[ISN] Just Say No to Viruses and Worms

From: InfoSec News (isnat_private)
Date: Fri Sep 12 2003 - 00:15:32 PDT


By Kim Zetter
Sept. 11, 2003

Members of the computing industry and law enforcement testified before the technology subcommittee of the House Committee on Government Reform Wednesday about how to protect the nation's computing systems from viruses and worms.

Their remarks came as computer security professionals were poised to tackle a new version of the Sobig worm that may attack computers soon and as Microsoft announced new vulnerabilities in the Windows operating system.

The Sobig.F virus disabled itself Wednesday, per instructions coded into it by its creator. But as each of the prior five versions of the worm has been followed by a new version after it disabled itself, Sobig.H is expected to make its debut Thursday or later in the week.

Thus, with the goal of deterring future threats, the subcommittee, chaired by Rep. Adam Putnam (R-Florida), convened three panels of representatives from law enforcement, security firms and industry, including Microsoft, Cisco and Symantec.

Among the solutions proposed were better standards for producing secure software, computing ethics education directed at children, increased funding and training for computer forensics to catch hackers and virus writers, and protocols for information sharing that would aid in capturing perpetrators across borders.

But perhaps the most controversial suggestion came from John Schwarz, president and COO of antivirus firm Symantec, who called for legislation to criminalize the sharing of information and tools online that can be used by malicious hackers and virus writers.

Virus writers and hackers often learn from each other and share automated tools and code on websites. By making it illegal to post malicious code and information, Schwarz implied, the number of attacks would be reduced. He did not say, though, how legislators would determine the difference between malicious information and that used for legitimate security research, or whether such a law might compromise freedom of speech.

Schwarz noted that some 450 new viruses and variations on old ones are identified each month.

The speed of cyberattacks has also accelerated dramatically, with a shrinking window of opportunity for patching systems after a vulnerability is announced.

Gerhard Eschelbeck, CTO and vice president of engineering at Qualys, said that Slammer came out six months after the vulnerability that it exploited was announced. Nimda appeared four months after a vulnerability announcement, Slapper took six weeks to arrive and Blaster came out just three weeks after news of the vulnerability that it attacked. It's expected that this rate will soon reduce to days or

And once an attack launches, the rate that it spreads is likely to accelerate as well. Code Red and Nimda spread around the world in a matter of hours, but Slammer took under three minutes to affect thousands of machines and was able to compromise nearly all vulnerable systems in about half an hour.

Schwarz also said many of the most threatening attacks are not those that make the splashy headlines but rather low-profile worms or Trojans that are placed in strategic points in networks that are critical to a business or to the national infrastructure. These invaders can be triggered down the road to cause disruption of service or to delete data.

Chris Wysopal, director of research and development for security firm Atstake, said the source of hacking and virus problems is twofold: software that is too quickly put to market and is designed for features and functionality rather than security, and computer users who don't secure their systems.

Wysopal put the onus on software manufacturers to build more secure code. "Every virus or worm takes advantage of a security flaw in the design or the implementation of a software program," he said.

Instead of focusing on lines of defense, he said, we should pressure software makers to use a secure development process and eliminate old software that is insecure, rather than re-use insecure code in new versions of programs.

Wysopal said the number of flaws found in software can be greatly reduced when security processes are followed during development.

He said no independent or government watchdog group currently monitors the safety of computer users in the same way, for example, that the National Highway Traffic Safety Administration looks after the safety of car owners.

He also said government, as the largest purchaser of software, can help pressure software makers to improve their products by conducting security tests on software before purchasing.

"If the federal government were to do that, the benefits would be to all users of software," Wysopal said.

In fact, the Department of Homeland Security recently awarded a $90 million contract to Microsoft, making it "the primary technology provider" of desktop and server software to the agency, without conducting security testing of the software. Microsoft received the deal just two days after chairman Bill Gates met with Tom Ridge, secretary of the DHS, in Washington.

Phil Reitinger, Microsoft's senior security strategist, testified at the hearing that Microsoft is "designing and writing software more securely, making it more secure out of the box and making it easier to keep secure."

His testimony came minutes after Microsoft announced new flaws in its Windows software. The flaws, Microsoft said, would let hackers remotely control a user's computer. The company urged users to immediately apply a patch the company was offering from its website.

Reitinger also said his company is working to make patching easier. He then turned his attention to law enforcement, asking "Have we criminalized everything we ought to criminalize?"

"The biggest way (to handle cyberattacks) is to ensure that law enforcement has the resources necessary to attack the problem," he said. He called for a coordinated effort between industry, government and law enforcement to track and convict perpetrators.

Wysopal said that until secure software development becomes the norm, individual users and businesses need to patch their systems in a timely manner to ensure that attacks won't spread. One speaker even suggested that it should be considered "nothing short of a patriotic duty" for users to secure their home computers, since an infected computer can be used to attack someone else's computer.

But patches themselves can sometimes have security flaws or create incompatibility problems with other software on a system. And patching hundreds or thousands of computers inside a company can take days or

What's more, the channel for distributing patches, the Internet itself, is the same channel that distributes infections. If an attack prevents a user from connecting to the Internet and obtaining a patch, then cleaning the infection can be difficult.

This was precisely the goal of the Blaster worm, which was designed to attack the Microsoft Windows Update website where computer users were to obtain the patch for Blaster. Fortunately, Microsoft averted the problem by moving the patch to a different address.

Flash threats, the next generation of worms and viruses that infect thousands of machines in a matter of seconds, will move too quickly for reactive remedies like patching to work.

Most worms until now have been disruptive but not particularly vicious. But several of those who testified warned that the next generation of attacks will not only move swiftly but be more

The technology subcommittee will hold two more hearings next week on
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Fri Sep 12 2003 - 03:10:21 PDT