[ISN] Security flaws under the microscope

From: InfoSec News (isnat_private)
Date: Thu Aug 07 2003 - 22:59:13 PDT

  • Next message: InfoSec News: "[ISN] Hacker Gets Acxion Customer Information"

    Forwarded from: William Knowles <wkat_private>
    
    http://www.computerworld.com/securitytopics/security/story/0,10801,83811,00.html
    
    By Andrew Brandt
    PC World.com
    AUGUST 07, 2003
    
    A study unveiled at the Black Hat Briefings conference in Las Vegas 
    last week paints a grim picture of network security problems. 
    Among the study's surprising results: Some kinds of computer security 
    vulnerabilities--especially ones with an aggressive "exploit" 
    (something that takes advantage of the vulnerability, such as a worm 
    or virus)--may plague computer networks indefinitely. 
    
    "I wanted to understand how prevalent critical vulnerabilities are," 
    said Gerhard Eschelbeck, chief technology officer of security software 
    provider Qualys Inc. and author of the study. His first-of-its-kind 
    research is the result of 18 months of constantly probing his 
    customers' networks for common security problems. 
    
    The study, along with guidelines proposed by the Organization for 
    Internet Safety (OIS) on how to report buggy and insecure software 
    dominated the first day of the conference. 
    
    
    Perpetual vulnerabilities 
    
    Thought Slammer was over? Not according to Eschelbeck's study. 
    
    In his research, the security hole that allows entry to the Microsoft 
    SQL Slammer worm, which first appeared in January of this year (and 
    for which a patch was available as of July 2002), was detected more 
    than 30 times in the first week of February, then sharply declined 
    over the following six weeks to just five detections the week of March 
    22nd. That sounds like good news, but since attention to the worm 
    waned, Slammer's hole has made a comeback, with 22 vulnerable PCs 
    detected the week of June 28. (The research did not indicate whether 
    the scanned computers had become infected or otherwise fell victim to 
    the security problems, only that they were in peril.) 
    
    For the Code Red worm, the rise is less dramatic, but detectable. From 
    the end of April through the end of June, Eschelbeck's research 
    detected a slight rise in the average number of Code Red-vulnerable 
    computers among the networks he scanned. Code Red first made an 
    appearance in June 2001. 
    
    Eschelbeck theorized that IT departments are partly to blame for the 
    resurgence of some old security problems. Computer support staff store 
    "images" of hard drives with pertinent data, drivers, and software 
    configurations, so they can quickly restore a laptop or desktop to the 
    company's defaults. But often the IT department doesn't update those 
    images to include the latest patches to the operating system or the 
    applications. When a computer hard drive has the old image 
    reinstalled, all the old problems come with it. 
    
    In addition, a number of home computer users didn't apply recommended 
    security patches to their systems, so their 
    vulnerabilities--detectable by Eschelbeck's software--remain a threat 
    to the rest of the networked world. 
    
    After he built his scanning tool, Eschelbeck got results by keeping 
    track of the number and type of known security problems as he scanned 
    more than 1.5 million IP addresses. Armed with a database of 2,041 
    different security vulnerabilities, he also created the first Top 10 
    Vulnerabilities List, which updates in real time as new scan results 
    come in. This is an ongoing project for Eschelbeck. 
    
    Computer users may test their own systems, anonymously and at no 
    charge, using Eschelbeck's RV10 tool. 
    
    
    Eschelbeck's laws of vulnerabilities 
    
    In analyzing his research, Eschelbeck spotted patterns that helped him 
    develop what he called his four Laws of Vulnerabilities. 
    
    Law 1: The half-life of vulnerabilities (meaning the amount of time 
    that passes from the point a vulnerability is discovered until the 
    number of affected computers is halved) is 30 days. 
    
    Law 2: About half of the most prevalent serious vulnerabilities change 
    over the course of a year, but others persist. And the associated Law 
    3: Some security problems will remain indefinitely. 
    
    Law 4: Eighty percent of vulnerabilities have an exploit within 60 
    days, on average. 
    
    Don't let that 60-day figure make you complacent, though. "The 
    underground is ramping up their efforts to build exploits because they 
    know they have a very short window before a fix gets released," said 
    analyst Simple Nomad of Bindview, a company that helps businesses 
    secure their computer networks. 
    
    
    Bug report procedures proposed, criticized 
    
    As a result of the speed with which some hackers build exploit tools, 
    software companies are scrambling to develop procedures to respond to 
    people who discover and report security vulnerabilities. 
    
    One set of such procedures has just been released by OIS, a group of 
    security companies and software makers that includes Oracle Corp. and 
    Microsoft Corp. The OIS Vulnerability Handling Guidelines describe a 
    comprehensive set of "best practices" software makers should use to 
    handle security bug reports. 
    
    The guidelines call for the maker of the software for which a security 
    vulnerability has been detected to restrict release of full technical 
    details of a bug to a short list of businesses, such as antivirus 
    vendors, while a patch is being developed for the vulnerable software. 
    Only after a period of no less than 30 days would technical details 
    become widely available. 
    
    "We saw that releasing [full technical details of] exploits at the 
    same time as the patch was doing more harm than good," said Chris 
    Wysopal, director of research and development for security consulting 
    firm @stake. The company's clients, including major corporations, 
    "were getting owned on the first day the [security bug] exploit was 
    getting released," he explained. Wysopal helped develop the 
    guidelines. 
    
    Some attendees suggested that this delay in sharing information 
    benefits some companies by increasing the value of paid security 
    mailing lists, while harming academic research into security problems. 
    Several others also derided the guidelines for being too optimistic, 
    making assumptions about the motivation of people who find and report 
    vulnerabilities, as well as their willingness to cooperate. 
    
    The guidelines remain controversial. However, the companies that 
    participate in the OIS are not bound by them--they are 
    recommendations. 
    
    
    
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ----------------------------------------------------------------
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ================================================================
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    *==============================================================*
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Aug 08 2003 - 01:00:15 PDT