Sunday, 11 November 2007

Vendor liability & User Responsibility


We always hear the words "It is your responsibility" when someone steals money from our credit card or steals our email password.

Why don't we say the same words to software vendors when a security vulnerability in their software makes us lose a lot of money?

When we install any software, we have to sign off on the vendor's EULA; we have to accept this license to be able to install the software at all.
So, I think most of us have tried to read this EULA agreement before signing it off. You can find many EULA analyzer tools on the Internet that highlight the important points for you, such as privacy, vendor rights, and your responsibilities.

The point here is that as long as we have no option other than accepting the license to install the software, the vendor must be liable for its software. At the end of last month, the Symantec Web Security Response Weblog wrote about a "Privilege Escalation Exploit In the Wild"; one week later they wrote a follow-up on this vulnerability. The vulnerability is in the "SECDRV.SYS Driver". Microsoft posted Microsoft Security Advisory (944653) about it. Let's analyze the FAQ as posted in Microsoft Security Advisory (944653).

What is the scope of the advisory?

Microsoft is aware of a new vulnerability report affecting the Macrovision secdrv.sys driver on supported editions of Windows Server 2003 and Windows XP. This affects the software that is listed in the “Overview” section.

What is secdrv.sys?
The driver, secdrv.sys, is used by games which use Macrovision SafeDisc. The driver validates the authenticity of games that are protected with SafeDisc and prohibits unauthorized copies of such games to play on Windows. The secdrv.sys is included with Microsoft Windows XP, Windows Server 2003 and Windows Vista to increase compatibility of the games on Windows. Without the driver, games with SafeDisc protection would be unable to play on Windows. SafeDisc remains inactive until invoked by a game for authorization to play on Windows.

The question that arises here: if this vulnerability were exploited and Microsoft customers lost millions of dollars, would Microsoft/Macrovision be liable for this? The answer is NO.

Let's have a look at the "Windows Server 2003 End-User License Agreements". Using an EULA analyzer, or reading the EULA yourself, you will find:

23. LIMITATION ON AND EXCLUSION OF DAMAGES. You can recover from Microsoft and its suppliers only direct damages up to the amount you paid for the software. You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages.
This limitation applies to
  • anything related to the software, services, content (including code) on third party Internet sites, or third party programs; and
  • claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if
  • repair, replacement or a refund for the software does not fully compensate you for any losses; or
  • Microsoft knew or should have known about the possibility of the damages.

It is unfair that customers who lose millions of dollars can claim only the amount they paid for the software. Ira Winkler, the author of Spies Among Us, wrote a wonderful article on this point titled "Vendor liability: A pointless argument?". Also, Art Coviello, RSA's president, gave this interview to ZDNet at the RSA Conference 2007 held in London.

In the end, I believe software vendors should be liable for their software, just as users are responsible for their mistakes.

Thursday, 1 November 2007

Security Assessment Roadmap

In my last role with my previous employer, my manager asked me to develop a security assessment service. I did some Google searching and found that the best way is to establish a framework, also because working under a formal process model makes the task easy and later development efficient. I found the NSA-developed INFOSEC Assessment Methodology (IAM). I started to read more about it and found a brilliant book from Syngress that helped me a lot: “Security Assessment: Case Studies for Implementing the NSA IAM”.

After that I started using these resources to build our security assessment framework, and I have decided to share this information with my peers who are interested in IT security. Here is what I got.

Let’s assume we are going to perform a security assessment for a company called “XYZ”.



Introduction

XYZ Company's network may expose vulnerabilities to attackers in many ways. A key area is information exposure. Many details about XYZ Company that an attacker can gather can be used to assist in an attack. This includes technical data, such as which public services XYZ Company offers, as well as non-technical items, such as who its business partners are. The next area of importance is connectivity. Can attackers send and receive information to the systems within XYZ Company's network? This is dominated by the impact XYZ Company's firewalls (and filtering routers) have on connectivity into the network, but it can also be affected by the controls XYZ Company has in place to allow workstations and notebook computers to connect to its internal network. The last major area that needs to be examined is whether the services XYZ Company's network relies on contain exploitable vulnerabilities.

The roadmap for performing a security assessment consists of the following core phases, each with corresponding deliverables:

  1. Planning

Determine the scope of our assessment at XYZ Company. Decide how we will conduct it. Develop written rules of engagement to control the assessment and, most importantly, gain proper written approval to perform it. Assemble our toolkit to perform the assessment.

  2. Reconnaissance

Obtain technical and non-technical information on XYZ Company and its known public hosts, such as mail, web and DNS servers, etc.

  3. Network service discovery

Determine which hosts and network devices at XYZ Company can be accessed from the outside. For each of these systems, determine what services are running on them.

  4. Vulnerability discovery

Probe externally accessible systems and remote services to determine whether they expose known vulnerabilities to the outside. Analyze initial results to eliminate false positives.

  5. Verification of perimeter devices

Evaluate firewall and router configurations at XYZ Company to ensure that they are well configured. Verify that firewalls at XYZ Company do not pass traffic that should be blocked. Verify that anti-discovery and anti-DoS controls are in place and work as expected at XYZ Company. Test intrusion detection/prevention sensors to ensure that they detect, log, and alert on suspicious activity.

  6. Remote access

Verify security controls of known remote access systems, including remote access servers, wireless access points, and VPNs. Search for unauthorized (rogue) modems and wireless access points at XYZ Company.

  7. Exploitation (optional)

Attempt to use exploitation techniques against the discovered vulnerabilities. Based on the goals of the test, this may be an iterative activity. Successful exploitation may lead to additional access on the network, which may open the opportunity for further exploitation.

  8. Results analysis and documentation

Analyze discovered vulnerabilities to determine their overall effect on the level of risk to the network's security at XYZ Company. This is normally based on the vulnerabilities' impact on the affected system, the criticality of the system, the likelihood that the vulnerabilities will be exploited, and the effort required to remediate the vulnerabilities. Produce an assessment report that provides a list of vulnerabilities prioritized by level of risk and provides recommended steps to resolve the individual and root causes of the vulnerabilities.

  9. Recommendations

A final report will be compiled with recommendations and possible solutions to be implemented at XYZ Company to strengthen security and/or defend against breaches.
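The results-analysis phase above rates each verified vulnerability by its impact, the criticality of the system, the likelihood of exploitation and the remediation effort, and turns that into a prioritized list. The following is an added example of that step, not code from the original post or from the NSA IAM; the 1-5 rating scales, the multiplicative scoring formula, the risk bands and the sample findings for XYZ are all assumptions made for illustration.

```python
# Added example for the "Results analysis and documentation" phase; it is not
# part of the original post or of the NSA IAM. The 1-5 rating scales, the
# scoring formula, the risk bands and the sample findings are all assumptions.
from dataclasses import dataclass

RISK_BANDS = [(60, "Critical"), (30, "High"), (12, "Medium"), (0, "Low")]  # assumed


@dataclass(frozen=True)
class Finding:
    host: str         # externally reachable system (from service discovery)
    service: str      # service the vulnerability was found on
    title: str        # verified vulnerability (false positives already removed)
    impact: int       # 1-5: effect on the affected system
    criticality: int  # 1-5: how critical the system is to XYZ
    likelihood: int   # 1-5: chance the vulnerability is exploited from outside
    effort: int       # 1-5: effort required to remediate

    def __post_init__(self):
        for v in (self.impact, self.criticality, self.likelihood, self.effort):
            if not 1 <= v <= 5:
                raise ValueError("ratings must be between 1 and 5")

    def risk_score(self) -> int:
        """Impact x criticality x likelihood (assumed formula, range 1..125)."""
        return self.impact * self.criticality * self.likelihood


def risk_band(score: int) -> str:
    """Map a numeric score onto the report's risk level."""
    return next(label for floor, label in RISK_BANDS if score >= floor)


def prioritise(findings):
    """Highest risk first; among equal risk, the cheaper fix first (quick wins)."""
    return sorted(findings, key=lambda f: (-f.risk_score(), f.effort, f.host))


def report(findings):
    """Rows (rank, host, service, title, score, level) for the assessment report."""
    return [(i + 1, f.host, f.service, f.title, f.risk_score(), risk_band(f.risk_score()))
            for i, f in enumerate(prioritise(findings))]


# Constructed sample findings for XYZ (RFC 5737 documentation addresses).
SAMPLE = [
    Finding("192.0.2.10", "smtp/25", "Open mail relay", 3, 4, 4, 1),
    Finding("192.0.2.20", "http/80", "Unpatched web server, known remote code execution", 5, 5, 4, 2),
    Finding("192.0.2.30", "dns/53", "Zone transfer allowed to any host", 2, 3, 5, 1),
    Finding("192.0.2.40", "vpn/443", "VPN gateway accepts weak cipher suites", 3, 4, 2, 3),
]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

The ranked rows map directly onto the prioritized vulnerability list the report phase calls for, with the effort rating breaking ties so that cheap fixes of equal risk surface first.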


Reference: NSA & Syngress