Researchers trace Witty worm to its source

Scott Pinzon over at Watchguard Wire pointed out that a trio of researchers using innovative Internet-wide forensics discovered the source of last year's Witty worm.

The conclusion? Strong evidence indiciates that the Witty worm specifically targeted a US military base and was launched via an IP address corresponding to a European ISP.

The paper shows an awesome display of how forensic investigators can use network "telescopes" (machines that record packets sent to unused blocks of Internet address space) to help pinpoint the original source of this attack. Quite impressive if you ask me. The paper goes into depth on their approach, and I would recommend anyone interested in the field to take a look. A lot can be learned here. As Scott points out, the discovery of this technique bodes well for our future ability to capture worm authors.

Adopting a Software Security Improvement Program

Dan Taylor and Gary McGraw from Cigital have written an interesting article for IEEE Security & Privacy about "Adopting a Software Security Improvement Program". In it, the authors go into software security best practices and show how a well-defined roadmap lays out the specifics of how best to deploy software security best practices given a particular organization’s approach to building software.

I like how they broke this down into six key phases:

1. Stop the Bleeding
   
2. Harvest the low hanging fruit
   
3. Establish a foundation
   
4. Craft core competencies
   
5. Develop differentiators
   
6. Build out the "nice to haves"

Sound interesting? You will have to go read the article to find out what those phases REALLY mean. You can check out the article here.

Windows SBS 2003 with Service Pack 1 Getting Started Guide

Microsoft has just released step-by-step instructions explaining how to complete a new installation of Windows Small Business Server 2003 and how to upgrade from Small Business Server 2000, Windows 2000 Server, Standard Edition, or Windows Server 2003, Standard Edition, to Windows Small Business Server 2003.

If you have Windows Small Business Server 2003, Premium Edition, it is recommended that you also download "Completing Setup for Microsoft Windows Small Business Server Premium Technologies" from the Microsoft Web site. The site seems down right now, but the link to it is here.

Windows OneCare: Microsoft's Consumer Security Service

Well, it's official. Microsoft today reveiled that their 'A1' project will be called Windows OneCare. Apparently their consumer PC security bundle is entering a new phase for release. It has entered into a closed beta, and expectations are that it will be released to consumers before the end of the year.

According to an article on Eweek, Microsoft plans to 'dog-food' the service with its employees starting next week. In the summer, they expect to expand the test to consumers in a "private, invite-only manner," and a full-scale rollout by the end of the year.

We know about the anti-spyware (most of us are testing that already for them :) ), and their new AV driver thats tick off the likes of Symantec and Mcafee. What you might NOT know is that in OneCare, Microsoft plans to include a PROPER two way firewall. (Oh that should make the ZoneAlarm people really happy) That will be a NICE upgrade past the pathetic nature of ICF. Being able to properly control packetflow in both directions is ESSENTIAL to maintain corporate security policy as it relates to network service use.

Will be interesting to see how this turns out. I am curious to see how Microsoft handles the pricing strategy here. Could work well in their favour, or have huge backlash from consumers. I also can't wait to see how integrated this really is. We will have to wait and see. Guess I will learn more this summer when I get a copy. Because you ARE giving me a copy... right Microsoft???

Doing the Right Thing: Microsoft Delayed XP SP2 Due to Integer Overflows

When XP SP2 was first delayed, there were a LOT of complaints about the fact MS couldn't keep their act together as it relates to their development cycle. It's easy to assume the worst and complain when you have no idea what is really going on.

Last week at CanSecWest it was brought forth that Microsoft delayed the release of SP2 by 6 weeks when they found some significant issues with integer overflows. I wonder if that was why Michael Howard wrote an article on the very thing in April 2003. Or why he continues to talk about it to this day.

Apparently Microsoft found integer overflows in a lot of different places in the code, and they quickly realized that they weren't looking for them the same way they looked for other things like buffer overflows. Microsoft decided that fixing the problems was more important than keeping the original product schedule, and thus let the shipping schedule slip another 6 weeks. Interesting quote from Window Snyder, the security strategist at Microsoft that was presenting this information:

"We slipped 6 weeks just for this... but it was the right thing to do."

Bravo. Damn straight it was the right thing to do.

I was recently at Microsoft for a week doing interop testing with our kernelmode security drivers in their test lab in Building 20 when I came across a potential buffer overflow based on a static #define which was used incorrectly. This was from code over 3 years old now, and really should have been caught by now. Unfortunately static code analysis tools like prefast can't catch this sort of thing, and our human heuristic tests or automated code analysis tools were not designed to look for this type of problem.

When I found this I stopped all further work until we rescanned all code for this type of error, and not the error itself. Doing so found one other instance where we did something similar. The result? A newly added code scan test to check for such things to prevent it from occuring again in the future.

I was pleased to hear Microsoft taking the same attitude. It INDEED was the RIGHT THING TO DO. Good job.

The Web Security Mailing List

Got this in email last week.

The Web Application Security Consortium (WASC) is proud to present 'The Web Security Mailing List'.

What is The Web Security Mailing List?
The Web Security Mailing List is an open information forum for discussing topics relevant to web security. Topics include, but are not limited to, industry news and technical discussions surrounding web applications, proxies, honeypots, new attack types, methodologies, application firewalls, discoveries, experiences, web servers, application servers, database security, tools, solutions, and others.

To post a message send an email to: websecurity@webappsec.org

Subscribe by sending email to: websecurity-subscribe@webappsec.org

Unsubscribe by sending email to: websecurity-unsubscribe@webappsec.org

Hackers aren't just picking on Microsoft

According to some research completed by SANS, online criminals turned their attention to antivirus software and media players like Apple's iTunes in the first three months of 2005 as they sought new ways to take control of users' computers.

On a news article I read on Yahoo, they had some interesting quotes I thought some of you may be interested in:

"Operating systems have gotten better at finding and fixing things and auto-updating, so it's less fertile territory for the hackers," said SANS Chief Executive Alan Paller.

Anti-virus products from Symantec, F-Secure, TrendMicro and McAfee, proved vulnerable as well, a prospect Paller found particularly discouraging.

"We ought to do better in our industry -- we should be a model for others," he said.

Amen. But this is an industry wide problem. Here is a poster I think I need to make for our office:

SECURITY PRODUCTS != SECURE PRODUCTS

Secure software programming is a discipline that all software vendors need to embrace. Not just operating system and security software vendors. And the issues of vulnerabilities in all software will continue to grow as hackers move on to easier and easier targets in popular applications that most people are using.

So none of us are immune. We need to be on our guard and write safe code. We need to follow the principles of secure coding and ensure our clients are not only safe, but secure in their business workflow with the tools they use built by us. And this has to have buy in from all stakeholders in the ISV, from the CEO all the way down to the junior programmer that is just starting up.