Feb 5
Masters

With the help of Jason, my thesis has undergone some major grammar surgery. The new version is available at the usual place. There have been over 32K worth of changes since I received the commentary back from the examiners. If you're interested in patch management, take a read.

Posted by Dominic White

Jul 19
Masters

At the Information Security South Africa conference 2006 I published a paper arguing that our current understanding of the risks associated with monthly patch release cycles is pretty poor. This discussion is pretty important given that entities such as Gartner reckon monthly release will be the new industry standard.

I basically argue that in the case of delayed (responsible) disclosure, patch schedules work well, but in the case of instantaneous (0day) disclosure none of the purported benefits, namely better quality patches and better deployment scheduling, are accrued. I then move on to some solutions.

I think this is a really important paper and a really important discussion. Of course, I am the author so I would think that. The paper is available at:

http://singe.za.net/masters/files/issa2006/issa-2006-patch_schedule.pdf

Posted by Dominic White

Last modified on 2007-01-12 08:04
Jul 2
Masters

My Masters thesis on Patch Management entitled "Limiting Vulnerability Exposure through effective Patch Management: threat mitigation through vulnerability remediation" is now available. Given some bandwidth problems, please rather download a compressed version (zip, gzip, bzip2).

Here's the abstract:

This document aims to provide a complete discussion on vulnerability and patch management. The first chapters look at the trends relating to vulnerabilities, exploits, attacks and patches. These trends describe the drivers of patch and vulnerability management and situate the discussion in the current security climate. The following chapters then aim to present both policy and technical solutions to the problem. The policies described lay out a comprehensive set of steps that can be followed by any organisation to implement their own patch management policy, including practical advice on integration with other policies, managing risk, identifying vulnerability, strategies for reducing downtime and generating metrics to measure progress. Having covered the steps that can be taken by users, a strategy describing how best a vendor should implement a related patch release policy is provided. An argument is made that current monthly patch release schedules are inadequate to allow users to most effectively and timeously mitigate vulnerabilities. The final chapters discuss the technical aspect of automating parts of the policies described. In particular the concept of 'defense in depth' is used to discuss additional strategies for 'buying time' during the patch process. The document then goes on to conclude that in the face of increasing malicious activity and more complex patching, solid frameworks such as those provided in this document are required to ensure an organisation can fully manage the patching process. However, more research is required to fully understand vulnerabilities and exploits. In particular more attention must be paid to threats, as little work has been done to fully understand threat-agent capabilities and activities on a day-to-day basis.

Here is a brief chapter breakdown:

  1. Introduction
  2. Vulnerability and Patch Management - an analysis of vulnerability, malware and threat trends followed up by an analysis of problems with patches.
  3. Policy Solutions - an in-depth patch management framework for creating an organisational patch management policy.
  4. Vendor Release Patch Policy - an analysis of how vendors can best manage the risks associated with releasing patches.
  5. Practical Solutions - an analysis of where technology is needed in patch management and what is currently available.
  6. Conclusion

The thesis is still being examined after which I will submit the final version with corrections. What this means is that if you have any corrections, please send them to me.

UPDATE: added compressed versions.

UPDATE II: added new version with over 32K worth of corrections.

Posted by Dominic White

Last modified on 2007-02-05 23:52
Jun 28
Masters

I just finished my thesis! Woo hoo! At first it felt like giving birth, but now it feels like I just excised a cancer. What a slog. Will post links to it when I have them in a 'proper' place.

It is 208 pages, approx. 54 000 words with 251 references. This is me excited.

Posted by Dominic White

Jun 11
Masters

In my soon-to-be-published paper, I make a point that it is a good idea for vendors to make friends with security researchers in an effort to encourage delayed disclosure (some people call it 'responsible' disclosure).

It is interesting then to see that Microsoft will be throwing a party for security researchers at BlackHat. This, along with their BlueHat efforts is a very good idea. I look forward to seeing if it pays off given the past (and somewhat current) negative opinion of some security practitioners towards Microsoft. Or, more simply, will it have a material effect on the number of Microsoft 0days?

Posted by Dominic White

Last modified on 2006-06-15 09:51
May 31
Masters

My ISSA paper was just accepted as a full research paper. The comments were pretty good too, of course I am only quoting the good bits, but:

Reviewer One:

Excellent insight shown, well researched, very relevant topic.

Reviewer Two:

The paper presents an interesting and well-written discussion, which is extensively supported by references to existing literature.

Reviewer one had mostly grammatical corrections, but reviewer two built some positive arguments against some of my points, which is always a good sign of a thoughtful reviewer and meaty arguments. I think I can rebut them pretty easily and will add them to the paper.

Rhodes is sending down a well sized phalanx of presenters, and I will be proudly representing my company. I can't wait. I just hope those lazy Sensepost bums contribute something this year, instead of recruiting ;)

Posted by Dominic White

Last modified on 2006-06-01 15:40
Apr 18
Masters

Wow, it seems Microsoft managed to get their MS06-015 cumulative IE patch rolled out with only a few compatibility problems with older HP, NVIDIA, Siebel and Kerio Firewall products. Pretty good given the non-security ActiveX change they bundled in there.

Oh, they also fixed that security vulnerability that was actively exploited in the wild since March 23rd. Now given the lag time in patch deployment (current research suggests 19 days for internal machines), it should be just over a month that attackers have been able to wade through the average Windows box.

Can someone tell me why Microsoft decided that the best way to get a patch out as quickly as possible was to bundle a huge, non-security modification into it?

Posted by Dominic White

Last modified on 2006-04-18 08:15
Mar 10
Masters

Here is the abstract of the paper I submitted to ISSA 2006 today. It's mostly cut & paste from the introduction to one of my thesis chapters. I really should hand that in sometime. After Ben Nagy pointed out the awful flaws in my last attempt, I came up with some better arguments, but you only get to see those at or after the conference. I think they're pretty good.

Continue reading "Information Security South Africa 2006 Abstract"

Posted by Dominic White

Last modified on 2006-03-13 16:15
Jan 22
Masters

I would like to nominate Mary Landesman and Shavlik for the "Quality FUD" award, for their paper entitled Security Patch Management: Breaking New Ground. The subtitle is "A discussion of agent and agentless technology", although how this relates to the title is beyond me.

In this eight page paper with precisely five references (of which one, while using the word 'agent', is clearly referring to autonomous semantic-web based agents and not client/server architecture agents) she manages to make a plethora of unsubstantiated claims plainly meant to sell Shavlik's agentless technology. Her main ploy is to make it sound like installing agents on every machine is hard work, and so having to do that every time there is a patch emergency would be bad. Of course you only need to install them once, but let's not confuse 'facts' with the truth. She doesn't seem to realise that if her Shavlik software can deploy executable patch content it could probably deploy agents too, *sssh* don't tell.

This isn't a bash at Shavlik software or an endorsement of agent based solutions. She even quotes her CEO as saying he thinks the whole debate is a "red herring"; I prefer the term "a load of crap". If you are logging into a box remotely with administrator rights, then you aren't doing much different from an agent; the code just happens to be transmitted every time instead of stored locally.

I wonder how many morons they fool with this faux-academic ninja-marketing technique?

Posted by Dominic White

Last modified on 2006-01-22 22:23
Jan 20
Masters

Someone on the patchmanagement mailing list just asked how you do patch management on FreeBSD and OpenBSD! This has been a bugbear of mine for a while. Microsoft isn't good at patching; they are only just catching up. Personally I feel Debian and FreeBSD are the current industry leaders in the patch management field. Let me tell you why.

Continue reading "Non-M$ Patch Management"

Posted by Dominic White

Last modified on 2006-01-21 15:05
Jan 19
Masters

Blue Lane seems to be getting more attention. I found this post through SA's own Dimension Data's blog. I once wrote about Patch Point when a reader asked for my opinion on it. At the time their site had very little information and I suspected that the product was snake oil. Since then more information has been added, and the post at Rational Security cleared up my understanding.

I am now prepared to roll back my claim that it is snake oil, but it still looks like a stupid idea. The basic idea is that the 'virtual patch' will modify network traffic in the same way that the vendor's patch will. Thus if the vulnerability involves sending over large UDP packets, the inline patch will truncate them, or if it involves a SQL injection, the inline patch will strip the offending SQL.

This brings me to several points, which I will summarise:

  • Why is stripping a malicious request better than blocking it?
  • How is this different from an IPS?

Continue reading "Blue Lane Technology's Patch Point"

Posted by Dominic White

Last modified on 2006-02-13 17:02
Jan 18
Masters

Is it just me or did Oracle release over 100 patches in their latest critical patch update (CPU, good thing they chose an acronym not used for anything else in computing)? They claim that some vulnerabilities affect multiple products and their 'risk matrices' list the vulnerability for each product, which I assume would also need to be patched for each product.

They can't seem to get it right. They either release too few patches, ineffective patches, no patches or now, too many patches. Then again Pete Finnigan, who knows his Oracle, seems happy enough, so maybe I am missing something.

Oracle is following its usual 'partial disclosure' policy. Although several of the vulns are being researched and fully disclosed at

Good luck testing that sucker.

Posted by Dominic White

Last modified on 2006-01-18 07:20
Jan 15
Masters

Creating tables in LyX is a nightmare. This LyX wiki entry describes how to perform the 'missing' table manipulation functions.

Posted by Dominic White

Last modified on 2006-01-15 03:29
Jan 14
Masters

After fiddling with Brian Krebs's work yesterday (available at SecurityFix), I decided to take it a step further and draw some pretty graphs. Here the patches were sorted into chronological order based on the date of the original report. It is interesting to note that Microsoft patches vulnerabilities reported at the end of the year faster than they do those reported at the beginning. In the graphs, blue lines are full disclosure vulnerabilities and the orange are responsible disclosure vulnerabilities. The full disclosure graph also shows the large improvement in patch times in those cases. I used a 5-point rolling average for the trend curves. It is interesting to note the cyclical nature of the Patch Times on the summary graph. There aren't just random spikes and troughs; there are usually other highs and lows building up to them. It would be nice to know what projects were on at Microsoft that may lead to the general increase in patch times over that period; alternatively it could be the nature of the vulnerabilities. Any ideas?

Also in the last three years, Microsoft has:

  • Released 99 critical patches
  • Taken an average of 120 days to release a patch
  • Taken an average of 62 days to release patches for full disclosure vulnerabilities

The original spreadsheet is available in:

I changed the day calculations so that they will work in Excel, however Excel is unable to display the graphs correctly and just shows two sets of bars instead of bars and a trend line, so I recommend either the OpenOffice version or the HTML.

As an aside, what are the correct terms for the two types of disclosure? Responsible disclosure is a rather morally laden term, and calling the alternative irresponsible or non-responsible seems silly. I am using 'full disclosure' in this entry, but it seems wrong.

Posted by Dominic White

Last modified on 2006-01-15 00:06
Jan 13
Masters

While going over the research on Microsoft's time to patch produced by Brian Krebs at SecurityFix, I noticed a few things which didn't add up. His calculations for the number of days from internal or full disclosure until patch release appeared wrong. On double checking it seems they were. The calculations for 2005 were particularly bad, with a total of 118 days going missing or being added. There are many off by one errors, and in one case the disclosure date was listed after the patch release date; once the year was changed from 2003 to 2002 it made sense. For both 2003 and 2004 the number of patches was counted incorrectly! Given that the information was vetted by Stephen Toulouse of Microsoft, it is strange that they both missed this. The other possibility is that I have missed something; anyone care to double check my calculations? Brian has since seen this post and linked to it.

A spreadsheet is available with my calculations next to Krebs's. In my corrected days column I have italicized and centered the days where my results and his disagree. I used Open Office's DAYS() function, which just does a normal subtraction, to calculate the difference in the days.

While the errors were sometimes quite large, the average calculations are not badly affected, as the days were sometimes higher and other times lower than they should be. The dates are still hugely useful, and all sorts of interesting information can be derived from them (eg1, eg2); it would be nice to have the same info for other vendors. Thus, the new summary is:

                                    2003   2004   2005
Number of Critical Patches            34     28     37
Ave. Days from Report to Patch      90.7    136    134
Ave. Days from Disclosure to Patch  73.6     55     46

UPDATE: added link to SecurityFix's follow-up post and Dan Geer's work
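As an added example (not the spreadsheet from this post, nor Krebs's data), the script below does the same arithmetic the Jan 13 and Jan 14 posts describe: it recomputes days from report or disclosure to patch by plain date subtraction, flags the off-by-one and wrong-year errors described above, produces the per-year summary table, and applies the 5-point rolling average used for the trend curves. Every bulletin id, date and "claimed" day count in it is constructed sample data; the "MS-SAMPLE-nn" names are placeholders, not real bulletin numbers.

```python
"""Recompute and sanity-check "days to patch" figures (constructed sample data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class PatchRecord:
    bulletin: str            # constructed placeholder id, not a real bulletin number
    reported: date           # date the vendor was told (internal disclosure)
    disclosed: Optional[date]  # public disclosure date, None if not public before the patch
    patched: date            # patch release date
    claimed_days: int        # report-to-patch days as listed in the sheet being checked


# Constructed sample data. Record 01 has an off-by-one, 04 a larger error, and
# 05 has the "disclosure after patch" symptom caused by a wrong year on the report date.
SAMPLE: List[PatchRecord] = [
    PatchRecord("MS-SAMPLE-01", date(2004, 1, 10), None, date(2004, 4, 13), 95),
    PatchRecord("MS-SAMPLE-02", date(2004, 3, 1), date(2004, 5, 20), date(2004, 6, 8), 99),
    PatchRecord("MS-SAMPLE-03", date(2005, 2, 15), date(2005, 3, 1), date(2005, 4, 12), 56),
    PatchRecord("MS-SAMPLE-04", date(2005, 6, 1), None, date(2005, 8, 9), 50),
    PatchRecord("MS-SAMPLE-05", date(2005, 11, 8), None, date(2005, 2, 8), 92),
]


def days_between(start: date, end: date) -> int:
    """Plain subtraction of two dates; no +1, so same-day patches count as 0 days."""
    return (end - start).days


def check_record(rec: PatchRecord) -> Dict[str, object]:
    """Recompute report-to-patch days and classify any discrepancy with the claimed value."""
    actual = days_between(rec.reported, rec.patched)
    delta = rec.claimed_days - actual
    return {
        "bulletin": rec.bulletin,
        "actual_days": actual,
        "claimed_days": rec.claimed_days,
        "delta": delta,
        "off_by_one": abs(delta) == 1,
        "negative_span": actual < 0,   # report date after patch date: almost certainly a typo
    }


def check_all(records: List[PatchRecord]) -> List[Dict[str, object]]:
    return [check_record(r) for r in records]


def valid_records(records: List[PatchRecord]) -> List[PatchRecord]:
    """Drop records whose dates are still inconsistent so they cannot skew the averages."""
    return [r for r in records if days_between(r.reported, r.patched) >= 0]


def yearly_summary(records: List[PatchRecord]) -> Dict[int, Dict[str, Optional[float]]]:
    """Per patch year: patch count, mean report-to-patch days and mean disclosure-to-patch
    days (the latter only over records publicly disclosed before the patch shipped)."""
    buckets: Dict[int, Dict[str, list]] = {}
    for rec in records:
        b = buckets.setdefault(rec.patched.year, {"report": [], "disclosure": []})
        b["report"].append(days_between(rec.reported, rec.patched))
        if rec.disclosed is not None and rec.disclosed < rec.patched:
            b["disclosure"].append(days_between(rec.disclosed, rec.patched))
    summary = {}
    for year, b in sorted(buckets.items()):
        summary[year] = {
            "count": len(b["report"]),
            "avg_report_to_patch": round(sum(b["report"]) / len(b["report"]), 1),
            "avg_disclosure_to_patch": (round(sum(b["disclosure"]) / len(b["disclosure"]), 1)
                                        if b["disclosure"] else None),
        }
    return summary


def rolling_average(values: List[float], window: int = 5) -> List[Optional[float]]:
    """Centred n-point rolling average for trend curves; edge points without a full
    window are None rather than being computed over a shorter window."""
    half = window // 2
    out: List[Optional[float]] = []
    for i in range(len(values)):
        if i - half < 0 or i + half >= len(values):
            out.append(None)
        else:
            out.append(round(sum(values[i - half:i + half + 1]) / window, 1))
    return out


if __name__ == "__main__":
    for result in check_all(SAMPLE):
        print(result)
    print(yearly_summary(valid_records(SAMPLE)))
    print(rolling_average([c["actual_days"] for c in check_all(valid_records(SAMPLE))], 3))
```

Running it lists MS-SAMPLE-01 as an off-by-one, MS-SAMPLE-04 as a 19-day error and MS-SAMPLE-05 as a negative span (the year typo case), and the summary is computed only over the records whose dates are consistent, which is the order of operations the post implies: fix the dates first, then average.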

Posted by Dominic White

Last modified on 2006-01-14 21:33
