[ISN] Rebuttal on Schneier's comments regarding eEye and Code Red.

From: InfoSec News (isnat_private)
Date: Wed Aug 15 2001 - 23:03:47 PDT

  • Next message: InfoSec News: "[ISN] Security UPDATE, August 15, 2001"

    Forwarded from: "Jay D. Dyson" <jdysonat_private>
    On Wed, 15 Aug 2001, InfoSec News wrote: 
    Bruce Schneier (in Crypto-Gram) wrote:
    > We shouldn't lose sight of who is really to blame for this problem. 
    > It's not the system administrators who didn't install the patch in time,
    > or the firewall and IDS vendors whose products didn't catch the problem. 
    > It's the authors of the worm and its variants, eEye for publicizing the
    > vulnerability, and especially Microsoft for selling a product with this
    > security problem.
    	This stunned me.  If memory serves, Counterpane's staff was quite
    pleased about receiving full details of the worm from eEye staff.  This
    afforded Counterpane the ability to accurately update their IDS and
    related.  As much as I respect Bruce Schneier's work, I have to say that
    this stance smacks of a double-standard: "Full disclosure for me, but not
    for thee." 
    	Why is it *NOT* noted that eEye worked closely with Microsoft and
    delayed release of the advisory until Microsoft had a patch?  (Microsoft
    went so far as to *thank* eEye for their assistance when they released the
    patch.  You think that comes easy?)  Why is *NOT* noted that the Code Red
    worm utilized a different attack method than eEye originally identified?
    And finally, why is it *NOT* noted that eEye went out of its way to break
    down the worm that *someone else* released into the wild so that other
    parties could better defend themselves?
    	The omission of these very crucial aspects of the ongoing Code Red
    incident invalidates Schneier's critique of eEye's full disclosure
    > You can argue that eEye did the right thing by publicizing this
    > vulnerability, but I personally am getting a little tired of them adding
    > weapons to hackers' arsenals.
    	I personally hope that eEye and other firms continue such full
    disclosure practices because their tools are as amoral as cryptography. 
    Like cryptography, hacking tools can be used by people of dishonorable
    intent...and like cryptography, hacking tools can be used by honorable
    people as a means to defend the assets for which they are responsible.  To
    suggest that release of such tools be curtailed (or prohibited) is to
    suggest that the populace at large be left totally at the mercy of Those
    Who Do Not Play By The Rules solely for the benefit of the unthinking and
    uncaring (and quite possibly incompetent) admin.
    	I've long since tired of the argument that everything has the
    potential for misuse should be rendered to the impact of a Nerf ball. 
    Malcontents will always be with us...and limiting the liberties of the
    well-adjusted based on the shortcomings of the maladjusted is little but
    another step into an Orwellian future wherein War is Peace, Freedom is
    Slavery, and Ignorance is POLICY. 
    > There are two other lessons of Code Red that I haven't seen talked
    > about.  One: Code Red's infection mechanism causes insecure computers to
    > identify themselves to the Internet, and this feature can be profitably
    > exploited.
    	Actually, I addressed this facet when I authored and released
    Early Bird (http://www.treachery.net/~jdyson/earlybird/).  Several others
    have mentioned it as well (such as Weld Pond of @Stake), though I don't
    know how far or wide their observations were disseminated.
    > How many hackers are piggybacking on Code Red in this manner?
    	Just as many as there are responsible admins who notify the admins
    of the affected networks, I imagine. 
    	And not to belabor the point, but piggybacking has been done for
    *ages*.  As evidence, I need only point to: 
    	The above page is a listing of *re-defacements* of sites that were
    listed on the Attrition Mirror.  Those re-defacements were not listed on
    the Mirror, but they were kept for statistical purposes.  This may be the
    first time this information has been made publicly known, but it pretty
    much proves the point that intruders have been piggybacking on previously
    breached systems long before Code Red.  Indeed, one of the systems in that
    list has been re-defaced over 40 (!!) times.
    	Furthermore, I'm less than half-way through a personal project
    (one that I started in late February of this year) which involves a
    longitudinal study of the state of [in]security of systems that scan
    servers I maintain.  Were I of an unethical mindset, I could have just as
    readily piggybacked onto the breached systems that scanned the systems
    over which I have charge.  Given that I've been doing such longitudinal
    studies on systems that scan mine, I have every reason to believe that
    others have been doing as much as well...and their motives may or may not
    be as purely academic as my own.
    > Two: Code Red's collateral damage illustrates the dangers of relying on 
    > HTTP as the Internet's communications medium.
    > This is a large single-point-of-failure that Code Red has illustrated,
    > and no one seems to be talking about. 
    	No argument there.  All told, I think people have become
    desensitized to DoS attacks.  Further, I think the lack of discussion
    regarding this very real problem hinges solely on the preference for
    convenience being weighed more heavily than the necessities of security. 
    Most users don't just want to have their cake and eat it...they want to
    put it on display as well.  A lot of these problems could have been
    avoided by simple use of IP filtering.  Instead, the port is open and will
    listen intently to anyone that yells at it.  Small wonder it goes deaf
    when the volume reaches a crescendo. 
    > Code Red ushers in a new form of attack: a preprogrammed worm that
    > unleashes a distributed attack against a predetermined target.
    	How is that different than the Morris worm of the '80s?  It too
    had predetermined targets and exploited known vulnerabilities.  And that
    worm, like Code Red, suffered from its own programmatic mistakes. 
    - -Jay
    Thanks to Jericho <jerichoat_private> and Aj Reznor <ajat_private>
    for their comments and suggestions on this response.
      (    (                                                          _______
      ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
    C|~~|C|~~| (>------ Jay D. Dyson -- jdysonat_private ------<) |    = |-'
     `--' `--'  `-------- Real men prefer full disclosure. --------'  `------'
    Version: 2.6.2
    Comment: See http://www.treachery.net/~jdyson/ for current keys.
    -----END PGP SIGNATURE-----
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Aug 16 2001 - 01:19:47 PDT