A study unveiled at the Black Hat Briefings conference in Las Vegas last week paints a grim picture of network security problems.
Among the study's surprising results: Some kinds of computer security vulnerabilities--especially ones with an aggressive "exploit" (something that takes advantage of the vulnerability, such as a worm or virus)--may plague computer networks indefinitely.
"I wanted to understand how prevalent critical vulnerabilities are," said Gerhard Eschelbeck, chief technology officer of security software provider Qualys and author of the study. His first-of-its-kind research is the result of 18 months of constantly probing his customers' networks for common security problems.
The study, along with guidelines proposed by the Organization for Internet Safety (OIS) on how to report buggy and insecure software dominated the first day of the conference.
Perpetual Vulnerabilities
Thought Slammer was over? Not according to Eschelbeck's study.
In his research, the security hole that allows entry to the Microsoft SQL Slammer worm, which first appeared in January of this year (and for which a patch was available as of July 2002), was detected more than 30 times in the first week of February, then sharply declined over the following six weeks to just five detections the week of March 22nd. That sounds like good news, but since attention to the worm waned, Slammer's hole has made a comeback, with 22 vulnerable PCs detected the week of June 28. (The research did not indicate whether the scanned computers had become infected or otherwise fell victim to the security problems, only that they were in peril.)
For the Code Red worm, the rise is less dramatic, but detectable. From the end of April through the end of June, Eschelbeck's research detected a slight rise in the average number of Code Red-vulnerable computers among the networks he scanned. Code Red first made an appearance in June 2001.
Eschelbeck theorized that IT departments are partly to blame for the resurgence of some old security problems. Computer support staff store "images" of hard drives with pertinent data, drivers, and software configurations, so they can quickly restore a laptop or desktop to the company's defaults. But often, the IT department doesn't update those images to include the latest patches to the operating system or the applications. When a computer hard drive has the old image reinstalled, all the old problems come with it.
In addition, a number of home computer users didn't apply recommended security patches to their systems, so their vulnerabilities--detectable by Eschelbeck's software--remain a threat to the rest of the networked world.
After he built his scanning tool, Eschelbeck got results by keeping track of the number and type of known security problems as he scanned more than 1.5 million IP addresses. Armed with a database of 2041 different security vulnerabilities, he also created the first Top 10 Vulnerabilities List (available at: http://www.vulns.com/rv10), which updates in real time as new scan results come in. This is an ongoing project for Eschelbeck.
Computer users may test their own systems, anonymously and at no charge, using Eschelbeck's RV10 tool.
Eschelbeck's Laws of Vulnerabilities
In analyzing his research, Eschelbeck spotted patterns which helped him develop what he called his four Laws of Vulnerabilities.
Law 1: The half-life of vulnerabilities (meaning the amount of time that passes from the point a vulnerability is discovered until the number of affected computers is halved) is 30 days.
Law 2: About half of the most prevalent serious vulnerabilities change over the course of a year, but others persist. And the associated Law 3: Some security problems will remain indefinitely.
Law 4: Eighty percent of vulnerabilities have an exploit within 60 days, on average.
Don't let that 60-day figure make you complacent, though. "The underground is ramping up their efforts to build exploits because they know they have a very short window before a fix gets released," said analyst Simple Nomad of Bindview, a company that helps businesses secure their computer networks.
Bug Report Procedures Proposed, Criticized
As a result of the speed with which some hackers build exploit tools, software companies are scrambling to develop procedures to respond to people who discover and report security vulnerabilities.
One set of such procedures has just been released by OIS, a group of security companies and software makers that includes Oracle and Microsoft. The OIS Vulnerability Handling Guidelines describe a comprehensive set of "best practices" software makers should use to handle security bug reports.
The guidelines call for the maker of the software for which a security vulnerability has been detected to restrict release of full technical details of a bug to a short list of businesses, such as antivirus vendors, while a patch is being developed for the vulnerable software. Only after a period of no less than 30 days would technical details become widely available.
"We saw that releasing [full technical details of] exploits at the same time as the patch was doing more harm than good," said Chris Wysopal, director of research and development for security consulting firm @stake. The company's clients, including major corporations, "were getting owned on the first day the [security bug] exploit was getting released," he explained. Wysopal helped develop the guidelines.
Some attendees suggested that this delay in sharing information benefits some companies by increasing the value of paid security mailing lists, while harming academic research into security problems. Several others also derided the guidelines for being too optimistic, making assumptions about the motivation of people who find and report vulnerabilities, as well as their willingness to cooperate.
The guidelines remain controversial. However, the companies that participate in the OIS are not bound by them--they are merely recommendations.