http://www.nytimes.com/2003/09/07/technology/07WORM.html

By BRENDAN I. KOERNER
September 7, 2003

Like prison wardens marveling at an escapee's spoon-dug tunnel, computer-security professionals acknowledge grudging admiration for the author of SoBig.F, the virus that deluged e-mail in-boxes last month. At the epidemic's peak in mid-August, according to the antivirus company Central Command, SoBig.F-related messages accounted for 73 percent of e-mail traffic worldwide, making it history's most aggressive online contagion.

"You have to think the person who did this has some awareness of the Internet's infrastructure," said Mark Carey, an independent computer security consultant in Columbus, Ohio, who has analyzed SoBig's code. "It's a little more sophisticated than what we've previously seen."

On Wednesday, SoBig's self-destruct mechanism is supposed to kick in, spelling an end to the pesky e-mail messages it generated with subject lines like "Wicked Screensaver." But as SoBig — in colloquial parlance, a self-contained type of virus called a worm — has faded, concern has grown that computer networks, and the power grids and nuclear plants they control, are no better equipped to ward off infections than they were three and a half years ago, when the infamous I Love You worm ravaged cyberspace.

IDC, a research firm, estimates that $2.2 billion was spent on antivirus products last year, but scofflaws always seem to be a step ahead. Antivirus vendors can do little but shrug and point out that even their fanciest software isn't perfect.

"The whole problem here is not just having antiviral products and using antiviral updates, but a lack of computer knowledge among users," says Steven Sundermeier, a vice president of Central Command, which is based in Medina, Ohio, and makes and sells antivirus products. "Users need to start developing safe computing practices."
That means being more vigilant about not opening suspicious attachments and updating virus scanners every few days. Despite the brochures and educational Web sites that the antivirus industry churns out, some experts fear that many users will never alter their surfing habits.

Security experts like William Knowles, senior analyst at c4i.org, a security news Web site, say SoBig was probably disguised as a pornographic picture and first spread by pornography newsgroups. "Are you really going to go down to users and say, 'You can't surf Usenet for porn,' 'You can't download pictures of Britney Spears'?" he said.

Even people who have worked with computer technology for years can be careless, despite the warnings. In July, Roelof Temmingh, technical director at SensePost Information Security, a South African company that advises corporations, presented a paper at a Las Vegas security conference describing an experiment in which a test virus was sent anonymously via e-mail to 13 members of a bank's computer security team. Five recipients ran the infected attachment.

"Five members of an I.T.-security-savvy team in the financial sector executed an in-your-face" virus, Mr. Temmingh pointed out, adding, "How many marketing, sales or management type people would do the same?"

In the past, if someone clicked on infected attachments, the damage was limited to certain computers, like the ones running Microsoft Windows. But omnivorous viruses that chew through a variety of operating systems are surfacing. Last summer, for example, a benign virus, Simile.D, infected Linux-based and Windows machines.

"What if you had a virus that had all these different types of code: one for Windows, one for Solaris, one for Unix?" Mr. Carey said. "And say it was smart enough to know what kind of platform it was attacking? We've suddenly gone from a single-platform impact to something that affects everything from your desktops all the way back to the data core" — the lockboxes where companies store their most precious digital assets.

In theory, such a problem should not affect utilities, transportation and other essential services because vital systems should never be linked to the Internet. But an incident in January at the Davis-Besse Nuclear Power Station, run by the FirstEnergy Corporation outside Toledo, Ohio, showed that this was not always the case.

The nuclear plant has not been generating power since early 2002, but a computer system there that was not supposed to be linked to the Internet was invaded by a worm known as Slammer, causing the system to shut down for five hours. The event was not made public until Kevin Poulsen reported it on Aug. 20 on SecurityFocus.com, an information-security news site.

Richard Wilkins, a FirstEnergy spokesman, said the company realized after the worm struck that it did not have a firewall isolating its corporate computers from the computers controlling the reactors, but that it now had such a safety precaution in place.

Six months after the Davis-Besse problem, the North American Electric Reliability Council, the industry group overseeing the electrical grid, announced that there were "documented cases in which bulk electric system control was impaired" by the same worm. It recommended that utility companies separate the computers running their power grids from their corporate networks.

It is important to keep vital systems isolated, said Stuart Staniford, president of Silicon Defense, a security company based in Eureka, Calif. But experts in running nuclear plants "aren't necessarily going to be experts in security," he said, adding: "They connect up all their machines so they can easily control and administer their infrastructure. And now all of a sudden, all their machines are vulnerable to the same inherent security risks."
One of the biggest risks comes from remote users, whose personal laptops may transmit viruses when linking with networks — the mode of transmission in the Davis-Besse case, according to the company and an April report filed with the federal Nuclear Regulatory Commission. A 1997 report for President Bill Clinton by the National Security Telecommunications Advisory Committee, a group of experts that makes recommendations to the president, warned against allowing such outside access to plants' computer systems.

The system architects who have the expertise to eliminate such flaws are increasingly hampered by tight technology budgets. According to Forrester Research, spending on information technology in North America this year will grow by just 1.3 percent, compared with the 2002 total; Goldman Sachs is predicting a 1 percent decrease this year. Greg Shipley, chief technology officer of Neohapsis, a security consulting company based in Chicago, said the shrinking budgets meant that network holes were seldom being fixed, or "patched."

Even companies with ample resources and information-technology staffs are having trouble keeping networks patched. A study in August by Eric Rescorla, founder of RTFM Inc., a network security firm based in Palo Alto, Calif., looked at how quickly system administrators at many companies responded to a security alert in July 2002 concerning a problem with OpenSSL, a security "tool kit" commonly installed on Apache Web servers. By mid-September, only a third of the vulnerable servers had been patched. Then a worm called Slapper appeared, which exploited the security hole in question. But Mr. Rescorla has found that more than 30 percent of those servers have yet to be fixed.

Digital pathogens spread so quickly, however, that even the most diligent patchers could be at risk. At a security symposium last August, Mr. Staniford and two co-authors presented "How to Own the Internet in Your Spare Time," which described a computer simulation of a worm attack. The worm in the simulation attacked machines that had been selected earlier as ripe targets, instead of randomly probing the Internet. The simulation found that within 15 minutes, the worm would have infected more than nine million machines. Mr. Staniford called it the Warhol worm, a nod to Andy Warhol's famous line about fame.

Mr. Staniford, like many of his peers, offers few easy remedies for heading off such an attack, aside from calling for more federal research funds.

The SoBig outbreak, as well as last month's Blaster worm, have inspired new interest in "trusted computing," a much-discussed concept to prevent computers from running any software without a specific cryptographic signature. This solution would require agreement between hardware and software makers. It is being advanced by the Trusted Computing Group, founded by Microsoft, Advanced Micro Devices, Intel, Hewlett-Packard and I.B.M.

But trusted computing will have a tough public relations fight. Microsoft's Trustworthy Computing initiative, which began before the group was formed, has been criticized for giving Microsoft too much control over users' access to documents. Even if the privacy problems can be worked out, the details of how trusted computing will ward off viruses are still hazy.

Similarly murky is the prospect for legislation. Russ Cooper, who holds the title of surgeon general at TruSecure, a security company based in Herndon, Va., says he would like to see legislation making Internet service providers liable for negligently allowing viruses to spread, but no member of Congress has signed on to the idea.
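The "Warhol worm" passage above reports a simulation in which a worm seeded with a pre-selected hit list, rather than random probing alone, saturates its target population within minutes. The following is an added illustration of why that seeding matters, written for this page; it is not code from the article or from the Staniford paper. It uses a simple deterministic epidemic model (the logistic curve that random-scanning worms follow) and compares a worm started from a single host with one started from a hit list of hosts already known to be vulnerable. Every parameter is assumed for illustration: 1,000,000 vulnerable hosts, 100 probes per second per infected host, a 10,000-entry hit list and the 2^32 IPv4 address space; none of these figures come from the article, and the function names are this example's own. For defenders the point is the response window: the slow start of the random-scanning curve, which manual incident response normally relies on, is exactly the part a hit list removes.

```python
import math

# IPv4 address space from which a random-scanning worm draws probe targets (assumed model).
ADDRESS_SPACE = 2 ** 32


def simulate(vulnerable, scans_per_sec, initial_infected, dt=1.0, horizon=7200.0):
    """Deterministic discrete-time epidemic model of a scanning worm.

    Each infected host sends scans_per_sec probes per second at uniformly random
    addresses; a probe reaches a still-susceptible host with probability
    susceptible / ADDRESS_SPACE. Returns a list of (seconds, infected_hosts).
    """
    infected = float(initial_infected)
    t = 0.0
    curve = [(t, infected)]
    while t < horizon and infected < vulnerable:
        susceptible = vulnerable - infected
        newly_infected = infected * scans_per_sec * (susceptible / ADDRESS_SPACE) * dt
        infected = min(float(vulnerable), infected + newly_infected)
        t += dt
        curve.append((t, infected))
    return curve


def time_to_fraction(curve, vulnerable, fraction):
    """First simulated time at which at least `fraction` of the population is infected, or None."""
    target = fraction * vulnerable
    for t, infected in curve:
        if infected >= target:
            return t
    return None


def logistic_time_to_fraction(vulnerable, scans_per_sec, initial_infected, fraction):
    """Closed-form cross-check of the simulation.

    The continuous version of the model is the logistic curve
        I(t) = N / (1 + ((N - I0) / I0) * exp(-K t)),   K = s * N / ADDRESS_SPACE,
    so the time to reach fraction f is ln(f/(1-f) * (N-I0)/I0) / K.
    """
    target = fraction * vulnerable
    if initial_infected >= target:
        return 0.0
    k = scans_per_sec * vulnerable / ADDRESS_SPACE
    odds = fraction / (1.0 - fraction)
    return math.log(odds * (vulnerable - initial_infected) / initial_infected) / k


def compare_seeding(vulnerable=1_000_000, scans_per_sec=100, hit_list_size=10_000, fraction=0.9):
    """Seconds to `fraction` saturation for a single-seed worm versus a hit-list-seeded worm.

    All defaults are assumed illustration values, not figures from the article.
    """
    random_curve = simulate(vulnerable, scans_per_sec, 1)
    hit_list_curve = simulate(vulnerable, scans_per_sec, hit_list_size)
    return {
        "random_seed_seconds": time_to_fraction(random_curve, vulnerable, fraction),
        "hit_list_seconds": time_to_fraction(hit_list_curve, vulnerable, fraction),
    }


if __name__ == "__main__":
    result = compare_seeding()
    print("single seed, 90% infected after %.0f s" % result["random_seed_seconds"])
    print("hit list,    90% infected after %.0f s" % result["hit_list_seconds"])
    print("logistic prediction for single seed: %.0f s"
          % logistic_time_to_fraction(1_000_000, 100, 1, 0.9))
```

Under these assumed parameters the single-seed worm needs roughly eleven to twelve minutes to reach 90 percent of the population, and the hit-list worm under five; the difference is almost exactly ln(hit list size)/K, the time the random-scanning worm would otherwise have spent finding its first ten thousand victims. Changing the scan rate or population size moves both curves, but the hit list always removes that same logarithmic head start.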
Other prominent experts, like Bruce Schneier, the chief technical officer at Counterpane Internet Security, based in Cupertino, Calif., favor holding software vendors accountable for easily exploitable code, but that does not seem legally feasible, given recent court decisions that uphold "end user" license agreements that let software companies sell their products "as is."

"The software industry is the only industry I can think of that has its own 'get out of jail free' card, and that's the end-user license agreement," said Richard Forno, co-author of "The Art of Information Warfare."

People worried about computer security agree, however, that the situation demands immediate attention because of the threat of viruses more lethal than SoBig. "If something big were to happen in the next 12 months," Mr. Carey said, "there would effectively be nothing we could do."

-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Sep 08 2003 - 01:05:53 PDT