[ISN] In Computer Security, a Bigger Reason to Squirm

From: InfoSec News (isnat_private)
Date: Sun Sep 07 2003 - 22:22:01 PDT


    September 7, 2003 
    Like prison wardens marveling at an escapee's spoon-dug tunnel, 
    computer-security professionals acknowledge grudging admiration for 
    the author of SoBig.F, the virus that deluged e-mail In boxes last 
    month. At the epidemic's peak in mid-August, according to the 
    antivirus company Central Command, SoBig.F-related messages accounted 
    for 73 percent of e-mail traffic worldwide, making it history's most 
    aggressive online contagion.
    "You have to think the person who did this has some awareness of the 
    Internet's infrastructure," said Mark Carey, an independent computer 
    security consultant in Columbus, Ohio, who has analyzed SoBig's code. 
    "It's a little more sophisticated than what we've previously seen."
    On Wednesday, SoBig's built-in expiration date is supposed to take 
    effect, after which the worm stops sending the pesky e-mail messages 
    it generated with subject lines like "Wicked Screensaver" (it does not 
    remove itself from machines it has already infected). But as SoBig (in 
    colloquial parlance, a self-contained type of virus called a worm, one 
    that mails itself out with its own built-in SMTP engine) has faded, 
    concern has grown that computer networks, and the power grids and 
    nuclear plants they control, are no better equipped to ward off 
    infections than they were three and a half years ago, when the 
    infamous I Love You worm ravaged cyberspace.
    IDC, a research firm, estimates that $2.2 billion was spent on 
    antivirus products last year, but scofflaws always seem to be a step 
    ahead. Antivirus vendors can do little but shrug and point out that 
    even their fanciest software isn't perfect.
    "The whole problem here is not just having antiviral products and 
    using antiviral updates, but a lack of computer knowledge among 
    users," says Steven Sundermeier, a vice president of Central Command, 
    which is based in Medina, Ohio, and makes and sells antivirus 
    products. "Users need to start developing safe computing practices." 
    That means being more vigilant about not opening suspicious 
    attachments and updating virus scanners every few days. Signature 
    updates, though, arrive only after a new worm has been captured and 
    analyzed, so they offer nothing during the first hours of an outbreak; 
    blocking executable attachments at the mail gateway does not depend on 
    that lag.
    Despite the brochures and educational Web sites that the antivirus 
    industry churns out, some experts fear that many users will never 
    alter their surfing habits. Security experts like William Knowles, 
    senior analyst at c4i.org, a security news Web site, say SoBig was 
    probably disguised as a pornographic picture and first spread by 
    pornography newsgroups. "Are you really going to go down to users and 
    say, `You can't surf Usenet for porn,' `You can't download pictures of 
    Britney Spears'?" he said.
    Even people who have worked with computer technology for years can be 
    careless, despite the warnings. In July, Roelof Temmingh, technical 
    director at SensePost Information Security, a South African company 
    that advises corporations, presented a paper at a Las Vegas security 
    conference describing an experiment in which a test virus was sent 
    anonymously via e-mail to 13 members of a bank's computer security 
    team. Five recipients ran the infected attachment. "Five members of an 
    I.T.-security-savvy team in the financial sector executed an 
    in-your-face" virus, Mr. Temmingh pointed out, adding, "How many 
    marketing, sales or management type people would do the same?"
    In the past, if someone clicked on infected attachments, the damage 
    was limited to certain computers, like the ones running Microsoft 
    Windows. But omnivorous viruses that chew through a variety of 
    operating systems are surfacing. Last summer, for example, a benign 
    virus, Simile.D, infected Linux-based and Windows machines.
    "What if you had a virus that had all these different types of code: 
    one for Windows, one for Solaris, one for Unix?" Mr. Carey said. "And 
    say it was smart enough to know what kind of platform it was 
    attacking? We've suddenly gone from a single-platform impact to 
    something that affects everything from your desktops all the way back 
    to the data core" (the lockboxes where companies store their most 
    precious digital assets).
    In theory, such a problem should not affect utilities, transportation 
    and other essential services because vital systems should never be 
    linked to the Internet. But an incident in January at the Davis-Besse 
    Nuclear Power Station, run by the FirstEnergy Corporation outside 
    Toledo, Ohio, showed that this was not always the case. The nuclear 
    plant has not been generating power since early 2002, but a computer 
    system there that was not supposed to be linked to the Internet was 
    invaded by a worm known as Slammer, causing the system to shut down 
    for five hours. The event was not made public until Kevin Poulsen 
    reported it on Aug. 20 on SecurityFocus .com, an information-security 
    news site.
    Richard Wilkins, a FirstEnergy spokesman, said the company realized 
    after the worm struck that it did not have a firewall isolating its 
    corporate computers from the computers controlling the reactors, but 
    that it now had such a safety precaution in place.
    Six months after the Davis-Besse problem, the North American Electric 
    Reliability Council, the industry group overseeing the electrical 
    grid, announced that there were "documented cases in which bulk 
    electric system control was impaired" by the same worm. It recommended 
    that utility companies separate the computers running their power 
    grids from their corporate networks. Such separation protects a control 
    network only if it covers every path into it, including dial-up, 
    vendor and contractor connections, and not just the one link to the 
    corporate network that the firewall happens to sit on.
    It is important to keep vital systems isolated, said Stuart Staniford, 
    president of Silicon Defense, a security company based in Eureka, 
    Calif. But experts in running nuclear plants "aren't necessarily going 
    to be experts in security," he said, adding: "They connect up all 
    their machines so they can easily control and administer their 
    infrastructure. And now all of a sudden, all their machines are 
    vulnerable to the same inherent security risks."
    One of the biggest risks comes from remote users, whose personal 
    laptops may transmit viruses when linking with networks, the mode of 
    transmission in the Davis-Besse case, according to the company and an 
    April report filed with the federal Nuclear Regulatory Commission. A 
    1997 report for President Bill Clinton by the National Security 
    Telecommunications Advisory Committee, a group of experts that makes 
    recommendations to the president, warned against allowing such outside 
    access to plants' computer systems. 
    The system architects who have the expertise to eliminate such flaws 
    are increasingly hampered by tight technology budgets. According to 
    Forrester Research, spending on information technology in North 
    America this year will grow by just 1.3 percent, compared with the 
    2002 total; Goldman Sachs is predicting a 1 percent decrease this 
    year. Greg Shipley, chief technology officer of Neohapsis, a security 
    consulting company based in Chicago, said the shrinking budgets meant 
    that network holes were seldom being fixed, or "patched."
    Even companies with ample resources and information-technology staffs 
    are having trouble keeping networks patched. A study in August by Eric 
    Rescorla, founder of RTFM Inc., a network security firm based in Palo 
    Alto, Calif., looked at how quickly system administrators at many 
    companies responded to a security alert in July 2002 concerning a 
    buffer overflow in OpenSSL, the open-source cryptographic toolkit that 
    Apache Web servers commonly use for SSL. By mid-September, only a 
    third of the vulnerable servers had been patched. Then a worm called 
    Slapper appeared, which exploited the security hole in question; even 
    that did not close the gap, and Mr. Rescorla has found that more than 
    30 percent of those servers have yet to be fixed. 
    Digital pathogens spread so quickly, however, that even the most 
    diligent patchers could be at risk. At a security symposium last 
    August, Mr. Staniford and two co-authors, Vern Paxson and Nicholas 
    Weaver, presented "How to Own the Internet in Your Spare Time," which 
    described a computer simulation of a worm attack. Instead of probing 
    the Internet at random, the worm in the simulation started from a 
    "hit list" of machines that its author had scanned and identified as 
    vulnerable before the release, skipping the slow early phase in which 
    a random-scanning worm hunts for its first few thousand victims. The 
    simulation found that within 15 minutes, the worm would have infected 
    more than nine million machines. Mr. Staniford called it the Warhol 
    worm, a nod to Andy Warhol's famous line about fame.
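    The comparison behind that result, as an added illustration (this is 
    not the paper's own simulator or any code from the authors; the 
    vulnerable population, the scan rate of 100 probes per second per host 
    and the one-second hop time are assumptions chosen to make the effect 
    visible):

```python
# Toy model of worm propagation: random scanning versus a pre-computed
# hit list. Added illustration, not the Staniford/Paxson/Weaver
# simulator; all parameters below are assumptions, not measurements.

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random-scanning worm probes


def random_scan_new_infections(infected, vulnerable, scan_rate, dt):
    """Expected new infections in one time step under random scanning.

    Each infected host sends scan_rate probes per second at uniformly
    random IPv4 addresses; a probe succeeds only if it lands on a
    still-uninfected vulnerable host, i.e. with probability
    (vulnerable - infected) / 2**32. This is one Euler step of the
    logistic model da/dt = K a (1 - a) with K = scan_rate*vulnerable/2**32.
    """
    susceptible = max(vulnerable - infected, 0)
    return infected * scan_rate * dt * susceptible / ADDRESS_SPACE


def simulate(vulnerable, scan_rate, hit_list=0, hop_time=1.0, dt=1.0,
             horizon=3600):
    """Return a list of (seconds, infected_hosts) samples.

    hit_list > 0 models a Warhol-style start: the author pre-scanned for
    hit_list vulnerable hosts, and each newly infected host hands half
    of its remaining list to its next victim, so the list is consumed by
    doubling every hop_time seconds (assumed). After that, every host
    falls back to random scanning from a much larger base than a single
    seed would give.
    """
    t, infected = 0.0, 1.0
    trace = [(t, infected)]
    target = min(hit_list, vulnerable)
    # Phase 1: hit-list doubling (skipped entirely when hit_list == 0)
    while infected < target and t < horizon:
        t += hop_time
        infected = min(infected * 2, target)
        trace.append((t, infected))
    # Phase 2: random scanning until the horizon or full saturation
    while infected < vulnerable and t < horizon:
        t += dt
        infected = min(infected + random_scan_new_infections(
            infected, vulnerable, scan_rate, dt), vulnerable)
        trace.append((t, infected))
    return trace


def time_to_fraction(trace, vulnerable, fraction):
    """First sample time at which at least `fraction` of the vulnerable
    population is infected, or None if the trace never gets there."""
    for t, infected in trace:
        if infected >= fraction * vulnerable:
            return t
    return None


if __name__ == "__main__":
    N, RATE = 1_000_000, 100  # assumed vulnerable population, scans/s/host
    for name, hl in (("random scanning", 0), ("hit list of 10,000", 10_000)):
        trace = simulate(N, RATE, hit_list=hl)
        print(f"{name:>20}: 50% infected at {time_to_fraction(trace, N, 0.5)}s, "
              f"90% at {time_to_fraction(trace, N, 0.9)}s")
```

    With these parameters a random-scanning worm needs roughly ten 
    minutes to reach half of the population, almost all of it spent 
    finding the first few thousand victims, while the hit-list worm gets 
    there in under four; the paper adds permutation scanning so that 
    infected hosts do not re-probe each other's address ranges, a 
    refinement left out of this model.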
    Mr. Staniford, like many of his peers, offers few easy remedies for 
    heading off such an attack, aside from calling for more federal 
    research funds. The SoBig outbreak, as well as last month's Blaster 
    worm, have inspired new interest in "trusted computing," a 
    much-discussed concept in which a hardware module measures the 
    software a machine boots and can vouch for those measurements, so 
    that a computer could be configured to refuse any software lacking an 
    approved cryptographic signature. This solution would require 
    agreement between hardware and software makers. It is being advanced 
    by the Trusted Computing Group, founded by Microsoft, Advanced Micro 
    Devices, Intel, Hewlett-Packard and I.B.M.
    But trusted computing will have a tough public relations fight. 
    Microsoft's Palladium project, part of its Trustworthy Computing 
    initiative and announced before the group was formed, has been 
    criticized for giving Microsoft too much control over users' access 
    to documents. 
    Even if the privacy problems can be worked out, the details of how 
    trusted computing will ward off viruses are still hazy. 
    Similarly murky is the prospect for legislation. Russ Cooper, who 
    holds the title of surgeon general at TruSecure, a security company 
    based in Herndon, Va., says he would like to see legislation making 
    Internet service providers liable for negligently allowing viruses to 
    spread, but no member of Congress has signed on to the idea.
    Other prominent experts, like Bruce Schneier, the chief technical 
    officer at Counterpane Internet Security, based in Cupertino, Calif., 
    favor holding software vendors accountable for easily exploitable 
    code, but that does not seem legally feasible, given recent court 
    decisions that uphold "end user" license agreements that let software 
    companies sell their products "as is."
    "The software industry is the only industry I can think of that has 
    its own `get out of jail free' card, and that's the end-user license 
    agreement," said Richard Forno, co-author of "The Art of Information 
    People worried about computer security agree, however, that the 
    situation demands immediate attention because of the threat of viruses 
    more lethal than SoBig. "If something big were to happen in the next 
    12 months," Mr. Carey said, "there would effectively be nothing we 
    could do." 
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Sep 08 2003 - 01:05:53 PDT