Information Security News mailing list archives

Re: Security woes: Who is to blame?


From: InfoSec News <isn () c4i org>
Date: Fri, 9 Nov 2001 04:17:51 -0600 (CST)

Forwarded from: security curmudgeon <jericho () attrition org>

http://news.cnet.com/news/0-1014-201-7819204-0.html?tag=bt_bh

By Robert Lemos

> The issue is not new, but Culp's article marked the beginning of a push
> by Microsoft to call the security industry and hackers into account for
> distributing dangerous code. In many ways it isn't surprising, since
> Microsoft loses face every time a widespread security incident
> compromises its software.

Hopefully Microsoft stops distributing Frontpage then. That is a clear
cut, easy to use, GUI based exploit utility for defacing web servers.

And I hope that they stop distributing Outlook Express since that too
is half the recipe for all these nasty worms. None of them would work
without the built in default functionality of OE.

> However, if new vulnerability disclosure policies become widespread
> and cut down on the number of worms and attacks targeted at Internet
> companies, everyone stands to gain. CNET News.com caught up with Culp

Ironically no.. not everyone. Security companies really lose out big time.
They lose out on security advisories. They lose out on reporting bugs to
their customers (be it a service or a 'value add').

> Q: Why the name information anarchy?
>
> A: Well, because it's accurate. The practice that the essay was
> discussing was the practice of throwing exploit information out freely
> on the Internet without regard to how it might be used. There has been

This is incorrect. Culp obviously has little working knowledge of the
computer underground, and has done no research into it.

Historically, these exploits start out in the hands of one person that
wrote it. S/he either uses it to hack servers or doesn't. After that, s/he
may share it with other hackers or a close group of friends. After that,
they begin to share it with more and more people for various reasons. This
could be because they no longer have a use for it, are finding less
vulnerable machines, or can use it to leverage newer/different exploits.
After a while it leaks out to "irc" (ie: a lot of people, not necessarily
via irc but that level of distribution). Shortly after that it often pops
up on Bugtraq, sometimes as a working exploit, sometimes as a variation of
the original, sometimes crippled, sometimes downright broken. The
difference in the code posted to bugtraq is widespread, and the reasons
are as well.

So, looking back at a one paragraph description that could be expanded to
a chapter in a book.. is that information anarchy? If so, then we should
label Microsoft "anarchists" and level the playing field. When Microsoft
issues a patch or new program, it goes through the same process. Starts
out at the developer, moved to the team, passed on to testers, shared
companywide perhaps, released to customers, posted on the Internet.

Forget a second what is being passed around in each example, that is
irrelevant to the term and branding here. There is a very well defined and
repeated series of events here, each following a fairly well defined
hierarchy.

To those who aren't seeing it yet.. that is not anarchy. Not at all.

But, 'anarchy' is a great buzzword and no doubt the result of a Microsoft
PR team (or perhaps buggy Word thesaurus..).

It conjures up really bad images and makes all the good law abiding
citizens hate those anarchists!

> disclosed about security vulnerabilities. And for the longest time,
> folks arguing both pro and con could cite theory about why their
> position was correct. But the five worms (Ramen, 1i0n, Sadmind, Code
> Red and Nimda) that were released over the past year answer the
> question with actual data and conclusively.

Ooooh, actual data and conclusively. Can anyone drag this up? Culp? Care
to cite a source for this claim? Mind if I pass it on to someone that
knows more about data, numbers, and 'proving' stuff than you do?

> What does that tell you?
>
> Those five worms tell us the posting exploit information on the Web is
> harmful and dangerous. In all five cases, the worms were built using
> information that was publicly posted on the Web and posted to no good
> purpose.

Wow, amazing leaps of logic here. If this is such a truth, why isn't Sun
Microsystems starting this initiative or partnering with Microsoft on it?
You DO remember that 'sadmind' was a multi-OS worm right?

And can you quote each place the vulnerability basis for the worms was
originally published? After you do that, can you really say that each had
'no good purpose'? Does it matter that each one of these had working
exploit code MONTHS before they were utilized in worms?

> Are you trying to hush up those that find these vulnerabilities?
>
> Absolutely not. Our reputation and our practices speak for themselves.

Now this is a truly accurate statement. Microsoft's reputation and
practices speak for themselves.

> Nobody else in the industry is as open about reporting their own
> security vulnerabilities in their own products as Microsoft is. That's

Wrong. Absolutely and CONCLUSIVELY (since you like using that word) wrong.
The linux community is much better.

> The essay is not calling for people to refrain from looking for
> security vulnerabilities, to stop reporting them to the vendors, to
> stop telling customers about them. We don't want to change any of
> that.  The only thing that we are suggesting is that reasonable people
> should be able to agree that telling bad guys how to use those
> vulnerabilities to attack innocent users is wrong.

Oh jeez. This is a complete fallacy here. So the solution is to stop
giving bugs to the bad guys is it?

In the past, exploit information has been taken from vendors (via
'hacking'). It has been shared by employees that had access to it. It has
been accidentally leaked out to the public. It has been shared with
contractors and more.

At what point can you say each of those people are good and bad? It's a
pipe dream to even think the world is so black and white as to allow us to
conveniently 'withhold' that info from 'bad guys'.

What about the person who is good during the day at work, and bad at
night?

> As far as releasing information and vulnerabilities, what about
> reports that the latest Windows XP patch has five security fixes, but
> only two are documented?
>
> It's interesting that you can claim that you can know and don't know
> how many vulnerabilities are being fixed in the patch while at the
> same time saying you know how many fixes are in the patch. That seems
> to be a logical contradiction.

Huh? Re-read the question there Scott..

> But let's talk about that update. It's the first critical update for
> Windows XP and contains all the fixes to Windows XP between the
> release to manufacturing and its availability in the market on 25
> October. The idea between doing a single fix is that it is more
> convenient for customers because you only have to apply the one fix
> and you get everything. It can be applied at install time.

Uh, yeah, let's talk about that update and answer the question for a
change. What a cop out.

The word is the patch fixed FIVE security holes, yet only TWO were
documented anywhere for the public. Meaning there are more problems than
Microsoft is admitting to. What was that earlier about being so good at
admitting/reporting problems?

Next, Oct 25 was just a couple weeks ago. There are already 2 to 5 serious
security vulnerabilities in that short a time frame? Could you comment on
what auditing or testing was done that Microsoft could miss these?

And this last comment about patching in a big batch, doesn't that help
address the real reason you want little to no public vulnerability
disclosure? These big patches help you in so many ways. They let you
procrastinate on serious problems with less perceived threat since the
exploit code isn't "public".

> How much of a difference will your new initiative make to Internet
> security? Are we going to see a big decrease in the number of worms?
>
> We have to be realistic. There will be malicious users who will write
> malicious code. They will probably write worms, and they will attack
> users. The number of incidents will almost certainly be smaller than
> the number of incidents we have today. Judging by those five worms
> that tore through the Internet over the past year, recognizing that
> all of them relied on information that was posted to the Internet, we

.. as much as they relied on shoddy products from Microsoft that made them
possible in the first place. 

> Are you going for a mutual consensus of people here? What happens when
> a hacker finds a hole in some software package and posts it to a
> bulletin board or Usenet list? Is there anything you can do about
> that?
>
> Microsoft is not the world's policeman. There is only so much that
> Microsoft can do. And the extent of what we are advocating now is
> self-restraint. We are not advocating the creation of cybercrime laws
> to prevent the posting of exploit code; we are not for any kind of
> punitive or coercive measures. We believe that security professionals,
> for the most part, are in this business to protect users--and that
> when they understand that certain actions are really protecting users,
> they'll do the right thing. So our goal here is, working with the rest
> of the industry, to try to develop some reasonable and moderate
> standards for handling security vulnerabilities that are likely to
> have the desired effect--that is protecting users.

Wow, thanks for not answering the question.

Let me rephrase it. What is Microsoft doing to address those who do NOT
follow the Microsoft Vision (tm) for vulnerability disclosure?

> That's not true. There are a lot of dimensions to the problem of
> improving security. One of them is that vendors need to write better
> software, and we certainly count ourselves in that circle. We need to
> develop more secure products; we need to make it easier for people to
> manage their security on their machines. And we have been very up-front
> about our obligation to do that and our intention to do that.

.. obligation.. intention..

Yeah thanks for nothing. What is Microsoft doing to IMPLEMENT this?

> For instance, the Strategic Technology Protection Program that we
> rolled out a few weeks ago. For the most part, it's a listing of the
> specific things we are going to change in our products to make them
> more secure. We have talked in the past about the secure Windows
> initiative and the steps we are taking at Microsoft to change our

.. and now that the STPP is out of headlines.. how is it working out?
Without hearing more about the ups and downs, sounds like a press gimmick.

> The essay was intended to jump-start the debate in the community. We

The debate was not dead by any means. Every few weeks one thread or
another on a high traffic mail list reverts into the full disclosure
discussion. It is typically killed off by the moderator (usually for good
reason since the argument basically can't be won).

Jump starting the debate is a good media spin really.

> to help us figure out what the next step needs to be. The essay was a
> problem statement--it identified a problem that needs to be solved. It

In defining the problem, you clearly mislabeled it though. That doesn't
encourage anyone to jump on the bandwagon. (see above, re: the term
anarchy)

> wasn't intended to propose a solution; It was intended to start a

Yet you did. Your solution is to "not give info to the bad guys".

> debate about the problem. That's what we are here at the Trusted
> Computing Conference to do. We hope at the end of the conference we
> have some recommendations that we and the rest of the industry can

Care to comment on why you didn't speak and give the audience a fair
chance to play question? Rumor is several were there with good questions
and they were looking for your input. Instead, they saw Weld and others
pushed up to the podium instead of you..

> for years. Our perspective is that it is time to stop talking. We all
> understand what the problem is. Now it is time as an industry to come
> up with a plan of what we are going to do to solve the problem and
> then start executing on the plan.

How very Microsoft. There is a reason it has been talked about for years
and nothing done. You can't stop it from happening. Even if the project
was a "100% success" (heh), it would lower the number of times
"vulnerability info would be given to the bad guys". So does Microsoft
really think this is feasible? Do you really think that goal can be
obtained?




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.