In Case of Vulnerability, Do Not Discard Brain

I saw this while reading Bruce Schneier's blog last night and felt it entirely appropriate to the recent reaction of the security community to flaws in major pieces of software.

First, there was Dan Kaminsky's DNS flaw. EVERYBODY PANIC! Not only was the community in an uproar about how this could be the end of the Internet as we know it, but adoration of Kaminsky was rampant, with some claiming he even changed the future of internet security by being the umteenth person to practice responsible disclosure. The flaw was serious. Swift reaction by administrators was in fact necessary to stymie widespread problems. But the panic induced and irrational aspects of the response are not much different than US citizens immediately surrendering their civil liberties post-9/11 somehow thinking this would prevent another terrorist attack. The one unusual example set by Dan Kaminsky was his rational approach to a serious vulnerability. That, my friends, is what is lacking in our community today.

Case in point: the most recent Microsoft RPC vulnerability and corresponding out-of-cycle patch: MS08-067. Should we be concerned about this? Absolutely. Does PoC code exist? Yes - and we know our Antivirus vendors won't detect it because they feel proof-of-concept code is insignificant rubbish. Oh, woe is the security analyst! Even the venerable SANS Internet Storm Center is in a tizzy:

It is expected that with the release of the update, much more of the hacker community will become aware of how to exploit this and create a major worm outbreak or botnet activity.

Look, a swift response is necessary, and for those responsible for software patching this is most certainly an all-hands-on-deck scenario. I maintain, though, that this is mostly a concern for home users. In light of the Nimdas, Code Reds, Slammers, and Blasters of the past, companies have built and honed their software patching infrastructure - especially with respect to Microsoft products. And once our Anti-Virus masters deem the proof-of-concept code "in the wild", when their job becomes easy, I'm sure we'll get detection for our AV products. Distribution of virus definitions is also a mostly-solved problem for the enterprise. The only folks who need to worry are those who work in environments where management has decided that these infrastructure components are not important, and therefore problems still exist despite a litany of products available to address them... and Mom and Dad, of course.

The security community needs to make sure the appropriate urgency is communicated to individuals responsible for infrastructure components, and keep their ear to the ground, but this is not a time for panic. Panic leads to irrational decision-making like slamming out patches without adequate testing on mission-critical systems, and reduced focus on sophisticated adversaries in favor of these more broad issues which, in the end, will most likely have a smaller impact in terms of net loss if handled with grace.

In case of vulnerability, do not discard brain.


Antivirus is failing; long live antivirus

From the most recent SANS Newsbites:

--Security Suite Vendors Question Secunia Study
(October 15, 2008)
Makers of antivirus products and security suites are calling into question the validity of a recent study from Secunia. The study tested a dozen security suites against "300 exploits targeting vulnerabilities in various high-end, high-profile programs" and found the highest scoring suite caught just 64 of the 300 exploits. Some of the companies whose products were tested say that just one aspect of their products was examined. Others whose products were not included called the study a publicity stunt.
[Editor's Note (Skoudis): Designing a thorough and fair test regimen is quite difficult, and running the suite of tests against increasingly complex products is very time consuming and expensive. Matt Carpenter and I did this in 2007 for seven endpoint security products, and it consumed two months of our time. Whenever you see a test report of security products, make sure you look carefully at the description of the test methodology and testbed to determine what they measured and how. No test suite is perfect, but some better reflect operational environments than others.]

I took a look at Secunia's test methodology. They cover a broad range of exploits used by sophisticated adversaries in modern highly-targeted attacks. Their results for particular malicious files & attack types I've seen reflect my own experiences at a large enterprise CIRT, defending against highly-targeted attacks designed for the explicit purpose of compromising proprietary information. Not surprisingly, their resulting detection rate reflects my experiences as well. While the proportions used by Secunia may not have fairly reflected the universe of malware that's "in the wild" today, I don't care. There's no point in comparing detection rates for Blaster, Slammer, and other previously-solved problems. What I care about are the serious threats; the Malware that's being used against carefully-selected targets, that's working. The malware that only has to change by less than 5% (as measured by fuzzy hashing ala ssdeep) to evade detection by leading vendors. That's where the adversaries' foci is today, it's where we need anti-virus the most, and it's where anti-virus is failing us. Naturally, their conclusion is spot-on:

These results clearly show that the major security vendors do not focus on vulnerabilities. Instead, they have a much more traditional approach, which leaves their customers exposed to new malware exploiting vulnerabilities.

Kudos to Secunia for standing up to the industry.

Most of the anti-virus vendors are fighting hard to maintain a status quo which no longer reflects reality. If you'll recall, they lashed out against Skoudis and Carpenter when their tests led to similar conclusions about the state of the AV industry almost exactly a year ago. They're better off putting their resources into product engineering to address 21st century threats, than marketing and PR.


Airplane ephiphanies

I have the strangest epiphanies on airplanes. And I fly a lot for work. The convergence of these realities means I have many strange epiphanies that I need to sort through and figure out which are worthy of a second thought and which aren't. I wish I knew why - it must be something about the combination of the effects of altitude, boredom, the random musings of my iPod's "shuffle" feature, and the occasional overpriced adult beverage. But I digress...

My iPod randomly happened across Stevie Wonder's Sir Duke this evening, which naturally made me reminisce about how much I used to love his music. I went on to listen to his many other brilliant recordings I had. I then browsed around and found my purchase of Michael Jackson's Thriller, on the recent 25th anniversary of the release of the best-selling album of all time. I thought to myself how much I loved both of these artists back in the 80's, only to forsake them for nearly a decade as uncool or otherwise irrelevant to contemporary rock. Oh how I would've lamented my future had 21-year-old me seen 30-year-old me lip-singing Part-Time Lover with the zeal of a teenager on a flight to Las Vegas. But today I look at these artists, and their work, with a sense of greater perspective. Yes, there are cheesey elements to these songs that often relegate them to the bowels of dentists' offices, but the important components that made them great in the first place - the groove, the feel, that were all fresh and new then and now serve as the basis for so many other hit songs - those elements are still there and worthy of study. Listening again, I could only shake my head that I had ever thought that these important components had been overlooked by myself or others, and feel guilty for having let such a obviously timeless elements be forgotten, even if temporarily. But yet they were, and now the same thing is happening to music produced in the 90's.

Where could I possibly be going with this? On the eve of delivering a presentation that will call the classic incident response model 'irrelevant,' I see similar veins of amnesia in the security community. We started off with email viruses, and "evolved" to large-scale worms with the dawn of the new millennium. In 2003, if you had asked any one of us about a Word document with a macro that drops code, we would've laughed in your face at your ignorance and failure to evolve with the rest of the world. Yet that very mechanism is how malicious code is being delivered today, with adversaries exploiting the KISS principle like we never would've guessed. Email attachments that compromise systems - what could be more elegantly simple? The bad guys remember how Stevie Wonder's groove totally drove Superstition, or how the unique combination of rhythm and tambre absolutely set Michael Jackson's hits a whole level above anything else at the time. They know how to take these key elements and build new art with them. I've seen Macro viruses incredibly effective as recently as 2007, when married with highly-effective social engineering that convinces users to bypass mechanisms there to protect them from that very danger.

Today, many scoff at the Blaster and Slammer worms of 2001-2003 as bygones of a past era. They are no longer the key focus of our adversaries, and we must evolve along with them (make no mistake about it - the bad guys, not the good guys, drive this industry). But in our haste to move forward, we must remember the elemental components, the groove, of the internet worms of the past, or we'll be destined to suffer from them again.


Fostering the Multidisciplinary Analyst

In my years in information security, I've come to appreciate my liberal-arts undergraduate degree in ways I never thought I would. This has driven me to increasingly read up on ostensibly unrelated subjects in science and engineering. At the very least, it has been interesting. And at times, it has lent insight into new ways of solving problems that I otherwise would not have likely thought of. It's been this drive to broaden my technical horizons that has made me a huge fan of Scientific American over the past year. I've become an avid reader. If you don't have your own source of broader knowledge, I would encourage you strongly to find one. It has been the catalyst that has allowed me to take my career to that always-desired "next level."

On a related note, I have two specific recommendations. In the most recent SciAm (Vol 299, Num 4) Perspectives, editor Matt Collins writes Questions for Would-be Presidents. If you're planning on voting in the US this fall, which any responsible citizen should, this will be an interesting one-page read for you. Make no mistake about it, while issues of science are rarely if ever discussed in national media, the questions Matt poses are the type that will drive the country's innovation and inevitably determine our place the globe 10, 20, and 50 years from now.

The second recommendation I have is the entire Vol 299, Num 3. The featured articles in this issue focus on the area of security and privacy, and include the best single article on encryption I've ever read, How to Keep Secrets Safe, by Anna Lysyanskaya. I'm quoting liberally from it in a revision of an encryption class I teach at the company I work for, and I'm certain that anyone finding this blog of interest will enjoy it.


Ex-Tip registered on Sourceforge

I've (finally) registered version 0.1 of Ex-Tip on Sourceforge. Naturally, if you have any questions or would like to contribute, by all means contact me. I'm also accepting any modules you may develop that work well with the framework.

Also, I'd like to thank SANS fellow Rob Lee for inviting me to contribute to the SANS Forensics blog. He and the current contributors have a good thing going here, and I look forward to contributing. Naturally, I will continue to write here as well.