Names get attached to all sorts of memorable events, be they hurricanes, political events or security incidents, such as the Morris worm, which broke out 32 years ago yesterday.
But security incidents have lately acquired names of their own, with frightening nicknames such as Heartbleed (2014), Meltdown, Spectre and Foreshadow (2018), and Fallout and ZombieLoad (2019).
Not everyone approves. Less emotionally charged bug names such as CacheOut, CrossTalk and RIDL have been proposed, but the naming trend has become so widespread that the CERT Coordination Center (CERT/CC) at Carnegie Mellon University has been asked to intervene.
Last month, CERT/CC started assigning names to Common Vulnerabilities and Exposures (CVE) identifiers to make them more approachable and less scary.
Sensational names are often a way for discoverers to give their work more visibility, said Leigh Metcalf, senior network security research analyst at CMU's CERT/CC, on Friday. That is a concern for CERT/CC, which wants to reduce fear, uncertainty and doubt among vendors, researchers and the public.
The trouble with this, Metcalf said, is that such names shape public and policy debate, as in the US government's 2018 hearings on Meltdown and Spectre.
US-CERT lists the 10 most common security flaws, and yes, they are mostly Microsoft vulnerabilities that people have neglected to patch.
On October 16, CERT/CC began offering random name combinations for CVE identifiers via a Twitter bot called Vulnonym. So, instead of referring to security holes such as the recent Windows kernel bug by an opaque ID such as CVE-2020-17087, the group automatically suggests compound nicknames such as Unsafe Ensemble, Formless Screwdriver and Unchecked Slapstick. And Suggestive Bunny.
According to Metcalf, the goal is to create neutral names that can be remembered without commenting on the severity of the flaw.
CERT's naming scheme draws on a list of adjectives and nouns taken from Wiktionary, plus various word categories such as animals, plants, cosmic objects and so on. The adjective and noun are then linked to a CVE number using the Cantor pairing function. The results often resemble Ubuntu Linux release code names.
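To make the mechanism concrete, here is an added illustration (not CERT/CC's or Vulnonym's own code) of the Cantor pairing function and its inverse, applied to a CVE identifier. It assumes that the CVE year and sequence number are paired into one integer and that this integer selects an adjective and a noun from constructed mini word lists; the real bot's selection step and its much larger Wiktionary lists are not reproduced here.

```python
import math
import re

# Constructed mini word lists for illustration only; the real Vulnonym lists are far larger.
ADJECTIVES = ["unsafe", "formless", "unchecked", "suggestive", "hollow", "quiet", "tidy"]
NOUNS = ["ensemble", "screwdriver", "slapstick", "bunny", "lantern", "comet", "meadow"]

CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})")


def cantor_pair(k1: int, k2: int) -> int:
    """Map a pair of non-negative integers to a single unique integer."""
    s = k1 + k2
    return s * (s + 1) // 2 + k2


def cantor_unpair(z: int) -> tuple:
    """Invert cantor_pair: recover (k1, k2) from z."""
    w = (math.isqrt(8 * z + 1) - 1) // 2   # index of the diagonal z lies on
    t = w * (w + 1) // 2                     # first value on that diagonal
    k2 = z - t
    return w - k2, k2


def parse_cve(cve_id: str) -> tuple:
    """Split 'CVE-YYYY-NNNN' into (year, sequence number)."""
    m = CVE_RE.fullmatch(cve_id.upper())
    if not m:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def vulnonym(cve_id: str) -> str:
    """Assumption: (year, sequence) is paired into one integer z, and z then picks
    an adjective and a noun by modular indexing into the word lists."""
    year, seq = parse_cve(cve_id)
    z = cantor_pair(year, seq)
    adj = ADJECTIVES[z % len(ADJECTIVES)]
    noun = NOUNS[(z // len(ADJECTIVES)) % len(NOUNS)]
    return f"{adj.capitalize()} {noun.capitalize()}"


def find_collisions(cve_ids) -> dict:
    """Group CVEs that receive the same name. Pairing itself is injective, but once
    the integer is folded onto finite word lists two CVEs can share a name, so the
    nickname can complement a CVE number but never replace it."""
    seen = {}
    for cve in cve_ids:
        seen.setdefault(vulnonym(cve), []).append(cve)
    return {name: ids for name, ids in seen.items() if len(ids) > 1}
```

With these seven-word lists only 49 names exist, so CVE-2020-17087 and CVE-2020-17090 already collide; larger lists push the collision out but cannot remove it.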
We went through several word lists to avoid including sensational, scary or offensive terms, Metcalf said, possibly unaware that CVE-2020-9875 had been named Scary Sena.
But neutral language is a challenge, because individually innocent words can become less innocent in combination, and because context matters to meaning. Some of the assigned names invite giggles, like Kenny Lampaker.
Others could be considered provocative if Dirty Surf referred to a vulnerability in Amazon, or Dirty Python to a bug in an adult toy. What about the back of the head, or a perceptual ejaculate?
At least such questions were anticipated. Metcalf said there is a simple process for removing offending names from the dataset and regenerating them. The procedure was not specified, and no criteria for judging undesirable combinations were offered.
It is possible that the complaints process meets the current standard of customer service – by making noise in social networks. ®