MS08-001

Am I being Chicken Little in thinking that remote kernel attacks such as one leveraging the MS08-001 vulnerability will be the next chapter in the arms race between hackers and network defenders?

Alex Wheeler, one of the two responsible for discovering and researching the vulnerability, said this: “This is a severe vulnerability across the board. I agree with Microsoft that this is critical and wormable.”

Holly Stewart of ISS said the following on the X-Force’s blog, Frequency X:

These issues are kernel-level vulnerabilities in TCP/IP and are so low in the stack that most host-based protection products would miss them. Even if you have IPS in your host product, the standard APIs that protection vendors hook into on XP and Windows 2000 do not provide protection at this low level in TCP/IP.

I usually have a good FUD radar (FUD-ar?) and it isn’t picking up anything on recent chatter on MS08-001. So far I’m hearing specifics on why this is potentially a big deal, not to mention the caliber of analysts chiming in on the subject.

This week I’ve been sending emails to vendors of our various security applications, seeking clarification on what level of protection they provide. One prominent vendor replied with the following:

Based on the information contained in the MS bulletin, we are unsure that [our HIPS product] would mitigate against an exploit targeting that vulnerability - that is why it’s not listed in that particular row [of a spreadsheet detailing protection levels].

The disclaimer in the [snip] document is because there has been no exploit testing. Just because there is an MS vulnerability does not mean an exploit will be written against it or be available.

This despite the fact that Immunity has already publicly demonstrated a successful attack method.

Now I’d like to revisit what Holly said; “These issues are kernel-level vulnerabilities in TCP/IP and are so low in the stack that most host-based protection products would miss them.” (emphasis mine)

To me this indicates a significant threat and quite possibly the beginning of a new trend in remote attacks. If I were a hacker, this one would get a lot of attention from me because 1) both XP and Vista are ripe for the picking and 2) it likely gets my code into a position where most security software can’t see or touch it. I’d worm that sucker and use it to deliver my bot and grow a big, nearly bullet-proof botnet that could be diced up and rented to the highest bidders.

Or maybe I’m wrong and the vendor has it right and this is just another MS vulnerability that will come and go. I’m still digging bomb shelters, just in case.

Chip off the old block

Last weekend, in the dentist’s waiting room, I was working on my BlackBerry when the dentist called me back to the chair. I holstered the BB and handed it to my 12-year-old daughter for safe keeping. Once holstered, it locks the keyboard, requiring a password to get back into it.

When I came back from the chair, I went to log into the BB and it said something like ‘attempt 6 out of 10, please enter the word ‘Blackberry’ to continue’. She had been trying to guess my password.

She has potential!

The Defense Protocol

Over the course of several years I’ve written a lot about network security and effective strategies. Mostly I’ve kept this blog, a sort of journal, as my own documentation. But as the popularity of blogs grew, my intentions morphed more towards a contribution to the community.

The aim of this document is to wed all of my observations on network security into a single document that, hopefully, defines the nature of network security, so that one can understand the very nature of the struggle and thus be empowered. Delusions of grandeur? Sure, why not?

Default Disadvantage

The defender of the network is at a near-constant disadvantage for various reasons. The conflict between attacker and defender is asymmetrical. The two parties don’t meet on the Internet as two opposing networks squared off for battle. Instead, the attacker uses guerrilla tactics, such as compromising one node and then using it to compromise the next, or using psy-ops (social engineering) to leverage users into aiding the attack.

The attacker ultimately chooses where, when, and how to engage. The defender, by definition, can do nothing more than wait, anticipate, and then try to fend off the attack. This requires the defender to have at least some basic knowledge of a huge range of attacks, whereas the attacker can specialize.

There is inherent chaos in the network that the defender must contend with and that, conversely, the attacker can leverage. Often many aspects of a given network are unknown to the individuals charged with its defense. For example, there is likely a wide range of system types and roles within the network, all of which must be known and understood before they can be properly defended. There are also likely to be various generations of a given operating system in use, each with its own vulnerabilities and defense requirements.

Disproportionate Costs

The cost of defense is immensely disproportionate to the cost of offense, for many reasons. For example, the knowledge requirements that must be met by the defense come at a cost: the price of training, the cost of travel to the training, and the man-hours lost while attending it. Another example is that the breadth of defensive systems adds to their cost: a HIPS infrastructure incurs licensing costs for numerous hosts, and many solutions incur yearly maintenance and/or support fees. Penetration tests and audits are also rather expensive. This is not to say that the cost of attacking is trivial, but I argue that it’s nowhere near the monetary investment required for a solid defense.

The attacker has an ethical advantage over the defender because the attacker, by definition, need not abide by ethics or morals. Defenders are rarely able to ethically initiate an attack or even ‘attack back’. The exceptions would of course be legal action (which is still hit-or-miss; the legal apparatus needs to catch up) or the case where the attacker is physically located on the network owned and operated by the defender, in which case all bets are off. Call it the Castle Law of the network.

Arms Race

Zero-day attacks are an interesting topic for debate, and I find they have an integral, necessary function in the evolution of defensive tactics. For the sake of argument, I define a zero-day attack as one for which no patch is currently available to correct the vulnerability. Because the vulnerability can’t be programmatically corrected (no patch is available), it forces other countermeasures, which often push the envelope and thus create new defensive techniques not previously needed or known by the defense. This defines the arms race between attacker and defender, and the successful defender is one who is agile and flexible in technique and able to adapt to any situation.

Based on the fluidity of the network and the constant evolution of the attack and its defense — the arms race — we can conclude that the best defense is not a product or combination of products. It’s a process: a collective knowledge, a learned behavior, and an efficient, learned method of learning. The best defense becomes the ability to adapt.

Network security is a game of chess stuck in a perpetual middlegame. Just as in chess, it’s important to know how best to lose an asset and to always learn from the loss.

Now that we know the nature of the conflict, how do we proceed?

That’s the topic for the next installment.

I’m loved

I am loved!

And to prove it, my secret admirer has some tasty malware for me. Holy shit, she’s a keeper.

Candidate matching quiz

I took the Presidential Candidate Quiz and below are my results. Keep in mind that in order to keep the quiz succinct they had to limit the options. There were many questions that I felt should have more options, like health care and immigration.

74% Rudy Giuliani
73% Mitt Romney
70% John McCain
65% Fred Thompson
64% Mike Huckabee
62% Bill Richardson
59% Tom Tancredo
55% Hillary Clinton
53% John Edwards
50% Barack Obama
48% Ron Paul
45% Chris Dodd
44% Joe Biden
37% Mike Gravel
30% Dennis Kucinich

2008 Presidential Candidate Matching Quiz