Security patches: The solution or the problem?

[InfoSec News <isn () c4i org>]

UNIX SECURITY --- August 30, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
________________________________________________________________________________

HIGHLIGHTS

* Code Red once again showcased the dangers of failing to apply 
  security patches. Or did it? Carole digs a little deeper to uncover 
  the real problem that was being exploited.

SERVICES

* Webcast: Create robust, efficient e-business applications on the fly 
________________________________________________________________________________

SPONSORED LINK

LEVERAGE YOUR LDAP DIRECTORY FOR WEB ACCESS CONTROL

Need to protect your portal from access violation? Users tired of
multiple password log-ons to your portal? Fed up with cookies and system
agents? Learn how to deploy Web access control, while leveraging your
current applications. FREE white paper and personalized online demo at:
http://ad.doubleclick.net/clk;3245551;5953479;s
______________________________________________________________________________

Worm Droppings
By Carole Fennelly

"While the angels, all pallid and wan,
Uprising, unveiling, affirm
That the play is the tragedy, 'Man,'
And its hero the Conqueror Worm."
-- Edgar Allan Poe, "The Conqueror Worm," Graham's Magazine,
   January 1843.


Every time I go on vacation, I come back to a mailbox full of dire 
warnings about an exploit that will "bring the Internet to its knees." 
Like tired remakes of a classic movie, the Code Red Worm events were 
boringly predictable. Without even opening my mail, I knew the script 
that would be followed by the usual suspects: Vendors, the Media, and 
various Security Pundits.

The Media played the part of "Chicken Little Crying Wolf" perfectly, 
hyping the threat in order to sell more advertisements. The frantic 
search for updated information and patch downloads (necessary or not) 
probably contributed to slowing down Net traffic more than the Worm.

Next, of course, were the Security Vendors issuing press releases and 
updating their sales presentations to assure prospective clients that 
their product or service would have provided protection. "Don't wait 
for the next Code Red!" many warned. I sat through one presentation 
where the vendor intimated that they had "inside information" before 
the CERT announcement. My pointing out that everyone had "inside 
information" since the company that discovered the vulnerability, eEye 
Digital Security, made this same information publicly available wasn't 
too popular.

Security Pundits seized the opportunity to jump on their ever-ready 
soap boxes and point fingers at their favourite targets. Ironically, 
eEye Digital Security was a popular target for making the vulnerability 
public knowledge. The Full Disclosure can of worms flared into debate 
on many security lists with proponents arguing that Full Disclosure is 
the only way to compel vendor action and opponents countering that Full 
Disclosure provides too much information to would-be attackers. The 
upshot of all this bickering was that no one changed position. What a 
surprise. Incidentally, many legitimate firms contacted eEye looking 
for a copy of the exploit so they could test their systems. Somehow, 
they lacked faith in the patch process. I suppose this makes them Full 
Disclosure advocates.

Well, we can finally get back to business as usual now that the Code 
Red fiasco appears to be ebbing. Battle-scarred but wiser, we have seen 
the importance of applying security patches as soon as they are 
available. Damn lazy administrators should keep up with this stuff. 

When are we going to wake up and realise that patching systems is a 
*lousy* security mechanism? Sure, software bugs happen and must be 
fixed, but we have turned a last-ditch mechanism into a standard 
security practice.

Patching a production system is risky and requires regression testing. 
One company, St. Bernard software, (taking advantage of the Code Red 
hype) offers an automatic patching mechanism. Sounds great, but 
patching systems isn't always so straightforward. The interdependencies 
of many modules can cause a patch for one application to break 
something else and, quite often, the patch cannot be backed out. Anyone 
remember trying to back out of a Windows 95 upgrade?

Unless a particular bug had a serious impact on production, patching 
systems used to be a scheduled event. We've come to rely on patching as 
an emergency security response. That's like rushing into brain surgery 
to cure a headache -- sure, it could be a tumor but let's do some tests 
first.

When are we going to stop reacting to symptoms and start looking at the 
root cause of security problems? Put simply, software is not properly 
tested before being released. The solution, of course, is not so 
simple. How can software vendors be compelled to employ better quality 
control methods? Manufacturers of consumer products, such as cars, are 
held accountable for their products' performance and safety. Can you 
imagine going to your car dealer for a patch kit that repairs a faulty 
fuel regulator affecting several models? Of course, as the owner of the 
vehicle, you should know how to repair it. Automobile consumers would 
never tolerate such an attitude and neither should consumers of 
software products who are forced to accept one-sided license agreements 
because they have no choice.

Yes, there will always be bugs that need to be patched, but they 
shouldn't be the *same* bugs over and over and over again. We would not 
tolerate a builder using materials that are known to be sub-standard 
and there are requirements that new materials be proven to meet basic 
safety requirements. No such requirements exist for software.

But, we will wait for the next "Code Red" or "Melissa" or "Pope Fathers 
Child!" event and re-use the same old tired plot with just a few 
changes in the script. When will we stop settling for tired re-makes?


AUTHOR'S END NOTE:

Unfortunately, I have to announce that I am taking a sabbatical from 
the ITworld.com newsletter for the next couple of months. I will be 
working on a book project and I also need to devote some time to 
migrating my archives onto my site (http://www.wkeys.com). If anyone 
would updates on my future work or just want to say "hi", I'd love to 
hear from you. Email me at cf () wkeys com.

________________________________________________________________________________

SPONSORED LINK

METAgroup.com -- CLICK DAILY WITH THE TOP MINDS IN IT

Visit METAgroup.com for free access to daily IT and E-business news 
analysis, analyst insights, research reports and much more.
http://itw.itworld.com/GoNow/a14724a41090a75976238a0

________________________________________________________________________________


About the author(s)
-------------------
Carole Fennelly is a partner in Wizard's Keys Corp., a company 
specializing in computer security consulting. She has been a Unix 
system administrator for almost 20 years on various platforms, and 
provides security consultation to several financial institutions in the 
New York City area. Visit her site at http://www.wkeys.com.
________________________________________________________________________________

ADDITIONAL RESOURCES

St. Bernard Software's UpdateEXPERT
http://www.stbernard.com/products/updateexpert/products_updateexpert.asp

I could have saved myself the effort and recycled an article I wrote 
last year about another security scare. Things haven't changed much:
http://www.cnn.com/2000/TECH/computing/06/27/security.frenzy.idg/

A certain poetic justice here. "iDefense Files for Bankruptcy":
http://www.washtech.com/news/netarch/12107-1.html

Attorney General asks Qwest to credit users for virus outages:
http://www.siliconvalley.com/docs/news/tech/037615.htm

FTC proposes new laws "Thou Shalt Patch"
http://www.wired.com/news/politics/0,1283,45692,00.html

LCLint Home Page
http://lclint.cs.virginia.edu/

New Visual C++.NET Option Tightens Buffer Security (lots of good 
resources here for secure programming practices):
http://security.devx.com/bestdefense/2001/mh0301/mh0301-1.asp

Good article by Richard Forno "Code Red is Not the Problem"
http://www.infowarrior.org/articles/2001-07.html
________________________________________________________________________________

ITWORLD.COM SERVICES

CREATE ROBUST, EFFICIENT E-BUSINESS APPLICATIONS ON THE FLY

Software developers looking to create robust, efficient and flexible 
E-business applications look no further. Tune into this free educational
webcast series on the WebSphere Software Platform sponsored by IBM 
today.
http://www.itworld.com/jwc/nla/overview
________________________________________________________________________________

CUSTOMER SERVICE

SUBSCRIBE/UNSUBSCRIBE:
- Go to: http://www.itworld.com/newsletters
- Click on "View my newsletters" to log in and manage your account
- To subscribe, check the box next to the newsletter
- To unsubscribe, uncheck the box next to the newsletter 
- When finished, click submit

Questions? Please e-mail customer service at: mailto:support () itworld com
________________________________________________________________________________

CONTACTS

* Editorial: Andrew Santosusso, Associate Editor, Newsletters, 
  andrew_santosusso () itworld com
* Advertising: Clare O'Brien, Vice President of Sales, 
  clare_obrien () itworld com
* Recruitment advertising: Jamie Swartz, Eastern, Regional Sales 
  Manager, jamie_swartz () itworld com or Paul Duthie, Western Regional 
  Sales Manager, paul_duthie () itworld com
* Other inquiries: Jodie Naze, Senior Product Marketing Manager, 
  jodie_naze () itworld com
________________________________________________________________________________

PRIVACY POLICY

http://www.itworld.com/Privacy/

Copyright 2001 ITworld.com, Inc., All Rights Reserved.
http://www.itworld.com




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.