mailing list archives
RE: News, dumbug, prediction rebuttals.
From: "Marc Maiffret" <mmaiffret () eeye com>
Date: Tue, 27 Dec 2005 11:44:31 -0800
A Windows Vulnerability Drought
I don't think there will be any Windows vulnerability drought. If there
was going to be we would currently have started to experience it since a
*lot* of the effort has already been done. I do think however that the
types of attacks we see will change. The massively propagated attacks
either via worms or remote SYSTEM style attacks are going to slow down
because Microsoft *is* putting a lot of resources into fixing *those*
types of vulnerabilities, but it would be short sighted for companies to
think a decline in those types of attacks means systems are more secure.
That being said though there are still many more products and lines of
code than Microsoft, even with its supposed army, can completely audit.
With that there is also the fact that automated tools still are not
flexible enough to replace the lack of enough *good* source code
auditors. That means you will continue to see more targeted
vulnerabilities, which are typically going to be in client applications
or other non-built-in OS software, that are not typically audited nearly
to the extent at which the OS and a few main apps are. For example all
of the business logic management software Microsoft has been acquiring
lately, and hey it only stores all your financial data and has plugins
on top of IIS.
At the end of the day though it is a lot of times futile to try to guess
where security will or wont be, as it pertains to bugs and protection.
To do that you really need to predict where business will be or more so
how people will be doing business. That is one of the main drivers
behind the types of security solutions that are produced, with the
exception being the consumer market which has its own drivers. And that
brings us to my own "prediction" or really food for thought... How do
you audit what you don't have access to?
There is currently a big battle being waged "behind" the scenes and soon
to be running in the streets between companies like Microsoft and Google
to decide who will dominate the hosted/asp/whatever application space.
Google obviously is building their whole company around the fact that
people will live inside their web applications. Microsoft also is making
many moves into this space with its Microsoft Live initiatives. There
are also the "other" companies, such as Salesforce.com, which are taking
typically large scale enterprise applications and turning them into
hosted web applications. So what does this mean for security and more
These movements start to create a barrier in the ability for third
parties to verify the trust/security of applications that businesses are
depending on. That is because the core of the application that would be
tested for security weaknesses is going to be hosted by a third party
(obviously). This means for researchers to audit these applications it
truly means attacking a companies servers which is (obviously) illegal.
I am sure the Microsoft's of the world love this idea because everyone
today who is auditing and finding MS Office vulnerabilities, for
example, would now not be able to do so because the majority of the MS
Office attack surface will be hosted on a server that Microsoft owns
which makes it illegal to audit. That might be great for Microsoft PR
and might also lead companies to believe these types of applications are
more secure. This is because good intentioned researchers are boxed
out... This "new" type of application does not however persuade people
who do not abide by laws. You end up creating an environment where the
"bad guys" are still finding vulnerabilities however the "good guys" are
not. Unless of course they work for the company in question. This truly
leaves the fate of product security up to vendors and with the lack of
bad PR to motivate them they will be purely motivated by the bottom line
of revenue which is usually not focused on security as a profit maker,
but instead a profit taker. The threat also increases due to the
increased instantaneous nature of attacks.
We already all understand that the problem with comparing real life
crime to cyber crime is that you can be robbing a bank in New York and
Tokyo at the same time instantly from Russia while living in California.
When everything goes hosted you now have all types of data being store
in centralized locations for all businesses. In the example of using
hosted Human Resource, Finance, Document type applications that means if
I break into the Microsoft Office Live, or Salesforce.com I could
*potentially* have instant access to Documents and Financial statements
on thousand of corporations. While this might be an obvious statement it
is important for the companies building these solutions to truly
understand data and privilege separation. So that when they are
compromised, and they will be, it is not easy for attackers to gain
access to *everyone's* data. Most of the companies I have seen do not
seem to have thought about this much. (Side note, one of the greatest
feats that U.S. intel. could have pulled off would have been the
creation of Google.).
This will also cause a rebirth in some of the hacker culture that has
been missing for so long where it is not about the waste of fuckin time
infighting and more about "sticking it to the man" which in this case
would be illegally hacking hosted applications as the only means to show
the world they are insecure. Much like back in the day where the only
way to learn about systems was to hack into them because you didn't have
your high speed cable modem and warez connection to download VMWarez and
play with whatever you wanted. But I'm digressing... And speaking of the
old days, technology like so many things is reinventing itself in the
form of new twists on dumb terminals and distributed component
platforms. Which brings us to...
Return of the Dumb Terminal
Many of the largest corporations in the world, especially financial
institutions, are moving back to a dumb terminal like environment where
the majority of all processing is happening on a central server (really
a cluster of servers) rather than on the workstation. Again this is not
any sort of new technology however due to a lot of business drivers (In
fact 9/11 being a big part of that for the financial firms) many large
companies are going to thin client deployments so that they can
literally lose a building over night and still be able to have all of
their employees working the next day (forget the social right/wrong of
that idea for a moment). This push is also in part being helped by
companies like Citrix whom are creating the software infrastructures to
be able to handle such an endeavor on Windows based platforms. There is
the obvious implications that when companies do move to such
configurations the threat of local privilege escalation vulnerabilities
will greatly increase because now they are worth more. I.E. I don't just
go from joe user to admin on my own box ... I now go from joe user to
privilege user who can read data on any of the other thousands of
employees and business documents etc... This is of course unless the
vendors who are making this technological push actually think about
adding security as a part of the process. This is another funny aspect
of Windows catching up to things "UNIX" has experienced for years. Local
priv. escalation has always been interesting for multi-user "UNIX"
environments' its finally going to be more interesting for Windows.
A Credible Open-Source SIM
I think you can more broadly say "Open source security products are
dead." Although you start sounding like Gartner. But the reality is that
most people realize after dumping a couple years of their life into an
open source project, that becomes of the level of a real commercial
product, that it is not really fair that everyone else is getting paid
to do it for a living, or getting bought and paid even more. That is
obvious when you look at the two most popular open source products,
Snort, Nessus, going away (from what they were). And as a side note
anyone who thinks that statement is incorrect about Nessus/Snort can
save me the ignorance of a debate as the question is easily answered
when you understand what they were once and what they are today, and
they are both *very* different.
That is not to say you will not see people getting all hyped up to "Save
Nessus!" or create another open source product. They will run their
course when people realize that open source projects of that magnitude
really are not as open source sexy as they sound. They usually result in
only a very small (even couple) of people who actually do the real work.
Nessus is a great example of that as even Renaud et al have stated.
Speaking of which... What happened to all those save Nessus projects?
Reminded me of when all the musicians got together to say how shit Bush
was yet it all faded as soon as the hype cycle of looking cool ended.
But now I'm rambling...
Some tidbits for 2006:
* Another person writes a paper about how they wrote the smallest
windows shell code
* The lack of news worthy attacks (worms) creates a lulled state in IT
people whom believe their systems are secure. This creates a rebirth in
the 90's mentality where you need to prove to people they are vulnerable
(the pen-test golden days). Real demand is created for exploit platforms
and Core and Canvas battle it out. (2yrs)
* Improvements aside, the same 10 people talk about the same 10 things
* Symantec sues Microsoft (in the U.S.) as a last ditch effort to not be
screwed by Microsoft's move into the consumer security space, Symantec
* Oracle continues to make the most vulnerable enterprise software and
spends more money on marketing that they are secure than fixing the
problems. It is Microsoft 1999, they eventually get screwed in a big way
and wake up.
* Lack of Microsoft worms does not mean lack of worms, some worm writer
realizes that writing a worm for things like the Anti-Virus file
decoding overflows would be just as devastating as any Microsoft RPC
worm. The first big non-Microsoft worm happens?
Re: News, dumbug, prediction rebuttals. Florian Weimer (Dec 22)
Message not available
Re: News, dumbug, prediction rebuttals. sgc (Dec 22)
RE: News, dumbug, prediction rebuttals. Marc Maiffret (Dec 27)
- Re: News, dumbug, prediction rebuttals., (continued)