Security and the "Booga-Booga" Factor

Whenever I can, I attend talks and classes about securing Microsoft networks. In general, I always learn something, so the time spent is worthwhile. But I've noticed a thread that runs through about 80 percent of the security presentations I've seen, something I've come to call the "booga-booga" factor.

Here's an example. I recently attended a Microsoft-sponsored 1-day class about intrusion methods and countermeasures. The presenter was generally informative, and I learned a lot about root kits, Network Mapper (Nmap), privilege-escalation attack utilities, and similar tools, as well as how to recognize signs that someone is poking around my network. During every class, though, he stressed the same notion: You're never secure.

His most oft-repeated message was that you can spend all the money you want, but you'll never completely secure your network. In other words, "The bad people are out there, and they're going to get you no matter what you do—booga booga!" The unspoken remainder of the message seemed to be, "unless you retain a security expert guy like me."

I got tired of hearing that the sky is falling and that no one makes good umbrellas. So I asked the instructor for details. For example, at one point he explained an attack class called an escalation-of-privilege attack. In this sort of attack, the criminal gets access to a user account, even a fairly powerless one such as a guest account, then exploits a bug in the OS to run commands that require administrative privileges. He claimed that this method is foolproof, saying, "If you let me get access to any account in your system, your system's mine." I asked, "Any system?" He said yes and named three hacker tools that escalate privileges. Pretty scary stuff, so I hastened to find, download, and try out those tools.

I found out that the tools exploit a bug in the ClipBook service that lets attackers essentially take control of that service and feed it commands. Because ClipBook runs under the all-powerful System account, attackers get to play System and can therefore take dangerous actions. The result is escalation of privilege, in which guest accounts can play as administrators.

This scenario had just one problem: The attack didn't work on my system. I tried using the tools on my Windows XP system, which I keep up-to-date with patches, and my system must have found and patched the ClipBook bug more than a year earlier, so the escalation-of-privilege attack failed. Ditto for my Windows 2000 and Windows NT 4.0 systems. The result? Escalation of privileges on Microsoft systems doesn't seem to be a concern on systems that have applied patches in the past year and a half.

Don't misunderstand; I'm not quibbling about whether the class was a worthwhile venture. But it would have been more valuable if, instead of doing a lot of hand waving about all these scary escalation-of-privilege tools, the instructor had simply said, "ClipBook had this hole that a bunch of tools used to escalate privilege." The knowledge that someone in Redmond created one bug in the past few years that led to a class of attacks would have been more useful than giving us the notion that this kind of bug pops up all the time. It doesn't.

I don't mean to pick on this particular instructor. But his message—that you can't possibly stay ahead of all the exploits—is all too familiar. I've heard that message and its underlying attitude from most security presenters. The message is counterproductive for two reasons.

First, it's largely untrue. I'm as willing to criticize Microsoft for buggy code as the next guy, but the fact is that the patches for all the big exploits of the past 3 years—CodeRed, Nimda, and Slammer, to name three examples—existed months before anyone wrote the exploits. Well-patched systems didn't have any problems other than slower Internet response times on the days that other unpatched and infected systems searched for systems to infect. A popular book about hacking network systems has sold tens of thousands of copies, and I find it interesting to read about how the bad guys accomplish their fell deeds. Read this volume, and you'll walk away saying, "Wow, they can get my system any time they want." Fortunately, that statement isn't true: I tried every hacking tool in the book on my systems and, again, none of them worked because I stay up-to-date with patches.

Second, creating a miasma of fear and uncertainty about network security imposes a further burden on an already overworked class of people—network administrators. Saying that security is a job that's never done to folks who are already used to getting home late doesn't do anything for morale, particularly when the assertion isn't true. A little common sense and a few basic techniques can secure a network. I often wonder whether security experts say that security is a job that's never done to let themselves off the hook when they don't do their jobs.

Let me finish with a suggestion that will help you deal with security experts or, for that matter, any expert. When you hear experts speak in vague terms about a threat or a class of threats, ask them to be more specific. What tool would the attacker use? Does the tool apply to modern systems? How would the attack progress? Armed with that information, you're better prepared to assess your risks and the potential costs of not hiring five more security guys.

It's easy to see hackers as evil masterminds who are so smart and so equipped with powerful tools that even trying to understand how they do their work is a useless endeavor. But the fact is that most exploits are variations on the same small number of themes. Ask questions of enough security experts, and in no time you'll see that securing networks isn't that difficult. Rather, it's just a job that requires some knowledge, a lot of elbow grease, and persistence.