nCircle VERT Blog: February 2007 Archives

February 27, 2007

Look! A dead horse. Let's beat it...

In the security community, the topic of full disclosure has been discussed for what seems like an eternity. Essentially, it is the discussion on whether or not the full disclosure of vulnerabilities prior to vendor notification is useful or harmful to the computing world at large.

There are really two thoughts on the subject. One side of the argument is that full disclosure forces vendors to patch their software as quickly as possible. The alternative view is that full disclosure only harms the users of the product since there is often very little they can do to patch. Assuming that there is a vulnerability in a product that is not publicly disclosed, the users of the product would be relatively safe because the vulnerability would not be known to the community at large. Of course, that does not mean that the details of the vulnerability are not known by someone out there. It just means that the average script kiddie does not have access to exploit code.

So, which side is the correct one? Who cares. While it may be important to the security industry to figure out the best way to approach the discovery of new vulnerabilities, debating which side is best is a waste of time. The problem is that we aren't the ones who decide to release vulnerabilities publicly without full disclosure. Therefore, debating which approach is better is a little useless since, no matter what we decide on, both things are going to happen anyway. It's not like what we decide upon, if we ever could, would affect what the others in the world will do. It's like debating whether apples or oranges are the better fruit. Some will choose one. The rest will choose the other. Will a consensus within a small group change the eating habits of the world? I doubt it.

We are doing a disservice to ourselves and the people out there. If I were looking from the outside in, I would have a lot of trouble taking the industry seriously. If we are so focused on the little things that don't matter, how could we expect others to have faith in us to have good arguments on the things that do?

That's not to say that the topic isn't important. There are a lot of reasons why we should continue to have these discussions. First, and foremost in my mind, is user education. There are a lot of people who don't necessarily know of the benefits and/or drawbacks to full disclosure. It's important for the community to take a leadership role in security and educate others. However, we all talk about full disclosure like it's the most important thing since the discovery of sliced bread. There have been numerous articles and blog posts about the benefits and drawbacks to full disclosure by people who have been in the industry for years. However, there is a big difference between talking about it once in a while and discussing the same thing over and over again endlessly.

In the end, I think we are doing a disservice to ourselves (and maybe I shouldn't be grouping us together). A lot of times, it looks like we act like silly children when we fight over something that really doesn't matter. Which side of the full disclosure debate you take is really not important, as it's going to happen anyway. It's what we do, and what we have taught others to do, when full disclosure affects us that's important.


February 24, 2007

The Security Disconnect

I recently attended a curriculum planning group for a 1-year post-grad in Information Security. The idea behind the course was a melding of business and infosec. There were a number of industry professionals, from both the vendor side and the corporate side and at the end of the entire thing I realized that there's a bit of a disconnect in the security world between the ones selling security and security-related information and the ones applying the security. It was a disconnect that reminded me of the entire end-user aspect of security issues.

One of the comments that was made, paraphrased because I can't remember it word for word, was, "If I'm hiring someone for my security team, I'd rather they understand the business side of things than the technical side. Anyone can Google how to configure a router." Someone told me that they can agree with the first part of this, and I can see that as well... It explains why my post-secondary education included courses on finance, ethics, project management, teamwork and business. I can't, for the life of me, understand the second part. This is where that "end user" aspect of security issues or in this case "user" aspect comes into play.

Let's look at the technical part of this... More and more high schools are offering the CCNA program and those students can configure a Cisco router... does that mean I trust them to securely configure the router? The answer is no. I decided to see what a Google search would reveal, so I entered the string, "Configuring a router". The first non-Cisco link I found was the one I went with. It read like something out of a CCNA textbook. No mention of security, use of the RIP routing protocol and many other things that were indicative of an amateur configuration. No hardening of the device, nothing... just a couple of IP addresses on interfaces and the ability to route between them.

Another comment I overheard was along the lines of, "Sure a technical person could configure it but a business person would understand where to place the device". I highly doubt that a business person will understand or even comprehend the act of using a perimeter router, a firewall with a DMZ and then an inside router. They may not even comprehend why it's a bad idea to put a Microsoft Small Business Server live on the internet... why it's a bad idea to have Exchange and your Domain Controller on a single box that's live to the world.

I can even understand why you might hire someone with more business skills than technical skills to manage your security team... but they won't function successfully if they aren't surrounded by those with technical skills to do the work and to advise them.

So in the end we're left with a disconnect... a disconnect between those doing the security research and creating the security products and those implementing them. Those of us on the vendor side of the table make the assumption, or at least I did anyway, that our products are going to someone with a technical background so they'll be implemented properly... when in reality they could very well be going to someone with a business background who may or may not know the function of the device.

We all talk about end user education; perhaps we should expand that and talk about corporate security education as well. We should be explaining to those who are responsible for our data, be it our educational data, our financial data or our voter information, that you can't properly configure a device and implement it in your infrastructure solely by reading Google. We may have a lot of information at our fingertips but experience and ability still play key roles.


February 21, 2007

re"distro"bution

Okay, I have a confession to make, not so long ago I was a complete linux n00b. Back when I started in VERT (a little over a year ago) I could count the number of days I had used a non-MS OS on the fingers of one hand. Sure, I had played around with Linux as far back as Red Hat 5, and once, for about six months, I had Fedora Core 4 installed on a partition I never booted to, but I never used it enough to gain any mastery.

Now don't get me wrong, I wasn't one of those "afraid of the command line", click-happy users. It was just that I had been working as a Windows systems administrator, so I needed to live and breathe Windows systems. I could play around with *nix on my own time, but it was just that, playing. I never *had* to make it work, so I never did.

Happily, one of the requirements for my role here was that I gain comfort with Linux and Unix based systems. I certainly saw my lack in that area as a weakness in my skill set and I wanted to tackle a distro which would really force me to get my hands dirty, so on the recommendation of a co-worker, I chose Gentoo running fluxbox as my window manager and ran it quite happily for more than 12 months.

However, after waiting 2 days (on a single core P4 2.7 GHz processor with 1GB RAM) for 'emerge -Du system' to upgrade gcc 3.6 to 4.1, upgrade X11 from 7.0 to 7.1, and then rebuild and recompile everything with the new compiler over the Christmas holidays, I started to think that maybe it was time to expand my Linux horizons.

What I liked about Gentoo:
- the portage system, the ease of get, install, configure a wide selection of applications
- the BSD based configuration gave me (I believe) a very Unix-like feel to my configurations
- active and diverse user community
- minimal install, nothing running that I didn't want.
- getting application and kernel updates as soon as they are available.

What I didn't like about Gentoo:

- waiting hours to compile updated versions of firefox, X11, etc.
- waiting days to recompile everything when a gcc update occurred.
- fixing all the things that break due to "bleeding edge" updates.

General feeling about Gentoo? Very positive. I would recommend it to a friend. But maybe not to a customer. It requires a lot of "hands-on" to keep it up to date, but I think it's a great distribution with plenty of active development and community support.

However, at this point I thought it would be good for me to try something else for a while, just to see "how the other half lives". I had played around with Ubuntu for a while, but it never grabbed me. It seemed too easy, too clicky for my tastes, and another VERT researcher and (sometimes) Ubuntu enthusiast with the same hardware warned me of various issues with the ATI drivers and his setup.

Seeing as my reason for changing was to learn a different way of using Linux, I was willing to endure something of a challenge to get it configured the way I wanted, so long as I gained something from the process. What I settled on was CentOS 4.4. Why? CentOS is a Red Hat Enterprise Linux derivative. A lot of people, a lot of our customers, use Red Hat and related distros. Learning the Red Hat way of doing things was something I couldn't afford not to do.

Next time... my thoughts on switching to CentOS.



February 13, 2007

It's the little things ...

Microsoft has the following typos in today’s MS Advisory Content.

MS07-005
Security Update Information
Windows 2000
Windows XP
Windows Server 2003

Registry Key is listed as:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\StepbyStepInteractiveTraining\KB923723\Filelist
Correct Key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Step By Step Interactive Training\SP2\KB923723\Filelist

MS07-006
Security Update Information
Windows Server 2003

Registry Key is listed as:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB928255\Filelist
Correct Key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP2\KB928255\Filelist

These errors may look minor, but Registry keys are serious business to those in the Vulnerability Detection field.
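To show why the exact path matters, here is an added example (not code from the original post or from nCircle): a patch-presence check that tries both the Filelist key path as printed in each bulletin and the corrected path, and reports what a detector coded from the bulletin text would conclude. The key paths are the ones quoted above; the registry lookup uses the standard winreg module and only works on Windows, so the lookup is injectable and a constructed fake registry stands in for it elsewhere. The function names and the fake-registry helper are assumptions for illustration.

```python
# Added example, not from the original post: compare the bulletin's printed
# Filelist key path with the corrected one and show the detection outcome.
from typing import Callable, Dict, Iterable, List, Tuple

# bulletin -> (path as listed in the bulletin, corrected path), from the post
FILELIST_KEYS: Dict[str, Tuple[str, str]] = {
    "MS07-005": (
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\StepbyStepInteractiveTraining\KB923723\Filelist",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Step By Step Interactive Training\SP2\KB923723\Filelist",
    ),
    "MS07-006": (
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB928255\Filelist",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP2\KB928255\Filelist",
    ),
}


def winreg_key_exists(path: str) -> bool:
    """Open a key by its full path (hive name first); Windows only."""
    import winreg  # standard library, present only on Windows

    hive_name, _, subkey = path.partition("\\")
    hive = getattr(winreg, hive_name)
    try:
        with winreg.OpenKey(hive, subkey):
            return True
    except OSError:
        return False


def fake_registry(present: Iterable[str]) -> Callable[[str], bool]:
    """Constructed stand-in for the registry: a set of existing key paths."""
    keys = {p.lower() for p in present}  # registry key names are case-insensitive
    return lambda path: path.lower() in keys


def assess_bulletin(bulletin: str, key_exists: Callable[[str], bool]) -> Dict[str, object]:
    """Check both candidate paths for one bulletin and explain the outcome."""
    listed, correct = FILELIST_KEYS[bulletin]
    listed_found = key_exists(listed)
    correct_found = key_exists(correct)
    return {
        "bulletin": bulletin,
        "listed_path_found": listed_found,
        "correct_path_found": correct_found,
        # The update really is installed, but a check coded from the bulletin
        # text sees no key and reports the patch as missing.
        "false_missing_if_trusting_bulletin": correct_found and not listed_found,
    }


def assess_all(key_exists: Callable[[str], bool] = winreg_key_exists) -> List[Dict[str, object]]:
    """Run the check for every bulletin in the table."""
    return [assess_bulletin(b, key_exists) for b in FILELIST_KEYS]


if __name__ == "__main__":
    import sys

    # On a Windows host the lookup hits the real registry; elsewhere use a
    # constructed registry holding only the corrected paths, as on a host
    # where both updates are installed.
    if sys.platform == "win32":
        lookup = winreg_key_exists
    else:
        lookup = fake_registry(correct for _, correct in FILELIST_KEYS.values())
    for result in assess_all(lookup):
        print(result)
```

On a patched host only the corrected paths exist, so a detector that trusts the bulletin text flags both updates as missing; checking the corrected path is what removes the false report.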


February 12, 2007

What's old is new again

There is a brand new Solaris 10/11 Telnet vulnerability that allows remote users to log into the remote server as any user without providing a password. This is similar to the old AIX/Linux RLogin vulnerability in 1994.

It’s simple enough. If you provide a “-fusername” option to the -l command while attempting to telnet into a vulnerable Solaris server, you will be logged in automatically as the supplied “username”. Therefore, you could log in as any known user. It has been reported that you cannot log in remotely as root. However, this is incorrect. Depending on the configuration of the remote server, it is possible for the remote user to log in as root. If the remote server is configured to allow remote root access beyond the console (if CONSOLE is not set in /etc/default/login), then the remote user can log in as root. An example is below.

Trying X.X.X.X...
Connected to X.X.X.X.
Escape character is '^]'.
Last login: Mon Feb 12 10:38:17 from AHost
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
You have new mail.
# id
uid=0(root) gid=0(root)
#

It should not be that big of a deal as the Telnet service should not be used in most cases. I hope most people have moved to a more secure form of communication such as SSH. If you have not, disable the telnet service as there is no publicly available patch.
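Since the post ties remote root login to whether CONSOLE is set in /etc/default/login, here is an added example (not code from the original post or from nCircle) that audits that setting: it reports whether an active, uncommented CONSOLE= line exists and therefore whether root is limited to the console device. The sample file contents are constructed; the function names are assumptions for illustration.

```python
# Added example, not from the original post: audit the CONSOLE setting in
# /etc/default/login, which decides whether root may log in anywhere other
# than the console device.
import re
from typing import Optional

# An active setting is an uncommented line; "#CONSOLE=/dev/console" does not count.
CONSOLE_LINE = re.compile(r"^\s*CONSOLE=(.*?)\s*$")


def console_setting(text: str) -> Optional[str]:
    """Return the value of the first active CONSOLE= line, or None if absent."""
    for line in text.splitlines():
        m = CONSOLE_LINE.match(line)
        if m:
            return m.group(1)
    return None


def root_remote_login_allowed(text: str) -> bool:
    """True when CONSOLE is not set, the state the post describes as exposed."""
    return console_setting(text) is None


def describe(text: str, name: str = "/etc/default/login") -> str:
    """One-line verdict suitable for a configuration compliance report."""
    value = console_setting(text)
    if value is None:
        return f"{name}: CONSOLE not set; root may log in over the network"
    return f"{name}: CONSOLE={value}; root login limited to that device"


def audit_file(path: str = "/etc/default/login") -> bool:
    """Read the real file; returns True if root remote login is allowed."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return root_remote_login_allowed(fh.read())


# Constructed samples: the Solaris default, and the weakened variant with
# the CONSOLE line commented out.
SECURE_SAMPLE = """# Default settings for login(1)
CONSOLE=/dev/console
PASSREQ=YES
"""
WEAK_SAMPLE = """# Default settings for login(1)
#CONSOLE=/dev/console
PASSREQ=YES
"""

if __name__ == "__main__":
    print(describe(SECURE_SAMPLE, "secure sample"))
    print(describe(WEAK_SAMPLE, "weak sample"))
```

A restricted CONSOLE only limits the damage; the mitigation the post gives is to disable the telnet service itself, which on Solaris 10 is done through SMF (svcadm disable telnet).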


February 9, 2007

Thinking about the future

RSA is wrapping up and I have to say that I was pleasantly surprised with a lot of things this year.

The traffic at the nCircle booth was excellent, but it's the quality of traffic that really impressed me. In the past, RSA meant a lot of "what do you do?" questions from passers by. This year, we had a lot of people - current customers and non-customers - asking really intelligent questions about agentless network detection. It seems that the customer side of the community has really done their homework over the last 12 months which is great to see.

Fortunately, many of the questions focused on how we do what we do as much as what we've done or are planning to do. Configuration Compliance is on everyone's mind right now and we laid out how we've been attacking it. Roadmaps are very important, but it seems that the customers are getting savvy enough to ask probing questions to decide whether an organization has what it takes to deliver on their promises. They are also looking for assurance that we have what it takes to consistently deliver in the future. In particular, many of the questions were about coverage and people want to know what makes VERT different than others in the space when it comes to our capabilities.

The timing for these questions could not have been better from my perspective. I was on the presentation schedule a couple of times, talking to people about how we approach coverage. I'll save the details for a near-future blog posting, but the title of the presentation was "Beyond Vulnerabilities: The Future of Coverage". Based on the feedback, it seems that our message was very well received and sparked some excellent Q&A. The detailed follow-up questions, in my opinion, speak volumes about how our customers' understanding of the space has evolved over the last 12 months. My core message was that customers and would-be-customers should expect more from the research teams in this space. The use of the term "risk" does not mean that a company has evolved beyond Vulnerability Assessment, and the attendees understood what we've been doing over the last 5 years to build something bigger than a VA solution. This would have been exactly the wrong presentation 1 year ago, but it seemed to strike a chord with conference attendees this year. Sometimes you get the timing right - I'm a great believer in luck and I find that the more I listen to our customers, the more of it we have.

We also had a fantastic couple of discussions with the guys from mitre. We're big fans of the mitre folks and we're looking to do more exciting things with OVAL, CVE, and possibly CCE/XCCDF this year. More information on that later in the year as well.

Thanks to all of you who were in San Francisco and stopped by the booth. For those who weren't able to make it, I'll summarize the presentation for you soon and hopefully it will spark some good conversation.


February 8, 2007

Time to try and catch up.

So Microsoft has released their advance notification of this coming Tuesday's patches. It looks like we're expecting 12. Given the current list of unpatched public vulnerabilities, Microsoft has some serious catching up to do... even if the assumption were made that all 12 patches were based on public exploits (which won't be the case)... they'd still be behind.

Tuesday's breakdown looks like this:

- 5 x Microsoft Windows (Highest Severity: Critical)
- 2 x Microsoft Office (Highest Severity: Critical)
- 1 x Microsoft Windows & Microsoft Visual Studio (Severity: Important)
- 1 x Microsoft Windows and Microsoft Office (Severity: Important)
- 1 x Step-by-Step Interactive Training (Severity: Important)
- 1 x Microsoft Data Access Components (Severity: Critical)
- 1 x Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender, and Microsoft ForeFront (Severity: Critical)

More details can be found at Microsoft Technet.

We'll be here on Tuesday, all day (and night), providing our insight as we work through the released patches, so stop by and say "hi".


February 7, 2007

My Thoughts on WebAppSec

Something I’ve always enjoyed is exploration… Hiking through the bush, touring a cave or walking a ledge to view pictographs… The great thing about computers is that even when it’s a frigid day or a torrential downpour, I can still explore… I can explore the Internet, an Operating System, and Source Code… anything I want to really.

One of my favourite things to explore is HTML… Regardless of who you are or what website you run, your HTML source is available for the entire world to see. With the onset of Web 2.0 there’s plenty more interesting code to explore. Web 2.0 was actually a topic of discussion around here the other day. There was plenty of discussion into the language of choice for an internal project… the debate was PHP vs. AJAX. AJAX won at first but raised the question: Pyjamas or GWT. This of course drove me to look at the various frameworks and even test them. I wasn’t overly impressed… but then again I’ve never been a big fan of Web 2.0. In the end PHP with small tidbits of JavaScript is being used but that experience had me thinking.

Part of my investigation brought me to various potential vulnerabilities in Web 2.0. I ended up over at Attack Labs and it’s a little frightening. Another interesting read on the subject which has popped up more recently is AJAX Fingerprinting. I’m amazed at this new programming craze that’s sweeping the nation. The evidence of that is everywhere, anyone can have a website now and even do a little of their own coding. You can’t watch TV without seeing an ad for a mail-order Web Developer course… College night schools are offering the courses; high school typing classes are introducing it… You’re hard pressed to find someone who isn’t involved in some sort of web design… It’s just so gosh darn easy these days.

This scares me… a lot of Colleges and Universities are *JUST* getting the idea of teaching secure coding… for years it was never taught or discussed… in some educational institutions it’s still a taboo subject. Now these same places are teaching web design… which, regardless of how you spin it, is coding. I know at least some programmers out there are gasping in horror right now but it’s true. So you’ve got two parties coming together… the “old school” crowd that was doing HTML when it was 100% static and has a grasp for the security and has watched the evolution of the World Wide Web and the “n00bs”… graphic artists who don’t grasp computers but got into web design, people fresh out of college where security and web programming don’t cross paths, and the people who were suckered in by some washed up 70s sitcom star on late night television.

So OWASP has released their 2007 Web Application Vulnerabilities Top 10. Jeremiah Grossman published the Top 10 Web Vulnerabilities of 2006 back in December. Everyone is talking “WebAppSec” and the terms are flying by, and sometimes over, people’s heads. XSS, SQL Injection, CSRF, etc. We’re being kept decently informed on problems to watch out for… yet we still consistently find these problems. Maybe we’ve hit a point where instead of pointing out problems and quick solutions we should be going back to the source… we should be looking to re-educate the individuals who create these pages and introduce them to the concept of secure coding… a common coding practice that, as of yet, hasn’t been applied to web design.


Confidence ...

Thrilling.
So I sat through John Thompson's keynote yesterday, listening to his vision of the future and how we must restore *confidence* - I said *confidence* in the online experience. You can view the RSA keynotes here: http://www.rsaconference.com/2007/us/content/webcasts/

Over-billing.
John worked his way through the library of products that his company has acquired and the working groups that they've participated in, saying little more than how *confident* he was that Norton 2007 had finally solved world hunger and global warming. More inflation of the Anti-virus value proposition from a company that is simultaneously pitching a collection of solutions to manage risk.

Shilling.
He also talked a great deal about protecting identities as the number one issue facing the security industry today. Given my background in Identity Management (and its various alternative names) over the last 10 years, I was less than excited to see Symantec jump on the IAM bandwagon. He seemed to have a lot of *confidence* that his company had the tools to address "the identity issue". I have a lot of *confidence* that cobbling together a number of solutions across a number of problem sets does not make you a Subject Matter Expert. I have just as much *confidence* that Symantec does not know enough about the identity space to be taken seriously ... at least not yet.

Chilling.
The ironic part was when John went after Microsoft at the end of his keynote. He resurrected an old analogy that the person who maintains your bookkeeping should not be entrusted with auditing your books. In turn, he asserted that the company that makes and maintains your Operating System should not be entrusted with the protection of that Operating System. Sorry John, but that message doesn't fly ... despite the anti-Microsoft applause that it drew during the presentation. Those who buy first and think about integration into the glass house later should be careful where they aim their stones.

Don't get me wrong - I've had my share of beefs with Microsoft over the years and John is an eloquent speaker with some very good things to say during his keynote - but this kind of appeal to "conflict of interest" is overblown and beside the point. My advice to John is to sell his mousetrap on its merits if he believes that it is better. If you don't want the world to buy a competitor's products, explain to the world why your solutions are better. Period.

That's been our message from day one and our customers know why they put their trust in IP360. I am *confident* that their trust has nothing to do with the fact that we're not an OS vendor.


Tabula Rasa

Tabula Rasa
(Latin). A clean slate; a blank or erased tablet.

Backwards Compatibility. I'm hardly a Mac user, but from what I've heard, they don't bother with it. Every Mac OS release is a clean slate (or close to it) and the end user just has to adjust. On the other side, Microsoft spends millions (billions?) making sure that you can still open that document you put together using Word 95 in Office 2007.

Which approach is better? Define better.

I think it can be stipulated that there is a proportional relationship between code complexity and the investment of time and money required to produce and maintain it. Conversely, there must be a proportional relationship between how often an information system (the software and the data) must be updated and the investment of time and money to do the updates.

Hence, backwards compatibility is good for the user. Software companies only exist to serve the needs of their users. So, how good software is at meeting the needs of the user reflects the quality of the organization which produced the software. Thus backward compatibility is better, it is something good software companies maintain to meet the needs of their users.

But I sure wish I didn't have to burn cycles doing it myself.


February 6, 2007

Tip of the Hat - Wag of the Finger (RSA Edition)

Wag of the Finger
ESET for their live performances of "Everybody was Virus Fighting ..." (to the tune of Kung Fu Fighting). Imagine the most annoying commercial on TV repeating every 10 minutes and having no ability to press mute. Now imagine that TV being right behind your head while you are trying to deliver a presentation. Brutal.

Tip of the Hat to
Cyberdefender for having a genuine Aqua Teen Hunger Force Mooninite (Ignignokt) to give away. Their authentic bomb scare cult classic came from Seattle. The low budget construction on this thing has to be seen to be appreciated (it involves electrical tape and some D batteries). Any knock offs that are showing up on eBay will be obvious by their high quality construction. When lit up it looked just awesome!

Wag of the Finger
Mazu Networks for employing a fake Don King (who tells everyone his name is Ron King) and 2 people in Blue and Red Rock'em Sock'em Robots' suits. The grade school art project robots looked like they might have been interns who had been forced to battle since the expo opened. They looked like they needed new batteries.


381 Exhibitors all here to save you from Hackers!

The show floor at RSA is ridiculously large. The gimmicks and booth antics … ridiculous …

First vendor on my list of WOW is Verisign.
These guys had some unicycle riding Security Pros telling us all about their solutions. They were about as creepy as a clown at a birthday party.

Hackistan (yes you read that correctly) had some fur wearing communist era actors using fake Russian accents in what can only be described as Borat does InfoSec.

Message to Hackers
If you want to win the ongoing battle between security companies and the underground here is how – stop maliciously exploiting people or generating any newsworthy events for 1 year. Watch 30% of security companies go out of business. Wait another year and watch how many more merge or disappear. You can outnumber your opponents just by laying low for a while.

I will post again after the SC Magazine Awards dinner.


February 2, 2007

Dolphin Stadium (Home of Super Bowl XLI) contains malicious code

I just came across this and wanted to throw it up for any of our readers that don't visit the Websense blog. According to their article the Dolphin Stadium website has been compromised and infected with malicious code. This code attempts to install a trojan keylogger/backdoor via two patched Microsoft vulnerabilities (MS06-014 and MS07-004).

If you haven't visited Microsoft Update in a while, now is a great time to browse over and ensure that your computer is up to date.


Bio

Blog: VERT
Author: nCircle VERT

nCircle VERT is the research team behind nCircle, continuously publishing updates for nCircle IP360 and nCircle's family of products. VERT conducts deep research across a broad class of network security intelligence, creating unique, agentless detection for: vulnerabilities, host configurations, applications, services, user accounts, operating systems, and other network security conditions. Members of the group use this blog to share their opinions on the security industry, emerging threats, technology trends, and the world at large.

