Was reading an article by Ellen Messmer and Tim Greene over in NetworkWorld today on Black Hat buzz. I am interested to see some of the security issues around Vista they talk about, especially the rootkit from COSEINC and Joanna Rutkowska. It is called Blue Pill and seems like a particularly nasty one. Perhaps not something you would fix with a patch, since it goes to Vista's architecture. I think it is a very smart move by Microsoft to encourage this sort of thing by sponsoring and being visible at Black Hat. Let's find out about the holes before Vista is released, while we can do something about it. This seems like a refreshingly different approach by the folks in Redmond and I commend them.
Another presentation that I am looking forward to, for a different reason though, is the one by Ofir Arkin of Insightix. I wrote about this one back in early July. These are the guys who are going to show how it is possible to evade every NAC solution, except theirs of course. This is one where I think the folks at Black Hat were duped. Does Ofir think he has discovered something by showing how NAC solutions that rely on DHCP can be evaded by static IPs? Every customer we speak to about DHCP enforcement brings up this same issue. No rocket science here, folks. This is why we don't think DHCP is the optimum way to deploy a NAC solution. But in the absence of other enforcement technologies like 802.1x, it is the best of the rest. I still think it is more secure than the SNMP-based stuff.
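The weakness described above, that DHCP enforcement never sees a host with a statically configured address, has a simple compensating control: reconcile the active lease table against the hosts actually observed on the segment. The following is an added example (not code from the original post or from StillSecure's products) that flags hosts with no active lease or a MAC address that does not match their lease. The lease format is a simplified, constructed one, and the neighbor lines imitate the layout of Linux `ip neigh` output; both are sample data, not real network output.

```python
"""Reconcile DHCP leases against the hosts actually seen on the wire.

A DHCP-enforced NAC only inspects clients that ask for a lease, so a
device with a statically configured address bypasses the check. As a
compensating control, compare the set of active leases with the hosts
present in the neighbor (ARP) table and flag anything that has no lease
or whose MAC does not match the lease.

All input below is constructed sample data, not real network output.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed lease table in a simplified "ip mac expiry" format
# (assumption: a real lease file would need its own parser).
SAMPLE_LEASES = """\
192.168.1.10 00:11:22:33:44:55 2006-08-02T12:00:00
192.168.1.11 00:11:22:33:44:66 2006-08-02T12:00:00
192.168.1.12 00:11:22:33:44:77 2006-07-01T12:00:00
"""

# Constructed neighbor table in the layout of `ip neigh show` on Linux.
SAMPLE_NEIGH = """\
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.11 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.1.12 dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
192.168.1.50 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.1 dev eth0 lladdr 00:00:5e:00:01:01 PERMANENT
"""


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str


def parse_leases(text, now):
    """Return {ip: mac} for leases that are still valid at `now`."""
    active = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, mac, expiry = parts
        if datetime.fromisoformat(expiry) > now:
            active[ip] = mac.lower()
    return active


def parse_neighbors(text):
    """Return {ip: mac} from `ip neigh`-style lines; skip entries with no MAC."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if "lladdr" not in parts:
            continue  # FAILED / INCOMPLETE entries carry no link-layer address
        ip = parts[0]
        mac = parts[parts.index("lladdr") + 1].lower()
        seen[ip] = mac
    return seen


def reconcile(leases, neighbors, known_static=frozenset()):
    """Flag observed hosts that bypassed DHCP or do not match their lease."""
    findings = []
    for ip, mac in sorted(neighbors.items()):
        if ip in known_static:
            continue  # gateways, printers etc. that are legitimately static
        if ip not in leases:
            findings.append(Finding(ip, mac, "no active DHCP lease"))
        elif leases[ip] != mac:
            findings.append(Finding(ip, mac, f"MAC differs from lease ({leases[ip]})"))
    return findings


def run_sample(now=datetime(2006, 8, 1, 0, 0, 0)):
    """Run the reconciliation over the constructed sample data."""
    leases = parse_leases(SAMPLE_LEASES, now)
    neighbors = parse_neighbors(SAMPLE_NEIGH)
    return reconcile(leases, neighbors, known_static={"192.168.1.1"})


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.ip:<16} {f.mac}  {f.reason}")
```

On the sample data this reports three hosts: one whose MAC no longer matches its lease, one whose lease has expired but is still on the wire, and one that never obtained a lease at all. The `known_static` allow-list is what keeps this from paging you about the default gateway every five minutes.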
Bigger picture, in security it is always about choices and risk. If you don't feel your risk is high enough to warrant upgrading your network to a more secure way of doing NAC, you make do with DHCP. I think for every security technology out there, there is a way for a determined hacker to evade it. That is exactly why defense in depth is the way to go. Not that it is impossible to get through, but the time and effort involved in doing so will outweigh the gain. Specifically with NAC, I think most people want it to make sure they are enforcing access policies against managed and unmanaged devices, not necessarily to be the uber-hacker stopper. It is more the inadvertent polluter that NAC is going to stop.
Over the last few days it seems that Open Source software is under attack as the root of all evil around hacking. First, an article on darkReading about open source security software being used by hackers and bad guys. Then the folks at McAfee blaming open source tools for helping bot developers organize and be more effective.
In the case of McAfee, this is not the first time they have blamed open source tools for helping hackers. Back in April it was rootkits that were being encouraged by open source, according to McAfee. Of course the McAfee folks give the usual left-handed compliment to open source by saying, "We think [open source antivirus products] are fine. They've never been something that was really in the same class as ours, but we've always been big supporters of open source antivirus." Yeah right, give me a break. Can you show me how McAfee has always been a big supporter? I don't think so. It is just another chance for the McAfee people to take another swipe at open source.
The darkReading article says hackers and bad guy types are using Nmap, Nessus, Metasploit and such to recon and hack into networks. So if they were using commercial software instead of open source, would it make a difference? This is a case where you can't blame the tool; blame the people hacking in. These tools all have legitimate uses and are very valuable to infosec professionals. My rule of thumb is to substitute "commercial software" every time I see the term "open source software". If the sentence still makes sense regardless of whether it was open source or commercial software, then how can you blame it on open source?
Sounds like a ridiculous question, doesn't it? This was exactly the question posed to one of our StillSecure account executives, Sam Van Ryder, a few weeks ago. He was not sure what the question was trying to get at. Do we here at StillSecure approve of rootkits? Do we install them with our software? Do we try to detect, alert on and remove them? Maybe he should have said, "Hey, we like them, they are good for security vendors."
First of all you need to understand what a rootkit is. According to Wikipedia, "a rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge." Of course rootkits went mainstream with the Sony CD controversy last year. They certainly sound like bad stuff. The obvious answer is that, as a responsible network security company, StillSecure is not for anything that installs hidden software on a computer that can be used to compromise that computer. Maybe the better question is what StillSecure can do to detect and remove rootkits. However, you must also realize that in some circumstances rootkits actually serve an innocuous, if not beneficial, purpose. How do you tell the difference? Even a "good" rootkit can be used for bad purposes. This is the crux of the issue, which makes the opening question not as easy as it sounds.
Detecting rootkits, determining whether they are malicious, and removing them is one of the most difficult tasks in network security. Today, it is falling mostly on the shoulders of the anti-virus vendors to try and stop malicious rootkits from implanting themselves onto your computer. However, they are not doing a great job of it. We have received requests from several customers to try and detect rootkits as part of the pre-admission testing in our Safe Access NAC product. Also, some have asked that VAM, the StillSecure vulnerability management platform, detect them. I am not sure if either of these categories of products will be effective as they currently exist. I do know that over this year there will be products dedicated to this problem, and I think NAC products will start incorporating technology to be more effective at finding them.
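The Wikipedia definition quoted above says rootkits conceal running processes, and the hard part is finding what has been hidden. One widely used detection approach is a cross-view diff: enumerate the same objects through two independent paths and report whatever one view shows and the other does not, since a rootkit that filters one enumeration path rarely filters them all. The code below is an added illustration of that approach, not code from the original post or from any StillSecure product. The `ps` output and `/proc` listings are constructed sample data, and the check requires a PID to be hidden in two consecutive snapshots so that short-lived processes, which appear in only one view for a moment, do not produce false positives.

```python
"""Cross-view diff: a simple way to spot processes a rootkit hides.

A rootkit that conceals processes typically filters one enumeration path
(for example the interface a process lister relies on) but cannot cheaply
filter every path. Comparing two independent views of the same object
set and reporting what one shows but the other does not is the classic
"cross-view" detection approach. Short-lived processes also show up in
only one view for an instant, so a single snapshot yields false positives;
here a PID must be hidden in every snapshot to be reported.

All views below are constructed sample data, not real system output.
"""


def parse_ps_lines(text):
    """Parse `ps -e`-style lines ("PID TTY TIME CMD") into {pid: cmd}."""
    procs = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit():
            procs[int(parts[0])] = parts[3]
    return procs


def parse_proc_listing(entries):
    """Turn a /proc directory listing into the set of numeric PIDs."""
    return {int(name) for name in entries if name.isdigit()}


def hidden_pids(low_level_view, high_level_view):
    """PIDs present in the low-level view but absent from the high-level one."""
    return set(low_level_view) - set(high_level_view)


def confirm_hidden(snapshots):
    """Report only PIDs hidden in every snapshot (filters transient processes)."""
    hidden_sets = [hidden_pids(low, high) for low, high in snapshots]
    return set.intersection(*hidden_sets) if hidden_sets else set()


# Constructed sample: two snapshots taken a moment apart. PID 1337 is the
# one a rootkit is hiding; PID 2048 was simply mid-spawn during snapshot 1.
PS_SNAPSHOT_1 = """\
  PID TTY          TIME CMD
    1 ?        00:00:01 init
  412 ?        00:00:00 sshd
  777 ?        00:00:00 cron
"""
PROC_SNAPSHOT_1 = ["1", "412", "777", "1337", "2048", "self", "cpuinfo", "meminfo"]

PS_SNAPSHOT_2 = """\
  PID TTY          TIME CMD
    1 ?        00:00:01 init
  412 ?        00:00:00 sshd
  777 ?        00:00:00 cron
 2048 ?        00:00:00 sleep
"""
PROC_SNAPSHOT_2 = ["1", "412", "777", "1337", "2048", "self", "cpuinfo", "meminfo"]


def run_sample():
    """Run the cross-view check over the two constructed snapshots."""
    snapshots = [
        (parse_proc_listing(PROC_SNAPSHOT_1), parse_ps_lines(PS_SNAPSHOT_1)),
        (parse_proc_listing(PROC_SNAPSHOT_2), parse_ps_lines(PS_SNAPSHOT_2)),
    ]
    return confirm_hidden(snapshots)


if __name__ == "__main__":
    print("PIDs hidden from the process lister:", sorted(run_sample()))
```

On the sample data only PID 1337 survives both snapshots; PID 2048 drops out once it shows up in the second `ps` listing. The same shape of check works for files (directory listing versus raw inode walk) and network sockets, which is why rootkit-detection tools lean on it so heavily.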
Ellen Messmer at NetworkWorld writes today that McAfee is releasing a new report about the dramatic rise in the number of rootkits it has collected as malware samples this quarter as compared to the same quarter last year. Additionally, they are becoming harder and harder to detect. I don't doubt any of this, but the part that I disagree with is where Stuart McClure, SVP of global threats at McAfee, blames it on sites like Rootkit.com and other sites that share source code. The rootkit.com site is a legitimate site that our own SAT team has used on occasion. It is a valuable resource to the security community and, though some may misuse the code posted up there, I think it is not fair to blame it and others like it for the problem. Whether it existed or not, today's sophisticated cybercriminals would find ways of sharing their illicit methods. Don't shoot the messenger if you don't like the message. I do think rootkits represent a new battlefront in security though. I think we will see new, more effective means of combating them this year.
