While it's fairly quiet, security professionals should be out looking for bugs - before others find them.
August is here. With all those long hot lazy days. The time for summer holidays, and, for those interested in country pursuits, traditionally the start of the hunting season on the “glorious twelfth”. Cut to reality, and, of course, we are all stuck indoors waiting for well-known security researcher Dan Kaminsky to unveil the gory details about the recent DNS vulnerability. And wondering if the outcome will be a significant weakening in one of the fundamental building blocks of the internet.
Will we be able to soldier on for a few more years with the DNS that we know and love, or will it need to be replaced, perhaps by DNSSEC? Kaminsky appears to have succeeded in hunting down a flaw in the protocol as a whole, rather than just a bug in a particular implementation of DNS. And although the various vendors have issued patches, these may just buy us a bit of time before the protocol needs to be overhauled. This underscores just how much of the internet is based on trust. If you can no longer be sure that the site you're entering your personal details into, or the server to which you are sending your email is what it claims to be, the effects on the “new economy” could be chilling.
Of course, the reality will probably be that we will just soldier on with DNS, accepting the risks – in the same way we put up with that other highly trusting protocol, SMTP, which is now primarily used to deliver emails containing malware, phishing attempts or other scams from people pretending to be someone else.
But while Kaminsky enjoys his time in the spotlight, criticism has been levelled at these “bug hunters” from other quarters. There appears to be a bit of a backlash in Linux land, with recent release notes keeping quiet on vulnerabilities fixed.
Linux creator Linus Torvalds has criticised the “whole security circus”, which, in his view, focuses on the wrong aspects of the problem and “makes ‘heroes' out of security people, as if the people who just fix normal bugs aren't as important”. If you take the view that all bugs are security bugs, then maybe he has a point.
Of course, it isn't just the security researchers hunting for bugs. The bad guys are at it as well. We've had a busy few weeks doing incident response on the recent wave of SQL injection attacks – from the Danmec worm/Asprox botnet. The bad guys have put together a great toolkit for finding SQL injection vulnerabilities – far better than most of the tools security testers have at their disposal. In this case, the attacking machine tried a vast number of different methods and, if successful, executed a stored procedure that iterated through every text column in every table in the database, adding in the HTML tags to force a web browser to download a Trojan from the attackers website.
To be successful, as well as the site being vulnerable to SQL injection – through failure to validate input – the site also had to output the data directly from the database – a failure to validate output. Two cardinal sins of application developers. A quick Google search during the attack revealed tens of thousands of websites that had been compromised. Even some that proudly bore a “guaranteed secure”-type logo.
While you can make the point that it is important to distinguish between security bugs and, in particular, grade their impact in order to prioritise what to fix first, maybe hunting for bugs shouldn't be left either to the researchers or the bad guys. Whether you are a developer, and implementer, or simply in charge of security, perhaps you should be the one looking for bugs? It would be far better if you found them first, in your systems, than the security researchers or the bad guys.
So, while things are quiet this month, with everyone on holiday, maybe we should declare open season on bugs – perhaps set aside the 12th for this purpose. So, wherever you are, happy hunting.
Ian Castle, CISSP, is a senior consultant at information security consultancy ECSC