A vulnerability study based on bad math; cyberwarfare is sexy; more.
Need to be able to cite some sort of explanation as to why there are
a ton of vulnerabilities out there? There's a study posted
on this blog
from IBM Internet Security Systems that provides a highly
speculative explanation as to why they believe there are 139,000+ vulnerabilities
discovered each year.
The study suggests that the vast majority of vulnerabilities are being
discovered "under contract"; the study even goes so far as to suggest
that more than three million vulnerabilities are discovered every year
by pen-testers under contract. Unfortunately, the essay does a poor job
of explaining what a vulnerability is, and strongly suggests that a Web
site of 30 pages, each containing the exact same problem, would count
as 30 vulnerabilities. Using this sort of math, it's surprising the author
didn't come up with numbers in the billions. After all, if there's a billion
Windows boxes out there, all with one common vulnerability, then that's
a billion vulnerabilities to be discovered right there!
I argue that there's a difference between a "vulnerability" to be discovered,
and an implementation flaw that leads to a point of vulnerability. If
I put a vanilla Windows XP box on the Internet with a blank administrator
password, I haven't created a new vulnerability, merely implemented a
vulnerable system. The same is true when people deploy systems with known
vulnerabilities present, such as an outdated Apache Web server with known
In the end, the question you need to ask yourself is how many new vulnerabilities
have been discovered in systems you've used since the last time you looked
at the security of your system? Or, how often do you check for new vulnerability
discoveries in your systems?
This all assumes that what you're interested in is strictly vulnerabilities.
I firmly believe that this is a myopic view -- you need to consider risk,
not just vulnerability. If there's no threat against your vulnerable system,
does its vulnerability matter? The article suggests it doesn't matter,
but I believe it makes a significant difference. It even goes so far as
to suggest that it doesn't matter how well you secure your systems; the
"professionals" will always discover vulnerabilities you haven't mitigated
against. It's hogwash FUD intended to sell professional services.
Cyberwarfare Hits Home
bewildering story at PC World about how the U.S. Department of Defense
views China's currently military status: The DoD believes that China has
military "units" who develop viruses for use in information warfare.
Well, duh! If you accept that knocking out communications capabilities
has been a part of every army since the beginning of time, is it really
"news" that viruses might be employed as part of such an effort today?
I don't think so. The article also states that China is/has developed
abilities to withstand such attacks. Um, are they saying that they use
some ICSA Labs-certified anti-virus product? Or are they suggesting they
have some way to withstand computer attacks that nobody else has thought
of yet The article is meatless in this regard.
Cyberwarfare is a sexy word these days, but could simply denote attempts
to disrupt the use of computers during war. That could take the many forms,
from knocking out communication capabilities to attempting to implant
viruses or rootkits. One would expect that all such means would be used
in a conflict ... and why not?
However, if you read the 36-page
report, you'll find scant references to China's Information Warfare
efforts and capabilities beyond the sound bite already mentioned. Further,
if you look at similar reports on other countries, it's hard to believe
you wouldn't find very similar statements.
Risky Browser Extention Updates? Maybe
has a piece on third-party browser extension vendors -- who also include
the ability to update their extensions via the browser -- that are making
updates using plain HTTP rather than HTTP over SSL. As such, it's speculated,
users may not realize the update tools are connecting to spoofed sites
to obtain the updates. This could allow a criminal to mimic the update
server and provide criminally crafted code of their choice to the updater.
Yup, it's possible but highly unlikely. The update method here serves
as an example of a problem that requires some other vulnerability to be
exploited before it can happen. To become a victim to such an attack,
your computer must use a criminally controlled DNS server or have your
own DNS cache poisoned.
With all that said, one does have to wonder why an update site wouldn't
This column was originally
published in our weekly Security Watch newsletter. To
subscribe, click here.
One Small Flaw Looms Big for This P2P
Poor design in an earlier release of their product has led developers
of DC++, a file sharing tool, to admit now that "It's difficult to impossible
to restrict this." (SecurityFocus has the story here;
DC++ has blog post of its own here.)
The network is based on a few hubs, which offer up files and millions
of clients who want to obtain those files. Earlier versions of the hub
server software allowed hub owners to identify the IP address where a
file could be found, redirecting clients in search of a file they don't
have. Sounded like a pretty good idea at the time; however, now that feature
is being abused to point millions of clients seeking a file to a totally
unrelated Web server in order to DoS it.
The story is that this is being used to extort monies from site owners.
DC++ boasts that there have been 35 million downloads of their software
so far, meaning there's a large base of client systems to enlist in your
DDoS efforts if you're a criminal.
It's unclear why they couldn't simply introduce something into the hub
server software that would prevent down-level clients from being able
to connect to them without upgrading. The upgrade would then introduce
some client code that would prevent them from communicating with the older
version hub servers. This, claims DC++, is impossible.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.