Dailydave mailing list archives
RE: News, dumbug, prediction rebuttals.
From: "Marc Maiffret" <mmaiffret () eeye com>
Date: Tue, 27 Dec 2005 11:44:31 -0800
A Windows Vulnerability Drought
I don't think there will be any Windows vulnerability drought. If there were going to be one, we would already have started to experience it, since a *lot* of the effort has already been done. I do think, however, that the types of attacks we see will change. The massively propagated attacks, either via worms or remote SYSTEM-style attacks, are going to slow down because Microsoft *is* putting a lot of resources into fixing *those* types of vulnerabilities, but it would be short-sighted for companies to think a decline in those types of attacks means systems are more secure. That being said, there are still many more products and lines of code than Microsoft, even with its supposed army, can completely audit. With that there is also the fact that automated tools still are not flexible enough to make up for the lack of enough *good* source code auditors. That means you will continue to see more targeted vulnerabilities, which are typically going to be in client applications or other non-built-in OS software that are not typically audited nearly to the extent at which the OS and a few main apps are. For example, all of the business logic management software Microsoft has been acquiring lately, and hey, it only stores all your financial data and has plugins on top of IIS. At the end of the day, though, it is a lot of times futile to try to guess where security will or won't be, as it pertains to bugs and protection. To do that you really need to predict where business will be, or more so how people will be doing business. That is one of the main drivers behind the types of security solutions that are produced, with the exception being the consumer market, which has its own drivers. And that brings us to my own "prediction", or really food for thought... How do you audit what you don't have access to?
Virtual/Web/Hosted/Whatever Applications
There is currently a big battle being waged "behind" the scenes, and soon to be running in the streets, between companies like Microsoft and Google to decide who will dominate the hosted/ASP/whatever application space. Google obviously is building their whole company around the fact that people will live inside their web applications. Microsoft also is making many moves into this space with its Microsoft Live initiatives. There are also the "other" companies, such as Salesforce.com, which are taking typically large-scale enterprise applications and turning them into hosted web applications. So what does this mean for security, and more specifically researchers? These movements start to create a barrier in the ability of third parties to verify the trust/security of applications that businesses are depending on. That is because the core of the application that would be tested for security weaknesses is going to be hosted by a third party (obviously). This means that for researchers to audit these applications, it truly means attacking a company's servers, which is (obviously) illegal. I am sure the Microsofts of the world love this idea because everyone today who is auditing and finding MS Office vulnerabilities, for example, would now not be able to do so because the majority of the MS Office attack surface will be hosted on a server that Microsoft owns, which makes it illegal to audit. That might be great for Microsoft PR and might also lead companies to believe these types of applications are more secure. This is because good-intentioned researchers are boxed out... This "new" type of application does not, however, persuade people who do not abide by laws. You end up creating an environment where the "bad guys" are still finding vulnerabilities while the "good guys" are not. Unless, of course, they work for the company in question.
This truly leaves the fate of product security up to vendors, and with the lack of bad PR to motivate them they will be purely motivated by the bottom line of revenue, which is usually not focused on security as a profit maker, but instead a profit taker. The threat also increases due to the increased instantaneous nature of attacks. We already all understand that the problem with comparing real-life crime to cyber crime is that you can be robbing a bank in New York and Tokyo at the same time, instantly, from Russia while living in California. When everything goes hosted you now have all types of data being stored in centralized locations for all businesses. In the example of using hosted Human Resource, Finance, and Document type applications, that means if I break into Microsoft Office Live or Salesforce.com I could *potentially* have instant access to documents and financial statements of thousands of corporations. While this might be an obvious statement, it is important for the companies building these solutions to truly understand data and privilege separation. So that when they are compromised, and they will be, it is not easy for attackers to gain access to *everyone's* data. Most of the companies I have seen do not seem to have thought about this much. (Side note: one of the greatest feats that U.S. intel. could have pulled off would have been the creation of Google.) This will also cause a rebirth in some of the hacker culture that has been missing for so long, where it is not about the waste of fuckin time infighting and more about "sticking it to the man", which in this case would be illegally hacking hosted applications as the only means to show the world they are insecure. Much like back in the day, where the only way to learn about systems was to hack into them because you didn't have your high-speed cable modem and warez connection to download VMWarez and play with whatever you wanted. But I'm digressing...
And speaking of the old days, technology like so many things is reinventing itself in the form of new twists on dumb terminals and distributed component platforms. Which brings us to...
Return of the Dumb Terminal
Many of the largest corporations in the world, especially financial institutions, are moving back to a dumb-terminal-like environment where the majority of all processing is happening on a central server (really a cluster of servers) rather than on the workstation. Again, this is not any sort of new technology; however, due to a lot of business drivers (in fact 9/11 being a big part of that for the financial firms), many large companies are going to thin client deployments so that they can literally lose a building overnight and still be able to have all of their employees working the next day (forget the social right/wrong of that idea for a moment). This push is also in part being helped by companies like Citrix, who are creating the software infrastructures to be able to handle such an endeavor on Windows-based platforms. There are the obvious implications that when companies do move to such configurations, the threat of local privilege escalation vulnerabilities will greatly increase because now they are worth more. I.e., I don't just go from joe user to admin on my own box ... I now go from joe user to a privileged user who can read data on any of the other thousands of employees and business documents etc... This is of course unless the vendors who are making this technological push actually think about adding security as a part of the process. This is another funny aspect of Windows catching up to things "UNIX" has experienced for years. Local priv. escalation has always been interesting for multi-user "UNIX" environments; it's finally going to be more interesting for Windows.
A Credible Open-Source SIM
I think you can more broadly say "Open source security products are dead." Although you start sounding like Gartner. But the reality is that most people realize, after dumping a couple of years of their life into an open source project that becomes of the level of a real commercial product, that it is not really fair that everyone else is getting paid to do it for a living, or getting bought and paid even more. That is obvious when you look at the two most popular open source products, Snort and Nessus, going away (from what they were). And as a side note, anyone who thinks that statement is incorrect about Nessus/Snort can save me the ignorance of a debate, as the question is easily answered when you understand what they were once and what they are today, and they are both *very* different. That is not to say you will not see people getting all hyped up to "Save Nessus!" or create another open source product. They will run their course when people realize that open source projects of that magnitude really are not as open source sexy as they sound. They usually result in only a very small number (even a couple) of people who actually do the real work. Nessus is a great example of that, as even Renaud et al. have stated. Speaking of which... What happened to all those save Nessus projects? Reminded me of when all the musicians got together to say how shit Bush was, yet it all faded as soon as the hype cycle of looking cool ended. But now I'm rambling...
Some tidbits for 2006:
* Another person writes a paper about how they wrote the smallest Windows shellcode.
* The lack of newsworthy attacks (worms) creates a lulled state in IT people who believe their systems are secure. This creates a rebirth in the 90's mentality where you need to prove to people they are vulnerable (the pen-test golden days). Real demand is created for exploit platforms and Core and Canvas battle it out. (2 yrs)
* Improvements aside, the same 10 people talk about the same 10 things at Blackhat.
* Symantec sues Microsoft (in the U.S.) as a last-ditch effort to not be screwed by Microsoft's move into the consumer security space; Symantec wins.
* Oracle continues to make the most vulnerable enterprise software and spends more money on marketing that they are secure than on fixing the problems. It is Microsoft 1999; they eventually get screwed in a big way and wake up.
* Lack of Microsoft worms does not mean lack of worms; some worm writer realizes that writing a worm for things like the Anti-Virus file decoding overflows would be just as devastating as any Microsoft RPC worm. The first big non-Microsoft worm happens?
-Marc
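The point in the post about hosted applications needing real "data and privilege separation", so that one compromise does not hand an attacker *everyone's* data, comes down to a concrete design rule: the tenant a request is allowed to see must come from the server-side session, never from the request, and must be bound into every data access. The following is an added illustration (editor's example, not code from the post or from any vendor named in it); the table, tenant names, document bodies and the `Session` class are all constructed, and the weak accessor is included only to show what the hardened one prevents.

```python
"""Tenant-scoped data access for a hosted (multi-tenant) document store.

Constructed example: an in-memory SQLite table holds documents for two
customer organisations. The weak accessor looks a document up by id alone,
so any authenticated user who guesses an id reads another tenant's data.
The scoped accessor takes the tenant from the server-side session (set at
login, never from a request parameter) and binds it into every query.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Server-side session established at login; tenant_id is authoritative."""
    user: str
    tenant_id: str


class AccessDenied(Exception):
    """Raised when a document is outside the caller's tenant (or does not exist)."""


def build_store() -> sqlite3.Connection:
    """Create a constructed sample store (sample tenants and data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        " doc_id INTEGER PRIMARY KEY,"
        " tenant_id TEXT NOT NULL,"
        " body TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [
            (1, "acme", "ACME Q4 financial statement"),
            (2, "acme", "ACME staff salary review"),
            (3, "globex", "Globex merger memo"),
        ],
    )
    return conn


def fetch_document_unscoped(conn: sqlite3.Connection, doc_id: int):
    """Weak pattern: doc_id is the only filter, so ids enumerate across tenants."""
    row = conn.execute(
        "SELECT body FROM documents WHERE doc_id = ?", (doc_id,)
    ).fetchone()
    return row[0] if row else None


def fetch_document(conn: sqlite3.Connection, session: Session, doc_id: int) -> str:
    """Hardened pattern: the session's tenant_id is part of the WHERE clause.

    Returning the same error for "other tenant" and "no such id" also avoids
    leaking which ids exist in another tenant's space.
    """
    row = conn.execute(
        "SELECT body FROM documents WHERE doc_id = ? AND tenant_id = ?",
        (doc_id, session.tenant_id),
    ).fetchone()
    if row is None:
        raise AccessDenied(f"{session.user}@{session.tenant_id} cannot read doc {doc_id}")
    return row[0]


def list_documents(conn: sqlite3.Connection, session: Session):
    """Listings are scoped the same way; there is no unscoped listing at all."""
    return conn.execute(
        "SELECT doc_id, body FROM documents WHERE tenant_id = ? ORDER BY doc_id",
        (session.tenant_id,),
    ).fetchall()


def demo():
    """Show the cross-tenant read the weak accessor allows and the scoped one blocks."""
    conn = build_store()
    globex_user = Session(user="alice", tenant_id="globex")
    leaked = fetch_document_unscoped(conn, 1)  # ACME's data, no tenant check at all
    try:
        fetch_document(conn, globex_user, 1)
        blocked = False
    except AccessDenied:
        blocked = True
    own = fetch_document(conn, globex_user, 3)  # the caller's own tenant still works
    return leaked, blocked, own


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the tenant filter lives in the data-access layer rather than in each page handler, so a missed check in one handler cannot silently widen access; in a real deployment the same scoping would be enforced for writes, listings, search and exports, and ideally backed by per-tenant database roles or views so the application's connection cannot see other tenants' rows even if the filter is forgotten.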