[unisog] Security patches
Paul L Schmehl
pauls at utdallas.edu
Tue Aug 7 14:44:08 GMT 2001
Let me see if I can reframe this debate by leaving Microsoft out of the
equation. But before I do that, I'd like to apologize to the list. When I
wrote of the Solaris relay problems, I chose a term that was inappropriate,
and I know that I offended some readers.
What I'm trying to get at here is that there's far too much vendor blaming
going on. The reason I say this is because blaming the vendors for every
problem (and believe me, there is much to blame them for) distracts people
from the real problem - a lack of understanding of the threats that are out
there and the proper precautions one should take to avoid being a victim.
As long as we keep whining about the vendors not getting their act
together, the average person listening will assume that if the vendors
would just get their acts together, the problem of break-ins, worms, etc.
would be solved.
Yet nothing could be further from the truth. The vast majority of exploits
still depend on some sort of social engineering, and they work because the
level of security awareness is so low.
To illustrate: we have an admin (over whom we have no control) who is
responsible for two servers in a sensitive program funded by commercial
companies. Her servers are not critical to the program, but they certainly
reflect upon the credibility of the program. (The *real* critical servers
are in a locked, secured access room which requires an access card and a
key to be operated simultaneously to gain entrance. These servers aren't
even hooked up to ethernet. Their only access is physical.)
Her servers, which are used as a front end to the program (running web, ftp
and bulletin board services) have been broken into seven times. She has
configured anonymous ftp upload three separate times. She still can't
understand how someone outside UTD could possibly know that she has these
servers, much less want to break into them. She got Poisonbox, on both
servers. She got Code Red, on both servers. She keeps changing the Admin
password to blank.
Now, she is the extreme, but there are many people out there with a similar
lack of security awareness. They just find it really hard to believe that
someone would actually want to break into their computer. After all,
"there's nothing important on it".
Don't we, as security professionals, exacerbate the problem by wringing our
hands and complaining about the vendors getting their act together? What
is the impression we leave the general public with? I submit to you that
we leave them thinking that nothing can be done about it unless the vendors
fix the problems.
When we complain about not having time to do patches, how does this appear
to the average user? When 400,000 *servers* can be broken into *three
weeks* after the initial attack and almost *two full months* after a
patch is released, how does this appear to the public? I submit to you
that it leaves the impression that patching is really hard, and probably
not worth the effort. "They'll probably just find another hole tomorrow.
What's the use?"
**This** is the point I'm trying to make. If we're really serious about
security, we need to start talking about patching and stop complaining
about vendors. We need to make it as easy as possible for our users to
patch their machines.
Yes, we need to complain *to* the vendors. Yes, we need to *demand* better
programming. Yes, we need to find *somebody*, *anybody* who has a clue
what bounds checking is. But if we keep pounding on the vendor issue,
that's all the general public hears, and they think it exempts them from
worrying about security. Hey, if *we* are helpless to solve the problem
(because it's the vendors' fault), what are they supposed to do?
I hope this clarifies what I'm trying to say. I'm not exempting Microsoft
from blame by leaving them out. I'm trying to shift the focus to what I
believe is a huge problem in our industry today. If Code Red isn't a major
wake-up call, what is? How many more Code Reds do we have to go through
before we finally start getting mad at the networks that, by not patching
their servers in a timely manner, put all of us at greater risk?
Should ISPs be totally blameless? Why can't they block Code Red attacks
before they get to the naive home users? Why can't they stop SirCam at the
front door? Right now, ISPs are an open playground for crackers and script
kiddies. Is this the vendors' fault too?
Paul L. Schmehl, pauls at utdallas.edu
Supervisor, Support Services
The University of Texas at Dallas
AVIEN Founding Member