Monday, April 17, 2006

McAfee out of ideas - blames internet for rootkits.

The recent article Does open source encourage rootkits? [NetworkWorld] discusses a McAfee report, "Rootkits", in which McAfee lays the blame for rootkits at the door of the open source community by name, security researchers by implication, and unwittingly at the very doorstep of information sharing -- books, libraries, and printed material. The report was issued due to a large jump in the number of rootkits they detected (nine times as many this quarter as the year ago quarter - a dramatic increase). They specifically blame rootkit.com. The unstated basis for their argument is a classic tension between open sharing of information about security vulnerabilities on the one hand and secret cabals of security research on the other. McAfee is clearly coming down for the "keep it secret to be safe" camp. Most independent security researchers reject this argument, because industry has a very long track record of totally ignoring security issues until they are made public. Most researchers also practice a policy of advanced notification -- give the vendor a reasonable notice before publishing the findings to the world and attempt to work with them so that a fix is available when the notice is published. However, the threat of publication is sometimes the only thing that motivates software companies to fix security problems. Blaming open source, web sites, and information sharing by implication is misguided. The folks who are writing the real malware could (and do) use secret members-only web sites to share ideas and code and whatnot in their pursuit of malfeasance. It's better for the community of researchers to have open sites sharing these ideas. The fact is that you don't need a web site. There are books that do a pretty good job of explaining how rootkits work and how to build them. Are libraries now to blame? Is the publishing division of McAfee's competitor, Symantec Press to blame? ( The Art of Computer Virus Research and Defense). No. Information sharing is not to blame. Symantec is not to blame (at least not in this respect). Books are not to blame. The internet isn't to blame, web sites are not to blame, security researchers are not to blame. I wonder if instead we can attribute the continuing and expensive thorn of malware to humanity's continuing struggle to ride a rapid wave of expanding technology while simultaneously attempting to preserving civil liberties and limit the destruction and damage that can be caused by Evil Doers(TM)? Frankly, we're not very good at it, and we will soon face analogous problems in the much more serious realm of biological engineering. Recall that open source specifications for the 1918 influenza have already been published. We need to get better at this stuff pretty quick, because the clock is ticking. The information genie can't be put back in the bottle, we had better figure out how to tame it. * NOTE: Evil Doers is a Trademark of The Bush Administration.

Technorati Tags: , , , , , , , , ,

3 comments:

kurt wismer said...

unfortunately the 'full disclosure is always good' argument doesn't hold up under closer inspection... while it's true that we all benefit from full disclosure of some types of vulnerabilities, that doesn't mean we benefit from full disclosure of all types of vulnerabilities...

you're clearly making the assumption that vulnerabilities are all fixable and/or avoidable mistakes... for those that are, full disclosure works wonders, but the reality is that some are not fixable and/or avoidable... some vulnerabilities are inherent to the general purpose computing platform and publishing tools to exploit such vulnerabilities (whether under the banner of full disclosure or some other information sharing dogma) increases the public's risk of exposure without doing anything to close the (unclosable) window of exposure...

not all vulnerabilities are created equal - don't treat them like they are...

Gary W. Longsine said...

Hi Kurt,

Actually I'm not making the assumption that all vulnerabilites are fixable. In fact, those which are not easily rectified are those which provide the strongest argument for public awareness.

If a web server vendor is hiding a vulnerability in their product which could expose me (and millions of others) to identity theft or other fraud because they can't fix it, as a customer of their customers (banks, etc.), I want to know about that. In such cases one could argue in favor of keeping the details of the exploit confidential, but it's difficult to support keeping the vulnerability itself a secret from the potential victims. If they know about a "non fixable" defect in a critical product, the banks could respond by switching web servers, for example, or the cutomers could respond by switching to banks that have systems without the vulnerability. "Fixable" is sometimes a matter of perspective, then.

Not that many years ago, vulnerabilites were sometimes known to both white hat and black hat hackers for months or years before vendors acknowledged them and fixed them. The most notorious example of this was the "ping of death" which was known to me and reported by some of my colleagues to the vendor literally years before it was fixed. It was only when the defect became widely known that the vendor acknowledged and fixed the problem.

kurt wismer said...

if you're in favour of keeping the details of the exploit secret in your hypothetical example then i want you to take a good hard look at rootkitDOTcom...

they distribute source code and compiled binaries... fu rootkit that greg hoglund claims is the most widely deployed 'rootkit' was written by his co-author james butler... hoglund further claims that people are using the exact binary available for download from his site rather than recompiling the source...

we can quibble over the finer details of what constitutes full disclosure if you like, but from what i'm reading now i think you'd probably agree that what i described above constitutes arming the bad guys...

i'm not suggesting people keep the vulnerabilities themselves secret, and frankly that's not what the mcafee report was getting at either... people are publishing exploit code under the banner of full disclosure... that doesn't increase security, it doesn't close any window of exposure, all it does is arm the bad guys...

as for your example, it's a poor one... when i say non-fixable, i include switching products as a means of fixing things - 'rootkits' are possible under all platforms so switching to a different one doesn't really fix the problem...