EUIST


Debunking mania – early warning systems and better security

September 7th, 2006

Previously we discussed:

>New threats and national warning systems – lessons to be learned

>Debunking 7 myths about network security – have you fallen for any of them?

>5 myths about Linux security

>24 Windows XP myths exposed

>Gattiker and Kaspersky – Debunking myths about hacking – outlining the trends

>Debunking the myths about PKI or – why it will most likely never work properly

Today we will focus on the challenges and problems Early Warning Systems [EWSs] face in delivering what they are supposed to deliver. We have suggested that one way of going about this challenge is to develop the criteria by which an EWS’ success can subsequently be measured, see here:

> What could be the characteristics of a successful Early Warning System?

One of the problems for a national early warning system is to clearly define the audience it is supposed to deliver relevant content to. Are these our grandparents, our teenage children, or both? If both, do they need the same type of information, or, put differently, are their computer skill levels similar?

To illustrate this challenge, a recent zero-day exploit was addressed and reported upon by most national EWSs such as:

> Melani – UPDATE of the warning: Vulnerability in Microsoft Powerpoint – patch available

However, when a zero-day exploit was reported this Tuesday (2006-09-05) for Microsoft Word, CyTRAP Labs in collaboration with CASEScontact.org decided to issue an advisory as outlined here:

>CASEScontact.org advisory – zero-day exploit – Microsoft Office 2000 and Word 2000 (2006-09-05 16:30)

things were no longer so clear (although many more put out an alert some time later :-) ). Should a national EWS report such a vulnerability? That depends on whether its target users have this type of software installed. A few EWSs apparently felt this was not the case, since they decided not to issue any warning or advisory in this regard:

>WAARSCHUWINGSDIENST.NL

>IT Safe UK

>CERT-In India

>AusCERT – Australia

>US-CERT

However, a few of the above warning systems will surely issue an alert or advisory once Microsoft has issued a patch. But until then, users seem to be left to their own devices and to fend for themselves regarding this recent social engineering attack using a Trojan Horse to take advantage of this vulnerability.

But why should no warning be issued, while an advisory is dispatched once the vendor has released a patch? The danger with zero-day exploits is that the exploit code is in the wild. Moreover, as is the case here, such vulnerabilities tend to be exploited by malicious users right now, before any patch exists.

Whatever the target audience is, most home-users have Windows and Microsoft Office installed on their machines. Hence, zero-day exploits affecting these products are generally of interest if one has the same version of the software running on one’s PC.

The media attention this zero-day exploit using a Trojan Horse got was substantial. In fact, several high traffic news sites had articles the same day CASEScontact.org released its advisory, see here:

>Trojan targets 0-day Word vuln (2006-09-05)

>New Microsoft Word flaw being used in attacks. Microsoft confirmed the bug, but would not say when it plans to fix the problem (2005-09-05)

The above suggests that home-users will definitely have heard about the exploit. Hence, even if one considers the threat to be a minor nuisance, since one has to fall for the social engineering attack before getting infected, the widespread attention given the threat in the news justifies a response. Accordingly, an advisory might be a good strategy to communicate to subscribers and target audiences that one is on the ball and aware of this development. Naturally, how they can protect themselves must be addressed in such an advisory, since no fix is currently available to patch the vulnerability. However, most anti-virus software vendors have updated their signatures to catch the culprit.

This would suggest that many national EWS services must address target audiences and relevance (what is important to whom) with a clearer focus. If an EWS fails to do this, it may be neither effective nor serve citizens as well as was expected when its founders launched it and policy makers approved its funding. A more in-depth analysis of this challenge is available here:

>Gattiker, U. E. (2006). An Early Warning System for Home Users and SMEs: The Ropes to Skip. In Proceedings Critis 06 – Critical Information Infrastructures Security, Samos – Greece

If these critical issues are not addressed, EWSs will continue to have difficulty satisfying their various stakeholders. This would be unfortunate, since the threats to our information assets have not decreased but seem to be heading in the opposite direction.

Update 2006-09-07

Sometimes it is better late than never.

>Melani Warning: Temporary higher risk for Microsoft Word users (07.09.2006 09:50)

“The rumors about a critical vulnerability in the word processor Microsoft Word have been confirmed by Microsoft. …”

But it does not necessarily instill trust to hear talk of rumors when tests have shown that the exploit code is available and works, i.e. it infects the system. Moreover, waiting until Microsoft confirms the vulnerability implies that until they do, it is not a problem… or is this just a bad choice of words?

Update 2006-09-09

> US-CERT Warning – Microsoft Word Vulnerability (07.09-2006 22:22)

US-CERT also decided late last night to issue an alert (technical one as well as one for home users), just about 3 days after vendors had announced this zero-day exploit.
