Information Security News mailing list archives

Re: Security Firm Blamed For Code Red Costs


From: InfoSec News <isn () c4i org>
Date: Mon, 13 Aug 2001 03:09:58 -0500 (CDT)

Forwarded from: Aj Effin Reznor <aj () reznor com>

"InfoSec News was known to say....."
 
http://www.newsbytes.com/news/01/168934.html

By Brian McWilliams, Newsbytes
ALISO VIEJO, CALIFORNIA, U.S.A.,
10 Aug 2001, 5:11 PM CST

The damage toll from the Code Red worm has sparked a new debate
over what security experts call "full disclosure."

Richard M. Smith, chief technology officer for the Privacy
Foundation, today criticized the company that found and publicized
the glitch in Microsoft's Internet Information Server (IIS) which
led to the creation of the malicious worm and a copy-cat.

Am thinking Mr. Smith's head has either swollen in size due to his
self-professed track record (as he posted to BugTraq at Date: Fri, 10
Aug 2001 15:32:53 -0400: "I've probably found a dozen or so security
holes in Microsoft products.  Many of these problems were reported on
BugTraq list without full disclosure.  How come so few people have
ever approached me for the full details?") or he is feeling a bit of a
deficit of attention lately, but this is fucking ridiculous.

Eeye published a detailed advisory about the new IIS flaw on June
18, the same day that Microsoft released its own bulletin and a
patch to correct the problem. In its description of the problem,
Microsoft thanked eEye for working with the company "to protect
customers."

Good to see the truth shine through (for once).

"One thing is now crystal clear with Code Red: full-disclosure
comes with one of hell of a price tag. There has to be a better
way," said Smith.

A single case example doesn't make for good modelling.  Mr. Smith
should be well aware of this.

I am posting this to ISN as I wasn't able to get in on the BugTraq
thread before Aleph1 killed it off.  I know that the more technical
minds on this list will yawn over my rantings, but I know there are
many here who are openly not the most proficient people in the world,
and while the article points a good defense to eEye, I really am
rather pissed at Mr. Smith's allegations.  His way or the highway?  
Bah!

The following is an email I sent early today to journo at the Register
UK.  The article, while being well written, I felt was off base on the
attacks on eEye.

The article was posted to ISN, it's located at
http://www.theregister.co.uk/content/55/20908.html This mail relates
more to the Reg's article than the issues Mr. Smith brings up (worm
hype as marketing vs.  "it's their fault").

My mail (in part) to the author:

[begin]

Thomas,

Regarding your article located at:
http://www.theregister.co.uk/content/55/20908.html

I have always enjoyed the reporting that The Register UK has to offer,
by far superior to the piddly OC Register that I have local to me.  
Beyond the local cage-liner, the Reg/UK's tongue in cheek humour and
dry wit has always appealed to me, I find myself often possessing
similar qualities, much to the dismay of coworkers and superiors :)

Anyways...  I do take issue with one point that you make, that being
about Marc@eEye.

I know that line alone is going to put you on the defensive, and for
once, I am *not* out to flame the living shit out of someone just
because their views are contrary to mine (if you knew me, you'd be
shocked over this, really).

The points you make are all valid and intelligent, and I respect you
for that.  However, I do see things a bit differently than you do, and
I hope that, despite differing, possibly drastically, you can respect
my thoughts equally, or at least a close approximation of such.

eEye has multiple products other than SecureIIS, which I will assume
that you have performed some mild diligence and are aware of.  Based
off their security scanner, Retina, and the ongoing signature
development that they are constantly undergoing, "new" vulnerabilities
are found.  The .ida bug is of course one of these.

eEye has discovered multiple bugs over the last couple of years.  
This has multiple effects.  One, they have a signature in their
database which can give their product a competitive edge, which is of
course good in a free market economy such as we have here.  Be mindful
that there are bugs in existence which "the underground" (lordy, I
hate that phrase, but it's convenient enough for this correspondence)
is aware of, and security vendors and practitioners are not privy to.  
eEye may be discovering *completely* new bugs, or they may be
discovering something which the underground has known about.  Either
way, through their findings, administrators can attempt to tighten up
their systems a little more.

SecureIIS is a marvelous product both in theory, and largely in
operation.  For being first generation, the tweaks and adjustments
that it'll be getting for the next rev are really relatively minor.  
And yes, it would have protected any non-patched system from .ida
attempts.  Being the only product I know of that doesn't rely on a
signature database, and is flexible enough to handle unseen attacks is
pretty friggin cool.  Let them brag! ISS, NFR (Network Flight
Recorder), no one comes to mind with a product that can compete with
it.  I also have yet to see a filter set for any commercial firewall
(Check Point, Raptor, Gauntlet) that can block Code Reds. If there is
one that I've missed, I humbly accept correction.  But, SecureIIS is
unique and well thought out. Deal.

Microsoft admitted that eEye had been fundamental in working with them
on the bug, the exploit, and the patch development.  eEye, in a
gentleman's agreement with MS, didn't release the exploit until the
patch was prepared and available.  Hardly the maneuvering of a company
that is using the bug as a fundamental sales tool.  Yes, they've
pointed out time and time again that SecureIIS is the only product
that would prevent infection on an unpatched server.  While this may
be ego and posturing, this is also the truth.  As a company, marketing
is important, and pointing this fact out is worthwhile.

Marc and the crew at eEye are similar to myself in regards to having
at least been greyish in our hats before making the transition to
"professional".  I was speaking with a local FBI Field Agent
yesterday, and was telling him why I thought the NIPC was a joke, and
it's because, for the most part, the people that comprise it aren't
technophiles by nature.  They're textbook.  It's not in their blood,
in their heads, in their lungs.  For Marc, Ryan, Riley, and others at
eEye, for myself and for associates with whom I have collaborated on
large contracts, it is.

As such, it's frustrating for ALL of us to have to see the net
congested as fuck because a known bug, with a known and *well
documented* patch, is causing headaches for many people.

My cable modem segment at home is slammed with v2 requests.  A 10
second timeframe at any given point shows 55-70 arp requests.  Last
Saturday I was receiving 75-85.  At the same time, I was talking to an
associate in Los Angeles.  His cable segment was showing 650-800 arp
requests.  Sorry, that's unreasonable and unreal, both. The father of
the CTO for my current employer uses Time/Warner's Road Runner service,
and was down for two days while they (Road Runner) tried to figure out
what to do.

Not sure how aware you are, but the AUP (Acceptable Use Policy) one
signs when getting a cable modem specifies that you are not to run any
services from your machine.  There is no reason for all these machines
to be running IIS at all.  The fact that they are, unpatched, points
not only to user ignorance, but to how this ignorance is coddled by
Microsoft.

As I write this (~ 1:45 PM PST), my web server Code Red stats (since
Aug 01) look like this: Summary findings -- CRv1: 140 CRv2: 438

My firewall on my @home cable modem?  From 2am Saturday August 4th:
Summary findings -- CRv1: 26 CRv2: 1699

So yes, Marc rants about it.  So do I.  So do a lot of people.

(I'm nearing conclusion, hang with me a bit longer, yeah?)

As for your assertion that eEye's publicizing of this vulnerability
being somewhat responsible for the authoring of the worm....

What hole, and what publicizing led to the Melissa virus?  Fun
Love?

None, really.  As I stated earlier, the underground has tools for
holes that corporate America isn't even aware of.  Obviously, not all
of these have a specific worm written for them (some aren't even
worm-able), but at some point, someone could write a worm for one.

If eEye had found the hole, if MS had issued a patch, and if it were
done with little fanfare, some sociopathic 16 year old would be
trolling MS's site looking for patches, finding holes, and possibly
coding a worm or a virus or even a basic non-worm, manually run
exploit for said hole.  Familiar at all with FTP daemon exploits?
WU-FTP 2.4.2 ?  2.6.0 ?  Nothing like remote root-access exploits
found far before a patch was available!  This is the nature of the
net, of tech-heads, and malicious crackers.  That this .ida bug
affects the flagship web server for arguably the largest corporation
known to mankind makes it stand out a bit more than full-bore root
compromises for free, open source ftp servers which actually have a
larger install base than IIS does.

It is also worth pointing out that, unlike most crackers, among
others, when eEye does find a vulnerability, they don't release
exploit code, which also differs from the typical routine found not
only against MS but also in the open source community.  If they
*really* sought to profit from their findings, they'd release exploit
code, thereby compelling corporations to purchase an eEye product to
secure themselves against a bug written by eEye itself.  It'd almost
be akin to MS charging for security patches :)  It should be duly
noted that eEye does *not* do this.

This was played out by the media.  Ya can't blame Marc for saying to
the media what he'd say on BugTraq.  Ya can't blame the media for
listening.  Ya can't blame any company for pointing out that their
product could avoid certain types of catastrophe, either.

Why am I even bothering to write this?  I like eEye.  Retina is not
only more cost effective than competing products (notably the
"industry standard" ISS), but also works faster, and requires less
hardware to run on. When I served as a mobile consultant, finding a
laptop with enough horsepower to run ISS was either impossible to
find, or cost prohibitive.  I also like the Retina because it makes it
easy to correct registries on a large number of machines from a single
point, rather than having to touch every desktop in a large
installation.

I like the fact that they are driven through desire, not compensation,
to pursue bugs, worms, and development. I like Marc's title as Chief
Hacking Officer.  It's what he is, it's what he does.  I don't like
ISS's "X-Force".  Their constant claims that they "won't hire hackers"
is utter crap.  They do have members of the underground on staff, and
a small percentage of them don't always behave in legal manners.  Not
a company I'd want to pass my duckets off to.


I'd be interested in any reply you have, at your leisure.


[end]

So, in closing, to any journos or PHBs or other managerial types who
don't have half the clue you should, the dissemination of knowledge
isn't a bad thing.  On the net, ignorance most certainly is NOT bliss,
and I would personally like to be the first to knock half the smiles
off the ignorami out there.  If you're scratching your head right now
wondering what all the ranting is about, what "full disclosure" means,
among other things, consider resigning post haste.


-aj.
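The "Summary findings -- CRv1: ... CRv2: ..." tallies quoted in the mail above were produced by counting worm probes in web server and firewall logs. The script below is an added example for readers who want to produce the same kind of count from their own IIS logs; it is not code from the original post or from eEye. It assumes IIS W3C extended log lines with the fields date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query and sc-status, and it assumes the poster's "CRv1" and "CRv2" labels map to the original Code Red (which filled its /default.ida query with a long run of "N") and Code Red II (which used "X"), which is how most log counters of the time told them apart. The sample log lines are constructed and use a short filler run; real worm requests carried a much longer one.

```python
"""Count Code Red / Code Red II probes in IIS W3C-style log lines.

Added example, not from the original post. Assumptions (see lead-in):
  - W3C fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
  - "CRv1" = original Code Red ('N' filler), "CRv2" = Code Red II ('X' filler)
  - SAMPLE_LOG below is constructed, not captured traffic
"""
import re
from collections import Counter

# /default.ida is the Index Server ISAPI extension the .ida overflow lived in.
STEM = re.compile(r"^/default\.ida$", re.IGNORECASE)

# Worm requests put a long filler run in the query string, followed by
# %u-encoded shellcode. Original Code Red filled with 'N', Code Red II with
# 'X'. Twenty filler characters is enough to recognise a probe here; the
# shellcode tail after "%u" is deliberately not parsed.
FILLER = re.compile(r"^(N{20,}|X{20,})%u", re.IGNORECASE)

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = (
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2001-08-10 13:12:01 192.0.2.10 GET /default.ida "
    + "N" * 30 + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u00=a 200\n"
    "2001-08-10 13:12:07 198.51.100.7 GET /default.ida "
    + "X" * 30 + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u00=a 200\n"
    "2001-08-10 13:12:09 203.0.113.5 GET /index.html - 200\n"
    "2001-08-10 13:12:15 198.51.100.8 GET /default.ida "
    + "X" * 30 + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u00=a 404\n"
    "2001-08-10 13:12:20 192.0.2.11 GET /default.ida NNNN - 200\n"
)


def classify(line):
    """Return 'CRv1', 'CRv2', or None for a single log line."""
    if line.startswith("#"):
        return None            # W3C directive line, not a request
    fields = line.split()
    if len(fields) < 7:
        return None            # malformed or truncated record
    method, stem, query = fields[3], fields[4], fields[5]
    if method.upper() != "GET" or not STEM.match(stem):
        return None
    m = FILLER.match(query)
    if m is None:
        return None            # /default.ida hit without the worm's filler run
    return "CRv1" if m.group(1)[0].upper() == "N" else "CRv2"


def summarize(lines):
    """Count probes per family; both keys are always present."""
    counts = Counter({"CRv1": 0, "CRv2": 0})
    for line in lines:
        label = classify(line)
        if label:
            counts[label] += 1
    return counts


def sources(lines):
    """Map each probing client IP to the set of families it sent,
    which is what an abuse report to the source's ISP needs."""
    by_ip = {}
    for line in lines:
        label = classify(line)
        if label:
            by_ip.setdefault(line.split()[2], set()).add(label)
    return by_ip


def format_summary(counts):
    """Render counts in the same shape as the tallies quoted in the mail."""
    return "Summary findings -- CRv1: %d CRv2: %d" % (counts["CRv1"], counts["CRv2"])


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(format_summary(summarize(lines)))
    for ip, families in sorted(sources(lines).items()):
        print(ip, ",".join(sorted(families)))
```

Run against a real log by replacing SAMPLE_LOG with the file's lines; the status code is left out of the classification on purpose, since a probe that drew a 404 (the .ida mapping removed) is still a probe worth counting and reporting, just not a compromise.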




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

