Information Security News mailing list archives

Code Red is Not The Problem


From: InfoSec News <isn () c4i org>
Date: Tue, 7 Aug 2001 05:07:06 -0500 (CDT)

Forwarded by: Richard Forno <rforno () infowarrior org>

CODE RED IS NOT THE PROBLEM

(original with references and active links is at
www.infowarrior.org/articles/2001-07.html)

Article #2001-07 5 August 2001

Richard Forno (rforno () infowarrior org)

(c) 2001 Author. Permission granted to freely reproduce - in whole or in
part for noncommercial use - with appropriate credit to author and
INFOWARRIOR.ORG. 

We survived Code Red and the world is once again safe for now. Consumers
worldwide can continue using the Internet to buy books, download music, send
e-mail, and live this wonderful binary lifestyle that so enamors the Western
World. Like Y2K - only eighteen months ago - we dodged a much-hyped bullet
full of sound and fury by the media-whoring Sirens of Security, but in
reality, it was yet another case of threat inflation by the naysayers of our
day, many of whom have agendas rarely based on reality or facts.

System administrators have patched and fixed their systems to deal with Code
Red, and Microsoft's been seen at the same podium (and in public agreement)
with the very same Justice Department that's trying to punish the software
collective as a monopoly. What a fantastic public relations boon for
Microsoft to receive so much free publicity and mention in the popular
press, right alongside the American flag and senior members of the
government and other security organizations during this time of crisis!
Appearing like the White Knight atop his horse, the Redmond clan
miraculously and immediately coded a hotfix for their IIS servers to close
down the vulnerability associated with Code Red. Thank You, Microsoft, for
being so magnanimous and once again demonstrating your power over the wired
world of the enterprise and consumer masses, and for publicizing the fact
that even your most hated non-commercial adversary - the Justice Department
- has no choice but to endorse your products and company despite your deep
differences. As a result of the media hoopla, the hotfixes have been (and
continue to be) deployed, and the world is safe until the Next Big Event.

Not less than five days after the 2001 version of the "Y2K Scare" or, more
appropriately, TEOTWAWKIA (The End Of The World As We Know It Again), Code
Red is already serving as the latest fait accompli for the security industry
to sell additional security products and government entities to promote
controversial knee-jerk laws and regulations based more on fear,
misperception, political contributions, and ignorance than objective and
factual reality. 

But even with this latest major Internet security problem, Corporate America
and the government still don't get it, and probably never will.

Contrary to what the fear-mongers and Sirens of Security proclaim from their
pulpits, Code Red isn't the danger, nor is it some "cyber-terrorist" with a
mouse and keyboard. Buying products and services will only be a short-term
curative, but not beneficial for long term security success. It's like
taking Tylenol for a headache that just won't go away... if you go
to the doctor, you might learn what is causing the headaches in the first
place, and actually get better by addressing the root cause of your pain,
and not simply the symptoms.

The most significant danger and vulnerability facing the Wired World is
continuing to accept and standardize corporate and consumer computer
environments on technology that's proven time and again to be insecure,
unstable, and full of undocumented bugs ("features") that routinely place
the Internet community at risk. But nobody wants to talk about that - not
the government, not CERT, not many security vendors, or most of the
mainstream media. Such analysis, although true, runs contrary to the status
quo and the industry-favoring 'party line' groupthink leading to increased
profits for everyone.

It's an established fact that the Internet and technology are a significant
asset to the economy and the modern way of life. Yet, the IT community
continues throwing good money after bad in a never-ending game of
cyber-triage (scrambling to acquire and deploy the latest hotfixes) to
respond or prevent damages arising from the software they are standardized
on. I'm not a business major, but I believe that a product or service
costing more to support than acquire is considered a "loss leader" and
should have its usefulness and profitability to the corporation seriously
and objectively reconsidered.

That being said, has anyone done an independent, objective study to
determine the Total Cost of Ownership (TCO) associated with Microsoft
products? It's got to be astronomical; consider how many man-hours (more
likely man-years) are wasted annually by IT departments scrambling to triage
the repeating fallout from such notable Microsoft- and/or Microsoft
Visual-Basic-based security problems as Melissa, Pretty Park, ExploreZip,
Bubbleboy, I Love You, AnnaK, Code Red, SirCam, and others, including dozens
of buffer-related exploits that any halfway-decent software quality
assurance team should have caught. More amusingly, how many other operating
systems can be compromised by exploiting a buffer overflow in a word
processor's Clip Art function, or via its integrated MP3 player? How much
overtime has been paid to consultants, technical staff, and for products
needed to "clean up after" or fix problems caused by Windows? How much money
is wasted on so-called vendor certification programs that cover what used to
(or should) be included in the product documentation, if it even comes with
the product? 

Adam Lawson's Security News Portal article this week rightfully concluded
that "Code Red proved you should always be wary about what Microsoft
software does to your machine, like turning it into a server without your
implicit knowledge." Our information assets and Wired Society are at ongoing
and catastrophic risk by continuing to standardize on products designed more
to achieve one company's marketplace dominance than for the security and
operational reliability of its products. It's funny that since the US Army
moved its main headquarters webservers away from Microsoft technology in
1999, those particular servers have not been compromised once. What does the
Army know that the rest of Corporate America doesn't?

While nearly every other operating system has its share of vulnerabilities
and problems, none of them present the significant levels of risk that
Microsoft's does to their respective customer bases. Think about it -
Microsoft products sit on some 85% of the world's computer systems, and it's
Microsoft products that are responsible for most if not all of the major
Internet security headlines in recent years. While technical folks have
noted this fact and expressed growing frustration with these products in
their circles, their managers, CEOs, and their government counterparts turn
a blind eye to this grim reality, choosing instead to maintain the status
quo. This places information assets at risk by throwing good money after bad
to support a faulty product that's proven to be more problematic than
beneficial on an all-too-frequent basis.

I was at a security conference recently where it was stated that an
organization needing to secure a Windows NT 4.0-based IIS webserver needed
to incorporate approximately forty-seven-plus hotfixes that were either
included as part of a Service Pack or separate downloads from Microsoft. How
is any systems administrator supposed to retain their sanity and maintain
positive forward motion (i.e., productivity and a return on the company's
investment in them through their salary) when they are dedicating increasing
amounts of time to fixing one problem after another on a product that -
although sold as a finished item - performs like it's still being beta
tested? How many corporate projects are impacted or delayed because
technical staff must scramble to address the latest Microsoft security
problem? No wonder more and more system administrators are burning out and
questioning how seriously their employers are taking the concept and need
for true information security and operational reliability, let alone how
ignorant their senior management is regarding the true costs of using
Microsoft products.

The rational and radical thing to do is to formally declare a problem exists
and take appropriate action to correct it head-on. In the physical world,
there are Lemon Laws and consumer protections for shoddy products and
services. If a vendor knowingly sells a product with problems, they can be
held legally accountable for culpable or criminal negligence. The same can't
be said for the software vendors whose products power the majority of
computers in our Wired Society. If the FDA found that a diet drug caused
heart problems, the drug maker would be held responsible under federal law,
there would be Congressional hearings, and significant public outcry. Not so
in the software world - the only recurring Congressional action or interest
on computer security issues is at the request of the entertainment industry
cartels to maintain their respective monopolies over consumers, or for the
annual "we've got to do more" Congressional hearings on the security of
federal systems. Imagine how quickly Microsoft would clean up its software
if it faced a large financial penalty for each customer victimized by its
five-most-buggy product lines (Internet Explorer, Outlook, IIS, and Windows
family of products)? Even insurance firms that underwrite IT reliability and
business 'uptime' are charging higher premiums for companies using
Microsoft-based servers. Again, what do these folks know that the rest of
the world doesn't? Dump Microsoft, and your security posture increases, and
your support costs decrease, by nearly an order of magnitude!

Of little help on this matter are the various professional and government
organizations that should be the vanguards of sanity, reality, and public
welfare but instead continue to perpetuate the status quo and cater to
Microsoft's needs to maintain a happy and content customer base. Three days
after Code Red's moment in the spotlight, I received an e-mail message from
SANS discussing the Code Red fiasco. Although reiterating a much-needed
pleading for better system administration measures, the message was clearly
a marketing note for SANS' latest Roving Road Show this time on how to
appropriately secure IIS against Code Red and other known vulnerabilities.
Ironically -- but not entirely unexpectedly -- the letter also stated that "it
would be inappropriate to try and capitalize off this attack" but that they
hadn't yet "determined pricing" to cover the expenses for the nine-city Code
Red Tour '01. SANS doesn't need to call this post-Code Red community-service
project a for-profit venture, but you can bet bits to bytes that attendees
will be swamped with all sorts of SANS propaganda and "to know more, attend
our other conferences" invitations. Thus, regardless of what is claimed,
SANS is simply trying to 'get in early' and capitalize on the bow wave of
Code Red's notoriety, Fear, Uncertainty, and Doubt. After all, panic sells -
but publicized panic sells more!

Sadly, all the objective analysis and facts will not change things, since
the current state of affairs is rather profitable for two of the three
parties involved. Microsoft receives a significant profit for each copy of
its product sold, and security vendors receive significant profits selling
products and services designed to mitigate the problems associated with the
underlying Microsoft products! It's a neat, tidy arrangement, and as a
result, past experience shows that there's little reason to hope for a
change no matter how bad things get. The more bugs, exploits, and
vulnerabilities that are publicized or hyped to the consumer masses and
elected officials means more money for these two industries. Information
security is a self-fulfilling prophecy, where the customers - individuals
and corporations - lose time and again. The only way to break this cycle and
achieve what textbooks call "security" is to drastically re-evaluate our
professional approach to this discipline at its most basic and fundamental
levels, and replace what's repeatedly found to be broken or faulty. As it
currently stands, not even Bob Villa could patch up the Windows in our Wired
World's electronic houses!

People should be wary of the ambulance-chasers that use the latest security
incident (e.g., Code Red) to pitch security services to panicked
customers. While it's certainly necessary to make certain any IIS servers
(or systems and networks in general) are protected from any number of
security problems, simply downloading the latest fix for your platform is
not the Be-All, End-All Solution. Code Red's demise doesn't mean that the
world is safe once and for all, nor does it mean that Code Blue, Code
Purple, or Code Red Part Drei won't manifest next week on USENET, or that
I-LOVE-YA may not reappear in someone's Inbox and start another week of
Ether-Hell for Exchange administrators. What you learn at the SANS Code Road
Show (or any similar event) or gain from new products purchased in a
knee-jerk response to Code Red's myth might not help you during the next
incident. After all, what worked well today may not work well tomorrow,
precisely because it worked today! Users need to focus on the larger picture
and underlying causes of these security events, and not on simply curing the
symptoms that crop up with annoying regularity. Continuing to download one
fix after another is a short-term remedy for a long-term problem. Instead,
look for long-term solutions that will save you time, labor, frustration,
and certainly money!

Instead of wasting money on post-Code-Red marketing hype and media
misperception, organizations should address the larger question. They need
to take a large step back and seriously reconsider why they continue to
place themselves at risk by standardizing on technology that's been publicly
proven time and again to be notoriously exploitable, unstable, and most
importantly, continues to detract from corporate profits and shareholder
return. Until someone with the intestinal fortitude is able to successfully
challenge this dangerous status quo, the Wired World remains at significant
risk of not only more security exploits generating headlines, but an endless
series of hotfixes, cyber-triage, frustration, fear-mongering, and knee-jerk
reactions that further obfuscate the real problems facing us.

My sympathies to those that have to deal with this mess on a daily basis,
not knowing if (or when) relief is in sight. I've been a system
administrator before - but I'd sure hate to be one today.

NOTE: This will be my last article discussing Microsoft's many shortcomings
and how its products place the Wired World at risk unless there is some
seriously-glaring item that just can't be ignored (Smart Tags as a way of
exercising control over web content, for instance.) Enough is enough, and
after a while it's like beating your head against a brick wall... as I said,
it's a sad-but-very-unlikely fact that the security profession or folks in
leadership positions will take note of what the reality of the situation is.
I'm not a Microsoft-basher (I actually like some of their stuff), but
rather an IT security professional that's tried to provide objective and
out-of-the-box analysis on a very real and pressing vulnerability that
nobody with any significant responsibility seems to care about addressing.
May the Apple Macintosh, Linux's Tux, the BSD Demon, and their siblings
continue to gain ground as sources of truly reliable, secure,
pro-community, pro-customer software that drives the Wired World into the
next generation despite the wishes of the current establishment. You've got
my support! /rick 





-
ISN is currently hosted by Attrition.org
