Large Exploit of MS07-004

It seems there is a widespread attack around s/w missing MS07-004

From WebSense:

"This mass injection is remarkably similar to the attack we saw earlier this month. ...  Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications"

From News.com "Javascript injection claims UN and UK government sites"

InfoSec Europe vs. RSA 2008

We just got back from a week in London to attend InfoSec Europe, the biggest computer security show in EMEA.  Much like RSA is in the States InfoSec Europe is the show of the year for security people.

The attendance at InfoSec Europe was strong, our 20x30 booth was full for 3 days straight and the show runs long hours, in short it was busy.  RSA has similar traffic but we all agreed that the crowd in the UK was much more buyer focused than the RSA crowd which was more people walking around the show floor vs. seeking products to use.  Thus I would rate InfoSec Europe as the stronger show  at least from a vendor perspective.

Its not clear what this exactly means other than the people at InfoSec were there to find solutions vs. maybe people at RSA attend to go to security training sessions and are not as much there to find products to use.

I am also finding that industry, not just the security industry, is starting to bring security into the fold much more than in the past. Its becoming part of the IT culture now, which leads to a maturing of products to meet the needs of the corporation vs. all of us ISVs trying to create the new cool thing to attract the attention of the security experts.  It is also becoming very clear that industry wants stand-alone security products instead of having security added to existing management products, security is not just milk & sugar with your tea and people are now realizing that having been burnt by making the assumption that it is.  Just as there is Web 2.0 we are now in Security 2.0 - security as a key and independent part of IT.

One other item that came out very clearly in both shows, and we talked to 1000s of people over them, is WSUS is just not cutting it.  Customers need patching beyond the basics, and the patches missed by WSUS are critical and plentiful. 

These two  shows are back to back now with just a week in between, and they are about 8 time zones apart, making it hard for companies like ours to attend both in full force but we did it and our crew did a great job.  I got the sense other vendors send separate teams as I did not see the sample people at both shows, other than us.  Next year they are moving the shows even closer which seems a bit unfair, but at the end of the day it gives us in the industry at release month to shoot for, to assure we have our latest ready to show, much like we used to do at Comdex a while back.

Cheers

Eric Schultze at RSA 2008 video

Eric talks Patch Smack at RSA video

A bit more on RSA 2008

This article in Baseline Mag notes that the security markets are mature, much like I noted in my previous entry.  They have a different take which is interesting in that they claim the maturity means we have a seat the the CEO table, which is of course something security folk have been pushing for over the years.

On part of the article that does not seem to be occurring is that the big platform companies are taking over security.  Far from it, the big platform security solutions are disasters, security is too hard to get right to make it an under-managed add-on from a large vendor.  The markets are more likely heading to the case where there are two solutions, that cooperate, one does full management and the other does great security.  Things should be shared around reporting and remediation possibly and standards like SCAP are driving that, but right now there are no signs that the security industry is being absorbed by the large system vendors (HP, IBM etc.) In fact, Microsoft continues to create security products vs. just adding security features to their management products (SCCM/MOM/SMS).

RSA show 2008

EMC's RSA security show was last week, I believe its the largest security trade show in the world.  From my perspective the show was massive based on the number of vendor booths, it was not possible to learn what each vendor did - there was just too many booths and many of the booth people were not technical so they just pointed me to their brochures (ouch). 

Vendors ranged from Microsoft and other general s/w vendors who provide security add-ons and solutions, to the traditional security vendors such as Symantec and of course us. I talked to a number of security industry veterans, some of have being in the industry for well over 10 years, I also talked with a number of large companies (ISVs) who are adding security to their current offerings - both groups are driving a very practical level of security innovation into products vs. creating new ideas.

If I had to pick one take away from the show was that all vendors were driving solid, practical, somewhat basic solutions to meet security needs vs. create new ways to do things. In the near term this is good as the industry needs such solutions, but in the longer term a lack of the more crazy innovation will start to hurt the industry.  Any industry needs new ideas to be put into it all the time, with most new ideas failing but key ones catch on and drive change. 

I recently read that Henry Ford did not work with finance people because he felt they were anti-innovation, and maybe what we are seeing occurring is heavily funded companies who at this time are looking for safe returns and large companies who need to take care of large customer bases are taking over the trade show floors, and possibly the industry which could limit innovation.

The included show photo is not a very good photo, but its the best I have.  The show floor was much larger than this picture shows. I also attached a shot of crowd waiting for the Olympic Torch which was supposed to travel very close to the RSA show, with the torch re-route I am not sure it did, I had to get back to work so I could not wait around for it...

Server 2008 patch

Coming on Patch Tuesday:  Fixes for critical vulnerabilities affecting Windows Vista and Windows Server 2008.

The most interesting thing, in fact the surprising thing to me, are the patches for both Vista and Server 2008.  I am not surprised that here are patches, but for Server 2008 its a pretty fast patch post release. 

Network Configuration

As well noted in this SearchSecurity article:

“There's a perpetual buzz around software flaws and exploits researchers disclose daily, but security experts say it often distracts IT pros from a growing and more serious problem -- networks so sloppily configured and maintained that the bad guys can drive a virtual bulldozer through them without attracting attention.”

Having systems properly configured is a tenant of good security, certainly as key as patching, AV and firewalls are when focused on securing systems from outside access.  But if a system is not properly configured and the network becomes infected by malware, these defenses become ineffective.  What good is a firewall once the malicious code is running on your network, due to an attacker gaining insider access to the network?  Basic things like easy passwords, unsecured shares, over-used administrator accounts and user rights are easy to fix and even more easy to break.  When there is a time crunch, or when someone just needs something to work, it’s convenient for users to turn off the desktop firewall to get a business critical application running, or to open the Share to everyone to distribute a report, making a software developer an admin so they can test their software – the list goes on, and it’s done by both administrators and end-users.  Of course, this is not the right thing to do from a security perspective because this is how malware finds its way onto the network, and unfortunately it happens all the time. 

GPO can help, but it lacks a double check and it’s not easy to tell if things were setup right.  Much like WSUS, GPO can help the problem, with a fair amount of effort applied by the IT staff, but it does not go far enough.  What is needed is something that automatically double checks (we all make mistakes so double checks are a good thing) and automatically enforces IT security settings in accordance with policies, which creates both a cost savings (automation equals saving money when properly done), and it gives all of us a much needed second pair of eyes.  An added plus is we can report to the C-level staff that things are being continually fixed if they fall out of compliance with company policy.  These are very practical solutions.

As technical people we all know things are continually being changed on the network, and we know exactly where on our own networks.  The problem that often arises in companies is that the boss also knows things are being continually broken, but may not know where on the network, and a lack of proper reporting can make his or her job very difficult – it’s impossible to manage what you do not know.  If automated security configuration tools that include reporting capabilities are used this will eliminate the information gap.  The boss can do his or her job, we can do our job, and our networks are secured.

As the article notes, as we start to run patching software we will soon learn that we also need to run automated security configuration software, it just makes sense.  This is something I myself have been working on in one way or another since 1983, 25 years already, and maybe soon the problem will start to be solved!