Information Security News mailing list archives

Rebuttal on Schneier's comments regarding eEye and Code Red.


From: InfoSec News <isn () c4i org>
Date: Thu, 16 Aug 2001 01:03:47 -0500 (CDT)

Forwarded from: "Jay D. Dyson" <jdyson () treachery net>


-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 15 Aug 2001, InfoSec News wrote: 

Bruce Schneier (in Crypto-Gram) wrote:

> We shouldn't lose sight of who is really to blame for this problem.
> It's not the system administrators who didn't install the patch in time,
> or the firewall and IDS vendors whose products didn't catch the problem.
> It's the authors of the worm and its variants, eEye for publicizing the
> vulnerability, and especially Microsoft for selling a product with this
> security problem.

        This stunned me.  If memory serves, Counterpane's staff was quite
pleased about receiving full details of the worm from eEye staff.  This
afforded Counterpane the ability to accurately update their IDS and
related.  As much as I respect Bruce Schneier's work, I have to say that
this stance smacks of a double-standard: "Full disclosure for me, but not
for thee." 

        Why is it *NOT* noted that eEye worked closely with Microsoft and
delayed release of the advisory until Microsoft had a patch?  (Microsoft
went so far as to *thank* eEye for their assistance when they released the
patch.  You think that comes easy?)  Why is it *NOT* noted that the Code Red
worm utilized a different attack method than eEye originally identified?
And finally, why is it *NOT* noted that eEye went out of its way to break
down the worm that *someone else* released into the wild so that other
parties could better defend themselves?

        The omission of these very crucial aspects of the ongoing Code Red
incident invalidates Schneier's critique of eEye's full disclosure
practices. 

> You can argue that eEye did the right thing by publicizing this
> vulnerability, but I personally am getting a little tired of them adding
> weapons to hackers' arsenals.

        I personally hope that eEye and other firms continue such full
disclosure practices because their tools are as amoral as cryptography. 
Like cryptography, hacking tools can be used by people of dishonorable
intent...and like cryptography, hacking tools can be used by honorable
people as a means to defend the assets for which they are responsible.  To
suggest that release of such tools be curtailed (or prohibited) is to
suggest that the populace at large be left totally at the mercy of Those
Who Do Not Play By The Rules solely for the benefit of the unthinking and
uncaring (and quite possibly incompetent) admin.

        I've long since tired of the argument that everything that has the
potential for misuse should be rendered to the impact of a Nerf ball.
Malcontents will always be with us...and limiting the liberties of the
well-adjusted based on the shortcomings of the maladjusted is little but
another step into an Orwellian future wherein War is Peace, Freedom is
Slavery, and Ignorance is POLICY. 

> There are two other lessons of Code Red that I haven't seen talked
> about.  One: Code Red's infection mechanism causes insecure computers to
> identify themselves to the Internet, and this feature can be profitably
> exploited.

        Actually, I addressed this facet when I authored and released
Early Bird (http://www.treachery.net/~jdyson/earlybird/).  Several others
have mentioned it as well (such as Weld Pond of @Stake), though I don't
know how far or wide their observations were disseminated.

> How many hackers are piggybacking on Code Red in this manner?

        Just as many as there are responsible admins who notify the admins
of the affected networks, I imagine. 

        And not to belabor the point, but piggybacking has been done for
*ages*.  As evidence, I need only point to: 

        http://attrition.org/mirror/attrition/lamer.html

        The above page is a listing of *re-defacements* of sites that were
listed on the Attrition Mirror.  Those re-defacements were not listed on
the Mirror, but they were kept for statistical purposes.  This may be the
first time this information has been made publicly known, but it pretty
much proves the point that intruders have been piggybacking on previously
breached systems long before Code Red.  Indeed, one of the systems in that
list has been re-defaced over 40 (!!) times.

        Furthermore, I'm less than half-way through a personal project
(one that I started in late February of this year) which involves a
longitudinal study of the state of [in]security of systems that scan
servers I maintain.  Were I of an unethical mindset, I could have just as
readily piggybacked onto the breached systems that scanned the systems
over which I have charge.  Given that I've been doing such longitudinal
studies on systems that scan mine, I have every reason to believe that
others have been doing as much as well...and their motives may or may not
be as purely academic as my own.

> Two: Code Red's collateral damage illustrates the dangers of relying on
> HTTP as the Internet's communications medium.
> <snip>
> This is a large single-point-of-failure that Code Red has illustrated,
> and no one seems to be talking about.

        No argument there.  All told, I think people have become
desensitized to DoS attacks.  Further, I think the lack of discussion
regarding this very real problem hinges solely on the preference for
convenience being weighed more heavily than the necessities of security. 
Most users don't just want to have their cake and eat it...they want to
put it on display as well.  A lot of these problems could have been
avoided by simple use of IP filtering.  Instead, the port is open and will
listen intently to anyone that yells at it.  Small wonder it goes deaf
when the volume reaches a crescendo. 

> Code Red ushers in a new form of attack: a preprogrammed worm that
> unleashes a distributed attack against a predetermined target.

        How is that different than the Morris worm of the '80s?  It too
had predetermined targets and exploited known vulnerabilities.  And that
worm, like Code Red, suffered from its own programmatic mistakes. 

- -Jay

Thanks to Jericho <jericho () attrition org> and Aj Reznor <aj () reznor com>
for their comments and suggestions on this response.

  (    (                                                          _______
  ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () treachery net ------<) |    = |-'
 `--' `--'  `-------- Real men prefer full disclosure. --------'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBO3rqerlDRyqRQ2a9AQHDJwP/a+eBq5UMf4Z7tiKBp9Ik1O6ytwMTX9uV
3ujcJZp+Xs0D3nR4/8rCKEvKrKKGUk1k0ls2KwdeDxng6QsPmbgaxrdCgwCgbSSo
oUb8QJ3sxhCnCyGBSzE2mBMwwasSvcflBbkejxZsAirlo/m9C0FguRjcacFz5Sax
JEL2dhljf0k=
=mnEJ
-----END PGP SIGNATURE-----
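The "insecure computers identify themselves" point above is the whole basis
for tools such as Early Bird: an infected host can only spread by sending
its infection request to other web servers, so every probe it makes leaves
its own source address in the victim's access log, whether or not the
victim was vulnerable. The script below is an added example written for
this archive page; it is not Early Bird's code, eEye's code, or anything
from the original message. It assumes NCSA/Apache common log format and
keys on the worm's well-known infection request: a GET for /default.ida?
followed by a long run of filler (N for the July variants, X for Code Red
II) and %u-encoded payload bytes. The log lines, addresses and the
shortened payload string are constructed for the example.

```python
"""Pull Code Red probe sources out of a web server access log.

Added example (not Early Bird, not eEye's tooling).  Assumes Apache/NCSA
common log format.  The payload constant below is a shortened, constructed
stand-in for the worm's real %u-encoded request tail.
"""
import re

# NCSA common log format: client ident user [timestamp] "request" status bytes
COMMON_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The worm's infection request: GET /default.ida? + long filler run + %u-encoded bytes.
# A bare "GET /default.ida" with no filler/payload is a curious human, not the worm.
PROBE_RE = re.compile(r'^GET /default\.ida\?(?P<filler>[NX]{100,})[^ ]*%u[0-9a-fA-F]{4}')


def classify_request(request):
    """Return 'CodeRed' (N filler), 'CodeRedII' (X filler) or None if not a probe."""
    m = PROBE_RE.match(request)
    if not m:
        return None
    return "CodeRed" if m.group("filler")[0] == "N" else "CodeRedII"


def infected_hosts(log_text):
    """Map each probing source address to its variant, hit count and first timestamp.

    The HTTP status is deliberately ignored: a 404 from a non-IIS server still
    proves the *source* is infected, which is the only thing we want to know.
    """
    hosts = {}
    for line in log_text.splitlines():
        m = COMMON_LOG_RE.match(line)
        if not m:
            continue  # tolerate junk or truncated lines rather than abort the scan
        variant = classify_request(m.group("req"))
        if variant is None:
            continue
        entry = hosts.setdefault(
            m.group("src"), {"variant": variant, "hits": 0, "first_seen": m.group("ts")}
        )
        entry["hits"] += 1
    return hosts


def summary_lines(log_text):
    """One line per infected source, suitable for pasting into a notification."""
    return [
        f"{src} probed us with {info['variant']} {info['hits']} time(s), first at {info['first_seen']}"
        for src, info in sorted(infected_hosts(log_text).items())
    ]


# ---- constructed sample input (not real log data) ---------------------------
N_FILLER = "N" * 224   # padding length used by the original worm
X_FILLER = "X" * 224   # Code Red II swapped the N's for X's
PAYLOAD = "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"

SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [19/Jul/2001:14:02:11 -0500] "GET /index.html HTTP/1.0" 200 1043',
    f'192.0.2.17 - - [19/Jul/2001:14:03:48 -0500] "GET /default.ida?{N_FILLER}{PAYLOAD} HTTP/1.0" 404 278',
    f'192.0.2.17 - - [19/Jul/2001:14:03:49 -0500] "GET /default.ida?{N_FILLER}{PAYLOAD} HTTP/1.0" 404 278',
    f'198.51.100.9 - - [04/Aug/2001:09:15:02 -0500] "GET /default.ida?{X_FILLER}{PAYLOAD} HTTP/1.0" 404 278',
    '203.0.113.4 - - [04/Aug/2001:09:20:00 -0500] "GET /default.ida HTTP/1.0" 404 278',
    'garbage line that does not parse',
])

if __name__ == "__main__":
    for line in summary_lines(SAMPLE_LOG):
        print(line)
```

Run against a real access log you would pipe the file's contents into
infected_hosts(); the sorted summary is the list of addresses whose owners
need to be told. Note that the detection is on the request line alone, so
it works on any web server's log, including ones that were never
vulnerable, which is exactly why an unpatched IIS box announces itself to
the whole Internet and not just to other IIS boxes.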



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
