Why an INFOSEC Zeitgeist report?
First things first - what does Zeitgeist mean? According to the Collins English dictionary, zeitgeist means "the spirit, attitude, or general outlook of a specific time or period, especially as it is reflected in literature, philosophy, etc." I hope to illustrate (graphically) the popular trends and topics of the INFOSEC community during 2003. The inspiration for my report is the Google Zeitgeist report which illustrates the top searches on Google.com during the preceding year.
My findings are based on numerous security mailing list e-mails that I collected during 2003 and analyzed. The report is split into two sections: Year in Review and specific topics. If you're not certain how to interpret the report, read how to interpret the graphs. A PDF version of this report will be made available to those who sign up for my low-volume INFOSEC Zeitgeist mailing list. As the famous IT philosopher Yogi Berra used to say, "You can observe a lot by watching." I watched over 90,000 e-mail messages and this is what I observed. I hope you enjoy it.
Year in review
General events in the news:
- SQL Slammer stunned security professionals world-wide with its record-setting rapid propagation
- Gartner pronounced intrusion detection systems (IDS) dead
- Server theft grew as a method for stealing information
- There was a changing of the guard as Richard Clarke and Howard Schmidt moved on from their government positions
- Quantum cryptography became a real commercial offering through Magiq Technologies
- Thanks to continued diligence by Lance Spitzner, honeypots became increasingly viable as a component of a defense-in-depth security strategy
- Keylogger software and hardware were increasingly used to steal information
- E-mail and Web site phishing rose in frequency as cybervandals looked for new ways to exploit computer users
- President Bush approved the National Strategy to Secure Cyberspace
- The Department of Homeland Security (DHS) established a new National Cyber Security Division
- The Department of Health and Human Services published the final version of health care information security standards under HIPAA
- DHS moved forward with plans for the creation of a US CERT
There was a small spike in early March 2003 related to a Sendmail buffer overflow advisory. Later during the same month there were a large number of messages related to Microsoft Security Advisory MS03-007.
July 2003 was a very bad month for security, with messages related to buffer overflows in Microsoft HTML, Microsoft RPC, RedHat Linux nfs-utils, and Sun Solaris Runtime Linker. Other hot topics included a Cisco IOS denial of service vulnerability, Integer Overflows in Microsoft Windows Direct X, Cisco Aironet vulnerabilities, and a FreeBSD denial of service vulnerability.
Of course the vulnerability that received the most notoriety was the ubiquitous Microsoft RPC vulnerability, which became the attack vector for MS Blaster only 26 days after its public security bulletin.
During September there was a tremendous amount of discussion related to newly discovered Microsoft RPCSS vulnerabilities as well as a remote root exploit for default Solaris OS installations and messages related to vulnerabilities in OpenSSH.
In late November there was a spike in traffic related to advisories pertaining to implementations of BIND, OpenPKG and the Applied Watch IDS suite.
In April there was a definite surge in traffic related to the release of Apache Webserver version 2.0.45 which fixed several DoS vulnerabilities. Some discussion also spread at the same time regarding two exploits 'apache-nosejob.c' and 'apache-scalp.c' that target the Apache chunked encoding vulnerability.
In July there were discussions related to limiting the execution context of Apache on Linux and UNIX servers, "strange connect entries" found in Apache logs, and a privilege escalation exploit against Apache version 1.3.27.
In late October and early November there was a resurgence in messages related to directory traversal vulnerabilities and data-leaking vulnerabilities in older versions of Apache. During early December there were a number of messages focused on how to use secret key authentication with Apache running on a FreeBSD server.
During July there was a string of messages related to the Multiple Vulnerabilities in Apple QuickTime/Darwin Streaming Server advisory posted by Rapid7 Security. In August there was a discussion of how to set up Apple iSight for videoconferencing within the context of an appropriate firewall policy.
During October there was interest and excitement in Apple's release of Panther (Mac OS X 10.3). During December there were a number of messages related to OS X security holes, in particular a DHCP flaw that allows remote exploitation of vulnerable systems and a local DoS vulnerability.
During March there were a number of discussions related to attacks. Many real-world attacks on the Sendmail vulnerability described in CA-2003-07 were seen. Microsoft Terminal Services were theorized to be vulnerable to attack. A new timing attack on OpenSSL was released. There were also discussions on attacks against Check Point firewall syslog servers and how to detect various Unicode string encoding attacks.
During May there was a resurgence in discussions related to OpenSSH/PAM timing attacks, attack attempts for a specific IP address (sorry - I won't list it here), how to detect cross-site scripting attacks, and recovery and remediation steps to take when under DDoS attacks.
In mid to late August there was a huge amount of traffic related to the term blast or blaster. This can be attributed to the widespread Blaster worm that exploited vulnerabilities in Microsoft DCOM RPC. (See also RPC for additional information).
Traffic related to Cisco surged as news of a DoS vulnerability in Cisco IOS spread (see CERT Advisory CA-2003-15 for the full story).
In late August there was a substantial amount of traffic related to the compromise of the FTP server ftp.gnu.org by intruders. Because of the widespread distribution of software from the GNU project, CERT produced an advisory.
In early September there was a buzz about Israeli researchers having discovered a way to break the encryption used by the GSM mobile phone network.
A deluge of defacements were reported by Zone-H in April.
In early June there was interest in the "Defacement Challenge" announced by Zone-H but in the end it was a complete flop.
The debate over full-disclosure of security vulnerabilities raged on in 2003. Nevertheless, the Full-Disclosure list had a substantial amount of postings, peaking in August with 1,992 messages and September with 1,852 messages.
Public interest in eEye peaked in August as security professionals discussed eEye's analysis of the Blaster worm and eEye released its Internet Explorer Object Data Remote Execution Vulnerability announcement.
Exploits rose to the forefront of community discussions four times in 2003:
In September there were several discussions about yet another , a fake SSH vulnerability, and possible exploitation of the Internet Explorer Object Data Remote Execution Vulnerability announced by eEye.
During October administrators and security professionals discussed risks from a new IRC exploit that was circulating and the theft of the Half-Life 2 source code, which allegedly was accomplished with an exploit against Outlook's preview pane.
In November the Gobbles SSH exploit (from 2001) was resurrected as a hot topic.
November saw a large amount of discussion related to security flaws in Bluetooth as well as three flaw announcements from Microsoft: "Certificate Validation Flaw Could Enable Identity Spoofing", "Flaw in Microsoft Word Could Enable Macros to Run Automatically", and "Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution".
Bill Gates rose in the news after having an interview where he expressed that despite the recent SoBig virus, Microsoft software is becoming increasingly reliable.
He also created quite a stir in late October when he expressed "You don't need perfect code to have good security." While this statement may be true, it was not received well by critics of the Redmond software giant.
There was a rise in interest in "hackers" (interpretations of that term vary widely) during April, when several stories circulated about "patriotic hackers" and US funding granted to Theo de Raadt, the famous OpenBSD "hacker."
IBM was thrust to the forefront of INFOSEC discussions several times in 2003, most notably:
During April an IBM employee was "flamed" for his vacation e-mail replies that members of the Full-Disclosure list felt annoyed by. (Strange but true).
During July SecuriTeam released three security advisories pertaining to IBM's U2 UniVerse 10.x.
In August it was announced that IBM and SuSE had received a Common Criteria certification for SuSE Linux Enterprise Server 8.
In September there were numerous discussions related to vulnerabilities discovered in some implementations of DB2.
In late March a vulnerability announcement was released by Microsoft that detailed a buffer overflow in ntdll.dll (used by IIS for WebDAV), allowing arbitrary code execution as LocalSystem by default. Vulnerable systems included those running IIS 5.0 on Windows 2000. Message volume related to IIS peaked as security professionals tried to share information on how to identify log entries of exploited IIS servers and on how to configure IDSes to detect this variety of exploit activity.
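The log-entry question above is worth making concrete. The public exploits for the WebDAV/ntdll.dll overflow sent a WebDAV request (typically SEARCH) whose URI was tens of thousands of bytes long, which shows up in the IIS W3C extended log as a SEARCH line with an enormous cs-uri-stem. The script below is an added example, not code from the original report or from any list posting: it parses W3C extended log text using the #Fields header, flags WebDAV methods whose URI exceeds a threshold, and counts hits per client address. The log lines are constructed for illustration and the 4096-byte threshold is an assumption chosen to sit between legitimate WebDAV URIs and the exploit payloads.

```python
"""Flag oversized WebDAV requests in IIS 5.0 W3C extended log lines.

Added example, not from the original report. The sample log below is
constructed, and LONG_URI_THRESHOLD is an assumed cut-off.
"""
from collections import Counter

WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK",
                  "MKCOL", "COPY", "MOVE"}

# Assumption: legitimate WebDAV URI stems are short, while the public
# exploit URIs were tens of thousands of bytes. 4096 sits between the two.
LONG_URI_THRESHOLD = 4096

# Constructed sample of an IIS 5.0 W3C extended log (not a real capture).
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Version: 1.0\n"
    "#Date: 2003-03-18 00:00:00\n"
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status\n"
    "2003-03-18 03:12:01 10.0.0.5 GET /default.htm 200\n"
    "2003-03-18 03:12:05 10.0.0.5 PROPFIND /scripts/ 207\n"
    "2003-03-18 03:13:44 192.0.2.77 SEARCH /" + "A" * 5000 + " 500\n"
    "2003-03-18 03:14:02 192.0.2.77 SEARCH /" + "X" * 65000 + " 500\n"
    "2003-03-18 03:15:10 10.0.0.9 GET /images/logo.gif 304\n"
)


def parse_w3c_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue  # #Software, #Version, #Date carry no records
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        values = line.split()  # W3C logs encode spaces in values as '+'
        if len(values) != len(fields):
            continue  # malformed or truncated entry
        records.append(dict(zip(fields, values)))
    return records


def find_long_webdav_requests(records, threshold=LONG_URI_THRESHOLD):
    """Return WebDAV requests whose cs-uri-stem is longer than threshold."""
    hits = []
    for rec in records:
        method = rec.get("cs-method", "").upper()
        uri = rec.get("cs-uri-stem", "")
        if method in WEBDAV_METHODS and len(uri) > threshold:
            hits.append({
                "time": rec.get("date", "") + " " + rec.get("time", ""),
                "c-ip": rec.get("c-ip"),
                "method": method,
                "uri_len": len(uri),
                "sc-status": rec.get("sc-status"),
            })
    return hits


def summarize_by_ip(hits):
    """Count flagged requests per client address."""
    return dict(Counter(h["c-ip"] for h in hits))


if __name__ == "__main__":
    flagged = find_long_webdav_requests(parse_w3c_log(SAMPLE_LOG))
    for h in flagged:
        print("{time} {c-ip} {method} uri_len={uri_len} "
              "status={sc-status}".format(**h))
    print(summarize_by_ip(flagged))
```

Run it against a real log by passing the file contents to parse_w3c_log. The short PROPFIND from a legitimate WebDAV client is deliberately left alone; only the two oversized SEARCH requests from the same source are reported, which is the pattern an administrator would want to correlate with IDS alerts and with unexpected processes running as LocalSystem on the server.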
In mid-July there was a renewed interest in how to generate SSL certificates for creating encrypted sessions with IIS. Another topic of interest in July was the availability of tools like IISLockdown and URLScan for shoring up the security of Web servers.
In August an advisory related to vulnerabilities in IISShield was released and the discussion of IISLockdown and URLScan continued.
During October Snort users collaborated on a number of problems related to the configuration of web-iis rules for protecting IIS servers. There was also a renewed public interest in how to configure IIS for encrypted sessions using Microsoft's built in certificate capabilities.
Linux remained a hot topic throughout 2003. During April the Linux topics in the community were using Linux and the dd utility to create forensic images, network intrusion detection systems (NIDS) running on Linux, Linux firewalls, and problems with SuSE Linux 8 Professional when running the security update tool.
In May a number of discussions related to Linux OS hardening popped up, as well as Linux migration security issues (moving from a Windows environment to a Linux environment).
From October to December the security community was abuzz with several issues related to Linux. A researcher from Germany discovered multiple root exploits for SuSE, Linux rootkits were hot, and thoughts on "secure coding" dominated discussion lists. An uncommonly large number of security advisories were released, detailing vulnerabilities in many applications including: Apache (1.3 and 2.0), BIND, Bugzilla, conquest, CUPS, CVS, EPIC (epic4), Ethereal, fetchmail, fileutils, freesweep, gdm, glibc, GnuPG, HylaFAX, iproute, ircd, irssi, lftp, libnids, the Linux kernel, marbles, minimalist, mpg123, MPlayer, MySQL, OpenSSH, OpenSSL, Pan, Perl, phpSysInfo, Pine, PostgreSQL, ProFTPD, rsync, SANE, screen, Sendmail, Stunnel, teapop, thttpd, tomcat4, vixie-cron, webfs, XFree86, xboard, xchat, xinetd, and zebra.
During 2003, "it was the best of times, it was the worst of times" at Microsoft. While high profitability continued, a number of security flaws were discovered. Major security-related events:
The week of March 20, 2003, Microsoft released 'Security Bulletin MS03-007 Unchecked buffer in Windows component could cause Web server compromise'. (This refers to the IIS WebDAV vulnerability.)
The week of July 17, 2003, Microsoft released three Security Bulletins, MS03-026, MS03-027 and MS03-028. The critical one was MS03-026, a DCOM/RPC buffer overrun that could permit remote exploitation of Windows computers; MS03-027 concerned the Windows Shell and MS03-028 concerned ISA Server.
The week of August 14, 2003 was the week the MS Blaster worm hit the public Internet. Blaster exploited the DCOM/RPC vulnerability disclosed in July.
During the week of September 16, 2003, a new remotely exploitable remote procedure call (RPC) vulnerability in Windows was announced.
The week of November 13, 2003, included an announcement of security vulnerabilities in the product Microsoft Office.
The full featured open source vulnerability scanner Nessus remained a popular topic throughout the year. In February numerous discussions emerged related to the release of Nessus version 1.3.4 and Nessus 2.0.0.
In late May Nessus 2.0.6 was released and a vulnerability in the Nessus NASL scripting engine was disclosed.
During early November security researchers discussed using Nessus to detect non-random IP IDs. Other hot topics in November included how to use Nessus remotely and issues associated with using Nessus in a network with DHCP enabled.
The world's most popular port scanner was a frequent topic of discussion among security professionals. Kudos to Fyodor for this great tool!
In June nmap 3.28 and 3.30 were officially released, featuring substantially improved OS detection capabilities. (Although if OS detection is critical, another OS detection program is Ofir Arkin's Xprobe2).
During late October the security community raved about the version detection features of nmap versions 3.45 and following.
In February Oracle published five security alerts referring to components of the Oracle 9i product line.
During late April an Oracle buffer overflow vulnerability was disclosed by NGSSoftware.
In late July Secunia released advisories related to vulnerabilities in the Oracle E-Business product suite.
Shortly after Halloween NGSSoftware released news of multiple SQL injection vulnerabilities in Oracle 9i.
The Portable Document Format (PDF) was not a frequent topic of discussion, but it did manage to obtain some public interest during the summer. In June a hacker using the pseudonym hack4life leaked information, stolen from CERT/CC, about vulnerabilities in some PDF readers.
During July, further details of PDF reader vulnerabilities were discussed.
In October members of the legal community tried to determine if exporting Microsoft Word documents to PDF would strip all of the document metadata.
At the end of the year researchers explored issues related to Internet Explorer error messages related to downloading PDFs using SSL.
Remote Procedure Call (RPC) implementations were not frequently discussed, but public interest in them did spike as a result of several prominent Microsoft vulnerabilities.
In July Microsoft released MS03-026, Buffer Overrun In RPC Interface Could Allow Code Execution.
During August numerous copies of proof-of-concept exploits for DCOM RPC circulated. On the 11th, the Blaster worm began spreading across the Internet, using the RPC vulnerability disclosed in July. This particular malicious code event was particularly disheartening, as it showed that the window of time from public release of a vulnerability to a widespread exploit had narrowed to a mere 26 days.
Shortly thereafter in September, eEye released notification of an RPC Heap Corruption Vulnerability similar to, but not as dangerous as, the RPC flaw discovered in July.
The Sun Solaris operating system frequently was a topic of discussion during 2003. In April the dominant topics were secure FTP (SFTP) and secure copy (SCP).
In June a remote buffer overflow for Solaris was announced.
During July iDefense released a security advisory related to a buffer overflow in the Sun Solaris Runtime Linker. The same month, Secunia released an announcement of a Solaris DoS vulnerability related to IPv6 services.
In September iDefense released an advisory explaining how misconfigured sadmind on Solaris can allow attackers to execute arbitrary commands with super-user privileges.
Secunia released four advisories in October related to NFS Client Request Denial of Service, an Ethernet Driver Frame Padding Vulnerability, Mounted Pipe and STREAMS Routines Denial of Service, and a sysinfo Kernel Memory Disclosure Vulnerability.
Structured Query Language (SQL) was a major topic of discussion. In January there was a huge exchange of messages related to the rapid spread of the SQL Slammer worm, which propagated using a known vulnerability in SQL Server 2000 and the Microsoft Desktop Engine (MSDE) 2000.
During February the security community focused on post event analysis from the SQL Slammer worm, as well as a rise in the occurrence of SQL injection attacks.
In mid-April databases were still all the rage, and discussions related to: a Microsoft SQL vulnerability announcement, an EnGarde Secure Linux advisory related to a MySQL root exploit, and problems and issues with using MySQL and ACID for data analysis.
Quite predictably, computer viruses were discussed quite a bit throughout the year. The time period of most interest was from mid-August to late September following the SoBig worm.
In November the Voltan virus rose to prominence after providing a mechanism for a criminal to steal over $100,000, furthering the trend that viruses are being written for financial profit rather than ego inflation.
The WebDAV (Web-based Distributed Authoring and Versioning) protocol jumped to the forefront of INFOSEC discussions following announcements from CERT and Microsoft that IIS was vulnerable to a buffer overflow through its WebDAV implementation.
Issues related to worms (the nastiest form of malicious code) rapidly became the dominant concept of the month of August with the spread of the Blaster worm. Blaster cast a dark cloud over the security community, as it was the first widespread malicious code outbreak to hit the public Internet less than a month after the disclosure of the vulnerability it used to spread.
Conclusion
This report does not attempt to cover every element of INFOSEC in 2003. Instead, it focuses on events and trends that surpassed the threshold of "average number of messages" for a given topic within the INFOSEC community. The graphs present the emergence and disappearance of dominant topics over time. They are interesting in their own right, but doubly interesting when combined to show the relationship between associated topics (see the combination of WebDAV and IIS, or the overlay of RPC, worm, and blast below). If you are interested in my research and want more information, send me an e-mail. If you'd like to receive future releases of INFOSEC Zeitgeist information, be sure to sign up on my mailing list.
How to interpret the graphs
About the author
Abraham Usher received a B.S. in Modern Standard Arabic and German language studies from West Point, and an M.S. in Information Systems from George Mason University. He is a thought leader in open source intelligence collection and analysis, and has substantial experience in designing and implementing information architectures. Mr. Usher is a Certified Information System Security Professional (CISSP) and a proponent of Open Source software.