Don’t Tell Mom the World is Gonna End
Today, another vulnerability has been making the headlines, with various industry security professionals predicting apocalypse, genocide and famine along with everything in between. It first started earlier this summer, back when Dan Kaminsky, in a multi-vendor coordinated effort, told the world of his DNS vulnerability. Then came the BGP hijacking, disclosed by Tony Kapela and Alex Pilosov at Defcon. Granted, these were serious issues, and not to discredit their research, but the vulnerabilities themselves were nothing truly groundbreaking. Both DNS poisoning and BGP hijacking are literally implemented into the RFC — it was all just a matter of enumerating the various ways of doing it.
Following that came RSnake’s and Jeremiah Grossman’s browser Clickjacking bug, which, once disclosed to Adobe, Adobe took upon themselves to fix within Flash, asking both researchers to cancel their OWASP presentation at AppSec NYC 2008 last week. Today (or rather this week) it was Robert E. Lee’s and Jack Louis’ SYN Cookie DoS vulnerability, affecting almost every TCP/IP stack implementation. (Why people are even using SYN cookies is beyond my comprehension — it’s a hack and does not mitigate DoS attacks, though that’s a separate discussion on its own.) [Edit (10/02/2008 11:30): I misread the original post and it is not a vulnerability with SYN cookies. Robert was using SYN cookies as an analogy. See Outpost24’s TCP DOS Attack Explained]
The common thread between these vulnerabilities? They were all touted as super-critical vulnerabilities that could bring down the internet and pwn every being in existence. In addition, the researchers behind them opted not to disclose details of the vulnerability. What this created was an incentive, or challenge, for others to discover the vulnerability before the original researchers decided to fully disclose. It took about two weeks before Halvar figured out Dan K’s bug, and only another couple of hours for Arshan to figure out the Flash/clickjacking vulnerability.
I read a Slashdot comment earlier today which I found hysterical, poking fun at RSnake’s “Robert and Jack are smart dudes.” I know RSnake is a smart dude too, but really, at the end of the day, you’re taking our word for it. And to quote Bruce Potter, “Don’t believe anything I say.”
But seriously, I think the blogosphere is doing a disservice by hyping these vulnerabilities to no end, and researchers are doing a disservice to themselves when they disclose this way. Don’t tell the world until you’re ready. If you’re not ready, stay home. The security industry needs to stop crying wolf, because not everybody holds security to the same level of attention as we do. People are getting tired of the fear, uncertainty and doubt we spread.
Instead, let’s focus on fixing the problems and providing lessons learned so these vulnerabilities don’t crop up again. That’s what people truly want to see. If you discover a vulnerability and want to report it to the vendor, that’s great! Continue to work with the vendor until a patch has been released before going public — even to announce you have something. Just please, don’t come out and ask us to pick a hand when you know both are empty.
Syn cookies came about to mitigate DoS attacks, specifically syn floods. Systems used to burn memory keeping track of all the half-open connections. Once the half-open queue was full, no more connections could be made.
With syn-cookies, there’s no need to track half-open connections. But it does require more CPU cycles.
It’s a trade off of memory for CPU cycles. I think Rob and Jack are taking advantage of that trade off, though in their podcast they say the attacks don’t affect CPU.
Can’t wait to hear more. Love the site.
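The memory-for-CPU trade-off described in the comment above, shown as an added example (not code from the post, its commenters, or any real TCP stack): a simplified stateless SYN cookie where the server keeps no half-open state and instead packs a time counter, an MSS index and a keyed hash into the initial sequence number, then recomputes the hash on the final ACK. The bit layout, MSS table, secret and tick size are constructed for illustration.

```python
import hmac, hashlib, struct, time

# Constructed, simplified SYN cookie (illustrative; not a real stack's layout).
# The 32-bit cookie doubles as the server's ISN:
#   bits 31..27  time counter (5 bits, 64-second ticks mod 32)
#   bits 26..24  index into MSS_TABLE (3 bits)
#   bits 23..0   truncated keyed hash over the 4-tuple and the counter
MSS_TABLE = (536, 1300, 1440, 1460)
SECRET = b"constructed-demo-secret"   # would be random and rotated in practice
TICK_SECONDS = 64
MAX_AGE_TICKS = 2                      # cookie accepted for roughly two minutes

def _tick(now):
    return int(now // TICK_SECONDS) & 0x1F

def _mac(src, sport, dst, dport, tick):
    msg = struct.pack("!4sH4sHB", src, sport, dst, dport, tick)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")   # keep 24 bits

def make_cookie(src, sport, dst, dport, client_mss, now=None):
    """Server ISN for the SYN-ACK; nothing is stored per half-open connection."""
    now = time.time() if now is None else now
    tick = _tick(now)
    # Largest table entry not exceeding the MSS the client advertised
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (tick << 27) | (mss_idx << 24) | _mac(src, sport, dst, dport, tick)

def check_cookie(src, sport, dst, dport, ack, now=None):
    """Validate the client's final ACK; returns the recovered MSS, or None."""
    now = time.time() if now is None else now
    cookie = (ack - 1) & 0xFFFFFFFF        # the client acknowledges ISN + 1
    tick = cookie >> 27
    if ((_tick(now) - tick) & 0x1F) > MAX_AGE_TICKS:
        return None                        # stale cookie: refuse to rebuild state
    expected = _mac(src, sport, dst, dport, tick).to_bytes(3, "big")
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if not hmac.compare_digest(expected, got):
        return None                        # forged or altered cookie
    return MSS_TABLE[(cookie >> 24) & 7]   # the only option we can recover
```

The cost of this approach is visible in the code: one keyed hash per SYN and per ACK in place of a queue entry, and any TCP options not encoded in the cookie are lost.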
Some of the problem is how desensitized many of us are becoming to these “sky is falling” announcements and so many won’t react until the sky does fall. Of course with so much “news” in the info-space claims must be so greatly hyped for even small notice. Researchers are then put in a position to hype their work to get noticed so they can keep doing the things they love to do which the marketing department plays up even more. The majority who watch the security space to get the jump on emerging problems which will rock their infrastructure with all the gusto of a drunk hanging on a slurpy machine because they only have defenses against the hype of previous years. So they will further exaggerate and speculate because their entire security strategy is based on media opinion. Then people like you and me watch in wonder as to why this was really news in the first place only because the promoted risk hype doesn’t match the speculated reality. But it doesn’t take away the fact that it’s a pretty big problem should it become easy to exploit (script kiddie tool).
I still think Robert and Jack showed great restraint keeping this quiet for over three years while trying to figure out how it could be fixed.
“why people are even using SYN cookies is beyond my comprehension — it’s a hack and does not mitigate DoS attacks, though that’s a separate discussion on its own”
Not sure I wholeheartedly agree here. Without something like this how do you get around a SYN queue being trivially DoS’d (i.e. how do you track state without having a hard stop limit)? I’m sure you understand the semantics of how the SYN cookie works — but without it I can do something just as evil as sockstress when you remove SYN cookie functionality. The major drawbacks of the technique really only apply when the cookies are being used (i.e. when the SYN queue is full and it’s FIFOing through dropping SYN states). The bad part of it is the afterthought… It’s highly limited in its ability.
What sucks is when my boss or CTO reads these announcements. Then comes to my team asking if we should care or what we can do.
The answer is a blank look and a shrug of the shoulders because we neither know the details nor what is or can be done about it.
I really dislike this sort of “circus disclosure” crap.
Then again, maybe this is because it has already taken years to get anyone who can fix things to listen. But still, just out with the details. No more of this “the sky is falling, oh but only in some places and I’m not going to tell you where or even let you look up” nonsense.
In that case, we have a problem with vendors/business listening (big surprise there) and the rest of us sharing information enough to get more bodies behind Robert and Jack and get positive attention.
You know Marcin - we had this conversation at OWASP 08, and I have to say that I agree with you here. While I don’t necessarily think that the click-jacking issue was really a fair cop (since they *were* ready to disclose until Adobe/Microsoft stepped in) the rest of the “the sky is falling” disclosures are detrimental to our overall cause as Information Security professionals and researchers.
Crying wolf will eventually desensitize the populace (as I’ve written about in a recent paper, and repeatedly on my blog) and at some point (perhaps soon) it will become just background noise in the nasty online world everyone lives in.
Aside from that little rant, there is a much bigger problem with a lot of “offensive” research and disclosure being done and very little actual “defensive” information being provided to the people who need it most. I can’t tell you the last time I heard a solid solution to (insert issue du jour here) that didn’t come from a vendor hawking their wares. We need real, solid, and deeply researched solutions to some of the most urgent issues like web application security.
Hearing a million ways of breaking every popular technology will drive our general population into either willful ignorance (due to overload) or retreat to pen/paper from sheer terror. What we need are solutions to these plagues that individuals and companies can apply to mitigate the risks and dangers.
Well I’m glad I’m not the only one that expresses such concerns.
@ Rafal: I guess you can say I unfairly lumped clickjacking in with the rest. It’s unfortunate the media made a circus of all these vulnerabilities, as they do present interesting areas for defensive research. I was talking with RSnake a bit about this, (you may have been there), and as you know, the security industry loves shock and awe, and would rather attend the talks that show off new attacks rather than the one that shows how to fix the problems.
And I totally agree with you on offensive research. I absolutely loved Jeff Williams’ quote during the keynote, about finding such obscure vulnerabilities, we’d “make Rube Goldberg proud.”
Given that most people who are doing research were at one stage just hackers pwning things, the fact that we as an industry don’t really seem to care about defence (beyond what we need to do to bypass it) is not surprising.
Also, in my view, most security issues are trivial to figure out fixes for (applying fixes consistently seems to be our biggest problem), and as such the people developing the attacks/exploits do not see a need to cover them.
Also, fixing shit is boring, seriously. Fixing the problem doesn’t get me all that juicy, juicy data.