Dailydave mailing list archives
Yet another fascinating advisory!
From: Dave Aitel <dave () immunitysec com>
Date: Wed, 11 Feb 2004 11:44:38 -0500
Betasystems.com released an advisory today about their backup product, "Harbor Backup" (Also known as Tantia). Originally I was going to release one too, but they know who their customers are, and if you have a CANVAS subscription, you can just download the exploit and find out all about it.
For those of you who weren't at my BlackHat talk in Seattle, one of the themes was that the management and monitoring software and other enterprise-level software that people install is rarely looked at, and highly vulnerable. I remember when @stake posted a message saying that people should test their internal Oracle financials application and I crashed it (format string bug) in about 3 seconds and it took two days to bring back up. Turns out they meant they wanted it tested for functionality - like, can you enter in a time sheet. A common Functionality-QA vs Security Testing problem.
My suggestion during the talk was that you should write in your IT acquisition contracts a phrase that requires a third party review from a security company you trust before you purchase the software, at the vendor's expense.
I listed about 5 or 6 products (including Harbor) that will be having advisories soon. But the point was not that "company X has bugs", it's that every product you install on your gold build needs to be looked at, and the ones that don't have a bugtraq thread five pages long on them are the ones I, as a hacker, will look at first. Hackers aren't above breaking into one box on your network, and writing 0day for everything on it to use to own every other box, without fear that some IDS will catch them.
There's a common practice of developing "gold builds" or "standard builds" which you place throughout your enterprise, or use as a desktop build. And I like to divide the things you do to generate a gold build into three categories:
Category 1. Software you can download off the Internet: Often has hardening guides you can download off the Internet. The NSA Windows Hardening guides, for example, or various Solaris hardening scripts.
Category 2. Software you own that few other people own: Rarely has any good information available on the Internet related to configuration or hardening guides. Often has not been looked at by the public security community, and so has many "low hanging fruit".
Category 3. Software you wrote: Obviously, other than broad guidelines, there is no specific documentation on how to harden your own applications. There probably should be though - and a good CSO will make sure that it gets produced and used before the application gets put on the net.
To produce a gold build that is actually hardened, you need to go beyond #1 (which is where most people are) and take some control of #2 and #3. This is rarely done, and I think a serious misstep by any information security department who fails to do so. To get control of 2 and 3, I recommend:
1. Get a third party review done by the vendor by an information security consulting firm that you trust. Trust is important. If a company makes 50% of their income from selling information security to Oracle, it's hard to say that they are trustworthy regarding Oracle or other database software.
Alternatively you can hire a company to do this at your own cost. Keep in mind that without source code and access to developers, it's harder to do a complete review, but that for this kind of software, a complete review is rarely needed to find several major problems.
2. Create a business guideline for your gold build. I.e. when I look at it, I need to see "why we have SNMP enabled" written somewhere. Then when I review it, I can write "This is the risk you are running" and you can check "ok" and be done with it, rather than having to revisit it every time you do a review or derive a new Gold Build from it.
3. Whatever everyone else on the list pipes in to say that makes sense.

Dave Aitel
Immunity, Inc.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
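An added example, not code from the post above or from Immunity, that models the review workflow the post recommends: every enabled service on a gold build needs a written business justification and a reviewer's accepted-risk sign-off, and category 2/3 software (few other owners, or written in-house) with no third-party review gets looked at first. The manifest format, field names and priority weights are assumptions made for this example.

```python
"""Checker for a gold-build manifest (example code; manifest layout is an assumption)."""
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    category: int                                        # 1 public, 2 niche vendor, 3 in-house
    services: list = field(default_factory=list)         # enabled network services
    justification: dict = field(default_factory=dict)    # service -> why it is enabled
    risk_accepted: set = field(default_factory=set)      # services a reviewer signed off on
    reviewed_by: str = ""                                # third-party review firm, "" if none


def review_priority(c: Component) -> int:
    """Higher means look at it first: little public scrutiny, no review, more exposed services."""
    score = {1: 0, 2: 2, 3: 3}[c.category]   # assumed weights for public-scrutiny level
    if not c.reviewed_by:
        score += 2
    score += len(c.services)
    return score


def findings(build: list) -> list:
    """Return human-readable gaps between the build and the documented guideline."""
    out = []
    for c in build:
        if c.category in (2, 3) and not c.reviewed_by:
            out.append(f"{c.name}: category {c.category} software with no third-party review")
        for svc in c.services:
            if svc not in c.justification:
                out.append(f"{c.name}/{svc}: enabled with no written business justification")
            elif svc not in c.risk_accepted:
                out.append(f"{c.name}/{svc}: justified but risk not yet accepted by reviewer")
    return out


# Constructed sample manifest, not a real build.
SAMPLE_BUILD = [
    Component("os-base", 1, ["ssh"], {"ssh": "remote admin"}, {"ssh"}, "hardening guide"),
    Component("backup-agent", 2, ["backup-rpc", "snmp"], {"snmp": "monitoring"}),
    Component("timesheet-app", 3, ["https"], {"https": "user access"}, reviewed_by="review firm"),
]

if __name__ == "__main__":
    for c in sorted(SAMPLE_BUILD, key=review_priority, reverse=True):
        print(f"priority {review_priority(c)}: {c.name}")
    for f in findings(SAMPLE_BUILD):
        print("FINDING:", f)
```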
