Vulnerabilities Die Hard

June 30, 2007 by kowsik

Yeah, I just watched the movie. Yippie Kah Yay, for sure. Nokia phones are sure handy. :-) As much as I love Matrix, which seemed a little far out with the nmap scan and the SSH CRC32 exploit, this one had a reasonable amount of plausibility. A SCADA device and a printer are not too far apart in terms of the services they offer over IP. These devices have protocols like ARP, IP, TCP, UDP, SNMP, FTP (warez on a voltage regulator anyone?), HTTP, etc. and yes they do have vulnerabilities. It has a lot to do with the Network Effect. While the utility and the value of the connected systems grows (for sure) with the number of systems connected, so does the attack surface, the complexity, the unknowns and the risks. Quoting Bruce Schneier, “Machines break, Systems have bugs“. Once you are on the network, it’s fair game for anyone to reach out to you.

Bruce Schneier talks about how we shouldn’t need a security industry. We at Mu, call it layered condoms. Enough to make you comfortably numb, but you just don’t know if it’s safe. You can trust, but you can’t verify. The security industry has successfully built out anti-virus, url-filtering, anti-spam, anti-phishing, secure-email, ips, firewall’s, deep inspection, stateful inspection, load balancers and a plethora of devices on the network all solving pieces of the puzzle. Throw in VoIP and real-time media in the mix and life is oh-so-fun. As someone said to me once, routers no longer route. And yes, I did architect and lead the team that built the first IPS to be commercialized.

Maybe I’m old school, but you could trust the good old alarm clock (no, not the digital ones). I’m all for geeking out, but you have a remote exploit on a rabbit on your home network, that’s a whole new kind of bot-net; a hole that goes deep. Alice is now going to be talking to the Bot instead of Bob or the Oz.

Most of what this rant is about anyways, is that we are now able to connect things and bring systems and applications online way faster than we can test them. The expertise, skills and know-how required to test these systems to no, not necessarily secure them, but to baseline them is growing at an incredible rate. Quite a few people found bugs on Safari a few hours after the beta was released. The irony was, they used publicly available tools. No, not IDA and it didn’t require reverse engineering.

Personally, I believe in Test Driven Development and Extreme Programming. This forces you to organize your code in a way that can be tested. Sure, it’s not going to be bug-free (it’s software after all), but it for sure raises the quality bar high. And most importantly, when your backspace key is as busy as mine refactoring code to keep up with the thought process, the unit tests help with regression. This, by the way, is a very important aspect of vulnerabilities. Just when we thought we had solved the MAC flooding with wired networks, along came wireless with exactly the same vulnerabilities.

Live free or die hard.

Categories: Rants
404 Comments
Bookmark and Share