Why the SMB is most at risk from MS12-020

There’s a lot of hubbub going around about the recent vulnerability from Microsoft. It’s called MS12-020 and it affects the Remote Desktop Protocol (a.k.a. RDP or Terminal Services if you are old school).

The hubbub is warranted… Once researchers get code working to exploit this vulnerability they will have full system level remote access across a network, with no password, no user interaction and no user knowledge.

![RDP worm](http://caseyjohnellis.com/wp-content/uploads/2012/03/hacker.jpg "RDPCheck")

This will trigger a spike in hacking from the Internet and, within a few days or weeks, a self-propagating worm will be written and released into the wild.

How successful this RDP hacking and the RDP worm are will depend largely on how much attention is paid to posts like this one.

I believe this vulnerability poses the greatest risk to Small/Medium Businesses – so much so that I roped a mate of mine into a few sleepless nights over the weekend to build RDPCheck.

RDPCheck is a tool that helps individuals and businesses check their PCs and networks for exposure to attacks on the RDP vulnerability.

While this tool can (and does) help any person or business assess their exposure and increase their awareness of MS12-020, I built it with SMB in mind. This post explains the why in that thinking…

TL;DR – Small/Medium businesses are the most likely NOT TO KNOW if RDP is enabled, patched, or exposed to the Internet (or even that there’s a vulnerability floating around at the moment), which means they are DOING NOTHING about it. This, combined with a viable exploit, is a perfect recipe for a threat event.

When it comes to getting pwned by MS12-020 there are 3 main risk factors to consider:

Secondly, in the terms we’re using here there are 3 categories to consider:

Small point: Risk is probability times impact. For enterprise the impact of a breach is obvious, for home/SOHO it’s financial fraud and ID theft, and for SMB it’s loss of or impact to livelihood. Let’s accept impact as high across the board and focus on the probability of something bad going down.

Home/SOHO

Home users are at a lower risk from this bug. They don’t have much use for RDP, and Microsoft has gone to considerable effort to dumb down the whole patching/firewalling requirement (coincidentally, the bulk of this improvement was made straight after the BLASTER worm of 2003, which exploited a vulnerability very similar to this one).

Enterprise

In short, enterprises KNOW that there is a problem and are DOING SOMETHING ABOUT IT. More importantly, the risks around something like this are on their radar.

Small/Medium Business

In short, Small/Medium businesses are the most likely NOT TO KNOW if RDP is enabled, patched, or exposed to the Internet (or even that there’s a vulnerability floating around at the moment), which means they are DOING NOTHING about it. This, combined with a viable exploit, is a perfect recipe for a threat event.
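The three unknowns above (is RDP enabled, is it patched, is it reachable) can be answered for a single Windows box from an elevated PowerShell prompt. The script below is an added example written for this post; it is not the RDPCheck tool and not Microsoft’s code. It reads the registry value that switches Remote Desktop on or off, looks for a TCP 3389 listener, checks installed hotfixes against the MS12-020 update IDs, and reports whether Network Level Authentication (NLA) is required, which Microsoft listed as a workaround for this bulletin. `$Ms12020Kbs` is a placeholder that you must fill from the KB numbers in the MS12-020 bulletin; the function names are this example’s own.

```powershell
# Added example, not the RDPCheck tool. Local-only checks for the three
# unknowns named in the post: is RDP enabled, is it listening, is it patched.
# Run in an elevated PowerShell on the machine being checked.
# $Ms12020Kbs is a placeholder: fill it with the KB ids from the MS12-020 bulletin.
$Ms12020Kbs = @('KB_FROM_MS12_020_BULLETIN')

function Test-RdpEnabled {
    # fDenyTSConnections: 0 = Remote Desktop connections allowed, 1 = denied
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $val = (Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction Stop).fDenyTSConnections
    return ($val -eq 0)
}

function Test-RdpListening {
    param([int]$Port = 3389)
    # Get-NetTCPConnection exists on newer Windows; fall back to netstat on older hosts
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        return [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
    }
    return [bool](netstat -an | Select-String -Pattern "TCP\s+\S+:$Port\s+\S+\s+LISTENING")
}

function Test-Ms12020Patched {
    param([string[]]$KbIds)
    # Any one of the bulletin's update ids being installed counts as patched
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) { if ($installed -contains $kb) { return $true } }
    return $false
}

function Test-NlaRequired {
    # UserAuthentication = 1 means NLA is required before a session is set up,
    # so unauthenticated clients never reach the vulnerable code path
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $val = (Get-ItemProperty -Path $key -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    return ($val -eq 1)
}

$enabled   = Test-RdpEnabled
$listening = Test-RdpListening
$patched   = Test-Ms12020Patched -KbIds $Ms12020Kbs
$nla       = Test-NlaRequired

"RDP enabled (registry):   $enabled"
"RDP listening on 3389:    $listening"
"MS12-020 update present:  $patched"
"NLA required:             $nla"

if ($listening -and -not $patched) {
    Write-Warning "RDP is reachable and the MS12-020 update is not installed: patch now, or disable RDP / block TCP 3389 at the firewall until you can."
    if (-not $nla) { Write-Warning "NLA is off; turning it on reduces exposure while you patch." }
}
"Internet exposure cannot be judged from the host alone: check the router/firewall for a port forward of TCP 3389."
```

The last line is the point an SMB most often misses: a workstation can report everything green and still be reachable from the Internet through a port forward on the office router, so the host check needs to be paired with a look at the perimeter device (or an external check such as the one the post describes).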

What can we do about it?

Make lots of noise.

In general, the information security community frowns on FUD (fear, uncertainty and doubt) as a tactic for education or marketing, but when you have limited time to get someone’s attention, a good dose of the scaries is the most effective method. The alternative is that they hear a half-assed story (or no story at all), remain unconvinced and apathetic, and get pwned. It happens. Often.

RDPCheck is designed to make lots of noise. It provides valuable information around the Internet exposure threat vector, but more importantly it educates users on what they need to do next, and it’s getting people talking. Your support in spreading the word about the tool is greatly appreciated.

I’d really appreciate comments on any or all of this… The start-up and Small/Medium Business space is my passion. I love seeing people do cool things in business, and I hate the thought of these guys getting pwned simply because no-one told them. Comment away!

NOTE: Don’t flame me about the exceptions to comments I made about Home and Enterprise. I am talking in general terms about a general and comparative risk. If you think any of it is horribly wrong I’ll happily hear you out, but I want it to be clear that what I am NOT saying here is that “all’s well for Home and Enterprise”. That’s clearly not the case.

Casey John Ellis

Founder of Bugcrowd and disclose.io, keynote speaker, security strategist
