[unisog] Security patches

Paul L Schmehl pauls at utdallas.edu
Tue Aug 7 14:44:08 GMT 2001


Let me see if I can reframe this debate by leaving Microsoft out of the 
equation.  But before I do that, I'd like to apologize to the list.  When I 
wrote of the Solaris relay problems, I chose a term that was inappropriate, 
and I know that I offended some readers.

What I'm trying to get at here is that there's far too much vendor blaming 
going on.  The reason I say this is because blaming the vendors for every 
problem (and believe me, there is much to blame them for) distracts people 
from the real problem - a lack of understanding of the threats that are out 
there and the proper precautions one should take to avoid being a victim.

As long as we keep whining about the vendors not getting their act 
together, the average person listening will assume that if the vendors 
would just get their acts together, the problem of break-ins, worms, etc. 
would be solved.

Yet nothing could be further from the truth.  The vast majority of exploits 
still depend on some sort of social engineering, and they work because the 
level of security awareness is so low.

To illustrate: we have an admin (over whom we have no control) who is 
responsible for two servers in a sensitive program funded by commercial 
companies.  Her servers are not critical to the program, but they certainly 
reflect upon the credibility of the program.  (The *real* critical servers 
are in a locked, secured access room which requires an access card and a 
key to be operated simultaneously to gain entrance.  These servers aren't 
even hooked up to ethernet.  Their only access is physical.)

Her servers, which are used as a front end to the program (running web, ftp 
and bulletin board services) have been broken into seven times.  She has 
configured anonymous ftp upload three separate times.  She still can't 
understand how someone outside UTD could possibly know that she has these 
servers, much less want to break into them.  She got Poisonbox, on both 
servers.  She got Code Red, on both servers.  She keeps changing the Admin 
password to blank.

Now, she is the extreme, but there are many people out there with a similar 
lack of security awareness.  They just find it really hard to believe that 
someone would actually want to break into their computer.  After all, 
"there's nothing important on it".

Don't we, as security professionals, exacerbate the problem by wringing our 
hands and complaining about the vendors getting their act together?  What 
is the impression we leave the general public with?  I submit to you that 
we leave them thinking that nothing can be done about it unless the vendors 
fix the problems.

When we complain about not having time to do patches, how does this appear 
to the average user?  When 400,000 *servers* can be broken into *three 
weeks* after the initial attack and almost *two full months* after a 
patch is released, how does this appear to the public?  I submit to you 
that it leaves the impression that patching is really hard, and probably 
not worth the effort.  "They'll probably just find another hole tomorrow. 
What's the use?"

**This** is the point I'm trying to make.  If we're really serious about 
security, we need to start talking about patching and stop complaining 
about vendors.  We need to make it as easy as possible for our users to 
patch their machines.

Yes, we need to complain *to* the vendors.  Yes, we need to *demand* better 
programming.  Yes, we need to find *somebody*, *anybody* who has a clue 
what bounds checking is.  But if we keep pounding on the vendor issue, 
that's all the general public hears, and they think it exempts them from 
worrying about security.  Hey, if *we* are helpless to solve the problem 
(because it's the vendors' fault), what are they supposed to do?

I hope this clarifies what I'm trying to say.  I'm not exempting Microsoft 
from blame by leaving them out.  I'm trying to shift the focus to what I 
believe is a huge problem in our industry today.  If Code Red isn't a major 
wake-up call, what is?  How many more Code Reds do we have to go through 
before we finally start getting mad at the networks that, by not patching 
their servers in a timely manner, put all of us at greater risk?

Should ISPs be totally blameless?  Why can't they block Code Red attacks 
before they get to the naive home users?  Why can't they stop SirCam at the 
front door?  Right now, ISPs are an open playground for crackers and script 
kiddies.  Is this the vendors' fault too?

Paul L. Schmehl, pauls at utdallas.edu
http://www.utdallas.edu/~pauls/
Supervisor, Support Services
The University of Texas at Dallas
AVIEN Founding Member
