Security flaws under the microscope

[InfoSec News <isn () c4i org>]

Forwarded from: William Knowles <wk () c4i org>

http://www.computerworld.com/securitytopics/security/story/0,10801,83811,00.html

By Andrew Brandt
PC World.com
AUGUST 07, 2003

A study unveiled at the Black Hat Briefings conference in Las Vegas 
last week paints a grim picture of network security problems. 
Among the study's surprising results: Some kinds of computer security 
vulnerabilities--especially ones with an aggressive "exploit" 
(something that takes advantage of the vulnerability, such as a worm 
or virus)--may plague computer networks indefinitely. 

"I wanted to understand how prevalent critical vulnerabilities are," 
said Gerhard Eschelbeck, chief technology officer of security software 
provider Qualys Inc. and author of the study. His first-of-its-kind 
research is the result of 18 months of constantly probing his 
customers' networks for common security problems. 

The study, along with guidelines proposed by the Organization for 
Internet Safety (OIS) on how to report buggy and insecure software 
dominated the first day of the conference. 


Perpetual vulnerabilities 

Thought Slammer was over? Not according to Eschelbeck's study. 

In his research, the security hole that allows entry to the Microsoft 
SQL Slammer worm, which first appeared in January of this year (and 
for which a patch was available as of July 2002), was detected more 
than 30 times in the first week of February, then sharply declined 
over the following six weeks to just five detections the week of March 
22nd. That sounds like good news, but since attention to the worm 
waned, Slammer's hole has made a comeback, with 22 vulnerable PCs 
detected the week of June 28. (The research did not indicate whether 
the scanned computers had become infected or otherwise fell victim to 
the security problems, only that they were in peril.) 

For the Code Red worm, the rise is less dramatic, but detectable. From 
the end of April through the end of June, Eschelbeck's research 
detected a slight rise in the average number of Code Red-vulnerable 
computers among the networks he scanned. Code Red first made an 
appearance in June 2001. 

Eschelbeck theorized that IT departments are partly to blame for the 
resurgence of some old security problems. Computer support staff store 
"images" of hard drives with pertinent data, drivers, and software 
configurations, so they can quickly restore a laptop or desktop to the 
company's defaults. But often the IT department doesn't update those 
images to include the latest patches to the operating system or the 
applications. When a computer hard drive has the old image 
reinstalled, all the old problems come with it. 

In addition, a number of home computer users didn't apply recommended 
security patches to their systems, so their 
vulnerabilities--detectable by Eschelbeck's software--remain a threat 
to the rest of the networked world. 

After he built his scanning tool, Eschelbeck got results by keeping 
track of the number and type of known security problems as he scanned 
more than 1.5 million IP addresses. Armed with a database of 2,041 
different security vulnerabilities, he also created the first Top 10 
Vulnerabilities List, which updates in real time as new scan results 
come in. This is an ongoing project for Eschelbeck. 

Computer users may test their own systems, anonymously and at no 
charge, using Eschelbeck's RV10 tool. 


Eschelbeck's laws of vulnerabilities 

In analyzing his research, Eschelbeck spotted patterns that helped him 
develop what he called his four Laws of Vulnerabilities. 

Law 1: The half-life of vulnerabilities (meaning the amount of time 
that passes from the point a vulnerability is discovered until the 
number of affected computers is halved) is 30 days. 

Law 2: About half of the most prevalent serious vulnerabilities change 
over the course of a year, but others persist. And the associated Law 
3: Some security problems will remain indefinitely. 

Law 4: Eighty percent of vulnerabilities have an exploit within 60 
days, on average. 

Don't let that 60-day figure make you complacent, though. "The 
underground is ramping up their efforts to build exploits because they 
know they have a very short window before a fix gets released," said 
analyst Simple Nomad of Bindview, a company that helps businesses 
secure their computer networks. 


Bug report procedures proposed, criticized 

As a result of the speed with which some hackers build exploit tools, 
software companies are scrambling to develop procedures to respond to 
people who discover and report security vulnerabilities. 

One set of such procedures has just been released by OIS, a group of 
security companies and software makers that includes Oracle Corp. and 
Microsoft Corp. The OIS Vulnerability Handling Guidelines describe a 
comprehensive set of "best practices" software makers should use to 
handle security bug reports. 

The guidelines call for the maker of the software for which a security 
vulnerability has been detected to restrict release of full technical 
details of a bug to a short list of businesses, such as antivirus 
vendors, while a patch is being developed for the vulnerable software. 
Only after a period of no less than 30 days would technical details 
become widely available. 

"We saw that releasing [full technical details of] exploits at the 
same time as the patch was doing more harm than good," said Chris 
Wysopal, director of research and development for security consulting 
firm @stake. The company's clients, including major corporations, 
"were getting owned on the first day the [security bug] exploit was 
getting released," he explained. Wysopal helped develop the 
guidelines. 

Some attendees suggested that this delay in sharing information 
benefits some companies by increasing the value of paid security 
mailing lists, while harming academic research into security problems. 
Several others also derided the guidelines for being too optimistic, 
making assumptions about the motivation of people who find and report 
vulnerabilities, as well as their willingness to cooperate. 

The guidelines remain controversial. However, the companies that 
participate in the OIS are not bound by them--they are 
recommendations. 



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.