Why Defense in Depth Is So Important

Last week in Las Vegas, Nevada, the temperature averaged well above 100 degrees (with a high on Tuesday of 117 degrees). That's a bit too much heat for my taste, but I bet it's even hotter there this week. Why? Because the Black Hat USA 2005 security convention is being held in Las Vegas this week.

Every year, the Black Hat conference serves as both a showcase and a barometer. This year is no different. Security firms will try to demonstrate how smart they are, either by their cleverness and the importance of the security problems they've discovered or by the quality of their protective security tools. This year they've come up with some winners.

Alexander Kornbrust, a German security researcher, has discovered that attackers can recover encryption keys from Oracle databases. (See http://www.infoworld.com/article/05/07/25/HNblackhatoracle_1.html?source=rss&url=http://www.infoworld.com/article/05/07/25/HNblackhatoracle_1.html for more information about his discovery.) This announcement follows Kornbrust's disclosure last week of six Oracle security vulnerabilities that he reported in 2003 and still aren't fixed, even though he apparently followed the responsible path of notifying the company and giving it the opportunity to release patches for the flaws before he announced them.

Oracle was quick to claim that encryption is no substitute for access control, which is absolutely true. But if you have sensitive data, encrypting it (properly, that is) can help secure the data in case a user has--or can get--access to the data but shouldn't be able to read it. Microsoft is more or less tackling the same problem with the Windows Rights Management Service (RMS), which is designed to protect documents and messages from being read by unauthorized users who have somehow come into their possession.

Speaking of Windows, SPI Dynamics CTO Caleb Sima and his team have revealed a worrisome new Windows vulnerability. When you plug in a USB device, Windows (and Linux and Mac OS X) loads the appropriate device driver, which is supposed to make USB devices "just work." However, SPI's engineers discovered flaws in some Windows USB drivers; by building a fake USB device with custom firmware (a neat trick that certainly isn't outside the realm of sophisticated attackers), they forced a flawed driver to load, then forced it to overflow its buffer. At that point, an attacker's code can be locally executed. Game over.

SPI hasn't said which drivers have the flaws but that isn't the point. There are so many USB devices and so many poorly written vendor-supplied drivers that I'm sure we'll see copycat versions of this attack for years to come. Instead, there are more important things to consider in light of SPI's announcement.

First, vendors don't always get a chance to patch flaws before they're announced. Oracle had more than 650 days to fix Kornbrust's six reported vulnerabilities before he made them public, but Microsoft didn't get any advance notification of SPI's discovery. Microsoft's Security Response Center has effectively driven the quick development of patches for newly discovered vulnerabilities but only when the Center finds out about them. As if it weren't bad enough that SPI didn't give Microsoft the courtesy of an advance notification, 3com's TippingPoint division announced this week that it plans to essentially pay people who discover vulnerabilities. This follows on the heels of a similar program from iDefense. (I think both programs stink, and later I'll discuss why on my blog at http://www.e2ksecurity.com .)

Second, defense in depth is more important now than ever. The USB-based attack can be mitigated several ways, starting with physical security measures that keep attackers away from computers in the first place. I've heard of one large site that actually puts blobs of epoxy in the USB ports on its desktop machines, physically preventing users from plugging in devices. Other sites are deploying software to better manage the use of USB devices. As vendors release updated versions of their drivers, I'm sure we'll see a wave of solutions that are intended to ease the installation (and verification) of these updates.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.