why the smb is most at risk from ms12-010

caseyjohnellis -

There’s a lot of hubbub going around about the recent vulnerability from Microsoft. It’s called MS12-020 and it affects the Remote Desktop Protocol (a.k.a. RDP or Terminal Services if you are old school).

The hubbub is warranted… Once researchers get code working to exploit this vulnerability they will have full system level remote access across a network, with no password, no user interaction and no user knowledge.

![RDP worm](http://caseyjohnellis.com/wp-content/uploads/2012/03/hacker.jpg “RDPCheck” =284×243)This will trigger a spike in hacking from the Internet and, a few days or weeks, a self propagating worm will be written and released into the wild.

How successful these RDP hacking and the RDP worm are will depend largely on how much attention is paid to posts like this one.

I believe this vulnerability poses the greatest risk to Small/Medium Businesses – So much so that I roped a mate of mine into a few sleepless night over the weekend to build RDPCheck.

RDPCheck is a tool to helps individuals and businesses check their PC’s and networks for exposure to attacks on the RDP vulnerability.

While this tool can (and does) help any person or business assess their exposure in increase their awareness of MS12-020, I built it with SMB in mind. This post explains the why in that thinking…

TL:DR – Small/Medium businesses are the most likely NOT TO KNOW if RDP is enabled, patched, or exposed to the Internet (or even that there’s a vulnerability floating around at the moment) which means they are DOING NOTHING about it. This, combined with a viable exploit, is a perfect recipe for a threat event.

When it comes to getting pwned by MS12-020 there are 3 main risk factors to consider:

  • Is RDP enabled? No RDP means nothing to exploit. Interesting to note here is that the Business-As-Usual usage of RDP has gone up significantly since Symantec suffered a breach and pulled PCAnywhere. RDP is included in Windows, it is (…was) relatively secure, and it works well.
  • Is MS12-020 patch installed? MS12-020 patch installed means the vulnerability is closed. No dice Mr Hacker.
  • Is RDP exposed to the Internet? It’s true that MS12-020 presents a huge internal risk to organizations but it can be almost guaranteed that the bulk of the early damage done by a working exploit will come in straight from the big bad Internet.

Secondly, in the terms we’re using here there are 3 categories to consider:

  • Home/SOHO – Your home setup, your mum, your grandma, etc and freelancers, one-person-shows, etc.
  • Enterprise – Large established organizations with dedicated I.T. staff.
  • Small/Medium Business – Businesses ranging from a few to a couple of hundred people with a client/server setup but no full time I.T. staff.

Small point: Risk is probability times impact. For enterprise the impact of a breach is obvious, for home/SOHO it’s financial fraud and ID theft, and for SMB it’s loss of or impact to livelihood. Let’s accept impact as high across the board and focus on the probability of something bad going down.

Home/SOHO

  • Is RDP enabled? Probably not. That is, unless the friendly phone phishers from “Microsoft Department of teh Internetz” have convinced them to turn it on, in which case MS12-020 is the least of their problems.
  • Is MS12-020 patch installed? Probably. Most OEM installs of Windows either have auto-updates enabled by default. Auto-update does a pretty good job of patches like this.
  • Is RDP exposed to the Internet? If it’s enabled then probably yes. But it’s probably not enabled.

Home users are at a lower risk of this bug. They don’t have much use for RDP and Microsoft has gone to considerable efforts in dumbing the whole patching/firewalling requirement (coincidentally the bulk of this improvement was made straight after the BLASTER worm of 2003, which exploited a vulnerability very similar to this one).

Enterprise

  • Is RDP enabled? Almost always. Servers and workstations have RDP enabled to allow remote administration and BAU functions.
  • Is MS12-020 patch installed? Probably. While many organizations still suck at patching almost all have some sort of process/tool/methodology in place to do it, and pretty much all will have at least one guy/girl running around doing a song-and-dance about MS12-020 right now. If for whatever reason patches can’t be deployed RDP will most likely be hardened or disabled. n.b. I know that there are lots of exceptions to this – I am generalizing here.
  • Is RDP exposed to the Internet? Rarely. Generally, enterprises know better than to do this. If they do, the song-and-dance guy/girl will be onto it. n.b. Again with the generalization disclaimer.

In short, enterprise KNOW that there is a problem and are DOING SOMETHING ABOUT IT. More importantly the risks around something like this are on their radar.

Small/Medium Business

  • Is RDP enabled? Very often. RDP is usually enabled by I.T. contractors as a “cheaper way to provide I.T. support”. Another very common scenario is for 3rd party accountants to be given RDP access to a workstation or server running an accounting package. So on, so forth… Key point: Lots of active use cases.
  • Is MS12-020 patch installed? Hit and miss. In Small/Medium Business patching is often left to chance. Workstations may have auto-update enabled but servers may not. Key point: No-body knows for sure.
  • Is RDP exposed to the Internet? All. The. Freaking. Time. The I.T. contractor and 3rd party accountant scenarios almost always involve directly exposing RDP to the Internet, for ease of access and to save cost/complexity/set up of a VPN. Add to this Microsoft’s “RDP is teh awesomesauce” approach to Remote Web Workplace in Small Business Server which recommends RDP be exposed to the web.

In short, Small/Medium businesses are the most likely NOT TO KNOW if RDP is enabled, patched, or exposed to the Internet (or even that there’s a vulnerability floating around at the moment) which means they are DOING NOTHING about it. This, combined with a viable exploit, is a perfect recipe for a threat event.

What can we do about it?

Make lots of noise.

In general the information security community frowns on FUD (fear, uncertainty and doubt) as a tactic for education or marketing, but when you have limited time to get someone’s attention a good dose of the scary’s is the most effective method. The alternative is that they hear a half-assed story (or no story at all), remain unconvinced and apathetic, and get pwned. It happens. Often.

RDPCheck is designed to make lots of noise. It provides valuable information around the Internet exposure threat vector, but more importantly it educates users what they need to do next, and it’s getting people talking. Your support in spreading the word about the tool is greatly appreciated.

I’d really appreciate comments on any or all of this… The start-up and Small/Medium Business space is my passion. I love seeing people do cool things in business, and I hate the thought of these guys getting pwned simply because no-one told them. Comment away!

NOTE: Don’t flame me about the exceptions to comments I made about Home and Enterprise. I am talking in general terms about a general and comparative risk. If you think any of it is horribly wrong I’ll happily hear you out, but I want it to be clear that what I am NOT saying here is that “all’s well for Home and Enterprise”. That’s clearly not the case.