14 DAY TRIAL // Jack C. Louis, senior security officer at Finnish security company Outpost24 and reputed researcher, passed away in a house fire accident at his home on March 15th, at the age of 32. He was working with major vendors in the IT industry to patch several severe TCP-stack vulnerabilities that could threaten the stability of the entire Internet.
Back in October 2008, Robert E. Lee, chief security officer at Outpost24 along with Jack C. Louis, announced the discovery of serious flaws affecting most of the TCP-stack implementations used today. The two devised several different attack types and included them in a test kit they dubbed Sockstress.
Not much information was made available to the large public, because of the sensitive nature of the discovery, but Lee and Louis started working with CERT-FI (the Finnish Computer Emergency Response Team) in order to supply the impacted vendors with all the information necessary to address it.
One of the described attacks allows a computer with limited resources and bandwidth to successfully incapacitate even the most “powerful” servers on the Internet. This denial of service attack involves tricking the TCP stack into keeping connections alive for virtually forever, by simulating a very slow request. Then, it's just a matter of opening enough such connections to overload the stack and make it unresponsive.
Now, with Louis' unexpected death, the job of continuing the research falls on Lee's shoulders. “It's been rough. Jack's been a very close friend and business partner for the past six years. We did everything together,” Lee commented for Network World. He also noted that Louis did not provide vendors with details about all vulnerabilities, because some were still being researched.
However, for the ones that were properly documented, patches are expected to be deployed during this year. “Discussions have been ongoing with a number of vendors, and several of them are currently in various phases of patch development process. Judging by the current progress, CERT-FI is confident that functional fixes to mitigate the risk can be expected to be released during this year,” a CERT-FI statement reads.
The problem is that the deployment of patches has to be done coordinately. If a vendor was to release a fix sooner than others, ill-intent parties might reverse-engineer it and launch attacks against the yet unprotected servers. At the moment, there is no evidence that these flaws have been targeted in the wild and that's unlikely to happen, because finding them is no easy task and requires more than a few nights of poking around.
Jack C. Louis was considered by many industry professionals a security genius. Before joining Outpost24 as their Senior Security Officer, he collaborated with the Institute for Security and Open Methodologies (ISECOM), where he contributed to the writing of the Open Source Security Testing Methodology Manual (OSSTMM). The famed researcher was also the lead developer of Unicornscan and the Sockstress tool. The Jack C. Louis memorial page created by his family can be visited here.