Vulnerability/Patch Management
A case of fictional disclosure
So it's all a joke. HA HA, friggin' HA. What am I talking about? The Toorcon presentation by two "kids" that purported to have found a 0-day exploit that allowed remote code execution in Firefox. The PC World coverage is here.
This is bad. They both should be drawn and quartered. In a public square preferably. The guy that works for Six Apart should be fired. This is a nightmare for his employer. The spin-meisters will be cleaning up this turd for weeks, as opposed to doing their job.
But Six Apart seems to be coming to the guy's defense, based on this quote:
"To hear Six Apart spokesperson Jane Anderson tell it, the Toorcon presentation was a joke invented by two kids barely out of their teens who didn't understand the ramifications of their actions."
Bad move. I'm not trying to be harsh or insensitive. But these fellows need to be made examples of. If Six Apart tolerates this behavior, why wouldn't other vendors? No thank you. Take decisive action. Nip this in the bud. Send them out of the airlock.
We are having enough trouble with responsible disclosure given the behavior of vendors like Apple. So now I'm coining a new term to describe this "fictional disclosure."
I'm a big fan of "so what?" So here's what: Every hacker presentation at good conferences like Black Hat and Defcon will now be suspect. Part of responsible disclosure is that the real exploits are NOT used and published at these conferences. But who is going to know if the attacks are real?
So now we face a two-step process. Cool stuff will be presented at Black Hat, and a couple of weeks later we'll figure out whether it's real or not. It's sad and innocent people are going to get hurt because vendors that are just looking for excuses to ignore holes in their software you can drive a truck through will now have another reason to do nothing.
And that these guys are young is no excuse. Kids go to jail for doing stupid things. I'm pretty sure these guys are over 18. That makes them responsible for their actions. And take responsibility they should. Be contrite. Show remorse. And get ready for your new careers as freelancers.
NetworkWorld Column: The Patch Robbers
In this week's NetworkWorld column, I address how some folks are starting to game Microsoft's patching process. The inspiration for this story was George Ou's post here, but it also gave me an opportunity to revisit the 3rd party patching concept and also give some thought to what Microsoft can do to deal with the situation.
Check it out: http://www.networkworld.com/columnists/2006/073106rothman.html
EAC Blog: The dichotomy of Microsoft's advance notification
The folks at TechTarget were kind enough to let me republish my posts at the Expert Answer Center here. This post first appeared on July 7. Link here.
On my Security Incite blog, I've made no bones about how sick I am of Patch Tuesday (here and here). Thankfully the preamble to July's festivities happens during a holiday week, so many of the beat reporters that need this stuff for content are MIA. That's a good thing in my book. But it got me thinking, why does Microsoft pre-announce what they are going to fix anyway?
I checked out Microsoft's web site and saw the following explanation:
As part of the monthly security bulletin release cycle, Microsoft provides advance notification to our customers on the number of new security updates being released, the products affected, the aggregate maximum severity and information about detection tools relevant to the update. This is intended to help our customers plan for the deployment of these security updates more effectively.
The cynical and devious bastard in me thinks Microsoft is opening holes by pointing out exposures that folks may not have known about. So now the bad guys have roughly six days to get an exploit out there and do some damage.
It's kind of like a bank saying, "We're fortifying the sub-basement under our vault next Tuesday." If you are a bank robber, you know your timetable and where the exposure is. Of course, there is still a lot of work to get in, but you've got a lot more information than you did before. You probably assumed the sub-basement was already fortified, no?
Alas, I also see the other point of view, which is that enterprises (both small and large) need to plan. If Microsoft drops a bomb on Tuesday with a very high profile patch that requires immediate attention, administrators get really pissed. They like to know exactly what is happening and why, even though many of them use automated patching products to "set it and forget it" once it's QA'd by the patch vendor.
The conclusion I come to is that Microsoft is dealing in numbers that mere mortals could only dream about. When they patch something it goes out in volumes of HUNDREDS of millions, not like 10 or 15 or even 1000. They've homed in on a patching process that is far from perfect, but works pretty well over a long period of time. To my knowledge, no one has taken a pre-announced patch and exploited it in the window of opportunity. So they have their bases covered.
There is also a halo effect with most customers about coming clean with issues. Everyone knows that every piece of software has vulnerabilities. Sure Microsoft's software has a lot (relatively more than others), but they acknowledge it and are moving to fix the systemic root causes of the problems.
One man's opinion is that Oracle and Apple should communicate a bit more about things they find. Apple just fixes things, but their software makes the updates relatively transparent and their lack of presence in the data center makes this a non-issue for most enterprises. Oracle, on the other hand, patches once a quarter and doesn't even get to everything. So it's hard to point to Microsoft as a security innovator, but they are eons ahead of the other folks relative to patching problems they created.
Inciting: CORE Security Webcast 5/10
I'll be the featured speaker at a webcast, sponsored by CORE Security next Wednesday at 1 PM EST. Sign up here. Here is the description:
Webcast: The Art of Penetration Testing: How to Figure Out What's Really at Risk
Overview: With new security attacks being unleashed every day, it's tough to know which ones threaten your business the most. Vulnerability scanning can reveal the sheer number of exposure points, but it doesn't help you pinpoint where your key risks actually lie.
Join analyst Mike Rothman of Security Incite to learn about the evolution of vulnerability management systems and to find out how and when you should use automated penetration testing to supplement your existing vulnerability management processes.
Hosted by moderator James Hilliard and sponsored by Core Security, this live TechRepublic Webcast will address these important questions and more:
- How does penetration testing differ from vulnerability scanning?
- Is one annual penetration test enough?
- What tools are available to automate penetration testing?
- Will these automated tools take down the entire network?
If you've been spending a lot of time addressing vulnerability issues but aren't sure your efforts are making any difference, this TechRepublic Webcast is for you. Join us to get expert advice on how to make penetration testing work better for you. Pre-register today!
Hope you'll attend. I'll keep it lively. I promise!
Third Party Patching - It's PR, not a market
I just read a blog post by Larry Greenemeier that set me off (http://www.informationweek.com/blog/main/archives/2006/03/microsoft_secur.html) in that he wonders aloud whether there is actually a market for 3rd party patches. Some European dude and now eEye have gotten a lot of PR because they issued patches and now this is a market.
WRONG! This is not a market, this is a PR exercise. I'm sure the researchers have the best intentions for why they are issuing these patches. They probably even believe they are helping out the community, and maybe they are. But let's be clear on this one, this is a way for each organization to increase their visibility with the express goal of selling more of their product.
eEye does not invest in their own research group because they are trying to help the community. That may be a fortunate byproduct, but the real reason is that it increases their visibility and enhances their credibility in the security circles that buy their product. IT IS PUBLIC RELATIONS.
But the question still remains whether there is a business there. I say a resounding no. Why? Because over the past 5 years that Microsoft has been serious about their patching process, this is only the 2nd situation in which they've been dreadfully late and caused others to take action. And dreadfully late is a matter of opinion. If eEye didn't issue the patch, would this be as big a deal?
Maybe I'm being naive and the world really has changed because folks are using these exploits to create zombies that can then be monetized later. So, if the patch is wildly successful we'll still have another 150,000 new zombies today. I guess that's better than 250,000, but how much better?
Also, how long do you think that each product is applicable for? The answer is until Microsoft fixes the problem. What, a week or two? You can't build a business on waiting for Microsoft to screw up and then issuing a patch until they get their act together. Maybe you can build a hobby, but definitely not a business.
As I mentioned in the 3rd party patching perspectives blog post (here), defense in depth helps insulate you against one exploit that Microsoft hasn't fixed yet. I must admit that all this 3rd party patching stuff is starting to annoy me. I hope Microsoft rolls something next week (not waiting until the 11th) and shuts everybody up.
Then we can finally get back to sharing our angst about data privacy and xenophobia. It is angst that makes the world go around after all.
3rd Party Patch Perspectives
Did you like the alliteration I used in the title? Kidding aside, Microsoft is again being called to the carpet about how long it's taking to release patches, especially when exploit code is in use in the wild. That's a good thing, but the question remains whether using a 3rd party patch makes sense.
Alan Shimel brings up the discussion (here), but doesn't really draw any conclusions besides that we'll see more of this. Thank you, Captain Obvious. Thankfully a guy like Alan can take a little ribbing. Martin McKeay (here) follows Alan's ideas and provides his opinion on the matter, which is that he'd rather trust Microsoft and wait.
My opinion is that Martin is both right and wrong. My driver ed teacher told me, "You may be right, but you'll still be dead." So staying true to something (like waiting for Microsoft) is all well and good until your network is down because the outbreak hit you hard. The problem is you never know when your number is up, so you need to evaluate on a case by case basis. I suspect waiting for the official patch will be the right answer 95% of the time.
Both Alan and Martin rightfully point out the risk of downloading something nasty if dealing with a third party patch from an unknown quantity. It would be a bad day when your 3rd party patch creates more problems than the risk of the exploit.
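The "downloading something nasty" risk is the one part of this you can actually check before a third-party patch touches a machine. The script below is an added example, not code from the original post or from any of the vendors mentioned: it refuses to proceed unless the file carries a valid Authenticode signature from the certificate you expected and its SHA-256 matches the value the publisher put in their advisory. The file path, certificate thumbprint and hash are placeholders you would replace with the publisher's published values; it assumes a current Windows PowerShell (Get-FileHash needs PowerShell 4 or later).

```powershell
# Added example: gate deployment of a third-party patch on signature and hash checks.
# All three values below are placeholders; take the real ones from the publisher's
# advisory and the certificate they publish, never from the download page alone.
param(
    [string]$PatchPath          = 'C:\Temp\thirdparty-patch.msi',        # placeholder path
    [string]$ExpectedThumbprint = 'PLACEHOLDER_CERT_THUMBPRINT',         # publisher's signing cert
    [string]$ExpectedSha256     = 'PLACEHOLDER_SHA256'                   # hash from the advisory
)

if (-not (Test-Path -Path $PatchPath)) {
    throw "Patch file not found: $PatchPath"
}

# 1. The file must be signed, and the signature chain must validate on this machine.
$sig = Get-AuthenticodeSignature -FilePath $PatchPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'; refusing to deploy $PatchPath"
}

# 2. Any valid signature is not enough: it must be the publisher's own certificate.
$actualThumbprint = $sig.SignerCertificate.Thumbprint
if ($actualThumbprint -ne $ExpectedThumbprint) {
    throw "Signed by unexpected certificate $actualThumbprint (subject: $($sig.SignerCertificate.Subject))"
}

# 3. The bytes must match what the publisher said they shipped.
$actualHash = (Get-FileHash -Path $PatchPath -Algorithm SHA256).Hash
if ($actualHash -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "SHA-256 mismatch for $PatchPath`n  got:      $actualHash`n  expected: $ExpectedSha256"
}

Write-Output "Patch passed signature and hash checks: $PatchPath"
Write-Output "  Signer: $($sig.SignerCertificate.Subject)"
Write-Output "  SHA-256: $actualHash"
```

Run it from an elevated prompt before the patch goes anywhere near your deployment tool; if any of the three checks throws, the patch stays in quarantine and the decision goes back to "wait for Microsoft" territory. The thumbprint check matters as much as the hash: a file can be validly signed by anyone who bought a code-signing certificate, so "Valid" alone tells you only that it was not tampered with after signing, not who signed it.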
Martin's real point is that he strives to have multiple defenses against attack vectors. So even if the patch takes a few days, he's protected via other means. Whether you want to call it "defense in depth," "layered security" or just plain common sense; it's exactly right.
Those of you that keep all of your eggs in one basket (even if it is a basket made of gold residing in Redmond, WA) should revisit the story of Humpty Dumpty. That one didn't end too well.
Blasting Bill Gates' RSA Keynote
Bill Gates of Microsoft kicked off the festivities at RSA yesterday with his seemingly annual keynote. At times Microsoft announces new stuff and puts other vendors on notice that the "Redmondsters" are coming for them.
The hope was that Bill Gates would say something of substance. Basically give customers hope that their lives would get better. That the "new" standards friendly Microsoft would not continue to focus on locking customers into a homogenous Windows environment. That Microsoft could evangelize a convincing and achievable security framework for how all the pieces fit together, including legacy (and non-Microsoft) platforms.
I'm sure customers were disappointed by what they saw. I know I was. I thought the keynote sucked.
OK, I said it. Bill was not on his game. The demos were simplistic and not compelling. Their strategy depends on WIDESPREAD, actually UBIQUITOUS adoption of Microsoft's technology on both client and server. Everything was based on Vista, and customers won't be able to get Vista until the end of this year. Deployment won't start in earnest until mid-07 and be sufficiently pervasive (for security to work anyway) for years after that. The really interesting stuff (like Network Access Protection - NAP) won't be available until Longhorn Server, which is mid-2007 best case.
There was also no mention of how Microsoft's stuff is supposed to work with the network. If I totally adopt Microsoft's stuff, do I get to throw out my firewalls?
Microsoft basically said customers are on their own unless they can fully adopt Vista and Longhorn Server. That's disappointing. So customers, hunker down and make sure your patch process is strong, because you'll be using it for the next 4-5 years. Don't throw out your firewalls yet.
On the positive side, NAP looked pretty cool, but it was also not clear what kind of overhead is involved in setting up access policies for the network. Microsoft's focus on Identity is also good and sorely needed. Their work to harden the Windows platform is positive, as well as upgrading development tools to be more secure.
That's good stuff, but will take years to take root. I remember a quote from Bill himself about how we overestimate the amount of progress in 2-3 years, but underestimate the progress made in a decade. That's absolutely true. But Bill must have forgotten based on another "projection" he made.
"Passwords should be gone in 3-4 years."
You figure he would have learned something from the RSA spam debacle two years ago... But I guess not. Seems that Bill's new pet project is smart cards (since the SecurID didn't work for that purpose), so he envisions a world without passwords. It's not going to happen. Not anytime soon anyway. Here are a couple of reasons why:
- Adoption timeframe - It takes customers 3-4 years to decide to upgrade to a new Microsoft operating system. Some of the technology requires new products, or at least the latest current version of Windows Server.
- Federation must happen - Sure, large companies are already working on it, but in order to move away from passwords, every company must jump on board. And there are still competing standards (WS-* and SAML 2.0); most products will support both, but the presence of both complicates things.
- Passwords are good enough - If I'm transferring a million dollars, I probably want stronger authentication. To log into my network, a password is fine. And will remain fine. Reduced sign-on can make passwords easier to deal with, but to think everything will move to a new smart card based reality is plain delusional.
Ultimately, I get that Microsoft needs to have a good reason for customers to upgrade to the new platforms (to keep growth going) and maybe trying to vilify passwords is a way to stimulate action. But I don't think so. There are places for stronger authentication and places where it's not worth the effort.
I hope John Chambers of Cisco does better tomorrow.
Cranking up the Hype Machine for "On-Demand Security"
Being out at the annual RSA show is always interesting. You try to get a feel for what is "hot" and what is actually selling. Over time, it has been amazing to track the hype and watch carefully for the signs of adoption.
Hype began in earnest a couple of weeks ago for "on-demand" security, driven by the formal announcement of Microsoft's Windows One Care and Symantec's Genesis. You can read the analysis of Genesis here. At the show, expect big thought leadership messages from the RSA keynotes, specifically VeriSign's Stratton Sclavos and ISS' Tom Noonan.
Noonan hit the circuit last week to start building up momentum for ISS' on-demand strategy. Check out eWeek to get the news. The article starts off with:
"Tom Noonan is fed up with the security industry. He's tired of seeing every new point solution touted as the savior of the Internet, and he's had it with the hodgepodge of security technologies from various vendors not working together and causing administrators more headaches than the threats they're trying to protect against."
Amen brother. That's awesome. I'm fed up too, and we are largely on the same page about too many narrowly focused products trying to solve every minor security issue. That's what "no mas box" is about and it's right. Something has to change. Best of breed is fine, as long as it fits into the existing infrastructure.
Is ISS the right company to be driving this change? They have as good a claim as any, I guess. But success will require more than fancy slides at RSA. To be clear, I have not spoken to ISS about their strategy (even though they are right down the street) and am planning to do so right after RSA. But let me give a couple of early impressions:
- ISS needs to do something - Clearly the company has seen a bit of a renaissance driven by the move to Proventia appliances. But, in order to convince folks they are a security player with longevity (as opposed to waiting for Cisco or CA to buy them out), a big story demonstrating this is critical. Of course, executing on this over time is pretty important too.
- On-demand security is nothing new - You get anti-virus updates on your machine every couple of days. Your anti-spam gateway may update signatures every 10 minutes. It seems every Tuesday you are getting patches for Windows. What is different about "on-demand?" Basically nothing. The idea of linking your asset base to a vulnerability scanner to get relevant updates is not novel (we tried to do that at TruSecure and Tenable and Sourcefire do it today). Packaging and pricing as a service is kind of novel. Moving to the razor blade model probably makes sense over time.
"But the security community has been slow to adopt the software-as-a-service model, in large part due to the concerns that many enterprises have about putting the security of their networks in the hands of outsiders."
This is actually wrong. Have companies TOTALLY outsourced their security? No, but how can you do that unless you've totally outsourced your infrastructure. But the adoption of targeted services is happening right now. Lots of folks have their ISP or outsourcer manage their firewalls and IDS devices. That is increasingly becoming the purview of the carriers and that trend will continue. And services for vulnerability scanning and email security tend to have as great (if not greater) market share than their on-prem counterparts. Check out the MSS Incite for more detail.
So, there will be lots of stuff announced this week at RSA, much of it aimed at driving hype to usher in the "on-demand" age of security. Much of this will be re-branding of the existing stuff, so we will see some innovative marketing to make the old stuff seem new. But, the short-term impact is minimal.
Yet, the idea of leveraging the "network" where it makes sense to increase security and speed reaction is right and this will happen. The question is just when. You know I'll be watching closely for when it becomes real.