Why an INFOSEC Zeitgeist report?

First things first - what does Zeitgeist mean? According to the Collins English dictionary, zeitgeist means "the spirit, attitude, or general outlook of a specific time or period, especially as it is reflected in literature, philosophy, etc." I hope to illustrate (graphically) the popular trends and topics of the INFOSEC community during 2003. The inspiration for my report is the Google Zeitgeist report which illustrates the top searches on Google.com during the preceding year.

My findings are based on numerous security mailing list e-mails that I collected during 2003 and analyzed. The report is split into two sections: Year in Review and specific topics. If you're not certain how to interpret the report, read how to interpret the graphs. A PDF version of this report will be made available to those who sign up for my low volume INFOSEC Zeitgeist mailing list. As the famous IT philosopher Yogi Berra used to say, "You can observe a lot by watching." I watched over 90,000 e-mail messages and this is what I observed. I hope you enjoy it.

Year in review


General events in the news:
Items related to specific technical issues:
  • Quantum cryptography became a real commercial offering through Magiq Technologies
  • Thanks to the continued diligence of Lance Spitzner, honeypots became increasingly viable as a component of a defense-in-depth security strategy
  • Keylogger software and hardware were increasingly used to steal information
  • E-mail and Web site phishing rose in frequency as cybervandals looked for new ways to exploit computer users
Related to high level policies:

Specific topics

Topics: advisory, Apache, Apple, attack, blast, Cisco, crack, DB2, defacement, disclosure, eEye, exploit, flaw, Gates, hacker, IBM, IIS, linux, Microsoft, Nessus, nmap, Oracle, PDF, RPC, Solaris, SQL, virus, webDAV, worm.


advisory

There was a small spike in early March 2003 related to a Sendmail buffer overflow advisory. Later during the same month there were a large number of messages related to Microsoft Security Advisory MS03-007.

July 2003 was a very bad month for security, with messages related to buffer overflows in Microsoft HTML, Microsoft RPC, RedHat Linux nfs-utils, and the Sun Solaris Runtime Linker. Other hot topics included a Cisco IOS denial of service vulnerability, integer overflows in Microsoft Windows DirectX, Cisco Aironet vulnerabilities, and a FreeBSD denial of service vulnerability.

Of course the vulnerability that received the most notoriety was the ubiquitous Microsoft RPC vulnerability that became the attack vector for MS Blaster only 26 days after its public security bulletin.

During September there was a tremendous amount of discussion related to newly discovered Microsoft RPCSS vulnerabilities as well as a remote root exploit for default Solaris OS installations and messages related to vulnerabilities in OpenSSH.

In late November there was a spike in traffic related to advisories pertaining to implementations of BIND, OpenPKG and the Applied Watch IDS suite.

Apache

In April there was a definite surge in traffic related to the release of Apache Webserver version 2.0.45 which fixed several DoS vulnerabilities. Some discussion also spread at the same time regarding two exploits 'apache-nosejob.c' and 'apache-scalp.c' that target the Apache chunked encoding vulnerability.

In July there were discussions related to limiting the execution context of Apache on Linux & UNIX servers, "strange connect entries" found in Apache logs, and a privilege execution exploit against Apache version 1.3.27.

In late October and early November there was a resurgence in messages related to directory traversal vulnerabilities and data leaking vulnerabilities in older versions of Apache. During early December there were a number of messages focused on how to use secret key authentication with Apache running on a FreeBSD server.

Apple

During July there was a string of messages related to "Multiple Vulnerabilities in Apple QuickTime/Darwin Streaming Server", posted by Rapid7 Security. In August there was a discussion of how to set up Apple iSight for videoconferencing within the context of an appropriate firewall policy.

During October there was interest and excitement in Apple's release of the Panther version of OS X. During December there were a number of messages related to OS X security holes, in particular a DHCP flaw that allows remote exploitation of vulnerable systems and a local DoS vulnerability.

attack

During March there were a number of discussions related to attacks. Many real world attacks on Sendmail vulnerability CA-2003-07 were seen. Microsoft Terminal Services were theorized to be vulnerable to attacks. A new timing attack on OpenSSL was released. There were also discussions on attacks against Checkpoint firewall syslog servers and how to detect various unicode string encoding attacks.

During May there was a resurgence in discussions related to OpenSSH/PAM timing attacks, attack attempts for a specific IP address (sorry - I won't list it here), how to detect cross-site scripting attacks, and recovery and remediation steps to take when under DDoS attacks.

blast

In mid to late August there was a huge amount of traffic related to the term blast or blaster. This can be attributed to the widespread Blaster worm that exploited vulnerabilities in Microsoft DCOM RPC. (See also RPC for additional information).

Cisco

Traffic related to Cisco surged as news of a DoS vulnerability in Cisco IOS spread (see CERT Advisory 2003-15 for the full story).

crack

In late August there was a substantial amount of traffic related to the fact that the FTP site ftp.gnu.org was cracked by intruders. Due to the widespread distribution of software from the GNU software project, CERT produced an advisory.

In early September, there was a buzz about the fact that Israeli researchers discovered a way to crack the GSM mobile phone network encryption code.

DB2

Traffic related to DB2 rose sharply in September owing to IBM DB2 stack overflow vulnerabilities. This announcement was all over the news and resulted in several exploits.

defacement

A deluge of defacements was reported by Zone-H in April.

In early June there was interest in the "Defacement Challenge" announced by Zone-H but in the end it was a complete flop.

disclosure

The debate over full-disclosure of security vulnerabilities raged on in 2003. Nevertheless, the Full-Disclosure list had a substantial amount of postings, peaking in August with 1,992 messages and September with 1,852 messages.

Leading topics were: RPC-DCOM, rootkits, the Snort IDS, the report titled "CyberInSecurity: The Cost of Monopoly", the Java Anonymous Proxy (JAP), and the e-mail virus.

eEye

Public interest in eEye peaked in August as security professionals discussed eEye's analysis of the Blaster worm and eEye released the Internet Explorer Object Data Remote Execution Vulnerability Announcement.

exploit

Exploits rose to the forefront of community discussions four times in 2003:

In July there was substantial interest in a Windows Media Services exploit, a new Cisco IOS exploit related to Cisco Security Advisory 44020, and exploits targeting the DCOM RPC vulnerability.

In September there were several discussions about yet another , a fake SSH vulnerability, and possible exploitation of the Internet Explorer Object Data Remote Execution Vulnerability announced by eEye.

During October administrators and security professionals discussed risks from a new IRC exploit that was circulating and the theft of the video game source code to Half-Life that allegedly was accomplished with an exploit against Outlook's preview pane.

In November the Gobbles SSH exploit (from 2001) was resurrected as a hot topic.

flaw

Gates

Bill Gates rose in the news after an interview in which he stated that, despite the recent SoBig virus, Microsoft software is becoming increasingly reliable.

He also created quite a stir in late October when he expressed "You don't need perfect code to have good security." While this statement may be true, it was not received well by critics of the Redmond software giant.

hacker

There was a rise in interest in "hackers" (interpretations of that term vary widely) during April, when several stories circulated about "patriotic hackers" and US funding granted to Theo de Raadt, the famous OpenBSD "hacker."

IBM

IBM was thrust to the forefront of INFOSEC discussions several times in 2003, most notably:

During April an IBM employee was "flamed" for his vacation e-mail replies that members of the Full-Disclosure list felt annoyed by. (Strange but true).

During July SecuriTeam released three security advisories pertaining to IBM's U2 UniVerse 10.x.

In August it was announced that IBM and SuSE managed to receive a Common Criteria certification for the product SuSE Linux Enterprise Server 8.

In September there were numerous discussions related to vulnerabilities discovered in some implementations of DB2.

IIS

In late March a vulnerability announcement was released by Microsoft that detailed a buffer overflow in the file ntdll.dll (used by IIS for WebDAV) allowing arbitrary code execution as LocalSystem by default.

Vulnerable systems included those running IIS 5.0 on Windows 2000. Message volume related to IIS peaked as security professionals tried to share information on how to identify log entries of exploited IIS servers and on how to configure IDSes to detect this variety of exploit activity.

In mid July there was a renewed interest in how to generate SSL certificates for creating encrypted sessions with IIS. Another topic of interest in July was the availability of tools like IISLockdown and URLScan for shoring up the security of Web servers.

In August an advisory related to vulnerabilities in IISShield was released and the discussion of IISLockdown and URLScan continued.

During October Snort users collaborated on a number of problems related to the configuration of web-iis rules for protecting IIS servers. There was also a renewed public interest in how to configure IIS for encrypted sessions using Microsoft's built-in certificate capabilities.

linux

Linux remained a hot topic throughout 2003. During April the linux topics in the community were using linux and the dd utility to create forensic images, network intrusion detection systems (NIDS) running on linux, linux firewalls, and problems with SuSE Linux 8 Professional when running the security update tool.

In May a number of discussions related to linux OS hardening popped up, as well as linux migration security issues (moving from a Windows environment to a linux environment).

During July Secunia rocked the linux community with the announcement of a linux kernel vulnerability. Security professionals also discussed secure implementations of linux, such as SE linux.

From October to December the security community was abuzz with several issues related to linux. A researcher from Germany discovered multiple root exploits for SuSE, linux root kits were hot, and thoughts on "secure coding" dominated discussion lists. An uncommonly large number of security advisories were released, detailing vulnerabilities in many applications including: apache, apache2, BIND, bugzilla, conquest, CUPS, cvs, EPIC (epic4), Ethereal, fetchmail, fileutils, freesweep, gdm, Glibc, GnuPG, hylafax, iproute, ircd, irssi, lftp, Libnids, the Linux kernel, marbles, minimalist, mpg123, mplayer, mysql, openssh, OpenSSL, Pan, perl, phpSysInfo, pine, postgresql, proftpd, rsync, SANE, screen, sendmail, Stunnel, teapop, thttpd, tomcat4, vixie-cron, webfs, xboard, xchat, XFree86, xinetd, and zebra.

Microsoft

During 2003, "it was the best of times, it was the worst of times" at Microsoft. While high profitability continued, a number of security flaws were discovered.

Major security related events:

The week of March 20, 2003, Microsoft released 'Security Bulletin MS03-007 Unchecked buffer in Windows component could cause Web server compromise'. (This refers to the IIS WebDAV vulnerability.)

The week of July 17, 2003, Microsoft released three critical Security Bulletins MS03-026, MS03-027, MS03-028, related to a DCOM/RPC vulnerability that could permit remote exploitation of Windows computers.

The week of August 14, 2003, was the week the MS Blaster worm hit the public Internet. Blaster exploited the DCOM/RPC vulnerabilities disclosed in July.

During the week of September 16, 2003, a new remotely exploitable remote procedure call (RPC) vulnerability for Windows was announced.

The week of November 13, 2003, included an announcement of security vulnerabilities in the product Microsoft Office.

Nessus

The full-featured open source vulnerability scanner Nessus remained a popular topic throughout the year. In February numerous discussions emerged related to the release of Nessus version 1.3.4 and Nessus 2.0.0.

In late May Nessus 2.0.6 was released and a vulnerability in the Nessus NASL scripting engine was disclosed.

During early November security researchers discussed using Nessus to detect non-random IP IDs. Other hot topics in November included how to use Nessus remotely and issues associated with using Nessus in a network with DHCP enabled.

nmap

The world's most popular port scanner was a frequent topic of discussion among security professionals. Kudos to fyodor for this great tool!

During May nmap was featured in the movie Matrix Reloaded. This realistic display of how nmap might be used for nefarious purposes prompted an announcement from the British Computer Society.

In June nmap 3.28 and 3.30 were officially released, featuring substantially improved OS detection capabilities. (If OS detection is critical, another OS detection program is Ofir Arkin's Xprobe2.)

In late August nmap enthusiasts discussed the merits and drawbacks of Nmap+V and problems with the Windows port of nmap.

During late October the security community raved about the version detection features of nmap versions 3.45 and following.

Oracle

In February Oracle published five security alerts referring to components of the Oracle 9i product line.

During late April an Oracle buffer overflow vulnerability was disclosed by NGSSoftware.

In late July Secunia released advisories related to vulnerabilities in the Oracle E-Business product suite.

Shortly after Halloween NGSSoftware released news of multiple SQL injection vulnerabilities for Oracle 9i.

PDF

The Portable Document Format (PDF) was not a frequent topic of discussion, but it did manage to obtain some public interest during the summer. In June a hacker with the pseudonym hack4life leaked information about vulnerabilities in some PDF readers that he stole from CERT/CC.

During July, further details of PDF reader vulnerabilities were discussed.

In October members of the legal community tried to determine if exporting Microsoft Word documents to PDF would strip all of the document metadata.

At the end of the year researchers explored issues related to Internet Explorer error messages related to downloading PDFs using SSL.

RPC

Remote Procedure Call (RPC) implementations were not frequently discussed, but public interest in them did spike as a result of several prominent Microsoft vulnerabilities.

In July Microsoft released MS03-026 Buffer Overrun In RPC Interface Could Allow Code Execution.

During August numerous copies of proof-of-concept exploits for DCOM RPC circulated. On the 11th, the Blaster worm began spreading across the Internet, using the RPC vulnerability disclosed in July. This particular malicious code event was particularly disheartening, as it showed that the window of time from public release of a vulnerability to exploit had narrowed to a mere 26 days.

Shortly thereafter in September, eEye released notification of an RPC Heap Corruption Vulnerability similar to, but not as dangerous as, the RPC flaw discovered in July.

Solaris

The Sun Solaris operating system was frequently a topic of discussion during 2003. In April the dominant topics were secure FTP (SFTP) and secure copy (SCP).

In June a remote buffer overflow for Solaris was announced.

During July iDefense released a security advisory related to a buffer overflow in the Sun Solaris Runtime Linker. The same month, Secunia released an announcement of a Solaris DoS vulnerability related to IPv6 services.

In September iDefense released an advisory explaining how misconfigured sadmind on Solaris can allow attackers to execute arbitrary commands with super-user privileges.

Secunia released four advisories in October related to NFS Client Request Denial of Service, an Ethernet Driver Frame Padding Vulnerability, Mounted Pipe and STREAMS Routines Denial of Service, and a sysinfo Kernel Memory Disclosure Vulnerability.

SQL

Structured Query Language (SQL) was a major topic of discussion. In January there was a huge exchange of messages related to the rapid spread of the SQL Slammer Worm, which propagated using known vulnerabilities in SQL Server 2000 and the Microsoft Desktop Engine (MSDE) 2000.

During February the security community focused on post event analysis from the SQL Slammer worm, as well as a rise in the occurrence of SQL injection attacks.

In mid-April databases were still all the rage, and discussions related to: a Microsoft SQL vulnerability announcement, an EnGarde Secure Linux advisory related to a MySQL root exploit, and problems and issues with using MySQL and ACID for data analysis.

During September a false remote exploit for MySQL was released and Secunia presented information on a password privilege escalation vulnerability.

virus

Quite predictably, computer viruses were discussed quite a bit throughout the year. The time period of most interest was from mid-August to late September following the SoBig worm.

In November the Voltan virus rose to prominence after providing a mechanism for a criminal to steal over $100,000, furthering the trend that viruses are being written for financial profit rather than ego inflation.

webDAV

The webDAV (distributed authoring and versioning) protocol jumped to the forefront of INFOSEC discussions following announcements from CERT and Microsoft that IIS was vulnerable to a buffer overflow through its webDAV implementation.

worm

Issues related to worms (the nastiest form of malicious code) rapidly became the dominant concept of the month of August with the spread of the Blaster worm. Blaster cast a dark cloud over the security community, as it was the first ever widespread malicious code outbreak that hit the public Internet less than a month from the identification of the vulnerability that it used to spread.

Conclusion

This report does not attempt to cover every element of INFOSEC in 2003. Instead, it focuses on events and trends that surpassed the threshold of "average number of messages" for a given topic within the INFOSEC community. The graphs present the emergence and disappearance of dominant topics over time. They are interesting in their own right, but doubly interesting when combined to show the relationship between associated topics (see the combination of webDAV and IIS, or the overlay of RPC, worm, and blast below). If you are interested in my research and want more information send me an e-mail. If you'd like to receive future releases of INFOSEC Zeitgeist information be sure to sign up on my mailing list.

How to interpret the graphs

The graphs depict message volume by topic, by week, from January to December 2003. This volume is an aggregate of messages from Bugtraq, Full-disclosure, and similar security lists. The red lines depict the actual message volume. Green lines show the average number of messages per week for a given topic. Blue lines show the average number of messages plus one standard deviation. If there is an anomaly in traffic related to a concept or topic (it breaks the blue line threshold) it almost always means something interesting happened. The excellent tool gnuplot was used to create each of the graphs.
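The threshold method described above, as an added example that is not part of the original report: constructed (date, subject) pairs stand in for the collected list mail, per-keyword weekly counts are tallied, and a week is flagged when its volume breaks the mean-plus-one-standard-deviation (blue line) threshold. The gnuplot data-row layout is my assumption, not the author's own scripts.

```python
"""Weekly message-volume anomaly detection, following the report's method.

Added example, not code from the original report. The message list is
constructed for illustration: (ISO date, subject) pairs standing in for
the headers of security-list e-mails collected during 2003.
"""
from collections import Counter
from datetime import date
from statistics import mean, pstdev

YEAR = 2003
WEEKS = 52  # 2003 has 52 ISO weeks


def _constructed_sample():
    """Synthetic mail headers: low RPC chatter every fourth week, a burst in
    the July bulletin week (ISO week 29) and a larger burst in the week
    Blaster spread (ISO week 33, which starts Monday 11 August 2003)."""
    msgs = [(date.fromisocalendar(YEAR, w, 3).isoformat(), "Re: RPC question")
            for w in range(2, 53, 4)]
    msgs += [(date.fromisocalendar(YEAR, 29, d).isoformat(),
              "MS03-026 buffer overrun in RPC interface") for d in (3, 3, 4, 5)]
    msgs += [(date.fromisocalendar(YEAR, 33, 1 + i % 5).isoformat(),
              "Blaster worm hitting DCOM RPC") for i in range(12)]
    msgs += [(date.fromisocalendar(YEAR, 25, 2).isoformat(), "nmap 3.28 released")]
    return msgs


SAMPLE_MESSAGES = _constructed_sample()


def iso_week(iso_date, year=YEAR):
    """ISO week number of a YYYY-MM-DD string, or None when the date belongs
    to another ISO year (29-31 Dec 2003 fall in week 1 of 2004)."""
    y, w, _ = date.fromisoformat(iso_date).isocalendar()
    return w if y == year else None


def weekly_counts(messages, keyword, weeks=WEEKS):
    """Messages per ISO week whose subject mentions keyword (case-insensitive).
    Weeks without a match count as zero so that every week of the year is plotted."""
    hits = Counter(iso_week(d) for d, subj in messages if keyword.lower() in subj.lower())
    return [hits.get(w, 0) for w in range(1, weeks + 1)]


def thresholds(counts):
    """Green line (mean per week) and blue line (mean plus one standard deviation)."""
    avg = mean(counts)
    return avg, avg + pstdev(counts)


def anomalous_weeks(counts):
    """Weeks whose red line (actual volume) breaks the blue threshold."""
    _, blue = thresholds(counts)
    return [w for w, c in enumerate(counts, start=1) if c > blue]


def gnuplot_rows(counts):
    """Data rows 'week actual mean mean+sd'; gnuplot can draw the three lines
    from columns 2, 3 and 4 with 'using 1:2', 'using 1:3' and 'using 1:4'."""
    green, blue = thresholds(counts)
    return [f"{w} {c} {green:.2f} {blue:.2f}" for w, c in enumerate(counts, start=1)]


if __name__ == "__main__":
    rpc = weekly_counts(SAMPLE_MESSAGES, "RPC")
    print("RPC weeks over threshold:", anomalous_weeks(rpc))  # [29, 33]
    print("\n".join(gnuplot_rows(rpc)[27:34]))
```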

About the author
Abraham Usher received a B.S. in Modern Standard Arabic and German language studies from West Point, and an M.S. in Information Systems from George Mason University. He is a thought leader in open source intelligence collection and analysis, and has substantial experience in designing and implementing information architectures. Mr. Usher is a Certified Information System Security Professional (CISSP) and a proponent of Open Source software.