[Dailydave] Yet another fascinating advisory!
From: Dave Aitel (dave at immunitysec.com)
Date: Wed Feb 11 2004 - 10:44:38 CST
Betasystems.com released an advisory today about their backup product,
"Harbor Backup" (Also known as Tantia). Originally I was going to
release one too, but they know who their customers are, and if you have
a CANVAS subscription, you can just download the exploit and find out
all about it.
For those of you who weren't at my BlackHat talk in Seattle, one of the
themes was that the management and monitoring software and other
enterprise-level software that people install is rarely looked at, and
highly vulnerable. I remember when @stake posted a message saying that
people should test their internal Oracle financials application and I
crashed it (format string bug) in about 3 seconds and it took two days
to bring back up. Turns out they meant they wanted it tested for
functionality - like, can you enter in a time sheet. A common
Functionality-QA vs Security Testing problem.
My suggestion during the talk was that you should write in your IT
acquisition contracts a phrase that requires a third party review from a
security company you trust before you purchase the software, at the
vendor's expense.
I listed about 5 or 6 products (including Harbor) that will be having
advisories soon. But the point was not that "company X has bugs" it's
that every product you install on your gold build needs to be looked at,
and the ones that don't have a bugtraq thread five pages long on them
are the ones I, as a hacker, will look at first. Hackers aren't above
breaking into one box on your network, and writing 0day for everything
on it to use to own every other box, without fear that some IDS will
catch them.
There's a common practice of developing "gold builds" or "standard
builds" which you place throughout your enterprise, or use as a desktop
build. And I like to divide the things you do to generate a gold build
into three categories:
Category 1. Software you can download off the internet: Often has
hardening guides you can download off the Internet. The NSA Windows
Hardening guides, for example, or various Solaris hardening scripts.
Category 2. Software you own that few other people own: Rarely has any
good information available on the Internet related to configuration or
hardening guides. Often has not been looked at by the public security
community, and so has many "low hanging fruit".
Category 3. Software you wrote: Obviously other than broad guidelines,
there is no specific documentation on how to harden your own
applications. There probably should be though - and a good CSO will make
sure that it gets produced and used before the application gets put on
the net.
To produce a gold build that is actually hardened, you need to go
beyond #1 (which is where most people are) and take some control of #2
and #3. This is rarely done, and I think a serious misstep by any
information security department who fails to do so. To get control of 2
and 3, I recommend:
1. Get a third party review done by the vendor by an information security
consulting firm that you trust. Trust is important. If a company makes
50% of their income from selling information security to Oracle, it's
hard to say that they are trustworthy regarding Oracle or other database
software.
Alternatively you can hire a company to do this at your own cost. Keep
in mind that without source code and access to developers, it's harder
to do a complete review, but that for this kind of software, a complete
review is rarely needed to find several major problems.
2. Create a business guideline for your gold build. I.E. When I look at
it, I need to see "why we have SNMP enabled" written somewhere. Then
when I review it, I can write "This is the risk you are running" and you
can check "ok" and be done with it, rather than having to revisit it
every time you do a review or derive a new Gold Build from it.
3. Whatever everyone else on the list pipes in to say that makes sense.
Dave Aitel
Immunity, Inc.
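Recommendation #2 above describes a written baseline for a gold build: for every enabled service, a note on why it is on, the reviewer's statement of the risk, and a sign-off, so the next review does not start from scratch. The script below is an added example (not Dave's code, and not anything from the list) of how such a baseline can be checked mechanically. The manifest format, the service records in it, the build name and the set of observed listening ports are all constructed for illustration; the point it demonstrates is that a service which listens but has no justification, no risk note, or no sign-off is surfaced as a finding, and that drift between the document and the built image is caught at the same time.

```python
"""Gold-build baseline review (added example, hypothetical manifest format):
every listening service must carry a written justification, a reviewer's
risk note, and a sign-off, or the build does not get signed off."""
import json

# Constructed sample manifest, in the shape recommendation #2 asks for:
# one record per service in the build. Names and values are made up.
MANIFEST_JSON = """
{
  "build": "example-gold-build-v3",
  "services": [
    {"name": "snmp",   "port": 161,   "enabled": true,
     "justification": "Polled by the NOC for inventory",
     "risk_note": "Community strings disclose host and software details",
     "accepted_by": "CSO office"},
    {"name": "ssh",    "port": 22,    "enabled": true,
     "justification": "Remote administration by the ops team",
     "risk_note": "", "accepted_by": ""},
    {"name": "telnet", "port": 23,    "enabled": true,
     "justification": "",
     "risk_note": "Cleartext logins; credentials visible on the wire",
     "accepted_by": ""},
    {"name": "backup-agent", "port": 10000, "enabled": false,
     "justification": "Retired after vendor review",
     "risk_note": "", "accepted_by": ""}
  ]
}
"""

# Constructed result of a port inventory taken on the built image.
OBSERVED_LISTENING_PORTS = {22, 23, 161, 10000, 8080}


def review_gold_build(manifest_json, observed_ports):
    """Compare the written baseline against what actually listens.

    Returns a dict of finding categories, each a sorted list of
    human-readable strings, so the caller can decide what blocks sign-off.
    """
    manifest = json.loads(manifest_json)
    findings = {
        "undocumented": [],           # listening, but nobody wrote down why
        "drift": [],                  # manifest says disabled, yet it listens
        "missing_justification": [],  # enabled with no business reason
        "unreviewed": [],             # enabled, no reviewer risk note yet
        "unaccepted_risk": [],        # risk written down, nobody signed it off
        "stale": [],                  # documented as enabled, not observed
    }
    documented_ports = set()
    for svc in manifest["services"]:
        name, port = svc["name"], svc["port"]
        documented_ports.add(port)
        listening = port in observed_ports
        if not svc["enabled"]:
            if listening:
                findings["drift"].append(
                    f"{name}/{port} disabled in manifest but listening")
            continue
        if not listening:
            findings["stale"].append(
                f"{name}/{port} documented as enabled but not listening")
        if not svc["justification"].strip():
            findings["missing_justification"].append(f"{name}/{port}")
        if not svc["risk_note"].strip():
            findings["unreviewed"].append(f"{name}/{port}")
        elif not svc["accepted_by"].strip():
            findings["unaccepted_risk"].append(
                f"{name}/{port}: {svc['risk_note']}")
    for port in sorted(observed_ports - documented_ports):
        findings["undocumented"].append(
            f"port {port} listening with no manifest entry")
    return {key: sorted(items) for key, items in findings.items()}


def blocks_signoff(findings):
    """Stale entries are housekeeping; everything else blocks sign-off."""
    blocking = ("undocumented", "drift", "missing_justification",
                "unreviewed", "unaccepted_risk")
    return any(findings[key] for key in blocking)


if __name__ == "__main__":
    result = review_gold_build(MANIFEST_JSON, OBSERVED_LISTENING_PORTS)
    for category, items in result.items():
        for item in items:
            print(f"[{category}] {item}")
    print("sign-off blocked" if blocks_signoff(result)
          else "build may be signed off")
```

Run against the constructed data it reports telnet with no justification and an unaccepted risk, ssh as not yet reviewed, the retired backup agent still listening, and an undocumented listener on 8080; once each of those has a line in the manifest and a name next to the risk, the same script passes the build and the next derived build inherits the answers.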