IP: A MUST READ -- a comment on viruses etc from Gene Spafford - a real security expert

[Dave Farber <farber () cis upenn edu>]

> Date: Sat, 20 May 2000 12:11:05 -0500
> To: farber () cis upenn edu
> From: Gene Spafford <spaf () cerias purdue edu>
> Subject: For IP
>
> Jim Warren's post prompts me to send this out.   I wrote this last week 
> for our campus security mailing list (I am the campus ISSO, among other 
> things).
>
>  (This has been edited somewhat from the original.)
>
> > Several of you have taken me to task for my comments about Microsoft 
> > software quality.  I don't say these things to bash MS -- I say them 
> > based on over a dozen years of experience and research in infosec 
> > issues.  Quite simply, Microsoft is the vendor that is putting arbitrary 
> > scripting commands into their email clients and servers, Microsoft 
> > products are ones that continue to exhibit security flaws and problems 
> > known to researchers for decades, and it is Microsoft's design decisions 
> > and products that result in problems such as Melissa, the "love bug," and 
> > a myriad of computer viruses. Couple this with the nearly total Windows 
> > population in some environments, and we have an extremely volatile situation.
> >
> > Ask any biologist, doctor, historian, or agricultural specialist: what 
> > happens when you introduce a severe contagion into a monoculture 
> > population with little natural resistance? You get pandemic -- widespread 
> > infection and damage. Whether it is measles and smallpox killing 
> > something like 90% of the Aztecs, Dutch Elm disease destroying a mainstay 
> > of the American forest, or ILOVEYOU in Outlook damaging files on machines 
> > worldwide, the result is a massive and quick-spreading epidemic.
> >
> > Analyze statistics from anti-virus researchers, companies, and on-line 
> > documents.  You will find that there are currently about 60,000 
> > recognized computer viruses (not worms, such as Melissa or ILOVEYOU, but 
> > traditional viruses).  Of these (as of this week):
> >   * slightly less than 52,000 are viruses for DOS/Window/NT platforms
> >      - about 6000 of these are Word macro viruses
> >      - about 150-200 of these are known to be widespread "in the wild"
> >      - in 1999, approximately 650 new viruses were reported each month 
> > (more than 20 a day)
> >   * 680 are for the Amiga
> >   * A few hundred are for Javascript, Hypercard, Perl, and other 
> > scripting languages.  Few of these can spread beyond a few machines 
> > without active support of the users
> >   * 150 are for the Atari
> >   * 31 are native to the Macintosh, and only two of them are known to 
> > exist anymore
> >   * 2 or 3 are viruses native to OS/2
> >   * About 5 are for Linux/Unix/etc, but none have been found in quantity 
> > "in the wild", nor would they be likely to spread very far if they were "loose"
> >   * None are for BeOS, ErOS, or other small-population systems.
> >
> > So, over 85% of all the known viruses are for Microsoft platforms (nearly 
> > all the self-propagating worms are as well). The rate of new reports -- 
> > especially for macro viruses -- means that pattern-based virus detectors 
> > can never be up-to-date and provide 100% protection. (Note: I'm not 
> > trying to draw grand conclusions here about the reasons for this skew, 
> > but simply point out where the overwhelming threat is.)  Fast-spreading, 
> > self-propagating worms using Outlook move so quickly that they are likely 
> > to be upon us before an anti-virus vendor can even get a copy to analyze.
> >
> > The situation is made worse by Microsoft trying to minimize the scope of 
> > the problem and claim that they aren't responsible in any way. The MS 
> > spin doctors are even attempting to blame the users! (One MS executive 
> > even claimed that we should beat our users to prevent problems such as 
> > the "love bug": <http://www.digitalmass.com/columns/software/0508.html>). 
> > Microsoft employees and apologists are attempting to claim that these are 
> > problems that every software platform has, as if this somehow makes the 
> > gaping vulnerabilities less of a problem. This is simply not true -- you 
> > can't construct a "Melissa" or "love bug" worm without Outlook and MS 
> > Windows scripting host.
> >
> > So, we need to do what we can ourselves to help our situation. What 
> > should you, as Purdue system and security administrators, consider doing?
> >
> > #1 is to make sure your anti-malware software is up-to-date to detect 
> > older, known viruses. We have site licenses for various NAI products if 
> > you don't have something installed yet. Also, install Tripwire if you are 
> > using NT or Unix boxes (we have this site-licensed, too). The use of 
> > Tripwire will help detect new, as-yet undetected viruses (after the fact, 
> > unfortunately) and also help in clean-up of damage by giving a snapshot 
> > of altered files and registry settings. (It also provides intrusion 
> > detection in addition to the change detection involved in detecting viruses.)
> >
> > #2 is to ensure that your users understand good anti-malware practices. 
> > This can't stop all future problems, but it may help limit their spread. 
> > In particular, get users to cut and paste text in email rather than 
> > attach Word documents. If they need to send a file of some kind, then 
> > have them use ftp rather than embed the files in email. On the receiving 
> > side, users should simply reject any executable content rather than 
> > depend on virus screening.
> >
> > #3, perform regular, comprehensive backups of all systems. If you do not 
> > perform regular, full backups of any systems, notify those users and 
> > ensure that they understand the procedures (and importance) to do it 
> > themselves. Files deleted by buggy software, viruses, worms, crashes or 
> > simple mistakes cannot always be recreated. Backups are critical for 
> > recovery. (Be sure to test your backups periodically to ensure they work!)
> >
> > #4, be certain your systems are up-to-date on patches and security fixes, 
> > no matter what kind of platform you may be using.
> >
> > #5 If you use Outlook, disable the Windows scripting host feature (see 
> > article at the URL given above). Alternatively, think about switching 
> > your users from Outlook to some other email client (e.g., Eudora). For 
> > this to work, however, you need to de-install Outlook rather than simply 
> > install something alongside it. (There was at least one case on campus 
> > where someone using Eudora on Windows saved the ILOVEYOU code to disk and 
> > started it, and it then activated Outlook to use the global address book 
> > to mail copies to other users.)
> >
> > #6, if your users are using Internet Explore, be certain they have their 
> > security settings on the highest level for all zones unless you *know* it 
> > is safe to use a lower setting. Also, in the security settings, disable 
> > ActiveX if at all possible -- ActiveX supports threats that cannot be 
> > defended against. In all WWW browsers users should be careful about 
> > enabling Javascript and Java, with Java being safer than Javascript in 
> > up-to-date browsers.
> >
> > #7, When acquiring new systems, think carefully if you really need 
> > Windows/Word, or whether an alternative is available that is more 
> > resistant to attack. This is especially a concern if you don't have staff 
> > or expertise to be constantly dealing with security concerns. For 
> > instance, if you are only seeking a machine to run a WWW server, then a 
> > Mac makes a robust server with an almost non-existent history of security 
> > problems. In fact, last year the US Army replaced their NT-based WWW 
> > servers after repeated security problems and they have not had a single 
> > security incident since! Similarly, you can run Excel and Word on a Mac, 
> > and using StarOffice on a Unix box you can deal with the same files. 
> > There are also other word processing programs (e.g., Framemaker, 
> > AppleWorks, others) and spreadsheet systems. Windows and Office are not 
> > the only choices.
> >
> > The key here is to think about total cost of operation and the needed 
> > core functionality. When you put a machine in service there may be the 
> > up-front cost of the box and the software, and in this regard a Wintel 
> > box seems the best choice. But add in the time spent applying security 
> > patches, strengthening the default installation, responding to (and 
> > cleaning up after) break-ins and malware incidents, and the time spent 
> > staring at blue screens -- time for you and your staff is valuable, as is 
> > the loss of productive work time by your users. Yes, Windows runs 
> > thousands more programs than does Unix or a Mac -- but do you ever need 
> > those in a work or lab environment? Most are games, or are versions of 
> > software you don't need or already have in another form.  Consider 
> > carefully what you want: buying a system because it runs programs you 
> > will never use and that may cost more over its lifetime to operate is not 
> > a bargain.
> >
> > This is not intended to suggest that Microsoft is the source of all evil, 
> > or that you should run out and replace all your Windows boxes with 
> > something else.   There are good people working for MS -- and several of 
> > them are former students and colleagues. The university (and the world 
> > around us) would come to a very abrupt halt if we didn't have MS products 
> > for everyday use.  Furthermore, other vendor products are hardly bug-free 
> > -- we continue to see security advisories for Solaris, HP-UX, Linux, and 
> > others. But the number of security problems for MS products and the near 
> > ubiquity of MS platforms in many environments means that we need to be 
> > especially concerned about this as a potential problem area.  (See 
> > <http://www.securityfocus.com/frames/?content=/vdb/stats.html> for some 
> > interesting numbers supporting this.)
> >
> > Several security experts, myself included, are convinced that we have 
> > seen only the tip of the iceberg as far as new worm/virus code is 
> > concerned. Being aware of alternatives and threats is the first step in 
> > protecting ourselves. Trying to reduce the "monoculture" environment and 
> > replace the most vulnerable members of the population is simply one step 
> > towards protecting our environment against future threats.
> >
> > You *do* have choices, and if only enough people exercised their choices 
> > we might find *all* the vendors paying a little more attention to security.