DoD Security? Is that like pretty ugly?

I can’t take you seriously…

I have to say it because it bugs the crap out of me! How can I take the DoD seriously for security matters when I type this into Netscape 7.02? My other option of course was IE 6.0sp1. If I wanted to use a modern, standards based, and secure browser I would need to go home. Let me list below the number of vulnerabilities my approved browser has:

Netscape 7.02 (3 Vulnerabilities):

http://secunia.com/product/85/#advisories

• A weakness has been discovered in Netscape, which can be exploited by malicious people to bypass certain security restrictions.
• A weakness has been discovered in Netscape, which can be exploited by malicious people to disclose system information.
• J. Courcoul has discovered a vulnerability in Netscape, which can be exploited by malicious people to conduct phishing attacks.

To be totally honest this isn’t a bad list. My issue with this list is that these are all fixed in the latest builds of Netscape, i.e. Firefox, and could easily be fixed. At this point the security is simply through obscurity. The browser is so old and outdated that the only people using it are, well, some dude named Bob and me. Luckily Bob is a nice guy. If someone offers you a bunker in battle, do you stay in your fox hole?

IE 6.0sp1 (31 Vulnerabilities):

Scroll quickly, it is a long list :)

http://secunia.com/product/11/#advisories

• HD Moore has discovered a vulnerability in Internet Explorer, which potentially can be exploited by malicious people to compromise a user’s system.
• Plebo Aesdi Nael has discovered two vulnerabilities in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information and potentially compromise a user’s system.
• A vulnerability has been reported in Internet Explorer, which can be exploited by malicious people to trick users into disclosing sensitive information.
• A vulnerability has been reported in Internet Explorer, which can be exploited by malicious people to trick users into disclosing sensitive information.
• cyber flash has discovered a weakness in Internet Explorer, which can be exploited by malicious people to trick users into performing certain actions on local resources.
• Matthew Murphy has reported a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user’s system.
• Claudio “Sverx” has discovered a weakness in Internet Explorer, which can be exploited by malicious people to trick users into visiting a malicious website by obfuscating URLs displayed in the status bar.
• Amit Klein has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to manipulate certain data and conduct HTTP request smuggling attacks.
• Secunia Research has discovered a vulnerability in Internet Explorer, which can be exploited by malicious web sites to spoof dialog boxes.
• bitlance winter has discovered a weakness in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks.
• bitlance winter has discovered a weakness in Internet Explorer/Outlook Express, which can be exploited by malicious people to trick users into visiting a malicious web site by obfuscating URLs.
• Berend-Jan Wever has discovered a weakness in Internet Explorer, which can be exploited by malicious people to detect the presence of local files.
• Albert Puigsech Galicia has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to conduct FTP command injection attacks.
• Gregory R. Panakkal has discovered a weakness in Internet Explorer, which can be exploited by malicious people to detect the presence of local files.
• Secunia Research has reported a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to spoof the content of websites.
• cyber flash has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to trick users into downloading malicious files.
• Keigo Yamazaki has reported a vulnerability in Internet Explorer, which potentially can be exploited by malicious people to conduct session fixation attacks.
• cyber flash has discovered two vulnerabilities in Internet Explorer, which can be exploited by malicious people to bypass a security feature in Microsoft Windows XP SP2 and trick users into downloading malicious files.
• Roozbeh Afrasiabi has discovered a weakness in Internet Explorer, which can be exploited by malicious people to trick users into visiting a malicious website by obfuscating URLs displayed in the status bar.
• Benjamin Tobias Franz has discovered a vulnerability in Internet Explorer, which can be exploited by malicious sites to detect the presence of local files.
• Benjamin Tobias Franz has discovered a weakness in Internet Explorer, which can be exploited by malicious people to trick users into visiting a malicious website by obfuscating URLs.
• WESTPOINT has reported a vulnerability in Internet Explorer, which potentially can be exploited by malicious people to conduct session fixation attacks.
• Liu Die Yu has discovered a vulnerability in Internet Explorer, which potentially can be exploited by malicious people to conduct phishing attacks against a user.
• Paul has reported a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to bypass certain security restrictions and potentially compromise a user’s system.
• http-equiv has discovered an issue in Microsoft Internet Explorer, Outlook and Outlook Express, allowing malicious people to obfuscate URLs.
• http-equiv has discovered a weakness in Internet Explorer, which potentially can be exploited by malicious people to trick users into visiting a malicious website.
• iDEFENSE has reported a vulnerability in Internet Explorer, which can be exploited by malicious people to bypass certain frame scripting restrictions.
• Jelmer has discovered a vulnerability in Internet Explorer, allowing malicious sites to detect the presence of local files.
• A vulnerability has been identified in Internet Explorer allowing malicious HTML documents such as web sites to see which components are installed.
• A vulnerability has been identified in Internet Explorer (IE), which can be exploited by malicious people to execute arbitrary script code on a user’s system.
• A vulnerability has been identified in Internet Explorer, which exposes sensitive information to “msn.com” and “alexa.com”.

What is very important about this list is that the last item is from June 2003. 3 years without a patch, and yet here I am still told to use this at work. Actually, if I log in to a new computer, this is the default browser.

Having been through the USAF BIP Security training, I know how seriously firewalls and boundary reef are taken. What a joke to lock the door but leave all the windows WIDE OPEN. I can accept that things move slowly on government networks. The question I pose is: how long is too long? Upgrading to Vista to fix these things is not what I consider a fix action. The PC I am sitting on right now isn’t Vista capable and will require upgrades, along with the rest of my building. Let us punch some figures:

~ # of PCs = 500

Cost of Vista PC = 650 Dollars

TOTAL: $325,000

This of course doesn’t take into account the server infrastructure required to admin the new systems. Let us go ahead and break down the Firefox solution:

~ # of PCs = 500

Cost of Firefox = 0 Dollars

TOTAL: 0

Hmmm…tough choice. You see my dilemma. As I sit on the mailing lists and idle away on IRC, watching the DoD get beat up, much of it is our own fault. The Firefox/IE situation is just a blatant example of the problems facing the DoD. I will say that this is the LARGEST network the world has ever seen. The transformation of software requires many, many people. I know there are many great minds working for the DoD who will undoubtedly read this with heads nodding in agreement. Well, ladies and gentlemen, I am off to perform work on a system so vulnerable a fleet of semis could park in it. I hope next week I can take the DoD seriously.

Updated: