Computer Crime Research Center


No patches for human stupidity!

Date: January 23, 2006
Source: Computer Crime Research Center
By: Tony Bradley

Author of Counter Hack Reloaded and Malware: Fighting Malicious Code
A couple of years ago I did an interview with Ed Skoudis, Founder and Senior Security Consultant with Intelguardians, a Washington D.C. based information security consulting firm.

A lot has changed in the information security landscape in the years since that interview. Skoudis addressed some of those changes and more when he recently teamed up with Tom Liston, a Senior Analyst with Intelguardians, to write Counter Hack Reloaded, a 2nd edition of Skoudis' 2001 book Counter Hack. I managed to steal some of Skoudis' time to get his input on how things have changed and his insight on where information security is heading.

TB: What made you decide to write this updated version of Counter Hack?

ES: The world of computer security has changed an incredible amount since the original Counter Hack was published, way back in mid-2001. We've seen an avalanche of new tools and techniques released since then that have really revolutionized the attackers' abilities. For just a handful of new topics that have emerged into the attack mainstream since the original Counter Hack, consider Google hacking, the Metasploit Exploitation Framework, extremely covert channels, and the rise of spyware. Each of these new topics and more are included in Counter Hack Reloaded. The threat has also expanded, going beyond script kiddies to organized crime and terrorist groups. Attackers have ramped up their game in amazing ways. If we don't ramp up our game as defenders, we will surely lose.

TB: Two years ago you named patch management and deployment as a key area that companies needed to improve on. Have they succeeded?

ES: While the battle to keep our systems patched is hardly over, we have seen huge improvements in the speed of patch deployment in the last two years. It's been wonderful, and we need to pat ourselves on the back as an industry for this major accomplishment. Back then, it wasn't unusual to see a company that would take a month or more to get critical patches on very important machines. Today, most organizations can push a critical patch in days or even hours.

But, we're not out of the woods yet. While organizational patching has improved, the free-range consumer users are still not getting patched quickly enough, which leads to these massive bot-nets we see growing daily around us.

TB: What is the key area you feel companies need to improve on in terms of their Information Security in the next couple of years?

ES: Given that many organizations have dramatically improved the patching process, we now face an even more difficult problem: user awareness. With targeted phishing and Trojan horse attacks, an unwitting user can be duped into running an attachment, surfing to a happy-looking-but-evil website, or entering information into a form that pops up on the screen. Such attacks represent a real threat to most organizations. And the real problem here is summarized well in that wonderful T-shirt: "Because there is no patch for human stupidity" Our entire culture needs to come to terms with the risk of computer crime and how to identify and avoid its common forms. Pretty much everyone that uses computers has to learn about e-mail and website con jobs, phishing, Trojans, viruses, and other scams.

TB: Recently, it was announced that future versions of Nessus, the open source vulnerability scanner, would be commercial rather than open source. What are your thoughts on that move? Do you think open source security tools are, or can be, viable in an enterprise?

ES: That's not entirely true. While the base engine of Nessus will be closed source, it will still be free. Of course, the latest and greatest functionality will be folded into the commercial solution from Tenable for paying customers, but we'll still have a vital (and free) Nessus world for quite some time, I believe. How this world will evolve is going to be interesting. Will developers use the closed-source Nessus engine for continued development of plug-ins, or will they use a fork of the last open source Nessus engine for their future refinements? The jury is still out, but I'll bet that one of the open source forks of the engine will become dominant, while other shards of Nessus continue to percolate for years.

As for my thoughts on whether Tenable should have done this or not, that's their call, not mine.

In a free market, they have the rights to their intellectual property, and if they want to take all their marbles off the table, that's their prerogative. I do understand their frustration with the lack of contributions to the open-source engine over the years, as well as their desire to make some money for all the hard work they've done. But, at the same time, it did cause damage to the Nessus legacy, and makes it harder for us all to get quality, low-cost tools. I'd have rather seen them not go closed source in the end, but respect their freedom in doing so.

Open source security tools are viable in the enterprise. The Snort IDS, Swatch log analysis tool, Nmap port scanner, and uncountable others (to say nothing of the Linux kernel!) are used by all manner of enterprises, and will continue to be. Open source is here to stay, and enterprises have gotten increasingly used to relying on such software even in their security operations. I'm quite happy about that.

TB: In the past couple of years, there has apparently been an increasing trend from 'script-kiddie' malware to professionally developed threats developed in conjunction with organized crime. What impact do you think this has had on malware?

ES: This is the single biggest trend fueling the explosive growth in malicious code- the profit motive. You can ask anyone in law enforcement and they'll tell you: When bad guys figure out a safe, reliable, and repeatable method for making money from a given crime, we'll see a lot more of that crime. And that's what we've got with malicious code associated with spam, over-aggressive web advertising, phishing, money laundering, and identity theft. The bad guys can get rich indeed from these activities, and, if they operate overseas, the chance of going to jail is almost nil. It's really kind of sad.

But all that cash being funneled into malicious code by organized crime is forcing innovation by the bad guys, making them stealthier, more pervasive, and more targeted all at the same time.

TB: What can home Internet users do to protect themselves from such threats?

ES: Keep your system patched. No, really. Remember, I said earlier that although many organizations have done well with the patching problem, consumers haven't gotten their issues resolved yet. If you aren't a computer genius or don't have time to follow patches, use the auto-update feature of your operating system. And, when your operating system tells you that it has critical patches to install and needs to reboot to apply them, don't just think, "I'll surf a few more websites and then reboot." You could be asking for trouble if those sites are hosting evil content that can exploit your box. So, patch, and treat an unpatched system as a grave threat.

Next, get personal firewall, anti-virus, and anti-spyware software installed on your machine. There are several good tools out there, but note that you need one of each. Your personal firewall is not going to be very robust against the various kinds of viruses or spyware, so make sure you are firing on all three cylinders here.

Finally, just be suspicious. Don't trust everything that everyone says...including me. Think about what kind of cons might be manifested in the web sites you surf and the e-mail you read. In short, just be careful out there!

TB: What would you say has been the single best innovation, development or improvement in information security in the last couple of years?

ES: I think the biggest development is that Microsoft finally got serious about security. Before about 2 years ago, they treated it as an ancillary problem in a lot of ways. Then, I think the powers-that-be within Microsoft realized that security represented a significant threat to their market dominance. The slow trickle of users to Linux, Mac OS X, and other operating systems would have turned into a deluge if our industry joined the 'Blaster of the month' or the 'Sasser of the week' clubs. Some people think that Microsoft's newfound interest in security was merely hype and marketing, but I think they were legitimately scared of the evolving attacks.

But, rather than panic, Microsoft introduced some major improvements, including Windows monthly patch releases, Automatic Updates, and Windows XP SP2. With monthly patch releases from Microsoft, we can build repeatability into our patching processed. With Automatic Updates, those who trust Microsoft can turn their computer over to the vendor for patching. Sure, that's not an ideal solution, but again, it is a vast improvement over what most consumers are able to do themselves. And Windows XP SP2 makes the list, because it radically altered Windows with an infusion of security technologies, including the Security Center control panel, Data Execution Prevention, and, my favorite, severe limitations on anonymous SMB sessions. Have you noticed in the past year and a half, when a new worm or bot comes out, it tends to hit Windows 2000 the hardest, and Windows XP SP2 the least. A lot of that has to do with the restrictions on anonymous SMB sessions. Windows 2000 let unauthenticated users connect to all kinds of resources and pull information; it was really ridiculous. Microsoft has...
Add comment  Email to a Friend

Copyright © 2001-2024 Computer Crime Research Center
CCRC logo