Get used to that insecure feeling
When feature-laden shrinkwrapped software opens up your organisation to well-documented security breaches, who’s to blame for the potential cataclysm? Auckland developer Zsolt Pardi (see A legacy of neglect) blames the software vendor, while part-time sys admin Juha Saarinen (see below) says responsibility rests with the user.
This statement is number one on Microsoft’s Security Response Centre’s essay “The Ten Immutable Laws of Security”: If a bad guy can persuade you to run his program on your computer, it’s not your computer any more.
Setting aside snide remarks about the “bad guy” in question being Bill Gates, the above statement is undeniably true. In fact, it doesn’t even have to be a bad guy’s or girl’s program: any unknown executable or script can land you in a big mess. Don’t trust others to know what the code they want to run does — viz the extensively used FormMail script, which seems innocuous enough but is easy to abuse to relay spam.
It’s very simple, really: if you don’t know for sure what something does, don’t use it.
Today’s internet is an incredibly hostile environment. It doesn’t matter which operating system you use, you have to be very careful and keep a watchful eye on it — constantly. Some months ago I set up a Unix server for a client and installed a mail service on it. I was stunned to discover that it took less than 20 minutes after hooking it up to the internet for the first rejected relay attempt to show up in the logs.
The internet has been like this for years now, and it’s not getting better. For web hosting services to be trusting in such an environment is akin to skateboarding over the Auckland Harbour Bridge in rush-hour traffic. Exciting, sure, but don’t expect to last very long.
Furthermore, if your service uses Microsoft’s Internet Information Server (IIS), you must by now have noticed that the internet server application programming interface (ISAPI) is often mentioned in security bulletins. A quick search at the Common Vulnerabilities and Exposures site for ISAPI popped up 12 hits, the oldest one going back to 1999.
Running ISAPI DLLs, filters, extensions, COM objects and the like means you’re taking a calculated risk; there is a trade-off here, between security and performance. You could argue that ISAPI et al should never be able to compromise system security; that discussion belongs in the operating system design compartment, however. If you’re an extremely talented developer, by all means create an ISAPI replacement that’s as fast yet secure. I believe Microsoft would be extremely interested in it, and you’d be very rich.
IIS is very flexible with its modular design, but it’s unfair to blame it for sys admin sloppiness. You can compromise any platform by being careless, not just Microsoft’s. At Computerworld, we saw a prime example of this recently. After receiving a load of spam addressed to most of the IDG editorial staff, I traced it to a server in Australia. The admin of the box denied responsibility, claiming it was impossible to relay spam through it. That was indeed so, but at the same time he was running an open SOCKS proxy that allowed anyone on the internet to channel anything through his server.
That was bad enough, but the worst part was that despite being shown evidence several times, plus a step-by-step explanation, the admin failed to understand what was going on.
That was a month ago. I checked again when I wrote this, and the SOCKS proxy is still open. It’s hard to battle a conspiracy of ignorance.
Saarinen can be reached at firstname.lastname@example.org.