News Stay informed about the latest enterprise technology news and product updates.

Exploiting systems becoming easier, expert says

Increasingly complex networks leave many doors open for attacks and the next generation of threats is gunning for IM, WiFi and VoIP.

BOSTON -- Automated attacks against widely deployed systems and applications are increasing in number and sophistication, but the real threat will come with polymorphic worms that leverage both known and unknown vulnerabilities, carry active payloads and attack via instant messaging clients, wireless networks or VoIP.

"The biggest factor is that our networks are changing significantly," said Gerhard Eschelbeck, CTO of Redwood Shores, Calif.-based Qualys Inc. "In the past we were very much focused on perimeter security with a single access point. Intercommunication with business partners, VPNs and wireless access points are all contributing to make our networks more vulnerable."

Laws of Vulnerabilities

Every 30 days the number of systems vulnerable to a critical flaw is reduced by 50%.
An example is the Microsoft IIS chunked encoding heap overflow variant vulnerability identified in April 2002. Within a month of discovery, activity around this flaw dropped by more than half and has remained low.

The lifespan of some vulnerabilities is unlimited.
Eschelbeck cited the Microsoft ISAPI extension buffer-overflow vulnerability exploited by Code Red, which was released June 2001 and still shows signs of activity.

80% of vulnerability exploits are available within 60 days after the vulnerability is announced.

50% of the most prevalent and critical vulnerabilities are being replaced by new vulnerabilities on an annual basis.

Information cited is provided by Gerhard Eschelbeck, CTO, Qualys.

These vulnerabilities, he said, arise from continued use of insecure protocols and services like Telnet, FTP and SNMP, known default settings, system design and setup and access control errors, software implementation flaws and a lack of input validation.

Also to blame, Eschelbeck said in a presentation at last week's ISSA conference in Boston, is the increasing complexity of networks and applications, a shortage of qualified security staff, increasingly sophisticated attacks, simple and automated attack tools designed for large scale attacks, and a difficulty in tracing attacks.

Threats have evolved from worms and viruses that require human interaction to spread via e-mail and file sharing (Melissa and Loveletter) to blended threats that leverage known vulnerabilities and may have automated or Trojan components (Blaster, which exploited the then three-week-old Microsoft DCOM RPC vulnerability). Future threats include using polymorphic techniques and encryption to prevent discovery, leveraging previously unknown vulnerabilities and targeting "new" technologies, such as instant messaging and VoIP.

"It's very hard for IT environments today to control the use of instant messaging," said Eschelbeck. "Very soon we will see attacks against the instant messaging infrastructure in the same ways we've seen attacks against the Windows operating system."

As far as VoIP goes, Eschelbeck said, there are fundamental security issues in the protocols it uses, flaws that can easily be exploited in a manner similar to Windows and Unix flaws today.

"Just as we've seen worms that can execute code on just about any operating system, we will see similar behavior on VoIP systems," said Eschelbeck.

At this point, Eschelbeck said, the only mitigation for these threats is the timely detection and remediation of security vulnerabilities. A proactive approach would include: identifying network topology and points of entry; identifying services, operating systems and applications; prioritizing critical vulnerabilities; and remedying vulnerabilities and verifying fixes.

Dig Deeper on Hacker tools and techniques: Underground hacking sites

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.