Information Security News mailing list archives

In Computer Security, a Bigger Reason to Squirm


From: InfoSec News <isn () c4i org>
Date: Mon, 8 Sep 2003 00:22:01 -0500 (CDT)

http://www.nytimes.com/2003/09/07/technology/07WORM.html

By BRENDAN I. KOERNER
September 7, 2003 

LIKE prison wardens marveling at an escapee's spoon-dug tunnel, 
computer-security professionals acknowledge grudging admiration for 
the author of SoBig.F, the virus that deluged e-mail inboxes last 
month. At the epidemic's peak in mid-August, according to the 
antivirus company Central Command, SoBig.F-related messages accounted 
for 73 percent of e-mail traffic worldwide, making it history's most 
aggressive online contagion.

"You have to think the person who did this has some awareness of the 
Internet's infrastructure," said Mark Carey, an independent computer 
security consultant in Columbus, Ohio, who has analyzed SoBig's code. 
"It's a little more sophisticated than what we've previously seen."

On Wednesday, SoBig's self-destruct mechanism is supposed to kick in, 
spelling an end to the pesky e-mail messages it generated with subject 
lines like "Wicked Screensaver." But as SoBig — in colloquial 
parlance, a self-contained type of virus called a worm — has faded, 
concern has grown that computer networks, and the power grids and 
nuclear plants they control, are no better equipped to ward off 
infections than they were three and a half years ago, when the 
infamous I Love You worm ravaged cyberspace.

IDC, a research firm, estimates that $2.2 billion was spent on 
antivirus products last year, but scofflaws always seem to be a step 
ahead. Antivirus vendors can do little but shrug and point out that 
even their fanciest software isn't perfect.

"The whole problem here is not just having antiviral products and 
using antiviral updates, but a lack of computer knowledge among 
users," says Steven Sundermeier, a vice president of Central Command, 
which is based in Medina, Ohio, and makes and sells antivirus 
products. "Users need to start developing safe computing practices." 
That means being more vigilant about not opening suspicious 
attachments and updating virus scanners every few days.

Despite the brochures and educational Web sites that the antivirus 
industry churns out, some experts fear that many users will never 
alter their surfing habits. Security experts like William Knowles, 
senior analyst at c4i.org, a security news Web site, say SoBig was 
probably disguised as a pornographic picture and first spread by 
pornography newsgroups. "Are you really going to go down to users and 
say, 'You can't surf Usenet for porn,' 'You can't download pictures of 
Britney Spears'?" he said.

Even people who have worked with computer technology for years can be 
careless, despite the warnings. In July, Roelof Temmingh, technical 
director at SensePost Information Security, a South African company 
that advises corporations, presented a paper at a Las Vegas security 
conference describing an experiment in which a test virus was sent 
anonymously via e-mail to 13 members of a bank's computer security 
team. Five recipients ran the infected attachment. "Five members of an 
I.T.-security-savvy team in the financial sector executed an 
in-your-face" virus, Mr. Temmingh pointed out, adding, "How many 
marketing, sales or management type people would do the same?"

In the past, if someone clicked on infected attachments, the damage 
was limited to certain computers, like the ones running Microsoft 
Windows. But omnivorous viruses that chew through a variety of 
operating systems are surfacing. Last summer, for example, a benign 
virus, Simile.D, infected Linux-based and Windows machines.

"What if you had a virus that had all these different types of code: 
one for Windows, one for Solaris, one for Unix?" Mr. Carey said. "And 
say it was smart enough to know what kind of platform it was 
attacking? We've suddenly gone from a single-platform impact to 
something that affects everything from your desktops all the way back 
to the data core" — the lockboxes where companies store their most 
precious digital assets.

In theory, such a problem should not affect utilities, transportation 
and other essential services because vital systems should never be 
linked to the Internet. But an incident in January at the Davis-Besse 
Nuclear Power Station, run by the FirstEnergy Corporation outside 
Toledo, Ohio, showed that this was not always the case. The nuclear 
plant has not been generating power since early 2002, but a computer 
system there that was not supposed to be linked to the Internet was 
invaded by a worm known as Slammer, causing the system to shut down 
for five hours. The event was not made public until Kevin Poulsen 
reported it on Aug. 20 on SecurityFocus.com, an information-security 
news site.

Richard Wilkins, a FirstEnergy spokesman, said the company realized 
after the worm struck that it did not have a firewall isolating its 
corporate computers from the computers controlling the reactors, but 
that it now had such a safety precaution in place.

SIX months after the Davis-Besse problem, the North American Electric 
Reliability Council, the industry group overseeing the electrical 
grid, announced that there were "documented cases in which bulk 
electric system control was impaired" by the same worm. It recommended 
that utility companies separate the computers running their power 
grids from their corporate networks.

It is important to keep vital systems isolated, said Stuart Staniford, 
president of Silicon Defense, a security company based in Eureka, 
Calif. But experts in running nuclear plants "aren't necessarily going 
to be experts in security," he said, adding: "They connect up all 
their machines so they can easily control and administer their 
infrastructure. And now all of a sudden, all their machines are 
vulnerable to the same inherent security risks."

One of the biggest risks comes from remote users, whose personal 
laptops may transmit viruses when linking with networks — the mode of 
transmission in the Davis-Besse case, according to the company and an 
April report filed with the federal Nuclear Regulatory Commission. A 
1997 report for President Bill Clinton by the National Security 
Telecommunications Advisory Committee, a group of experts that makes 
recommendations to the president, warned against allowing such outside 
access to plants' computer systems. 

The system architects who have the expertise to eliminate such flaws 
are increasingly hampered by tight technology budgets. According to 
Forrester Research, spending on information technology in North 
America this year will grow by just 1.3 percent, compared with the 
2002 total; Goldman Sachs is predicting a 1 percent decrease this 
year. Greg Shipley, chief technology officer of Neohapsis, a security 
consulting company based in Chicago, said the shrinking budgets meant 
that network holes were seldom being fixed, or "patched."

Even companies with ample resources and information-technology staffs 
are having trouble keeping networks patched. A study in August by Eric 
Rescorla, founder of RTFM Inc., a network security firm based in Palo 
Alto, Calif., looked at how quickly system administrators at many 
companies responded to a security alert in July 2002 concerning a 
problem with OpenSSL, a security "tool kit" commonly installed on 
Apache Web servers. By mid-September, only a third of the vulnerable 
servers had been patched. Then a worm called Slapper appeared, which 
exploited the security hole in question. But Mr. Rescorla has found 
that more than 30 percent of those servers have yet to be fixed. 

Digital pathogens spread so quickly, however, that even the most 
diligent patchers could be at risk. At a security symposium last 
August, Mr. Staniford and two co-authors presented "How to Own the 
Internet in Your Spare Time," which described a computer simulation of 
a worm attack. The worm in the simulation attacked machines that had 
been selected earlier as ripe targets, instead of randomly probing the 
Internet. The simulation found that within 15 minutes, the worm would 
have infected more than nine million machines. Mr. Staniford called it 
the Warhol worm, a nod to Andy Warhol's famous line about fame.
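The simulation described above rests on a standard epidemic model: the rate at which a randomly scanning worm finds new victims is proportional to the fraction already infected times the fraction still uninfected, and a pre-built hit list simply moves the starting point up that curve. The following Python is an added example, not code from the article or from the Staniford paper, written from a responder's point of view: given assumed scan rates and population sizes (all constructed values), how many seconds does a defender have before half the vulnerable population is infected, and how much of that window does a hit list remove. The names `contact_rate`, `time_to_fraction` and `response_window` are this example's own.

```python
"""Logistic worm-spread model: random scanning versus hit-list seeding.

Added example for the article's description of the "Warhol worm"
simulation; the parameters below are assumptions, not measured data.
"""
import math

# Size of the IPv4 address space a random-scanning worm probes blindly.
SCAN_SPACE = 2 ** 32


def contact_rate(scans_per_second, vulnerable_hosts):
    """K: expected new infections per second caused by one infected host
    while almost everything is still uninfected. Each probe hits a
    vulnerable address with probability vulnerable_hosts / 2^32."""
    return scans_per_second * vulnerable_hosts / SCAN_SPACE


def infected_fraction(k, a0, t):
    """Closed-form solution of da/dt = K * a * (1 - a) with a(0) = a0."""
    e = math.exp(k * t)
    return a0 * e / (1.0 - a0 + a0 * e)


def time_to_fraction(k, a0, target):
    """Seconds until the infected fraction first reaches `target`.

    Inverting the logistic curve gives
        t = (1 / K) * ln( target * (1 - a0) / (a0 * (1 - target)) ).
    """
    if not 0.0 < a0 < target < 1.0:
        raise ValueError("need 0 < initial fraction < target fraction < 1")
    return math.log(target * (1.0 - a0) / (a0 * (1.0 - target))) / k


def response_window(scans_per_second, vulnerable_hosts, initial_infected,
                    target=0.5):
    """Defender's view: seconds before `target` of the vulnerable
    population is infected, given how many hosts the worm starts on."""
    k = contact_rate(scans_per_second, vulnerable_hosts)
    a0 = initial_infected / vulnerable_hosts
    return time_to_fraction(k, a0, target)


def compare_strategies(scans_per_second=100, vulnerable_hosts=1_000_000,
                       hitlist_size=10_000):
    """Same worm, two starting conditions (constructed parameters):
    one seed host found by random scanning, or a pre-compiled hit list
    that is already infected when the outbreak begins."""
    return {
        "random_scan_seconds": response_window(
            scans_per_second, vulnerable_hosts, 1),
        "hitlist_seconds": response_window(
            scans_per_second, vulnerable_hosts, hitlist_size),
    }


if __name__ == "__main__":
    for name, seconds in compare_strategies().items():
        print(f"{name:>20}: {seconds / 60:6.1f} minutes to 50% infected")
```

With the assumed numbers (100 probes per second per infected host, one million vulnerable hosts, a 10,000-entry hit list) the random-scan start gives responders roughly ten minutes and the hit-list start roughly three; the point for a defender is that the hit list attacks the slow early phase of the curve, which is exactly the phase in which signature updates and emergency patching are supposed to happen. Swap in your own population and scan-rate estimates to see how little manual response time a well-seeded outbreak leaves.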

Mr. Staniford, like many of his peers, offers few easy remedies for 
heading off such an attack, aside from calling for more federal 
research funds. The SoBig outbreak, as well as last month's Blaster 
worm, have inspired new interest in "trusted computing," a 
much-discussed concept to prevent computers from running any software 
without a specific cryptographic signature. This solution would 
require agreement between hardware and software makers. It is being 
advanced by the Trusted Computing Group, founded by Microsoft, 
Advanced Micro Devices, Intel, Hewlett-Packard and I.B.M.

BUT trusted computing will have a tough public relations fight. 
Microsoft's Trustworthy Computing initiative, which began before the 
group was formed, has been criticized for giving Microsoft too much 
control over users' access to documents. 

Even if the privacy problems can be worked out, the details of how 
trusted computing will ward off viruses are still hazy. 

Similarly murky is the prospect for legislation. Russ Cooper, who 
holds the title of surgeon general at TruSecure, a security company 
based in Herndon, Va., says he would like to see legislation making 
Internet service providers liable for negligently allowing viruses to 
spread, but no member of Congress has signed on to the idea.

Other prominent experts, like Bruce Schneier, the chief technical 
officer at Counterpane Internet Security, based in Cupertino, Calif., 
favor holding software vendors accountable for easily exploitable 
code, but that does not seem legally feasible, given recent court 
decisions that uphold "end user" license agreements that let software 
companies sell their products "as is."

"The software industry is the only industry I can think of that has 
its own 'get out of jail free' card, and that's the end-user license 
agreement," said Richard Forno, co-author of "The Art of Information 
Warfare."

People worried about computer security agree, however, that the 
situation demands immediate attention because of the threat of viruses 
more lethal than SoBig. "If something big were to happen in the next 
12 months," Mr. Carey said, "there would effectively be nothing we 
could do." 

ISN is currently hosted by Attrition.org