http://www.wired.com/news/infostructure/0,1377,60391-2,00.html

By Kim Zetter
Sept. 11, 2003

Members of the computing industry and law enforcement testified before the technology subcommittee of the House Committee on Government Reform Wednesday about how to protect the nation's computing systems from viruses and worms.

Their remarks came as computer security professionals were poised to tackle a new version of the Sobig worm that may attack computers soon and as Microsoft announced new vulnerabilities in the Windows operating system.

The Sobig.F virus disabled itself Wednesday, per instructions coded into it by its creator. But as each of the prior five versions of the worm has been followed by a new version after it disabled itself, Sobig.H is expected to make its debut Thursday or later in the week.

Thus, with the goal of deterring future threats, the subcommittee, chaired by Rep. Adam Putnam (R-Florida), convened three panels of representatives from law enforcement, security firms and industry, including Microsoft, Cisco and Symantec.

Among the solutions proposed were better standards for producing secure software, computing ethics education directed at children, increased funding and training for computer forensics to catch hackers and virus writers, and protocols for information sharing that would aid in capturing perpetrators across borders.

But perhaps the most controversial suggestion came from John Schwarz, president and COO of antivirus firm Symantec, who called for legislation to criminalize the sharing of information and tools online that can be used by malicious hackers and virus writers.

Virus writers and hackers often learn from each other and share automated tools and code on websites. By making it illegal to post malicious code and information, Schwarz implied, the number of attacks would be reduced.
He did not say, though, how legislators would determine the difference between malicious information and that used for legitimate security research, or whether such a law might compromise freedom of speech.

Schwarz noted that some 450 new viruses and variations on old ones are identified each month.

The speed of cyberattacks has also accelerated dramatically, with a shrinking window of opportunity for patching systems after a vulnerability is announced.

Gerhard Eschelbeck, CTO and vice president of engineering at Qualys, said that Slammer came out six months after the vulnerability that it exploited was announced. Nimda appeared four months after a vulnerability announcement, Slapper took six weeks to arrive and Blaster came out just three weeks after news of the vulnerability that it attacked. It's expected that this rate will soon reduce to days or hours.

And once an attack launches, the rate at which it spreads is likely to accelerate as well. Code Red and Nimda spread around the world in a matter of hours, but Slammer took under three minutes to affect thousands of machines and was able to compromise nearly all vulnerable systems in about half an hour.

Schwarz also said many of the most threatening attacks are not those that make the splashy headlines but rather low-profile worms or Trojans that are placed at strategic points in networks that are critical to a business or to the national infrastructure. These invaders can be triggered down the road to cause disruption of service or to delete data.

Chris Wysopal, director of research and development for security firm Atstake, said the source of hacking and virus problems is twofold: software that is too quickly put to market and is designed for features and functionality rather than security, and computer users who don't secure their systems.

Wysopal put the onus on software manufacturers to build more secure code.
"Every virus or worm takes advantage of a security flaw in the design or the implementation of a software program," he said.

Instead of focusing on lines of defense, he said, we should pressure software makers to use a secure development process and eliminate old software that is insecure, rather than re-use insecure code in new versions of programs.

Wysopal said the number of flaws found in software can be greatly reduced when security processes are followed during development.

He said no independent or government watchdog group currently monitors the safety of computer users in the same way, for example, that the National Highway Traffic Safety Administration looks after the safety of car owners.

He also said government, as the largest purchaser of software, can help pressure software makers to improve their products by conducting security tests on software before purchasing.

"If the federal government were to do that, the benefits would be to all users of software," Wysopal said.

In fact, the Department of Homeland Security recently awarded a $90 million contract to Microsoft, making it "the primary technology provider" of desktop and server software to the agency, without conducting security testing of the software. Microsoft received the deal just two days after chairman Bill Gates met with Tom Ridge, secretary of the DHS, in Washington.

Phil Reitinger, Microsoft's senior security strategist, testified at the hearing that Microsoft is "designing and writing software more securely, making it more secure out of the box and making it easier to keep secure."

His testimony came minutes after Microsoft announced new flaws in its Windows software. The flaws, Microsoft said, would let hackers remotely control a user's computer. The company urged users to immediately apply a patch the company was offering from its website.

Reitinger also said his company is working to make patching easier.
He then turned his attention to law enforcement, asking "Have we criminalized everything we ought to criminalize?"

"The biggest way (to handle cyberattacks) is to ensure that law enforcement has the resources necessary to attack the problem," he said. He called for a coordinated effort between industry, government and law enforcement to track and convict perpetrators.

Wysopal said that until secure software development becomes the norm, individual users and businesses need to patch their systems in a timely manner to ensure that attacks won't spread.

One speaker even suggested that it should be considered "nothing short of a patriotic duty" for users to secure their home computers, since an infected computer can be used to attack someone else's computer.

But patches themselves can sometimes have security flaws or create incompatibility problems with other software on a system. And patching hundreds or thousands of computers inside a company can take days or weeks.

What's more, the channel for distributing patches, the Internet itself, is the same channel that distributes infections. If an attack prevents a user from connecting to the Internet and obtaining a patch, then cleaning the infection can be difficult.

This was precisely the goal of the Blaster worm, which was designed to attack the Microsoft Windows Update website where computer users were to obtain the patch for Blaster. Fortunately, Microsoft averted the problem by moving the patch to a different address.

Flash threats, the next generation of worms and viruses that infect thousands of machines in a matter of seconds, will move too quickly for reactive remedies like patching to work.

Most worms until now have been disruptive but not particularly vicious. But several of those who testified warned that the next generation of attacks will not only move swiftly but be more destructive.

The technology subcommittee will hold two more hearings next week on cybersecurity.