[ISN] Code Red is Not The Problem

From: InfoSec News (isnat_private)
Date: Tue Aug 07 2001 - 03:07:06 PDT

Forwarded by: Richard Forno <rfornoat_private>
(original with references and active links is at

Article #2001-07 5 August 2001
Richard Forno (rfornoat_private)
(c) 2001 Author. Permission granted to freely reproduce - in whole or in
part for noncommercial use - with appropriate credit to author and

We survived Code Red and the world is once again safe for now. Consumers
worldwide can continue using the Internet to buy books, download music, send
e-mail, and live this wonderful binary lifestyle that so enamors the Western
World. Like Y2K - only eighteen months ago - we dodged a much-hyped bullet
full of sound and fury by the media-whoring Sirens of Security, but in
reality, it was yet another case of threat inflation by the naysayers of our
day, many of whom have agendas rarely based on reality or facts.

System administrators have patched and fixed their systems to deal with Code
Red, and Microsoft's been seen at the same podium (and in public agreement)
with the very same Justice Department that's trying to punish the software
collective as a monopoly. What a fantastic public relations boon for
Microsoft to receive so much free publicity and mention in the popular
press, right alongside the American flag and senior members of the
government and other security organizations during this time of crisis!
Appearing like the White Knight atop his horse, the Redmond clan
miraculously and immediately coded a hotfix for their IIS servers to close
down the vulnerability associated with Code Red. Thank You, Microsoft, for
being so magnanimous and once again demonstrating your power over the wired
world of the enterprise and consumer masses, and for publicizing the fact
that even your most hated non-commercial adversary - the Justice Department
- has no choice but to endorse your products and company despite your deep
differences. As a result of the media hoopla, the hotfixes have been (and
continue to be) deployed, and the world is safe until the Next Big Event.

Not less than five days after the 2001 version of the "Y2K Scare" or, more
appropriately, TEOTWAWKIA (The End Of The World As We Know It Again), Code
Red is already serving as the latest fait accompli for the security industry
to sell additional security products and government entities to promote
controversial knee-jerk laws and regulations based more on fear,
misperception, political contributions, and ignorance than objective and
factual reality.

But even with this latest major Internet security problem, Corporate America
and the government still don't get it, and probably never will.

Contrary to what the fear-mongers and Sirens of Security proclaim from their
pulpits, Code Red isn't the danger, nor is it some "cyber-terrorist" with a
mouse and keyboard. Buying products and services will only be a short-term
curative, but not beneficial for long term security success. It's like
taking Tylenol for a headache that just won't go away... if you go
to the doctor, you might learn what is causing the headaches in the first
place, and actually get better by addressing the root cause of your pain,
and not simply the symptoms.

The most significant danger and vulnerability facing the Wired World is
continuing to accept and standardize corporate and consumer computer
environments on technology that's proven time and again to be insecure,
unstable, and full of undocumented bugs ("features") that routinely place
the Internet community at risk. But nobody wants to talk about that - not
the government, not CERT, not many security vendors, or most of the
mainstream media. Such analysis, although true, runs contrary to the status
quo and the industry-favoring 'party line' groupthink leading to increased
profits for everyone.

It's an established fact that the Internet and technology is a significant
asset to the economy and the modern way of life. Yet, the IT community
continues throwing good money after bad in a never-ending game of
cyber-triage (scrambling to acquire and deploy the latest hotfixes) to
respond or prevent damages arising from the software they are standardized
on. I'm not a business major, but I believe that a product or service
costing more to support than acquire is considered a "loss leader" and
should have its usefulness and profitability to the corporation seriously
and objectively reconsidered.

That being said, has anyone done an independent, objective study to
determine the Total Cost of Ownership (TCO) associated with Microsoft
products? It's got to be astronomical; consider how many man-hours (more
likely man-years) are wasted annually by IT departments scrambling to triage
the repeating fallout from such notable Microsoft- and/or Microsoft
Visual-Basic-based security problems as Melissa, Pretty Park, ExploreZip,
Bubbleboy, I Love You, AnnaK, Code Red, SirCam, and others, including dozens
of buffer-related exploits that any halfway-decent software quality
assurance team should have caught. More amusingly, how many other operating
systems can be compromised by exploiting a buffer overflow in a word
processor's Clip Art function, or via its integrated MP3 player? How much
overtime has been paid to consultants, technical staff, and for products
needed to "clean up after" or fix problems caused by Windows? How much money
is wasted on so-called vendor certification programs that cover what used to
(or should) be included in the product documentation, if it even comes with
the product?

Adam Lawson's Security News Portal article this week rightfully concluded
that "Code Red proved you should always be wary about what Microsoft
software does to your machine, like turning it into a server without your
implicit knowledge." Our information assets and Wired Society are at ongoing
and catastrophic risk by continuing to standardize on products designed more
to achieve one company's marketplace dominance than for the security and
operational reliability of its products. It's funny that since the US Army
moved its main headquarters webservers away from Microsoft technology in
1999, those particular servers have not been compromised once. What does the
Army know that the rest of Corporate America doesn't?

While nearly every other operating system has its share of vulnerabilities
and problems, none of them present the significant levels of risk that
Microsoft's does to their respective customer bases. Think about it -
Microsoft products sit on some 85% of the world's computer systems, and it's
Microsoft products that are responsible for most if not all of the major
Internet security headlines in recent years. While technical folks have
noted this fact and expressed growing frustration with these products in
their circles, their managers, CEOs, and their government counterparts turn
a blind eye to this grim reality, choosing instead to maintain the status
quo. This places information assets at risk by throwing good money after bad
to support a faulty product that's proven to be more problematic than
beneficial on an all-too-frequent basis.

I was at a security conference recently where it was stated that an
organization needing to secure a Windows NT 4.0-based IIS webserver needed
to incorporate approximately forty-seven-plus hotfixes that were either
included as part of a Service Pack or separate downloads from Microsoft. How
is any systems administrator supposed to retain their sanity and maintain
positive forward motion (i.e., productivity and a return on the company's
investment in them through their salary) when they are dedicating increasing
amounts of time to fixing one problem after another on a product that -
although sold as a finished item - performs like it's still being beta
tested? How many corporate projects are impacted or delayed because
technical staff must scramble to address the latest Microsoft security
problem? No wonder more and more system administrators are burning out and
questioning how seriously their employers are taking the concept and need
for true information security and operational reliability, let alone how
ignorant their senior management is regarding the true costs of using
Microsoft products.

The rational and radical thing to do is to formally declare a problem exists
and take appropriate action to correct it head-on. In the physical world,
there are Lemon Laws and consumer protections for shoddy products and
services. If a vendor knowingly sells a product with problems, they can be
held legally accountable for culpable or criminal negligence. The same can't
be said for the software vendors whose products power the majority of
computers in our Wired Society. If the FDA found that a diet drug caused
heart problems, the drug maker would be held responsible under federal law,
there would be Congressional hearings, and significant public outcry. Not so
in the software world - the only recurring Congressional action or interest
on computer security issues is at the request of the entertainment industry
cartels to maintain their respective monopolies over consumers, or for the
annual "we've got to do more" Congressional hearings on the security of
federal systems. Imagine how quickly Microsoft would clean up its software
if it faced a large financial penalty for each customer victimized by its
five-most-buggy product lines (Internet Explorer, Outlook, IIS, and Windows
family of products)? Even insurance firms that underwrite IT reliability and
business 'uptime' are charging higher premiums for companies using
Microsoft-based servers. Again, what do these folks know that the rest of
the world doesn't? Dump Microsoft, and your security posture increases, and
your support costs decrease, by nearly an order of magnitude!

Of little help on this matter are the various professional and government
organizations that should be the vanguards of sanity, reality, and public
welfare but instead continue to perpetuate the status quo and cater to
Microsoft's needs to maintain a happy and content customer base. Three days
after Code Red's moment in the spotlight, I received an e-mail message from
SANS discussing the Code Red fiasco. Although reiterating a much-needed
pleading for better system administration measures, the message was clearly
a marketing note for SANS' latest Roving Road Show, this time on how to
appropriately secure IIS against Code Red and other known vulnerabilities.
Ironically -- but not entirely unexpected -- the letter also stated that "it
would be inappropriate to try and capitalize off this attack" but that they
hadn't yet "determined pricing" to cover the expenses for the nine-city Code
Red Tour '01. SANS doesn't need to call this post-Code Red community-service
project a for-profit venture, but you can bet bits to bytes that attendees
will be swamped with all sorts of SANS propaganda and "to know more, attend
our other conferences" invitations. Thus, regardless of what is claimed,
SANS is simply trying to 'get in early' and capitalize on the bow wave of
Code Red's notoriety, Fear, Uncertainty, and Doubt. After all, panic sells -
but publicized panic sells more!

Sadly, all the objective analysis and facts will not change things, since
the current state of affairs is rather profitable for two of the three
parties involved. Microsoft receives a significant profit for each copy of
its product sold, and security vendors receive significant profits selling
products and services designed to mitigate the problems associated with the
underlying Microsoft products! It's a neat, tidy arrangement, and as a
result, past experience shows that there's little reason to hope for a
change no matter how bad things get. The more bugs, exploits, and
vulnerabilities that are publicized or hyped to the consumer masses and
elected officials means more money for these two industries. Information
security is a self-fulfilling prophecy, where the customers - individuals
and corporations - lose time and again. The only way to break this cycle and
achieve what textbooks call "security" is to drastically re-evaluate our
professional approach to this discipline at its most basic and fundamental
levels, and replace what's repeatedly found to be broken or faulty. As it
currently stands, not even Bob Villa could patch up the Windows in our Wired
World's electronic houses!

People should be wary of the ambulance-chasers that use the latest security
incident (e.g., Code Red) to pitch security services on panicked
customers. While it's certainly necessary to make certain any IIS servers
(or systems and networks in general) are protected from any number of
security problems, simply downloading the latest fix for your platform is
not the Be-All, End-All Solution. Code Red's demise doesn't mean that the
world is safe once and for all, nor does it mean that Code Blue, Code
Purple, or Code Red Part Drei won't manifest next week on USENET, or that
I-LOVE-YA may not reappear in someone's Inbox and start another week of
Ether-Hell for Exchange administrators. What you learn at the SANS Code Road
Show (or any similar event) or gain from new products purchased in a
knee-jerk response to Code Red's myth might not help you during the next
incident. After all, what worked well today may not work well tomorrow,
precisely because it worked today! Users need to focus on the larger picture
and underlying causes of these security events, and not on simply curing the
symptoms that crop up with annoying regularity. Continuing to download one
fix after another is a short-term remedy for a long-term problem. Instead,
look for long-term solutions that will save you time, labor, frustration,
and certainly money!

Instead of wasting money on post-Code-Red marketing hype and media
misperception, organizations should address the larger question. They need
to take a large step back and seriously reconsider why they continue to
place themselves at risk by standardizing on technology that's been publicly
proven time and again to be notoriously exploitable, unstable, and most
importantly, continues to detract from corporate profits and shareholder
return. Until someone with the intestinal fortitude is able to successfully
challenge this dangerous status quo, the Wired World remains at significant
risk of not only more security exploits generating headlines, but an endless
series of hotfixes, cyber-triage, frustration, fear-mongering, and knee-jerk
reactions that further obfuscate the real problems facing us.

My sympathies to those that have to deal with this mess on a daily basis,
not knowing if (or when) relief is in sight. I've been a system
administrator before - but I'd sure hate to be one today.

NOTE: This will be my last article discussing Microsoft's many shortcomings
and how its products place the Wired World at risk unless there is some
seriously-glaring item that just can't be ignored (Smart Tags as a way of
exercising control over web content, for instance.) Enough is enough, and
after a while it's like beating your head against a brick wall... as I said,
it's a sad-but-very-unlikely fact that the security profession or folks in
leadership positions will take note of what the reality of the situation is.
I'm not a Microsoft-basher (I actually like some of their stuff), but
rather an IT security professional that's tried to provide objective and
out-of-the-box analysis on a very real and pressing vulnerability that
nobody with any significant responsibility seems to care about addressing.

May the Apple Macintosh, Linux's Tux, the BSD Demon, and their siblings
continue to gain ground as sources of truly reliable, secure,
pro-community, pro-customer software that drives the Wired World into the
next generation despite the wishes of the current establishment. You've got
my support! /rick

ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.

    This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 05:23:24 PDT