From Erik's IT-Security notes

EZSecurity Bulletin for July of 2010

INTRO

My thermometer got stuck at 47.9 centigrades, most of them as a result of it breaking down. Now it shows 27.5 and it’s the coldest it has been since the morning. But who am I to complain? But enough about the weather and all the other non-IT stuff. What’s up in this part of the security landscape? Windows 2000 has now gone the way of the dodo and with it goes its old buddy Windows XP service pack 2. On the 13th of July 2010 Microsoft officially dropped support for all versions of Windows 2000 and Windows XP not running service pack 3. The most important implication is that there will be no more security patches coming out and therefore security flaws will remain unfixed.

It seems to me that those pesky zero day exploits are becoming more and more common on the Microsoft platform. The bulletin MS10-042 fixes a vulnerability in the “Help and support center” that is actively being exploited. The vulnerable help center exists as a service and a program on Windows XP and Windows 2003. The service runs under the SYSTEM security context.

Other than that I hardly think it’s worth mentioning that Adobe Acrobat has a couple of new flaws in the open as I can’t remember a month when it didn’t. Sure I’m unfair and unbalanced … as per usual.

MICROSOFT SECURITY BULLETIN SUMMARY FOR JUNE OF 2010

As per usual, Microsoft releases its security bulletins on the second Tuesday of every month. This month comes along with 4 bulletins.

 MS10-042 - Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593)
 MS10-043 - Vulnerability in Canonical Display Driver Could Allow Remote Code Execution (2032276)
 MS10-044 - Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution (982335)
 MS10-045 - Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (978212)

IT’S JUST NOT FAIR!

You may think of them as super-geniuses doing the impossible, villains bringing the Internet to its knees or heroes “sticking it to the man”. Forgive me for not being impressed, but I have never thought highly of those so-called “hackers”. I’m talking about “hackers” in the sense of “people that attack and subvert IT-systems”, not the positive term meaning “computer wizards”.

My sympathy goes to the embattled system administrators fighting an unfair fight to keep systems secure. Ok, let’s be honest. My beef is not with the people finding, documenting and communicating vulnerabilities to the world. They deserve a big collective thank-you note. I’m just tired of how the media tries to give the cyber-villains an almost godlike status. They miss quite a few things about how tilted the balance is.

Here’s my (incomplete!) top 10 list of why hacking is so unfair to us defending the networks. When I use the term “we” I refer to any organization, corporation or group of people owning an Internet presence that they’re trying to keep secure. This essay covers a general view of security problems that we all can relate to, not the state of any specific entity.

10. We can’t see them in their true form – they see us only that way

“The ultimate in disposing one's troops is to be without ascertainable shape. Then the most penetrating spies cannot pry in nor can the wise lay plans against you.” - Sun Tzu, “The art of war”

We, the defenders, have a shape and a size. So do the systems that we seek to defend. The assets we protect are most likely physical to a certain degree. Consider the cost of finding information about us: it’s relatively small. We want to be found, as we want to be seen. Hackers prefer to be anonymous and hard to trace. You do the math.

9. They’re simple – we’re complex.

“Fatal accidents never have just a single cause, they happen at the end of a whole series of errors.” - Charles Stross, “The Fuller memorandum”.

As the size of the organization grows, so does the complexity. But don’t forget that time works against us as well. We install new servers, set up support systems, install applications, add functions, add features and create our own programs and scripts. Over time many of these become obsolete or forgotten, or we may stop developing them. We may not even remember if they’re in use or who used to be responsible for their care. Complexity increases exponentially, since systems interact and all components have the potential to affect each other. Especially if we know they shouldn’t be able to: then we won’t even consider the possibility. Let me give you a list of places where vulnerabilities appear. It’s mercifully short: everywhere. However, one type of vulnerability that gets way too little attention is the misconfiguration vulnerability. But I digress.

A good hacker generates just a modest amount of information in our logs, which he then tries to remove. In a flood of legitimate activity his actions tend to vanish. Especially if he understands the concept of time (see point 5).

8. They can pull the plug – we can’t

“Beware lest you lose the substance by grasping at the shadow.” - Aesop

There’s an episode of the TV-series “NCIS” where two of the characters find out that a virus is running rampant on one of their computers. They scramble to stop it the way Hollywood always deals with this situation: by letting the characters frantically hammer the keyboard while going through various stages of panic. Finally their boss walks in and pulls the plug on the computer, solving the problem in the best possible way.

Whether this is a good idea in real life is hard to say. If you pull the plug you risk losing logged activity not yet written to disk, and you may make the hacker realize that he’s been caught. The calling card of a good hacker is not leaving one. But they may feel the need to erase all logs and evidence if there’s a risk that we’re onto them. So instead of a few “doctored” logs missing relevant data, we might end up with nothing. Or we might cut them off before we get enough information about what they’re up to and how far they have come.

Then there’s the problem of shooting ourselves in the foot by shutting down the network. We kind of need our network and our servers running in order to exist and make money, right? Hackers can drop off the network, lay low and then find a new proxy or connection to strike from.

7. Neither of us has a full overview – They don’t need one

“Every solution breeds new problems.” - One of Murphy’s laws.

Knowing the land should be our advantage. The hackers have to figure it all out, but we already know everything, right? Maybe. Hopefully. The problem is that we may have this advantage, but they don’t need it. Before a hacker strikes, he or she does some serious background information gathering … or not. We have to understand that the attacks may not target us specifically. Hackers have their reasons. Often the fact that we have a fast enough network, that people trust us and that we have computational power in the form of servers can be reason enough. Automated SQL-injection scripts scour the Internet for vulnerable web/application servers they can exploit and use to attack unsuspecting web surfers who trust them. Or we could have an attacker targeting us who actually needs to do some research about us. Either way, they only need enough information about us to find a way in.

Our security cannot be based on withholding as much information about ourselves as possible. This is “security by obscurity”. But we can use it as a way to make ourselves a tougher target and to win a bit of time. Time that is wasted unless we can also detect them.

6. Hackers have one goal

“Concentration is the secret of strength.” - Ralph Waldo Emerson

We have a lot of goals. If we’re a political organization, outreach is an important one. If we’re commercial, the bottom line is king. We also have many smaller goals, mission statements and requirements to attend to. A hacker has one or a few. We have one thing in common, though: a finite amount of resources.

5. Time is on their side

“Ability is of little account without opportunity.” - Napoleon Bonaparte

How time works for an attacker depends on their goals. A hacker that needs to get full access to a network may take over one server or a PC and then use it as a bridgehead. This allows the hacker to try to monitor network traffic or to attack other systems. He might be able to take over a PC and make it crash. After a while, when it’s back online, he can connect to it again and harvest the password hashes. It’s quite likely that an administrator has logged on to restore the PC, and thus stored his password on it. If the hacker lays low and lets some time pass between every action, he can use the time to his advantage. Any suspicious pattern drowns in the sheer amount of data being logged, and eventually the logs roll over and it gets deleted. The key is that a good hacker working to get into the network of a known target lays low and awaits opportunities. A hacker just searching for any vulnerable target on the Internet does not necessarily need to concern himself with timing at all. The good news is that time can be on our side too. It depends on whether we can detect the intrusion and keep monitoring the hacker while he works. Then time is on our side and we can gather evidence.

And another thing about time: security deteriorates over time. We cannot just stop applying patches, verifying settings, hardening baselines and monitoring traffic. And there’s no guarantee that we won’t miss one or a few systems.
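To show what “laying low and letting time pass” means for detection, here is an added example (mine, not part of the original bulletin) with constructed log lines: one failed administrator logon per night from a single source never crosses a per-day threshold, but the same threshold over a longer sliding window catches it. The log format and addresses are made up for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real data): a low-and-slow source (203.0.113.7)
# fails one administrator logon per night, mixed with legitimate user noise.
RAW_LOG = """\
2010-07-01T02:14:05 FAILED_LOGON user=administrator src=203.0.113.7
2010-07-01T09:01:12 FAILED_LOGON user=bob src=192.0.2.10
2010-07-02T02:17:40 FAILED_LOGON user=administrator src=203.0.113.7
2010-07-03T02:11:03 FAILED_LOGON user=administrator src=203.0.113.7
2010-07-03T13:45:00 FAILED_LOGON user=alice src=192.0.2.11
2010-07-04T02:20:51 FAILED_LOGON user=administrator src=203.0.113.7
2010-07-05T02:09:33 FAILED_LOGON user=administrator src=203.0.113.7
"""


def parse(raw):
    """Turn the constructed 'timestamp kind user=.. src=..' lines into tuples."""
    events = []
    for line in raw.splitlines():
        ts, kind, user, src = line.split()
        events.append((datetime.fromisoformat(ts), kind,
                       user.split("=", 1)[1], src.split("=", 1)[1]))
    return events


def sources_over_threshold(events, window_days, threshold):
    """Return the set of sources with more than `threshold` failed logons
    inside any sliding window of `window_days` days."""
    window = timedelta(days=window_days)
    by_src = {}
    for ts, kind, _user, src in events:
        if kind == "FAILED_LOGON":
            by_src.setdefault(src, []).append(ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            if end - start + 1 > threshold:
                flagged.add(src)
                break
    return flagged


EVENTS = parse(RAW_LOG)

if __name__ == "__main__":
    print("daily threshold:", sources_over_threshold(EVENTS, 1, 3))   # nothing
    print("weekly threshold:", sources_over_threshold(EVENTS, 7, 3))  # 203.0.113.7
```

The daily rule sees at most two events per window and stays quiet; only a longer retention window makes the pattern visible, which is why log retention and roll-over settings matter as much as the rule itself.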

4. We can’t strike back

"For every problem, there is one solution which is simple, neat and wrong." - Henry Louis Mencken

I admit that the legal side of IT-security is not my strong suit. But it’s all about a bit of common sense: as a white hat working for a reputable organization you really should think twice before trying to strike back or “counter-hack” the hacker. The reasons are mostly legal ones, but as you probably understand there are many bad things that could happen. What if the system the hacker uses belongs to an unsuspecting party, like a corporation or foreign government?

The correct approach to this problem must involve your incident response team. But this is out of the scope of this discussion.

3. We can’t repair the damage right away

“Haste in every business brings failure.” - Herodotus

When a hack happens, trying to sanitize the systems and get everything working again seems like a good idea. It may actually be a good idea, if you have no intention of catching the perpetrator. If you do, touching the crime scene will invalidate the evidence and probably destroy some or all of the tracks.

2. They gain reputation the same way we lose ours

“Character is like a tree and reputation its shadow. The shadow is what we think it is; the tree is the real thing.” - Abraham Lincoln

They stand to win reputation, money and “goodwill” with organizations that hire hackers to do things like this. The opposite is true for us. We risk losing reputation, money and goodwill with the people who trust us.

1. Hackers only have to find one way in – We have to close all of them.

“If an elderly but distinguished scientist says that something is possible he is almost certainly right, but if he says that it is impossible he is very probably wrong.” - Arthur C. Clarke

“As a young boy, I was taught in high school that hacking was cool.” - Kevin Mitnick

And the number one reason it’s unfair: you can prove a system vulnerable but not the opposite. Proving that something does not exist is known as “proving a negative”. It just can’t be done. Sorry.

It’s the big thing that works against us. If we could apply hard work and reshape the network with all its components into a provably invulnerable network, we could just close the door and leave the whole security problem behind. But we cannot! And of course, a hacker can get lucky and gain entrance by exploiting just one single vulnerability. Most of the time they need more than one, but you can’t prove it isn’t possible to fully own a network through one single vulnerability.

So to conclude: complexity is the killer. It comes back in all of the examples.

LINKS AND TRICKS

The official bulletins from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms10-jul.mspx

ISC Sans's monthly Microsoft-analysis is always a good read:
http://isc.sans.edu/diary.html?storyid=9166

All back-issues of this newsletter can be found here:
https://secure.ericade.net/security/index.php/SECBulletins

And on the EZSecurity blog at Tieto DF:
http://df.tieto.com/Blogs/EZSecurity/

Bruce Schneier’s excellent news letter:
http://www.schneier.com/crypto-gram.html

A collection of useful security links:
https://secure.ericade.net/security/index.php/Security_links

A good site to check for known vulnerabilities for your favorite programs:
http://secunia.com/

What's the general state of the Internet?:
http://isc.sans.org/

OWASP Sweden's email list archive:
https://lists.owasp.org/pipermail/owasp-sweden/

Recommended for you developers out there:
http://www.owasp.org/index.php/Main_Page

My own, random knowledge base:
https://secure.ericade.net/security/index.php/portal:Kb

And my blog:
http://erik.zalitis.se/

Regards
Erik Zalitis
System Specialist
CISSP
Certified Ethical Hacker
MCITP:EA
MCSE:Security 2003
MCSE:Messaging 2003
Citrix Certified Administrator for PS4.
VMware Certified Professional on VI3
ITIL Foundations
Mobile: + 46 (0)70 673 07 54