mailing list archives
Security is not a technology, but instead attitude
From: "Trowel Faz" <trowelfaz () hotmail com>
Date: Thu, 22 Jul 2004 11:51:00 -0500
This is sort of a rant. Companies believe there is a 'black box' that will
secure them. We all know this to be false. Besides all the buggy code,
unsafe operating practices and the like, one of the biggest issues is from
the attitude of the companies themselves. Recently, I experienced this first
hand in case seperate cases:
1) Emailed major vendor about a flaw in the operation of one of their
patches that will render a vulnerable service back to life to be exploited.
After their verification this can happen, I received a FU type of response:
"At this point I don't see any further actions I can take on this issue.
I do not want to update the KB with text along the lines of 'And it is
possible to restart the service as an admin by clicking a link' since
that would allow attackers an easy pointer to a bug, even though all
known attack vectors are blocked."
So, even though all current *known* attacked vectors are blocked, a service
can still be restarted unknowningly by the user and exploited with *unknown*
attacks (or at least unknown to the vendor). If I set something to disabled,
it should stay in that state unless I explicitly enable it. Yes, one could
delete the offending files, but given the OS involved, it *will* reappear
The second case involves a vendor who offers commerce transactions to a very
large community worldwide. Their main login screen is not SSL wrapped, but
there is a tiny link near the bottom that allows for SSL logins. This
service is used by *many* non-technical people, most of who probably don't
even notice the SSL link for an alternate login page. So, when the user logs
into their account, their login/password are transmitted in clear text for
easy sniffing or recording in web proxies or on the vendors web site itself.
Now mind you, many of the users of this service probably also have the same
login/password for their ecommerce access, which is tied directly to their
credit cards and bank info (which, by the way, the vendor has a vested
interest in). Their response? "There is an alternate link for using an
encrypted login if you wish". Why not make that the default?
In case 1, then vendor acknowledged there is still a bug, but doesn't want
it to get out, and wants to do nothing to address it. When there is a
working exploit for it, they will fix it. This is reactionary mode. Don't do
anything unless something bad happens, then only fix that part instead of
fixing the problem as a whole.
In case 2, then vendor has their get-out-of-jail card handy since 'there IS
a way for encrypted login, but it is not default'. This ignorance costs not
only the vendor, but the banks and users involved hard cash. Sure, someone
who is hit by a compromised account may be able to get some of their money
refunded, but the perp probably got away with it AND the user now has the
possibility of their other personal information leaking out to who knows
where all because a vendor did not act responibly in the first place. And
this vendor has other 'security' in place to ensure you have to authenticate
if you wish to look up some 'marked public' info for other users. Why
bother? Simply sniff their credentials off the wire and have fun!
All in all, the real security threat is from attitude. Attitude for not
addressing problems that are reported. Attitude from releasing poorly coded
applications just to meet a deadline. Attitude from failing to take the
basic precautions for doing business on the Internet.
Discover the best of the best at MSN Luxury Living. http://lexus.msn.com/
Full-Disclosure - We believe in it.
- Security is not a technology, but instead attitude Trowel Faz (Jul 25)