12/14/04

History Lost

I've lamented the loss of historical memory in a few places this year. I grouched about it on the firewall-wizards mailing list yesterday, where I corrected a perfectly nice guy who said, "This is the classic 'eggshell' weakness of network security, hard and crunchy on outside, soft and chewy on the inside."

I said that this was an example of the loss of historical data we experience in network security. I pointed out that the "classic" is Bill Cheswick's "crunchy shell around a soft, chewy center." (This is from "The Design of a Secure Internet Gateway," whose date is not stated in the version I have.)

At this point, you're perhaps thinking that I sound like a grouch, and that I grouched about it because I am a grouch. Well, maybe.

In my defense, please see some previous blog entries. I referred to this as a problem in this blog entry from 20 Sep 2004. That entry references an earlier blog entry, "Security Redux," and a column I wrote.

In response to my firewall-wizards posting, Dr. Tina Bird e-mailed the following:
2004 compromises look very similar to 1989 compromises: bad passwords, insecure configurations, unpatched software. For example:
"Recently, the CERT/CC has been working with several Unix sites that have experienced breakins. Running tftpd, accounts with guessable passwords or no passwords, and known security holes not being patched have been the bulk of the problems." - October 17, 1989

So let's see:
  • the Agobot family of Windows exploits -- bad passwords
  • Blaster/Sasser/SQL Slammer -- unpatched software
  • hordes of exploits propagating over peer-to-peer apps with insecure configurations...
It's not an OS insecurity issue, it's the bloody humans!

References for compromised machines from CERT:
Thanks, Tina. I wish it weren't so.
