How exposing more digital flaws could actually be harming security
Jeff Schmidt, whose firm discovered a widespread Microsoft bug, worries that businesses are suffering from vulnerability fatigue. As a result, he says, they aren't doing enough to protect themselves from digital assaults.
The National Vulnerability Database, a repository for network threats, received more than 7,000 new entries last year – a 50 percent increase over 2013. As new vulnerabilities are discovered at record rates, they are also receiving more attention than ever from the national media.
That might be too much exposure, worries Jeff Schmidt, founder of JAS Global Advisors, a technology consulting firm. With the flood of attention generated by new vulnerabilities, many organizations are so overwhelmed that they aren't sure what to do – and wonder if they need to do anything at all. Still, says Schmidt, the danger from the steady stream of digital flaws is still very real.
JAS Global gained notoriety for uncovering one of the most widespread vulnerabilities in history – a bug that allowed remote code execution on more than a decade worth of Microsoft Windows operating systems. It was so baked in to the operating system that it took more than a year to patch.
Passcode recently spoke with Schmidt. Edited excerpts follow.
Passcode: Beyond the obvious – the more vulnerabilities, the more ways you could be attacked – why is the sheer number of new vulnerabilities dangerous to businesses?
Schmidt: There’s a vulnerability fatigue. If you look back 18 months, there have been a number of designer-named – cutely named – but very real vulnerabilities, like Heartbleed, POODLE, Shellshock, FREAK, and JASBUG. When Heartbleed came up everyone paid attention. But that response starts to fade. Unfortunately, they all need real, immediate attention. It’s a classic security issue where complacency grows over time – people see that one vulnerability didn’t harm them and become complacent that newly discovered ones won’t either.
Passcode: With the amount of bugs being reported, is that complacency a solvable problem?
Schmidt: When you need to treat something like a crisis, make sure it’s a worthy crisis. Part of it is having a good triage process. But a big part of it is reducing the attack surface – reducing the open points in the network and locking down what needs to be locked down.
The people that are worst prepared are the people who have lots of different technology built up through growth or acquisitions. If you didn’t use UNIX, you didn’t have to treat Shellshock as a crisis.
Passcode: There have been an unprecedented number of bugs recently. If a business has made it this far without getting complacent, is there a rest period coming up when it regresses back to the normal rate? Does this ever die down, or is this the new normal?
Schmidt: More people are looking than ever, and the tools have never been better. It’s reasonable we’ll find more bugs. It’s interesting to note how many are old. Shellshock was in UNIX for 30 years before it was found last year.
Crisis response is taxing, but it’s also very expensive if you’re dealing with numerous threats. For small to medium sized businesses, it might mean hiring a consultant each time. Think of it like living in Boston: You’ve had a bad winter, you can use up all the salt.
Passcode: When you say more people are looking, there’s also more incentive to be looking than ever, even if you aren’t planning to use the vulnerability you find.
Schmidt: It used to be all you’d get for finding vulnerability is your name in a newsletter. Now there are well publicized markets to sell vulnerabilities. The space is full of researchers – many not American – driven purely by money. And there are many state actors who obviously will never publicly reveal what they discover. I’ll pat myself on the back; we received no compensation for what we did. There are still people who aren’t in it just for the money.
Passcode: Plus you get to name it.
Schmidt: Honestly I’m terrible with naming things. I didn’t think the name JASBUG would stick. I thought we’d be screaming from the rooftops into the wind. Microsoft only refers to bugs by ID number. When I named my first company Secure Interiors, I was thinking that we’d secure the inside of your network. People thought it was an interior design company for prisons. We thought about calling it Windowpain.
Passcode: JASBUG is sort of the prototypical example of everything going right: You disclosed the bug out of the goodness of your heart, Microsoft was willing to take on a massive undertaking to fix it, and you were patient enough to let them do it even though it would take more than a year.
Schmidt: We are lucky this was Microsoft. They took it seriously. And they are the only vendors equipped and sophisticated enough to handle a problem like this as well as they did. Once we realized it was something serious, literally 24-hours later we were at their offices writing on whiteboards. They realized right away that this would take them a lot of work.
Passcode: Bugs don’t usually take a year to fix. The deadline most researchers give companies to come up with patches is closer to 90 days before they release the bug to the public to force vendors’ hands – while Microsoft was patching your bug, Google was being so firm about a deadline, they made a vulnerability they found public despite Microsoft announcing the patch was slated for release two days later. How do you balance patience with responsible public disclosure?
Schmidt: A lot of vendors don’t take people seriously. You have to be able to say you’ll go public to force them to act. But there’s a real danger with saying, “Whoops, 90 days is up, we have to disclose.” Or “Whoops, [the security conference] Black Hat is coming up.” The best thing we could do was to keep quiet.
It’s hard to keep something like this under wraps for a year. Not only were we keeping the bug secret, we had to tell people we had discovered it. We found JASBUG doing unrelated research for [the Internet Corporation for Assigned Names and Numbers], and we couldn’t hold back letting ICANN release the report. So the paper said we had found this vulnerability we couldn’t really talk about. That’s when people started calling us up to buy the zero day [vulnerability]. We turned them down, obviously.
Passcode: But even your doing the honest thing isn't a reason for people to get complacent about updates. You reporting the bug gets a patch made, but doesn't keep the bug off the streets for long.
Schmidt: There is a saying, “Patch Tuesday, exploit Wednesday.” Once there’s a patch, someone will reverse engineer it to figure out how to use it.
The only thing I regret is that they didn’t patch [Windows] Server 2003. It’s still supported software, and the people running it aren’t doing anything wrong. They made a fiscal decision not to patch it. And I understand that. But it isn’t like XP being left vulnerable forever, where everyone with XP knows they’ve stopped supporting it.
I believe this is the first perpetual zero day. A lot of stuff out there is still running XP: ATMs, cash registers, a lot of kiosks.