RE: CRIME REMINDER: Free Seminar on Computer Security tomorrow!

From: Andrew Plato (aplato@private)
Date: Wed Sep 04 2002 - 17:53:05 PDT

    > Finding a hole absolutely does demonstrate that a product is insecure.
    
    No it doesn't. Finding a hole means the person looking for holes has the ability to find holes. It does not, necessarily, mean the product is insecure. Virtually every product ever made has security holes if you pummel them hard enough. 
    
    > The only barrier to entry is the difficulty of deploying the attack. Some vulnerabilities are difficult to exploit, and they are marked "low risk." Other vulnerabilities may be difficult to exploit, but are easy to script, and they turn into worms like Code Red.
    
    And that is a very significant consideration. It isn't enough to just go out and find holes. Those holes have to be exploited. Thousands of holes are discovered every week that never see the light of day or are quickly rendered meaningless by firewalls, OS patches, or a sea of other factors.
    
    > Remember, exploits are easy to replicate. The attacker doesn't have to be skilled enough to write their own exploits when they have Internet access.
    
    Agreed, but just because a hole is found, it does not therefore follow that that hole will ravage your network and cause you unmitigated grief. It also does not mean the product with said hole is instantly unsound and should be tossed out the door.
    
    > > Therefore, the intense focus on security holes is very misleading. It places an extraordinary emphasis on locating holes, but virtually zero emphasis on the PROBABILITY of those holes ever being exploited.
    > >
    > Your intense resistance to looking at security holes is very disturbing. It suggests that your risk analysis is seriously flawed. Point vulnerabilities are deadly security flaws if they are easily scripted. Pay attention to them, or be 0wned.
    
    I am not "resisting" security holes, I am rejecting reasoning that says:
    
    "Product A has a security hole, therefore product A is insecure and should never be used."
    
    Security holes do not, necessarily, render a product unusable or unsafe. Some holes can be plugged, mitigated, or accepted. Some holes pose minimal threat to an organization. But to brand all products possessing security holes as useless is ridiculous. As I have said before, that type of reasoning would render virtually ALL technology useless. 
    
    Furthermore, as part of any risk analysis I perform, there is a comprehensive review of the PROBABILITY of holes being exploited. If I look at a machine, I don't mark INSECURE on it and throw it in the trash because it has a single security issue. Again - that would be the case for virtually ALL systems.  
    
    >> Just because I CAN perform a certain kind of hack, doesn't mean the Internet will be flooded with those hacks.
    >
    > It does if the attack is easy to script and the vulnerability is widely deployed.
    
    Well of course. But assuming steps were taken to mitigate such risk, then said product with said security hole is no longer insecure. 
    
    > As Seth said, Gibson is a wanker, and I'm not going to bother defending him. He is not representative of this discussion, and the raw socket issue you refer to is an example of crying wolf about a non-vulnerability.
    
    Agreed, Gibson is a wanker. But you're using Steve's same "wanker-esque" line of reasoning. Steve saw a hole (real or not) and then jumped to the conclusion that said hole would become a major problem rendering everything insecure. This turned out not to be true and said hole was not a real hole or more importantly, was not exploited in the ways Gibson thought due to numerous mitigating factors. 
    
    > None of it came true because Gibson was 100% wrong :)
    
    Well, "raw sockets" as he understood them did exist in Windows XP (as they did in 2000 and many other OS). It's just he didn't understand the reality of the problem. My point with Steve was that he saw something was possible and then jumped to the conclusion that therefore because it was possible, everybody would immediately take advantage of it rendering all Windows systems insecure. This was not the case.
    
    I think a lot of the security holes out there fall into this same category. They exist, sure, but that does not mean they pose a threat to everybody.
    
    ------------------------------------
    Andrew Plato, CISSP
    President / Principal Consultant
    Anitian Corporation
    
    (503) 644-5656 office
    (503) 201-0821 cell
    http://www.anitian.com
    ------------------------------------
    



    This archive was generated by hypermail 2b30 : Wed Sep 04 2002 - 18:35:57 PDT