Another six months have passed – must be time for BlueHat, Microsoft’s internal security conference.
This one is shaping up to be an interesting one. The early BlueHats were all about the raw technology – Shok blowing out the memory manager, Brett Moore facepalming over yet another file format vulnerability. But determining vulnerability requires more than just understanding technology. At the end of the day, there are bad guys, and bad guys don’t necessarily have to take the geekiest of routes to get what they want. So there’s an interesting thread that appears to run through many of the talks this year, linking what we are capable of doing as engineers, with what attackers have been doing as criminals.
For my part, I’ll be talking (unsurprisingly) about the DNS vulnerabilities that made a bit of noise earlier this summer. That was quite the experience, and indeed, continues to be. DNSSEC is making astonishing progress – there’s no question about that. It’s also not going to be deployed on 99% of authoritative servers anytime soon – even .GOV is looking at two years to get coverage across their bailiwick. And the numbers for the pragmatic fix (Source Port Randomization) continue to be astonishingly good. But there is indeed demand for better, and one of the interesting things I’ll be able to discuss is:
What now? What should the next interim fix look like? What is the full set of scenarios that needs to be covered, to justify going through another patch cycle? What sort of real-world deployments do we need to be compatible with?
And why do we have to fix this, anyway? Why are so many things broken, to the point that they fail trivially when attacked by a basic man-in-the-middle?
These are hard questions. The answers to them are not all to be found in DNS, or even just in technology. What has been a clear and fascinating realization is that not just this one vulnerability, but all the major vulnerabilities of 2008, have been linked to a complete failure to authenticate. Whether it’s Mike Perry finding that many (most?) SSL sites leak their authentication cookies out to unencrypted parties, or it’s Mike Zusman finding that many (most?) SSL-VPNs don’t actually validate that they’re encrypting their payloads to anyone in particular, or it’s Wes Hardaker finding out that SNMPv3 barely makes a user authenticate at all – a remarkable number of problems are all being found that trace back to us having no idea who we’re talking to.
Identity is not, and never will be, merely a problem of technology. It will take tech to fix – but it will take something more, too. It will take some work to figure out exactly what that something will be – but we have at least one significant data point showing a shocking number of companies expending a tremendous amount of effort, all in pursuit of doing the right thing for themselves and for their customers. We can, and should, learn from this experience, and I look forward to exploring this all at BlueHat.
Dan Kaminsky, IOActive