And Microsoft doesn't pay you to say SQL Server 2005 is secure.
Litchfield: I'm not being paid by Microsoft to say they're secure, and if anyone is going to find a bug in SQL Server 2005, it better be me. It would undermine my ability to be able to say in the future that a product is secure if bugs are found by anyone else. So, if there are bugs in SQL Server 2005, I hope I'm the one who finds them, and I'm looking.
Is Microsoft, or was it ever, a customer of NGS Software?
Litchfield: Whilst NGS does do a lot of work for Microsoft, we're not paid to say they're secure--we're paid to help secure their products. It's important for both Microsoft and NGS that we are, and are seen to be, independent. Otherwise it would call into question the legitimacy of the work we do and Microsoft's efforts to secure their products. This is why NGS still continues to generate (security) advisories on Microsoft products.
I've heard that you did a security audit on SQL Server 2005. Is that correct?
Litchfield: I can't speak about specifics of the projects we do. That said, if anyone is questioning whether SQL Server is more secure than Oracle, all one needs to do is consider that there are many people, top researchers included, looking at both products for security flaws. It has been a very long time since SQL Server has "fallen." Reiterating, if there are serious bugs to be found in SQL Server 2005, then I hope it's me that finds them given my stance on this.
Is Oracle, or was it ever, an NGS Software customer?
Litchfield: Yes--we worked on a couple of projects for Oracle in the past.
What's the business of NGS Software?
Litchfield: There are three sides to the business. We sell tools to help assess your state of vulnerability and whether you're compliant with Sarbanes-Oxley, etc. We consult to a number of organizations, and we also do vulnerability research and sell that research.
What types of organizations are your typical research customers?
Litchfield: Government organizations, those who are responsible for critical national infrastructure and the protection thereof. We try to give them advance warning of security problems. We can tell them that there's a flaw in a particular product, along with a risk mitigation strategy. Even in the absence of a vendor-supplied patch, these systems will be protected.
NGS has been growing over the past years. Where is the demand?
Litchfield: It's mostly in consultancy, which is a bit of a shame because I set out to build a software company and we're more of a consultancy. That's one of my personal failures though and I've not given up. We will be a software company at some stage.
What does a typical consultant do?
Litchfield: He might do penetration tests, code reviews or threat modeling. It is not installing firewalls; our consultants do the high-end stuff.
What is it that drives you to get up and do your job every day?
Litchfield: Well, I'm good at it, and if you're good at something, you've got more drive to do it. If I was a good painter, I would paint more, you know. But since I am crap, I don't bother doing that. I enjoy the work.
Particularly the bug hunting part of it?
Litchfield: Yes, it's just a question of analysis. If I were trying to subvert the system, how would I do it? The other reason is that it has an effect on everyone's lives. Now, it's not like I'm curing cancer, but I know that one database server tomorrow is going to be more secure because of something I did, and that means that, for example, more credit card numbers are safe that day.
If people at Oracle say that you actually hurt security because of the disclosure of vulnerabilities, what do you say?
Litchfield: They have a case. In certain cases it does raise the risk level, OK, and that's one of the major problems with this kind of work. However, in raising the risk level, people are more inclined to protect their systems.
Now, as an example of this, I just put out that new attack method that allows an attacker without any special privileges to exploit flaws that were thought to be only exploitable by people with higher privileges. Now that we know that's not true, people have no reason to say they are not going to patch.
Someone has, within day zero of me posting my new method, modified their exploits and posted them publicly to use my new methods. Those exploits now can be run by anyone. So, yes it has increased the risk.
Back in August 2002, I presented some code that was then taken to form the basis of SQL Slammer. There was that initial raising of risk, but after that short-term pain, there are now more patched SQL Servers out there than there ever were before. The short-term risk has been raised for the long-term benefit, that's the way I look at it.
If people like you weren't around, some might say we wouldn't know of any security risks and nobody would be exploiting them either. You don't think that's true?
Litchfield: I don't think that's true. There are always going to be bad guys out there. If there aren't good guys working with the vendors to close these holes, then we'll be walking around with our head in the clouds thinking we're all secure when we're not. Security through ignorance really doesn't work because one person's ignorance is someone else's revenue stream.
What makes you pull your hair out?
Litchfield: When people say things like I'm increasing risk or doing it for selfish reasons. I'm not like that. But I can't always be the popular guy. I just wish there were fewer detractors.
You published The Oracle Hacker's Handbook recently. What do you hope to achieve with the book?
Litchfield: The Oracle security world is smug basically, and I'm trying to take that security blanket away from them. There are too many people out there who think that the Oracle product is secure and that they don't need to be doing anything. That's irresponsible, as far as I'm concerned.
What would you like people to know you for?
Litchfield: I would like to be the person who helped convince people that database security is important to look at. I would like to think that it's through my work, and obviously that of some of my peers in the industry, that we've helped shape the way security is dealt with at places like Oracle and Microsoft.