CyberSecurity Institute

A silicon.com article (http://software.silicon.com/security/0,39024655,39128296,00.htm) revealed Immunity and its founder Dave Aitel have been causing a stir in the security world in recent months with a business model branded “unethical” but entirely above-board. The greatest source of growing concern appears to focus on the NDA and the potential for anybody to sign up and pay the price for notification of vulnerabilities.

One rival bug finder, who operates along the more traditional lines of informing the affected vendor of the flaw in its product and working with them to patch it before releasing any details of the vulnerability, has hit out at Immunity Inc. Drew Copley, senior research engineer at eEye Digital Security, told silicon.com the situation of signing members to a non-disclosure agreement in return for information on security vulnerabilities is “extremely unethical”. Simon Perry, VP security strategy at CA, told silicon.com: “Knowledge cannot be effectively controlled. “NDAs in the IT community as a whole are not taken seriously and there do not appear to be adequate controls to ensure that the information does not leak to those who have an interest in creating a dangerous exploit. It does not improve security overall,” he added.

Perry also questioned whether Aitel’s customers are getting value for money. Because vendors are kept out of the loop, flaws go un-patched while Immunity’s customers are given a workaround. “You’re given a workaround by Immunity, but you don’t have a fix — a patch from the vendor that permanently addresses the problem.

http://software.silicon.com/security/0,39024655,39128621,00.htm

At its recent TechFest event, it described how its Vigilante project is using “honeypots” to automatically spot and remove worms as they enter networks. Microsoft added that this is a research project, and it has not decided if or when such tools should be built into Windows.

A computer honeypot is a server with an unpublished IP address. Honeypots are usually connected to the internet rather than a LAN, and the use of otherwise redundant IP addresses virtually guarantees that any attempts to access the server are from a worm or other unauthorised activity. Worms often select random IP addresses to attack, so are just as likely to attack a honeypot server as they are a genuine server. Monitoring tools running on the honeypot inspect the incoming TCP/IP connections and can automatically produce signature files that would allow a suitable firewall to filter out any such packets sent to production servers.

Honeypots are popular with security experts, but Microsoft would be the first major software vendor to build such tools into mainstream computer software. It is well placed to do so because honeypot systems are best deployed using server virtualisation tools.

Microsoft detailed the Vigilante project in a paper written by two Microsoft researchers with Manuel Costa and Jon Crowcroft from the University of Cambridge. In a section examining the scale of the problem, the authors note, “Worms can spread too fast for people to respond. For example, the Slammer worm infected 90 percent of vulnerable hosts in 10 minutes.”

The report concludes that honeypots can deal with the problem. “Our preliminary results show that Vigilante can effectively contain fast-spreading worms that exploit unknown vulnerabilities.”

Lab data from the Vigilante project indicates that a small number of honeypot systems could protect a large network of servers. “[Our data] shows that a very small fraction of detectors, 0.001, is enough to contain [infection from a worm like Slammer] to less than 10 percent of the vulnerable population.” The researchers noted, “Dynamic dataflow analysis is able to detect an attack even when it does not overwrite program data structures. Dynamic dataflow analysis can also be used with self-modifying code and dynamically generated code. Furthermore, access to the source code is not required.”

In addition to the honeypot project, Microsoft is developing a protective architecture that can re-write software as it is being run, to add new checks to prevent hackers from hijacking servers by exploiting buffer overflows.

http://www.vnunet.com/news/1161845