Alan Paller, Director of Research, SANS Institute
paller@sans.org
The Experts
Rohit Dhamankar Editor of the SANS Top20 and the Quarterly Updates and also of @RISK, the weekly summary of critical new vulnerabilities. Rohit oversees the vulnerability research for TippingPoint Division of 3Com, the leading intrusion prevention company that builds its rules to block attacks against vulnerabilities rather than waiting for exploits. He has an excellent understanding of how the vulnerabilities in various software packages actually work.
Ed Skoudis Author of Counter Hack and Malware and the top teacher in the US on hacker techniques and how to stop them. He and his partners are often called in to investigate break-ins in large organizations, and he is one of the most knowledgeable people on how attackers successfully penetrated large companies.
Johannes Ullrich Chief Technology Officer of the Internet Storm Center (the Internet's Early Warning System). Johannes has his finger on the pulse of the large scale attacks going on every day on the Internet and the techniques being attempted. Internet Storm Center is a first source of new trends in cyber attacks used regularly by law enforcement, intelligence, military and corporate defenders all over the world. (http://isc.sans.org/)
Marcus Sachs Director of the Internet Storm Center (the Internet's Early Warning System) and currently at SRI International supporting the Department of Homeland Security. Previously on Dick Clarke's staff in the White House responsible for the technical side of cybersecurity policy and before that, technical director in the Pentagon's Joint Task Force on Computer Network Operations. A great translator of technical security information for management consumption.
Gerhard Eschelbeck Chief Technology Officer of Qualys. Gerhard oversees a group that scans more than 2,000,000 computers for vulnerabilities, every week. He is the best source in the world on how long it takes to get vulnerabilities patched, which ones are not being patched, and how the numbers of vulnerabilities are changing. The 422 figure in the press release comes from his organization.
Jerry Dixon: Deputy Director National Cyber Security Division for the United States Computer Emergency Readiness Team (US-CERT). Previously he served as the Director of the Internal Revenue Service's Incident Response Team and in the private sector as Director of Information Security for Marriott International.
Plus experts from the British National Infrastructure Security Co-ordination Centre (NISCC) and the Canadian Cyber Incident Response Centre.
Questions you might ask and their answers:
1. What is the most important vulnerability and why?
Dhamankar: MS05-021: The exploit code is out in public. Firewalls cannot stop the attack, because the TCP port 25 needs to be open for networks using Exchange as their mail server. The attacker in typical networks can get his foothold in the DMZ which hosts web, DNS servers etc.
NISCC: Internet Explorer [because] everyone uses it. There is a flaw in the way that Internet Explorer displays URLs in the address bar. By opening a specially crafted URL an attacker can open a page that appears to be from a different domain from the current location.
Skoudis: MS05-017 is quite important because of the exploit in the wild. The rapid release of the exploit implies it's pretty easy to craft one, and that gives the attackers time to further refine it to dodge detection by IDS, IPS, and anti-virus.
Ullrich: Out of the final list, the Windows Message Queuing Service Overflow (MS05-017) is probably the most serious as it affects high value systems and an exploit is readily available.
Eschelbeck: All vulnerabilities listed in this quarterly update are most important, as they are widely existing, and exploits are circulating. They have been identified from over 400 new vulnerabilities published in Q2/2005.
Sachs: The issues concerning data backups are significant. Most users and technical administrators follow the Microsoft bulletins, but data backup utility updates are frequently overlooked.
US CERT/Dixon: Due to the number of reported incidents involving malicious software being installed on client machines through users visiting malicious websites, we are always concerned about web browsers as an attack vector. The sophistication of this attack vector, taking advantage of numerous vulnerabilities related to web browsers, will be of concern. No longer do users have to take some action, such as clicking on an email attachment, but the mere browsing to a particular website, in some instances popular websites that you would assume are safe, will cause their system to be exploited through their vulnerable web browser unless properly patched.
We are equally concerned about backups as they are relied upon by organizations to reconstitute business operations and they are critical to being prepared for disasters. US CERT continues to receive reports of systems being exploited through vulnerable backup software and encourages organizations to visit their vendor websites to patch their software.
2. Which one or ones should home users care about?
Dhamankar:
MS05-020 and MS05-025
MS05-026
RealPlayer and iTunes Vulnerabilities
Mozilla and Firefox Vulnerabilities, as many savvy home users are moving away from IE and embracing Mozilla/Firefox.
Many of these vulnerabilities can be easily exploited to install spyware, keystroke loggers etc. on home users' systems.
NISCC: Internet Explorer, because it is open to Botnet and Trojan attack leaving the home user vulnerable. Loss of control of the user's computer, which becomes open to malicious use by others.
Skoudis: The IE flaws (MS05-020 and MS05-025), because they will likely lead to more spyware and bot installation, giving the attackers control of home users' machines. iTunes users should be careful as well, making sure they patch quickly.
Ullrich: Browser exploits as a group are the biggest danger for home users (and business users as well). With our ISC sensors, we did see a marked decrease in remote scanning over the last few months (about factor of 2) indicating a shortage in vulnerable systems. Instead, attackers focus more on delivering well crafted browser exploits to end users.
Eschelbeck: The Browser- and Media player based vulnerabilities require attention from every home user, as they are targeting the typical home user applications.
Sachs: The Microsoft Internet Explorer updates should always be taken seriously, plus any issues concerning popular consumer software such as Apple's iTunes or RealNetworks' RealPlayer.
US CERT/Dixon: From the home user perspective, any vulnerability associated with web browsers should be on the forefront. Also any software that enables you to receive third party software can potentially introduce Trojans or other malicious software to your system, either intentionally or unintentionally due to vulnerabilities.
3. What are the big changes you are seeing? What's new?
Dhamankar: I certainly see a shift from attacking Windows itself vs. attacking programs that are installed on Windows systems and are widely deployed. For the past couple of years we saw a surge in Windows RPC attacks - DCOM, LSASS, Workstation etc. Examples of the new type of software being attacked are backup software, management software, licensing software. None of these were probably designed with security in mind. And, all of these can be used for widespread attacks.
NISCC: There is a move to greater use of botnets, specifically when used increasingly to install spyware and adware.
Skoudis: The release of Windows XP SP 2 with its default-on personal firewall a little less than a year ago has driven attackers (and a lot of vulnerability researchers) into looking for alternative avenues into home user systems. A hundred million Windows machines are not just waiting for packets on a whole bunch of network ports anymore, making the attackers alter their avenue of infiltration. In particular, they are finding and exploiting flaws in client tools, because a victim user inadvertently pulls malicious code into the system via items like web browsers, mail readers, newsgroup readers, and media players. We see this trend continuing in force in the latest Top 20, with the IE flaws (MS05-020 and MS05-025), the iTunes flaw, and the Outlook NNTP problem (MS05-030). It's been a pretty dramatic shift, and we're living in a different world than we were a year ago when it comes to exploit infiltration.
Ullrich: The fundamental issues are still the same. Nothing has fundamentally changed. Applications are still plagued by the same classes of bugs. Delivery methods for exploits however become more sophisticated.
Eschelbeck: One of the big trends is an increased focus on securing desktop systems. This is mostly a reflection of the general trend of growing visibility of client application vulnerabilities.
Sachs: The data backup utility issues are a new threat vector, especially for enterprise administrators.
US CERT/Dixon: Based on an analysis of reported incident patterns, we continue to see an increase of malicious software being installed on machines to incorporate them into BOTNETS. They are usually infected via users visiting malicious websites or receiving emails with links directing them to the malicious websites where the malicious software will get installed on their PCs.
4. Is a ten percent increase in the number of vulnerabilities really important?
NISCC: Yes, any increase in the number of vulnerabilities requires an equal commitment to combat the threat.
Skoudis: It's not a huge change in and of itself, but it's surely symptomatic of the fact that we haven't even started to get our arms around the problems of buggy code. Quite simply, we are deploying flaws faster than we are deploying fixes. We think we're making progress, but we are barely scratching the surface of a mountain of underlying flaws, and a 10% increase, while not dramatic, is a sign that we are moving in the wrong direction. We should be going down, not up. The number of flaws in modern systems feels almost like the proverbial iceberg. We see the one tenth above the water, embodied in items like the Top 20 list. But, there's a whole 90% (or more!) of flaws that haven't yet been discovered or disclosed, which will continue to plague us. And, we're adding more to the bottom of the iceberg with each major new release.
Ullrich: No
Eschelbeck: It underscores the need for increased attention towards systematic identification and remediation of those security vulnerabilities.
Sachs: Yes
US CERT/Dixon: It highlights that we still have a lot of work to do and that software quality assurance is a key aspect in helping combat this problem, along with taking enterprise approaches to protecting information technology assets. At the rate of new emerging software versions and products this will continue to be a problem. This is why awareness of the issues and efforts such as the SANS Top Twenty are critical to getting the word out to folks on where they need to focus their initial attention on minimizing their exposure to these vulnerabilities.
5. What should people do to protect themselves?
Dhamankar: Enterprises: Patching is a solution but sometimes does not scale well for large enterprises. A good firewall policy and an intrusion prevention system is a must to handle the ongoing attacks.
Home: Education. Don't open suspicious looking emails, don't open attachments, type your domain address yourself in a browser rather than clicking attachments. Sometimes when I see password protected zip viruses spreading rapidly, I wonder whether it's the curiosity which prompts folks to open the zip with the password supplied and then double click the file inside. Education needs to kill this kind of curiosity.
- Keeping systems and applications updated with security patches
- Using personal firewalls and antivirus
- Educating their user community
NISCC: Timely patching, AV ware and common sense. The introduction of a personal firewall coupled with the individual increasing their knowledge of the current threat and the means to combat it.
Skoudis: Patching is the best advice. Also, thorough deployment of anti-virus and anti-spyware tools, with continual (daily!) updates of signature bases is crucial.
Ullrich: Patching is probably still the best defense, in particular for home users. In addition, a firewall can provide a significant hurdle to many attacks. The real challenge is filtering of outbound connections from desktop systems. Limiting privileges assigned to users will significantly lessen the impact of vulnerabilities if exploited, and in many cases avoid exploitation.
Eschelbeck: With the increase in client application vulnerabilities, downloading content from untrusted servers and opening malicious email attachments are the major causes of compromise. Sudden unexplained behaviour (i.e. application crashes, slowdown, ...) of a person's computer could be a sign of possible compromise.
Sachs: Administrators need to have a good baseline of software and a way to audit what is currently deployed so that they can prioritize the update process; home users should have the "automatic update" feature turned on for as many software products as possible. Of course, the Internet Storm Center is a great place to learn about emerging threats and vulnerabilities.
US CERT/Dixon: Defense in depth is key to protecting organizations, including implementing a risk management program that helps prioritize where information technology teams need to focus so they can minimize their overall exposure to the many vulnerabilities that continue to be identified.
Security Awareness, patch management, security infrastructure, and monitoring of that infrastructure are all factors in insuring business continuity.
6. How can an IE or iTunes vulnerability cause a home user to be taken over? and What happens to the person's computer?
Dhamankar: When a user browses a malicious site, the webpage being displayed can be coded to exploit the flaw even without any warning. The site can then install all kinds of malicious programs on users' systems such as backdoors, Trojans, spyware, adware, keystroke loggers etc. A set of sites we have seen exploiting the IE flaws are the porn sites! In some cases, the domain the user is trying to visit may have been poisoned, and he may be directed to the attacker's domain.
NISCC: Any exploitable vulnerability can lead to the creation of backdoors on a computer, leading to data exfiltration. In addition, use of key-loggers to record data to others not entitled to the data.
Skoudis: An attacker can create a malicious website hosting content that will take over IE when someone with an unpatched browser surfs to the site. Alternatively, an attacker could create an audio file that will take over a victim machine if a user downloads it and plays it in iTunes. Either way, the attacker gets control of the victim machine, and is able to install any software of the attacker's choosing on the victim system. This control could take many forms -- the attacker could steal files from the system and hold them for ransom, use the machine to launch a packet flood against other targets, or install a keystroke logger to grab all account information typed into financial services websites. The sky is the limit for the attacker once the attacker's software is installed on the victim.
Ullrich: Either vulnerability allows the execution of arbitrary code, which will be executed with whatever privileges are assigned to the user running the application. The bad part is that frequently the user will not recognize the fact that they have been attacked. All they may see is an odd looking web page, or maybe the application will crash.
The result of such an exploit is usually a back door which will now provide the attacker with remote control to the system even after the initial vulnerability has been removed.
Eschelbeck: With the increase in client application vulnerabilities, downloading content from untrusted servers and opening malicious email attachments are the major causes of compromise. Sudden unexplained behaviour (i.e. application crashes, slowdown, ...) of a person's computer could be a sign of possible compromise.
Sachs: Internet Explorer is an integral part of Microsoft's Windows operating system, so a vulnerability in IE could be a vector for an attack coming through the web or through another application like Outlook Express. Most of today's Internet attacks are generated by groups who want to either take over a user's machine (turn it into a "zombie") or try to harvest key strokes right from the computer when the user types in a password or credit card number. Vulnerabilities in iTunes or IE could provide a way for an attacker to install a secret program that allows the attacker to take full or partial control of a victim's computer.
US CERT/Dixon: Just the act of visiting a malicious website, that the user thought was legitimate or was led to believe was legitimate, will install malicious software onto the machine that can scan your PC for financial spreadsheets, your documents, or other content and send them to sites overseas or domestically to be used for identity theft or sold on the underground. Through these Trojans, your system could also be used as a spam relay or added to BOTNETS that are used in attempts to deny service to some site on the Internet.
7. Why are the vulnerabilities in back up software so important?
Dhamankar:
Two reasons:
- The backup servers are holding important data for any enterprise. Compromising these servers may let the attacker erase all the data. I do recall seeing a Court TV show wherein a disgruntled employee just did that for a small company, bringing the company to its knees.
- The backup clients typically run on many desktop systems and the mission critical servers being backed up. An attacker can control all of these and rule an enterprise!
NISCC: Any attacker can connect remotely to an index server, thus permitting access to any machine being backed up. A malicious local user may access any partition or any files on a machine backed up through the network.
Skoudis: Because, by definition, back-up software stores huge amounts of very valuable data. If it weren't valuable data, it wouldn't be backed up. Furthermore, back-up software often runs with very high privileges, so that it can read and back-up the hard drive of the machine. Thus, exploiting it gives the attackers significant control of the target. If the attacker is a worm, that is, a self-replicating piece of malicious code infecting enormous numbers of systems, it could cause significant damage by deleting files or preventing back-ups from happening. Without back-ups, very sensitive data could be destroyed. What's more, most organizations are using the same back-up software for their production networks and their hot stand-bys, making compromise of both quite likely and undermining the hot stand-by systems' ability to be ready for a disaster. And, finally, these back-up tools are quite widely deployed in enterprise environments, very likely targets for attackers looking for sensitive information.
Ullrich: Backup software is usually deployed throughout the entire network of an organization. For some of the backup related vulnerabilities, not only the server is vulnerable, but the client is vulnerable as well. In addition, backup servers tend to hold a copy of the entire organization's most critical files. With one strike, an attacker can gain access to the entire organization's collective knowledge.
Eschelbeck: Backup software is typically at the core of critical and important data for any organization. Compromise of a backup infrastructure is equal to compromise of a complete organization.
Sachs: (repeated from number 1) The issues concerning data backups are significant. Most users and technical administrators follow the Microsoft bulletins, but data backup utility updates are frequently overlooked.
US CERT/Dixon: Backup software is relied upon to reconstitute business operations. It often has direct access to sensitive or proprietary data. If this data were to be corrupted, and the need arose to recover systems in a time of need but they were compromised, you can imagine the problems this would cause. These typically do not get as much press as other vulnerabilities but are just as critical.