Forwarded from: Dragos Ruiu <dr@private>

On Tuesday 08 November 2005 00:17, InfoSec News wrote:
> http://www.fcw.com/article91318-11-07-05-Web
>
> By Frank Tiboni
> Nov. 7, 2005
>
> The Air Force plans to test its new Microsoft standard desktop
> computer configuration at five field sites later this month. The
> service wants to install the configuration on 70 percent of its
> computers by June 2006 and on the rest by the end of 2006, Air Force
> and industry officials said.
>
> The Air Force will distribute Microsoft software with standard
> security configurations servicewide to improve network security and
> management. Military and civilian agencies are watching the testing
> because they could use the software governmentwide early next year.
>
> Many security problems associated with Microsoft software occur when
> users do not properly configure their systems. As part of this
> initiative, the Air Force is standardizing desktop PCs that are set up
> with all appropriate controls in place.

Ok I have to call this one. Be very careful. This is a very dual edged sword.

There is great strength in standardized configurations. But you have to be _very_ careful that you get it right. Because you are essentially setting up a monoculture. And if you get it wrong, and there are flaws, it means an attacker who does get a vulnerability can rip through your entire network like lightning. Mistakes in that central configuration could be disastrous. It also makes it a lot easier to test out exploits if there is only one configuration variant to worry about.

To harken back to biological examples, it means a single virus can take out the entire population. I don't know about you, but the thought of an attacker owning the 70%-100% of the U.S. Air Force in one swoop makes me a tad nervous. All your eggs in one basket as it were.

Putting on my pen tester hat, the weakness of this approach is that it removes one of the most difficult steps in remote penetration: the enumeration and identification of the system configuration you are attacking. You only need one set of offsets in your exploits, and you can just get a copy of the standard configuration, and test it leisurely in your single pc lab. When you get it right, you can take down the target hard, as a complete surprise.

Sure, when individual sysadmins get to muck with the configurations they can introduce weaknesses and mess up all kinds of stuff. But there are some real dangers to setting up a centrally controlled homogenous monoculture too. You may be doing the exact opposite of strengthening the network - instead locking everyone into a common level of mediocrity. That variability in configuration, that can introduce weakness in the population, can also bring some measure of safety and provide one more hurdle for digital attackers to overcome.

I used to work for many years at Hewlett Packard, where they had this thing they call COE - common operating environment. As I can tell you from using that system - no matter how well they sell you on the wonders of central administration, it ain't all a bed of roses. When it sucks, it sucks hard. That's why my group used Macintoshes. :-)

This standard configuration approach puts a lot of responsibility on a single group. And humans are never infallible. We make mistakes. We should plan for and accept those mistakes... and this approach does not seem to account for this.

Of course this all depends on what is called a "security configuration" and ymmv. "Configuration" is a sufficiently nebulous term that this could mean all sorts of things from a rule saying that everyone must turn on windows update, to a standardized os/driver config that would make target enumeration for attack a walk in the park.

But my initial reaction to this is not one of "Phew, they are finally going to patch all their systems" but rather "Ruh-roh, they are locking the entire Air Force into a single, easy to attack, configuration." And I don't know if I feel so comfortable about that when we are talking about computers for people equipped with nuclear explosives.

just one man's opinion,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan November 14-16 2005 http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp

This archive was generated by hypermail 2.1.3 : Tue Nov 08 2005 - 22:14:31 PST