Are editors so excited to use the headline “Vulnerability in Windows Vista” in their SEO URLs that they will have their reporters write a story on a non-issue?

IDG News has published a news report titled, “Researchers find vulnerability in Windows Vista“. The report says:

An Austrian security vendor has found a vulnerability in Windows Vista that it says could possibly allow an attacker to run unauthorized code on a PC.

The problem is rooted in the Device IO Control, which handles internal device communication. Researchers at Phion have found two different ways to cause a buffer overflow that could corrupt the memory of the operating system’s kernel.

In one of the scenarios, a person would already have to have administrative rights to the PC. In general, vulnerabilities that require that level of access somewhat undermine the risk since the attacker already has permission to use to the PC.

Somewhat undermine the risk? If you need admin rights to exercise a bug it is not a security issue since you could already run any code with whatever privilege you wanted. Microsoft is not issuing a patch, but creating a bug fix in a service pack, yet this is newsworthy? This story has no comment from anyone but the finder of the bug. Let’s see if other news outlets pick up on this one.

Computer security researchers are much like scientific researchers in several ways. We build on the research of those who come before us, we sometimes rediscover the same things independently, and other times we forget where we learned things and sometimes claim them as our own. We also occasionally take an engineer’s approach and implement research discovered by others and not credit them as it’s the implementation into a tool that matters to us.

The latest Microsoft patch MS08-68 is a great example. It is a problem with NTLM authentication where the attacker can force a client to authenticate to him and the credentials, while not exposed in cleartext, can be relayed to another server or brute forced to obtain the cleartext. This is a very classic crypto protocol vulnerability. It’s not the crypto algorithms that are the problem, but the protocol implementation.

Microsoft recently fixed the problem, perhaps due to the availability of exploit code, the availability of an easy to use Metasploit implementation, or perhaps Microsoft’s changed tolerance for vulnerabilities. We can sum it up as a change in the threat space that made it worth fixing. But make no mistake, this is a very old problem.

News reports have been citing Sir Dystic’s SMBrelay tool, which was published in March, 2001, as the first knowledge of this vulnerability. Eric Shultze who worked at MSRC in 2001 just yesterday is quoted as saying, “I have been holding my breath since 2001 for this patch.” Obviously it is a long time coming. But this wasn’t the first publication of the problem. In 2000, one of my collegues on the research team at @stake, Christien Rioux (aka Dildog) published the telnet NTLM authentication vulnerability.

Rioux’s advisory has a great description of the credential relay and cracking weaknesses. I have talked to him and he says he discovered these problems independently, but he didn’t find them first. Dominique Brezinski published exactly these NTLM vulnerabilities in the SMB protocol in 1996 in a paper titled, “A Weakness in CIFS Authentication”. The earliest reference I can find on the paper on the net is here where it is included in another paper published in 1997. Such is the ad-hoc world of independent security research of 12 years ago which still continues today.

It seems ridiculous that a field like security research, which is so important to the running of modern society is so ad-hoc. Shouldn’t we know who discovered a vulnerability? Shouldn’t all researchers and engineers know about it? More importantly if someone implements a tool that takes advantage of a vulnerability shouldn’t they credit the discoverer? Don’t get me wrong. Implementation takes a lot of work and sometimes makes all the difference in makeing people aware of a security problem. After all when I was at the L0pht our slogan was, “Making the theoretical, practical”. I still think researchers should get credit when credit is due.

The security community has gotten better at documentating our research but I still see instances of independent discovery, misplaced credit, and tools giving no credit to researchers. I hate to say it but getting a bit more academic is in order. Credit is the currency of a researcher and placing it well will reward the right people and we will all benefit.

With regard to the recent Patch Tuesday fix, there has been an issue fixed regarding NTLM Relaying, that has been around for more than eight years.

In 2000, I wrote an advisory about NTLM relaying (CVE-2000-0834). The problem turned out to be significantly larger than I originally suggested in the advisory. The attack extended to other NTLM-based authentications on other protocols and allowed general-purpose credential theft via a man-in-the-middle attack.

The SMBRelay tool was published in 2001 by Sir Dystic of Cult Of The Dead Cow, and that really took it to the next level. The protocol completely fell apart. It kicked off a number of other analyses of the NTLM protocol that finally resulted in this patch. Eight years after it’s discovery.

At least they got around to it. Thanks!

Now that the presidential race is over Newsweek is reporting that the US Government, through the FBI and Secret Service, notified the Obama and McCain campaigns that their computers had been compromised and sensitive documents copied.

…the FBI and the Secret Service came to the campaign with an ominous warning: “You have a problem way bigger than what you understand,” an agent told Obama’s team. “You have been compromised, and a serious amount of files have been loaded off your system.” The following day, Obama campaign chief David Plouffe heard from White House chief of staff Josh Bolten, to the same effect: “You have a real problem … and you have to deal with it.” The Feds told Obama’s aides in late August that the McCain campaign’s computer system had been similarly compromised.

This information demonstrates that the US government has a sophisticated intrusion detection capability. This is likely part of the NSA internet surveillance system that was made public by an AT&T technician in 2006.

It is likely that the system has a set of watch IP ranges that are sensitive from a national security perspective. The campaigns’ computers were probably on this list. The traffic between foreign IP addresses and these watch IPs is then scrutinized for espionage. The pattern of activity flagged would be Microsoft Office documents and PDFs being retrieved or other intruder signs such as an encrypted tunnel with a foreign endpoint.

This shows that the US Government has the capability to detect some types foreign attacks although they probably have to be selective of the IP ranges they monitor. It’s nice to know that if the White House computers were leaking documents to China or Russia that there is some detection capability, but the fact that this is done at the Internet backbone level means any IP could be targeted and it might not just be to look for foreign intrusions.

It’s been a long road since the early 90s when people first started public sharing of vulnerability information. Back then there were flat LANs, no network filters, and world writeable NFS mounts hanging out on the Internet. But with the spread of vulnerability information it all started to change. The first major shift in exploit targets was the move from network vulnerabilities to system vulnerabilities. As organizations got better at firewalling, using switch technology and encryption, attackers started exploiting misconfigured hosts. The major second shift to operating system code level vulnerabilities came when OS vendors started locking down their systems out of the box and users started to get better at managing security configurations. Now we are in the midst of the third major shift. OS vendors such as Microsoft and Linux have scrubbed out most of the defects in the OS code. Microsoft Windows went over a year without a remote unauthenticated “wormable” vulnerability. Attackers have moved on to applications.

No longer are OS vendors and other large infrastructure technology providers the main source of vulnerabilities. It’s the thousands of applications, produced by thousands of software vendors, that make up this huge 3rd wave. ISS reported that in 2007 that the top five sources of vulnerabilities: Microsoft, Apple, Oracle, IBM, and Cisco, had dropped to supplying us with only 13.6% of our vulnerabilities. 86.4% came from the other thousands of software vendors that supply our computers with a seemingly unending supply of vulnerabilities for attackers to exploit.

In a recent report Microsoft has congratulated itself on doing a good job securing Windows. And by all accounts they have done a good job. But then they state this:

“Unless software development practices change throughout the industry, any improvements in the security of Windows would be meaningless.”

Whoa. Millions of dollars spent on securing the most prevalent piece of software and it could be meaningless? Yes, it’s true. Since attackers typically only need one vulnerability, if it isn’t in the network, and it isn’t in the host configuration, and it isn’t in the OS, they will happily exploit a vulnerability in an application.

At every shift of exploit target the problem has gotten more difficult to solve. Networks had choke points and could be centrally managed. It took a while but eventually host configurations became centrally managed and automated tools could scan configurations. Although OSes were huge and complex beasts with 10’s of millions of lines of code, with enough effort, their vulnerabilities have been largely tamed as Microsoft’s Windows and the Linux kernel track record shows. This was a very substantial, over five year effort, which used some of the most talented security people anywhere.

But now what to do? Instead of a few OSes we now have thousands of applications with vulnerabilities. As Microsoft found out, the attackers don’t go away, they just move on to the next incrementally less juicy vulnerability. In the world of exploits that typically means the vulnerability with the next smallest target population.

Attackers have started with the common client applications that can be found on almost every machine: Acrobat, Flash, RealPlayer, Quicktime, popular antivirus software. And they will continue down the popularity slope until they get to application populations down in the thousands which is getting to fairly small software vendors. Attackers can do this because they can bundle many vulnerabilities together, exploiting the statistical fact that you must have some vulnerable software installed. Compromised web sites have been found attacking visitors with over ten client side exploits preying on multiple versions of vulnerable client software.

The solution to this problem is all software must be written securely, not just the software from the big guys. Small vendors think they aren’t a target just like home users used to think they weren’t a target. People thought, “Why would someone want to attack my home computer?” Then they realized they did home banking, or had a fast Internet connection that could be used for DDoS attacks or sending spam. All software vendors need to get the same wakeup call. Attackers don’t want to find a vulnerability in your software to make you look bad. They want any vulnerability. If the population of your software is small they will just bundle your vulnerability together with others in an exploit pack. The days of the average software vendor not having to worry about application security are officially over.

Most consumers are aware that when you close a credit card account, it’s not really closed. For “convenience” reasons, recurring subscription charges such as your cable bill will continue to be approved. You can kind of see where the credit card companies are coming from, but it’s a pretty weak argument. The cable company just needs to notify me that the credit card on file is no longer valid, and I’ll update my information. Problem solved.

But that credit card weirdness is nothing compared to the one I’m about to describe.

Before we do that, let’s take a moment to discuss the design principle of failing securely. The general idea is that if a security mechanism fails, it should fail closed. If your firewall crashes, it should block all traffic, not allow all the packets through. If the power source to your card key system is interrupted, it shouldn’t unlock all the doors. If the connection between your application server and your LDAP directory is severed, subsequent authentication requests should be rejected, not approved. This is not rocket science.

So back to credit cards. I had a conversation last night with an old friend who related a bizarre situation they had encountered during the QA process for one of their web applications. One of their tests involved repeatedly attempting a credit card transaction using a canceled/expired American Express card. Here’s what they saw in their logs, paraphrased by me:

Attempt 1: Denied
Attempt 2: Denied
Attempt 3: Denied
 .
 .
 .
Attempt 49: Denied
Attempt 50: Denied
Attempt 51: Approved

What the…? Approved? That can’t be right. So they ran the test again. Every time, after multiple consecutive rejected attempts, the transaction would inexplicably go through. The threshold wasn’t always 50, but the general pattern was consistent — keep trying and eventually it’ll work. Clearly, this had to be a bug in the code, but a deep-dive into the guts of the application turned up nothing. The application security group got American Express on the phone to see if they had any insight on this odd behavior. The answer? They didn’t concede the failure was on their end, despite log data showing the successful authorization codes.

My gut instinct would be that the application requesting the transactions wasn’t failing securely (e.g. network connection to AmEx timed out, so just approve the transaction). But that explanation wouldn’t account for authorization codes coming back.

So what in the world is going on here? Why would the system behave this way? Is it by design? I can’t think of a single legitimate use case for failing open like this. If this is actually a design decision by the credit card companies, I have no doubt that someone in our audience knows the rest of the story.

First we had the Gov. Palin Yahoo email break in to teach us the vulnerabilities of weak password reset schemes. Now we have a Joe the Plumber government records snooper teaching us about proper computer account management.

The Columbia Dispatch is reporting that a state employee with access to a “test account” has been accessing Joe the Plumber’s government records:

“We’re trying to pinpoint where it came from,” she said. The investigation could become “criminal in nature,” she said. Brindisi would not identify the account that pulled the information on Oct. 16.

Records show it was a “test account” assigned to the information technology section of the attorney general’s office, said Department of Public Safety spokesman Thomas Hunter.

Brindisi later said investigators have confirmed that Wurzelbacher’s information was not accessed within the attorney general’s office. She declined to provide details. The office’s test accounts are shared with and used by other law enforcement-related agencies, she said.

Security best practices require that test accounts be removed before a system is put into production and loaded with real data. Otherwise there is no accountability to any one individual. Shared accounts such as test accounts are frequently abused so that the snooper can get away undetected. The investigation should look at what other data has been snooped on using this test account. Perhaps this has been going on for a long time and no one noticed.

It is still likely that the perpetrator can be tracked down if he or she accessed the data from an internal system and the records application logged the IP address that connected to it. Even if the IP address doesn’t connect back to an individual’s computer and to a shared machine, the search will have been narrowed down greatly.

There is apparently a bit of fear going around information security circles that the next big trend in the disclosure wars is going to be “Partial Disclosure”. In the past, the vulnerability research community has embraced the concepts of “Full Disclosure” and/or “Non-Disclosure”. Once those concepts had been sufficiently played out, the general consensus was to move towards “Responsible Disclosure” whereby the security researcher responsibly discloses the discovered vulnerability to the vendor and works in a cooperative fashion in an effort to minimize the risk to the general user populous. This has worked well in the vast majority of cases that I have had the pleasure of managing the disclosure process.

Partial Disclosure - The Good

The responsible disclosure process tends to break down in rare occasions where the vendor doesn’t want to fix the issue. When this occurs, the researcher is put into a difficult position whereby full disclosure could put users’ systems at high risk of compromise. The other case where partial disclosure becomes an alternative is when the researcher has discovered a design flaw in a protocol or underlying multiple vendor component. Examples of this case include the DNS flaws published this past summer by Dan Kaminsky and the TCP denial of service condition discovered by Robert E. Lee and Jack Louis that is currently in the disclosure process. When the flaw affects a very large number of vendors and the actual problem is located within the underlying protocols that support the communications of the Internet as a whole, one possible solution is to follow a partial disclosure model where phasing the details to the general public can be used to encourage adoption and creation of patches throughout the enormous target audience.

Partial Disclosure - The Bad

What is driving the fear surrounding partial disclosure is the potential for abuse. When a major flaw is partially disclosed, a number of potential issues may occur. First and foremost, the further along the partial disclosure path we are, the more details will be released to the public, and the higher the probability that someone (either good or bad intentioned) will figure out the exploit and disclose the details. Second, when partially disclosing, the vendor’s hand is being forced into a situation that could speed up fixes, reduce testing, and cause ripple problems elsewhere within the infrastructure. It is difficult enough to dance the fine time line when doing responsible disclosure, but if we are escalated to the point of partial disclosure, additional fuel is added to the fire.

The Ugly

The real ugly part of partial disclosure is when we add to the equation the ability to spread fear, uncertainty, and doubt into the normal user community. It is generally well accepted that FUD can be used to drive additional revenue. If it is possible to increase the perceived magnitude of the “problem” that your product or service solves, it is possible to directly impact the demand for that product or service. That is the major fear imposed by the growing trend of partial disclosure. By releasing just enough information to trigger wide scale speculation into the flaw, it is possible to create buzz and garner media attention resulting in a lot of speculation and very little hard facts around the issue. The potential for abuse by the security industry at large is enormous.

The Fix

Some have suggested a group of security researchers be convened to vet the requirement of partial disclosure and to allow for independent peer review of any security research that requires the partial disclosure process. This suggestion leaves questions regarding who would stand on this group and who would be impartial enough to ensure that the right thing was always done regardless of profit potential. It also leaves open the opportunity for member researchers to utilize the information gathered during the vetting process to position themselves to profit from the data upon release. It might be wiser to rely on a higher level authority or government entity to manage this process and use the services of security researchers as required for subject matter expertise. While a group of this type wouldn’t ensure that all partial disclosure is appropriate, it would hopefully limit the potential for abuse and the ever present chance that people try to profit from the FUD that surrounds the current partial disclosure process.

Welcome, come on in, have a seat. There is a cold beer in the fridge, help yourself!

I may be new to the team, but I’m (reasonably) old to the game. My name is Tyler Shields and I’m the latest addition to the Veracode research team. I started at Veracode in September 2008 as a Senior Security Researcher and have been immediately thrown into the fire. Working for a fast paced, highly energetic company like Veracode, keeps you busy and challenges you every day. I plan to blog on the most interesting pieces of my work with Veracode and hope that you find it enlightening or at the very least entertaining.

In the past I have worked as the security engineer at a .com startup, as an incident response and forensics specialist for the United States Postal Service (think HUGE network), and most recently as a security consultant for @stake and Symantec. I have consulted on engagements for Fortune 500 companies, most major financial institutions, and the highest levels of the United States government. As a consultant my focus was on anything related to application security including, application penetration assessments, product security assessments, secure development lifecycle consulting, and secure application architecture engagements. I lead the @stake/Symantec Application Security Center of Excellence that was used to help guide the knowledge of the global consulting team. I also spent time as the lead for the Symantec Vulnerability Research program in which a number of interesting vulnerabilities were discovered and publicly released. In my spare time I enjoy reverse engineering and malware research. I recently completed my graduate degree in Information Security/Computer Science from James Madison University in Virginia.

So… Here’s to a new job, a new blog poster, and of course lots of fun to come.

Last week, during the OWASP AppSec 2008 Conference, the people behind the ubiquitous CISSP certification announced their latest creation — the Certified Software Security Lifecycle Professional (CSSLP). In front of a captive audience waiting for a 42″ plasma TV to be raffled, the Executive Director of (ISC)2 outlined this new certification designed to appeal to application security professionals. To his credit, Mr. Tipton stated very clearly that the CSSLP is not intended to measure one’s technical skillset. Unfortunately, it’s inevitable that employers will treat it as such.

You can read all the details on their website (except for the part about the certification not being a measure of practical skills). From what I can tell, the CSSLP is just the CISSP with different CBKs, or Common Bodies of Knowledge. As with the CISSP, they are going for broad knowledge, not depth. Starting in June 2009, you can get certified by taking a paper exam, likely a multiple choice test similar to the CISSP. Why June? Because the test isn’t even written yet — I’ve heard from several sources that they are actively soliciting their existing pool of CISSPs to help write test questions.

Ah, but what if you can’t wait that long and want to get certified right away? You’re in luck. If you act before March 31, 2009, you can get grandfathered in without even having to take the exam! That’s right, they call it the CSSLP Experience Assessment, and here are the requirements:

• Upload a resume showing three years of experience related to software security, or four years if you don’t have a college degree
• Write short essays (500 words maximum) discussing four CBKs of your choice
• Get a CISSP to vouch for you
• Pay $650

Let’s examine these requirements one at a time.

Three years of experience. (ISC)2 doesn’t provide any requirements on depth of experience, other than citing the broadly-defined CBKs. Considering they are targeting everyone from software developers to security assessors to business analysts (yes, really), chances are they are going to accept any experience that is even tangential to the SDLC or software security.

Short essays on four of the CBKs. I asked the (ISC)2 exhibitors specifically what they are looking for to satisfy this requirement, and they said the essays should be a general discussion of the CBK topic, optionally citing your personal experience in that area if you have any. This messaging is not quite aligned with the website guidance, which states that the essays should be “Accomplishment Records” which are self-reported descriptions of experience. Either way, with a maximum essay length of 500 words, it’s pretty obvious that substance is not (ISC)2’s first priority. Here’s one data point for you: I spoke to someone who has already submitted the CSSLP Experience Assessment, and he said it took about an hour to write the essays.

Get a CISSP to vouch for you. Actually this can be any (ISC)2 certified person, not just CISSPs. Contrary to what you’d expect, though, the person isn’t vouching for your skillset so much as they are confirming that the attestations on your resume are accurate.

Pay $650. You knew it was coming. After all, there is money to be made. How is it that qualifying for the CSSLP through professional experience should cost $650? If you’re taking the written exam, fair enough, (ISC)2 does incur the cost of administering and grading that exam (even though the Scantron machine is probably paid off by now). But $650 for the submitted-online Experience Assessment? If we assume that the person reading these essay submissions makes a rather generous $100k per year, then $650 accounts for roughly a day and a half. Will it really take that long to read a maximum of 2,000 words and pass judgment? Of course not. (ISC)2 wants to get as many people as possible to qualify based on “experience”, seeding the initial pool of CSSLPs and netting them $650 per head for doing next to nothing.

As Lee Kushner stated during his OWASP AppSec presentation (7 Habits of Highly Effective Career Managers), “the more people who own a cert, the less relevant it becomes.” Irrelevant — that’s exactly what the CISSP has become, and it’s exactly where the CSSLP is headed. Meanwhile, (ISC)2 will sit back and watch while you and your employers continue to fill their coffers.

In closing, let me acknowledge that this blog entry probably comes across as judgmental. I accept that. I’m not ranting against the idea of certifications, though admittedly I’m not a fan of them either. I am disappointed that (ISC)2, an organization with tremendous influence, could have created something more meaningful but chose not to. Why bother when people will just fork over the cash anyway?