Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

11/20/2006
07:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Hackers Train Sights on Vista, Forefront

Despite all advance testing, hackers aren't worried Microsoft's new security products will cut into their livelihood

This is the final in a series of articles on Microsoft's security play.

Got a visual of hackers snickering at Microsoft's Windows Vista and security tools and effortlessly hacking away at them from their workstations? Or, maybe of exhausted, caffeine-guzzling hackers pounding their fists in frustration at the newly fortressed Vista that has them locked out?

Either way, you've got the picture all wrong.

White-hat hackers, or researchers, aren't dissing Microsoft's security plans, nor are they particularly worried about it cutting into their livelihood, they said in recent interviews with Dark Reading. Instead, they give Microsoft credit for raising the bar with Vista's built-in security features, and they're mostly ambivalent about Microsoft's new Forefront Client Security antivirus and anti-spyware tool. (See 800-Pound Gorilla Sits on AV, Microsoft Releases Forefront, The Vista-Forefront Security Two-Step, and Microsoft Beckons to Early Adopters.)

Vista -- which officially gets launched next week, on November 30 -- is no pushover, with its built-in firewall, user account control, and kernel patch protection, they say. "It's now a lot harder -- you've got to be able to do kernel programming and debugging," says researcher Jon Ellch, a.k.a. johnny cache, who is most famous for his wireless exploits and fingerprinting tool. "This severely ups the ante." (See New Tool Dusts for Fingerprints.)

Forefront, however, will be more of a hurdle for script kiddies and other novice hacker types, Ellch says, not for skilled researchers. "Hackers don't give a damn about antivirus software," Ellch says. "It gets you caught once you're already in. If you haven't been caught by AV before, you didn't have to worry about it. AV protects you from script kiddies" only.

HD Moore, director of security research for BreakingPoint Systems and the creator of the popular Metasploit hacking tool, agrees. "Forefront Client Security does nothing to solve the core problem of vulnerabilities. It just shuts out the third-party anti-spyware/rootkit/malware/antivirus vendors."

But if Forefront is better, cheaper, and easier to get and maintain than existing AV tools, it could keep hackers on their toes, according to Moore. "Then it might raise the bar on pen-tests and drive-by download-type attacks."

Moore says Forefront could be a boon for hackers if, as third-party security vendors fear, they eventually get shut out of the market by Microsoft. He says fewer vendors would simplify the task of finding holes, since there would be fewer tools (including Microsoft's) left standing. "The [fewer] security solutions that are out there, the easier it is for me."

Vista will be a tougher nut to crack, however, hackers say, although most say they haven't wasted their energy hammering on the beta version. "Microsoft has made a lot of good improvements to security with Vista, but it's really too early to tell how things will go," says Marc Maiffret, CTO and chief hacking officer at eEye Digital Security. "We have taken a look at it from a product and overall architecture perspective, but we've not yet started to look for any bugs."

Microsoft put Vista under the hacker microscope during the development process, says Dan Kaminsky, director of penetration testing for IOActive, and one of the researchers who looked for potential hacker holes in Vista during its development. "I spent most of '06 working on Vista and working on problems hackers might be looking for," he says. "There were things we found and things we got closed... Certainly, Vista has closed lot of holes that have been around for a very long time."

Still, Kaminsky says, there will be Vista exploits. "But it will be a harder target, no argument about that."

Microsoft applauded the feedback it has received from researchers on Vista. "Security researcher feedback on Windows Vista has been unprecedented. That said, it’s important to remember that no software is 100 percent secure," says a Microsoft spokesperson. "Microsoft is working to keep the number of security vulnerabilities that ship in our products to a minimum, through our Security Development Lifecycle process, and that work is paying off."

And researchers agree there's no such thing as a bulletproof OS or client machine. "They [Microsoft] can't eliminate vulnerabilities, but they can make it trivial to find old vulnerabilities," says Thomas Ptacek, a researcher with Matasano Security. "Microsoft makes it harder for them [researchers], but that creates a whole new slew of Black Hat talks."

Hackers aren't worried that Vista's security will slow their business. "Every new release brings new challenges and new opportunities for employment," says Mark Loveless, a.k.a. simple nomad, and security architect for Vernier Networks.

"I think if you asked most researchers, they'd say that they want the bar raised," Ptacek says. "Writing an exploit for a well-known vulnerability is a commodity skill. Teenagers can do it. And they charge less than we do."

Meanwhile, the irony of Microsoft elbowing out competitors that have been securing Windows desktop products for years isn't lost on the research community.

"I think the funniest part is how Microsoft gets to play both sides," Moore says. "Take advantage of the poor security record of their products and at the same time shut out all the third-party solutions, all to sell something new."

And hackers respect the constant game of catch-up that Microsoft is forced to play with them.

"It's an arms race and the attackers definitely have the advantage," says Loveless. "Microsoft has the disadvantage because they have to patch every single hole, and hackers only have to open one at a time."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • BreakingPoint Systems
  • Microsoft Corp. (Nasdaq: MSFT)
  • eEye Digital Security
  • IOActive
  • Vernier Networks Inc. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
     

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Threaded  |  Newest First  |  Oldest First
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 6/3/2020
    Data Loss Spikes Under COVID-19 Lockdowns
    Seth Rosenblatt, Contributing Writer,  5/28/2020
    Abandoned Apps May Pose Security Risk to Mobile Devices
    Robert Lemos, Contributing Writer,  5/29/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: This comment is waiting for review by our moderators.
    Current Issue
    How Cybersecurity Incident Response Programs Work (and Why Some Don't)
    This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
    Flash Poll
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-13777
    PUBLISHED: 2020-06-04
    GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TL...
    CVE-2020-10548
    PUBLISHED: 2020-06-04
    rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
    CVE-2020-10549
    PUBLISHED: 2020-06-04
    rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
    CVE-2020-10546
    PUBLISHED: 2020-06-04
    rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
    CVE-2020-10547
    PUBLISHED: 2020-06-04
    rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.