizing names, why not take the hurricane approach and simply draft a list of names ahead of time? Then when the first virus of the year comes out, everyone can look at their lists and see that it should be called "2006 Alice I" (with variants "2006 Alice II" and so on), then the next one is "2006 Bob I", etc.
the CME project has promise, and i thought it had a lot more promise than it does now. in my current work, being able to reference a piece of malware for customers with an unambiguous identifier has a lot of importance. the CVE project has been a boon because it lets you vector between vendors' reports and names for a vulnerability. i was hoping one for malware would have been designed similarly. "rushed" is a kind way to put it ... confusion when we push down malware detection is a huge problem for us.
to davi: (hi, i hope all is well.) sadly, not all vendors reference the CME identifier clearly, which is a huge hurdle to getting around. one of the best at that is mcafee, no one else really comes close. hence, it can be a bear to search by CME tag in a vendor's site.
it's a problem all around, sadly, for anyone fighting malware and trying to communicate clearly.
Would it not be a good idea to make NIST's NVD into a central database where not only you can find the vulnerabilities, but also where you can verify your network/home against a database and see whether or not you have vulnerable machines/software? That's also a pet peeve I have with virusscanners: they tell you somebody has broken into your house or tries to, but don't tell you the front door is open! (See also my blog entry on this)
Well, it looks like the problem is the CME policy, or more importantly how it is being interpreted/implemented on the site. IMHO (IANAL), they should be providing links to the relevant vendors. And, in fact, they are -- but the links are to the vendors' home pages, not the pages concerning the specific malware.
I suspect this has to do with the fact that many sites don't like others to use "deep links" to pages within their site, and in fact tend to "reorganize" their site to scramble the links and break deep links already in place. I have actually seen "linking policies" on sites that forbid such deep-linking practices, and promise all kinds of legal (civil AND criminal!) penalties if you are caught linking to anything but the home page.
So, IMHO it isn't the CME that has the issue -- it is a problem with the WEB in general.
The hurricane approach won't work for malware because it can't deal with the concurrency of different malware detected/named at the same time.
Although CME is better than nothing, it can't solve the basic problem of a unique identifier for every kind of malware. Given the amount of new malware this is similar to the halting problem.
A better approach is certainly white-listing all "known good" software.
It's not that there's no *list*, it's that there's no *linkage*. Vendors provide links into the CME list, but it would be much more useful to have links from the CME list to the vendors' pages describing the virus.
CME plans to provide "additional incident response information" (as quoted from the SANS Handler Diary). We are implementing CME in phases, however, to ensure that it is flexible and scales to the needs of all participants and users. This is how CVE started, incidentally. We are currently providing the identifier, alias information (for CME participants), and a short description. We plan to provide additional malware profile information, to include links to vendor malware descriptions, in the near future. When we started, there was little to link to. We are encouraged that this is changing and that users are now demanding this information. We welcome additional feedback on CME --- email@example.com
How about requiring all member organisations to NOT EVER use a non-CME label for new malware from now on?
So this is useless because in an age when Google is the world's largest IT company nobody could find vendor sites without CERT linking to them.
I've got an idea for a future article for you Bruce... why it is bad practice for CERT to be wasting resources on maintaining databases for crap like this which isn't their responsibility when they could be doing something more useful than advertising anti-virus products.
The CME List now includes links to the vendor sites for aliases. A rollout schedule for CME List content has also been posted on the CME Web site (http://cme.mitre.org):
PHASE 1 - List CME identifiers with a brief description, date, and vendor aliases (10-5-05).
PHASE 2 - Link aliases to vendor malware encyclopedias or alerts (12-19-05).
PHASE 3 - Include detailed, structured content about malware (Q2-2006).
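The thread's complaint is about linkage in both directions: from a vendor's name to the CME identifier, and from the identifier back to every vendor's name and write-up. The following is an added example (not code from the blog, from MITRE, or from CME itself) of the small cross-reference index that gives you both directions, plus the Phase 2 style "alias to vendor encyclopedia" links. The alias rows and the vendor URL templates are constructed for illustration; CME-681 is the identifier mentioned in the comments, but the vendor names attached to it here are made up, and CME-999 is a placeholder.

```python
"""Bidirectional cross-reference between CME identifiers and vendor malware names.

Added example: the alias table and URL templates below are constructed sample
data, not the real CME List or any vendor's real naming.
"""
import re
from collections import defaultdict
from urllib.parse import quote

# Constructed rows in the shape the CME List publishes:
# (CME identifier, vendor, that vendor's own name for the malware).
SAMPLE_ALIASES = [
    ("CME-681", "VendorA", "W32/Example.worm.a"),   # vendor names are made up
    ("CME-681", "VendorB", "Worm.Example.A"),
    ("CME-681", "VendorC", "Example.A@mm"),
    ("CME-999", "VendorA", "W32/Other.trojan"),     # CME-999 is a placeholder id
    ("CME-999", "VendorB", "Trojan.Other"),
]

# Hypothetical per-vendor encyclopedia URL templates (Phase 2 of the rollout
# is "link aliases to vendor malware encyclopedias"); {name} is URL-encoded.
SAMPLE_URL_TEMPLATES = {
    "VendorA": "https://vendora.example/encyclopedia/{name}",
    "VendorB": "https://vendorb.example/threats?name={name}",
}


def normalize(name):
    """Fold case and drop punctuation so 'Worm.Example.A' and 'worm example a'
    resolve to the same key. Keep in mind this can merge names that a vendor
    considers distinct; it is a lookup aid, not a canonical form."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


class CmeIndex:
    def __init__(self, rows):
        self.by_cme = defaultdict(dict)   # CME id -> {vendor: vendor name}
        self.by_name = {}                 # normalized vendor name -> CME id
        for cme, vendor, name in rows:
            self.by_cme[cme][vendor] = name
            self.by_name[normalize(name)] = cme

    def cme_for(self, vendor_name):
        """Vendor name -> CME identifier (the direction vendors already provide)."""
        return self.by_name.get(normalize(vendor_name))

    def aliases(self, cme):
        """CME identifier -> every participating vendor's name (the missing direction)."""
        return dict(self.by_cme.get(cme, {}))

    def translate(self, vendor_name, target_vendor):
        """Go from one vendor's name to another vendor's name via the CME id."""
        cme = self.cme_for(vendor_name)
        if cme is None:
            return None
        return self.by_cme[cme].get(target_vendor)

    def vendor_links(self, cme, templates):
        """CME identifier -> {vendor: URL into that vendor's write-up}, for the
        vendors that have a template; the alias is URL-encoded into the path."""
        return {
            vendor: templates[vendor].format(name=quote(name, safe=""))
            for vendor, name in self.aliases(cme).items()
            if vendor in templates
        }


def build_index():
    """Index over the constructed sample rows, for callers and tests."""
    return CmeIndex(SAMPLE_ALIASES)


if __name__ == "__main__":
    idx = build_index()
    print(idx.cme_for("worm.example.a"))
    print(idx.aliases("CME-681"))
    print(idx.translate("W32/Example.worm.a", "VendorB"))
    print(idx.vendor_links("CME-681", SAMPLE_URL_TEMPLATES))
```

The one-line per-vendor URL templates are the whole point of Phase 2: once the list carries the vendor's alias, building the deep link is mechanical, which is why the "deep links get reorganized" objection in the thread is about maintenance of the templates rather than about the index itself.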