Forwarded from: Aj Effin Reznor <ajat_private>

"InfoSec News was known to say....."

> http://www.newsbytes.com/news/01/168934.html
>
> By Brian McWilliams, Newsbytes
> ALISO VIEJO, CALIFORNIA, U.S.A.,
> 10 Aug 2001, 5:11 PM CST
>
> The damage toll from the Code Red worm has sparked a new debate
> over what security experts call "full disclosure."
>
> Richard M. Smith, chief technology officer for the Privacy
> Foundation, today criticized the company that found and publicized
> the glitch in Microsoft's Internet Information Server (IIS) which
> led to the creation of the malicious worm and a copy-cat.

Am thinking Mr. Smith's head has either swollen in size due to his self-professed track record (as he posted to BugTraq at Date: Fri, 10 Aug 2001 15:32:53 -0400: "I've probably found a dozen or so security holes in Microsoft products. Many of these problems were reported on BugTraq list without full disclosure. How come so few people have ever approached me for the full details?") or he is feeling a bit of a deficit of attention lately, but this is fucking ridiculous.

> Eeye published a detailed advisory about the new IIS flaw on June
> 18, the same day that Microsoft released its own bulletin and a
> patch to correct the problem. In its description of the problem,
> Microsoft thanked eEye for working with the company "to protect
> customers."

Good to see the truth shine through (for once).

> "One thing is now crystal clear with Code Red: full-disclosure
> comes with one hell of a price tag. There has to be a better
> way," said Smith.

A single case example doesn't make for good modelling. Mr. Smith should be well aware of this.

I am posting this to ISN as I wasn't able to get in on the BugTraq thread before Aleph1 killed it off.
I know that the more technical minds on this list will yawn over my rantings, but I know there are many here who are openly not the most proficient people in the world, and while the article points a good defense to eEye, I really am rather pissed at Mr. Smith's allegations. His way or the highway? Bah!

The following is an email I sent early today to a journo at the Register UK. The article, while being well written, I felt was off base on the attacks on eEye. The article was posted to ISN; it's located at http://www.theregister.co.uk/content/55/20908.html

This mail relates more to the Reg's article than the issues Mr. Smith brings up (worm hype as marketing vs. "it's their fault").

My mail (in part) to the author:

[begin]

Thomas,

Regarding your article located at: http://www.theregister.co.uk/content/55/20908.html

I have always enjoyed the reporting that The Register UK has to offer, by far superior to the piddly OC Register that I have local to me. Beyond the local cage-liner, the Reg/UK's tongue-in-cheek humour and dry wit has always appealed to me; I find myself often possessing similar qualities, much to the dismay of coworkers and superiors :)

Anyways... I do take issue with one point that you make, that being about Marc@eEye. I know that line alone is going to put you on the defensive, and for once, I am *not* out to flame the living shit out of someone just because their views are contrary to mine (if you knew me, you'd be shocked over this, really). The points you make are all valid and intelligent, and I respect you for that. However, I do see things a bit differently than you do, and I hope that, despite differing, possibly drastically, you can respect my thoughts equally, or at least a close approximation of such.

eEye has multiple products other than SecureIIS, which I will assume that you have performed some mild diligence and are aware of.
Based off their security scanner, Retina, and the ongoing signature development that they are constantly undergoing, "new" vulnerabilities are found. The .ida bug is of course one of these. eEye has discovered multiple bugs over the last couple of years. This has multiple effects. One, they have a signature in their database which can give their product a competitive edge, which is of course good in a free market economy such as we have here. Be mindful that there are bugs in existence which "the underground" (lordy, I hate that phrase, but it's convenient enough for this correspondence) is aware of, and security vendors and practitioners are not privy to. eEye may be discovering *completely* new bugs, or they may be discovering something which the underground has known about. Either way, through their findings, administrators can attempt to tighten up their systems a little more.

SecureIIS is a marvelous product both in theory, and largely in operation. For being first generation, the tweaks and adjustments that it'll be getting for the next rev are really relatively minor. And yes, it would have protected any non-patched system from .ida attempts. Being the only product I know of that doesn't rely on a signature database, and is flexible enough to handle unseen attacks, is pretty friggin cool. Let them brag! ISS, NFR (Network Flight Recorder), no one comes to mind with a product that can compete with it. I also have yet to see a filter set for any commercial firewall (Check Point, Raptor, Gauntlet) that can block Code Reds. If there is one that I've missed, I humbly accept correction. But, SecureIIS is unique and well thought out. Deal.

Microsoft admitted that eEye had been fundamental in working with them on the bug, the exploit, and the patch development. eEye, in a gentleman's agreement with MS, didn't release the exploit until the patch was prepared and available. Hardly the maneuvering of a company that is using the bug as a fundamental sales tool.
Yes, they've pointed out time and time again that SecureIIS is the only product that would prevent infection on an unpatched server. While this may be ego and posturing, this is also the truth. As a company, marketing is important, and pointing this fact out is worthwhile.

Marc and the crew at eEye are similar to myself in regards to having at least been greyish in our hats before making the transition to "professional". I was speaking with a local FBI Field Agent yesterday, and was telling him why I thought the NIPC was a joke, and it's because, for the most part, the people that comprise it aren't technophiles by nature. They're textbook. It's not in their blood, in their heads, in their lungs. For Marc, Ryan, Riley, and others at eEye, for myself and for associates with whom I have collaborated on large contracts, it is. As such, it's frustrating for ALL of us to have to see the net congested as fuck because a known bug, with a known and *well documented* patch, is causing headaches for many people.

My cable modem segment at home is slammed with v2 requests. A 10 second timeframe at any given point shows 55-70 arp requests. Last Saturday I was receiving 75-85. At the same time, I was talking to an associate in Los Angeles. His cable segment was showing 650-800 arp requests. Sorry, that's unreasonable and unreal, both. The father of the CTO for my current employer uses Time/Warner's Road Runner service, and was down for two days while they (Road Runner) tried to figure out what to do.

Not sure how aware you are, but the AUP (Acceptable Use Policy) one signs when getting a cable modem specifies that you are not to run any services from your machine. There is no reason for all these machines to be running IIS at all. The fact that they are, unpatched, points not only to user ignorance, but to how this ignorance is coddled by Microsoft.
As I write this (~ 1:45 PM PST), my web server Code Red stats (since Aug 01) look like this:

Summary findings --
CRv1: 140
CRv2: 438

My firewall on my @home cable modem? From 2am Saturday August 4th:

Summary findings --
CRv1: 26
CRv2: 1699

So yes, Marc rants about it. So do I. So do a lot of people.

(I'm nearing conclusion, hang with me a bit longer, yeah?)

As for your assertion that eEye's publicizing of this vulnerability being somewhat responsible for the authoring of the worm.... What hole, and what publicizing, led to the Melissa virus? Fun Love? None, really. As I stated earlier, the underground has tools for holes that corporate America isn't even aware of. Obviously, not all of these have a specific worm written for them (some aren't even worm-able), but at some point, someone could write a worm for one. If eEye had found the hole, if MS had issued a patch, and if it were done with little fanfare, some sociopathic 16 year old would be trolling MS's site looking for patches, finding holes, and possibly coding a worm or a virus or even a basic non-worm, manually run exploit for said hole.

Familiar at all with FTP daemon exploits? WU-FTP 2.4.2 ? 2.6.0 ? Nothing like remote root-access exploits found far before a patch was available! This is the nature of the net, of tech-heads, and malicious crackers. That this .ida bug affects the flagship web server for arguably the largest corporation known to mankind makes it stand out a bit more than full-bore root compromises for free, open source ftp servers which actually have a larger install base than IIS does.

It is also worth pointing out that, unlike most crackers, among others, when eEye does find a vulnerability, they don't release exploit code, which also differs from the typical routine found not only against MS but also in the open source community.
If they *really* sought to profit from their findings, they'd release exploit code, thereby compelling corporations to purchase an eEye product to secure themselves against a bug written by eEye itself. It'd almost be akin to MS charging for security patches :) It should be duly noted that eEye does *not* do this.

This was played out by the media. Ya can't blame Marc for saying to the media what he'd say on BugTraq. Ya can't blame the media for listening. Ya can't blame any company for pointing out that their product could avoid certain types of catastrophe, either.

Why am I even bothering to write this? I like eEye. Retina is not only more cost effective than competing products (notably the "industry standard" ISS), but also works faster, and requires less hardware to run on. When I served as a mobile consultant, finding a laptop with enough horsepower to run ISS was either impossible to find, or cost prohibitive. I also like Retina because it makes it easy to correct registries on a large number of machines from a single point, rather than having to touch every desktop in a large installation. I like the fact that they are driven through desire, not compensation, to pursue bugs, worms, and development. I like Marc's title as Chief Hacking Officer. It's what he is, it's what he does.

I don't like ISS's "X-Force". Their constant claims that they "won't hire hackers" are utter crap. They do have members of the underground on staff, and a small percentage of them don't always behave in legal manners. Not a company I'd want to pass my duckets off to.

I'd be interested in any reply you have, at your leisure.

[end]

So, in closing, to any journos or PHBs or other managerial types who don't have half the clue you should, the dissemination of knowledge isn't a bad thing. On the net, ignorance most certainly is NOT bliss, and I would personally like to be the first to knock half the smiles off the ignorami out there.
If you're scratching your head right now wondering what all the ranting is about, what "full disclosure" means, among other things, consider resigning post haste.

-aj.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 03:26:23 PDT