Information Security News mailing list archives

Just Say No to Viruses and Worms


From: InfoSec News <isn () c4i org>
Date: Fri, 12 Sep 2003 02:15:32 -0500 (CDT)

http://www.wired.com/news/infostructure/0,1377,60391-2,00.html

By Kim Zetter 
Sept. 11, 2003

Members of the computing industry and law enforcement testified before
the technology subcommittee of the House Committee on Government
Reform Wednesday about how to protect the nation's computing systems
from viruses and worms.

Their remarks came as computer security professionals were poised to
tackle a new version of the Sobig worm that may attack computers soon
and as Microsoft announced new vulnerabilities in the Windows
operating system.

The Sobig.F virus disabled itself Wednesday, per instructions coded
into it by its creator. But because each of the prior five versions of
the worm has been followed by a new version after it disabled itself,
Sobig.H is expected to make its debut Thursday or later in the week.

Thus, with the goal of deterring future threats, the subcommittee,
chaired by Rep. Adam Putnam (R-Florida), convened three panels of
representatives from law enforcement, security firms and industry,
including Microsoft, Cisco and Symantec.

Among the solutions proposed were better standards for producing
secure software, computing ethics education directed at children,
increased funding and training for computer forensics to catch hackers
and virus writers, and protocols for information sharing that would
aid in capturing perpetrators across borders.

But perhaps the most controversial suggestion came from John Schwarz,
president and COO of antivirus firm Symantec, who called for
legislation to criminalize the sharing of information and tools online
that can be used by malicious hackers and virus writers.

Virus writers and hackers often learn from each other and share
automated tools and code on websites. By making it illegal to post
malicious code and information, Schwarz implied, the number of attacks
would be reduced. He did not say, though, how legislators would
determine the difference between malicious information and that used
for legitimate security research, or whether such a law might
compromise freedom of speech.

Schwarz noted that some 450 new viruses and variations on old ones are
identified each month.

The speed of cyberattacks has also accelerated dramatically, with a
shrinking window of opportunity for patching systems after a
vulnerability is announced.

Gerhard Eschelbeck, CTO and vice president of engineering at Qualys,
said that Slammer came out six months after the vulnerability that it
exploited was announced. Nimda appeared four months after a
vulnerability announcement, Slapper took six weeks to arrive and
Blaster came out just three weeks after news of the vulnerability that
it attacked. This interval is expected to shrink to days or hours
before long.

And once an attack launches, the rate that it spreads is likely to
accelerate as well. Code Red and Nimda spread around the world in a
matter of hours, but Slammer took under three minutes to affect
thousands of machines and was able to compromise nearly all vulnerable
systems in about half an hour.

Schwarz also said many of the most threatening attacks are not those
that make the splashy headlines but rather low-profile worms or
Trojans that are placed in strategic points in networks that are
critical to a business or to the national infrastructure. These
invaders can be triggered down the road to cause disruption of service
or to delete data.

Chris Wysopal, director of research and development for security firm
Atstake, said the source of hacking and virus problems is twofold:
software that is too quickly put to market and is designed for
features and functionality rather than security, and computer users
who don't secure their systems.

Wysopal put the onus on software manufacturers to build more secure
code. "Every virus or worm takes advantage of a security flaw in the
design or the implementation of a software program," he said.

Instead of focusing on lines of defense, he said, we should pressure
software makers to use a secure development process and eliminate old
software that is insecure, rather than re-use insecure code in new
versions of programs.

Wysopal said the number of flaws found in software can be greatly
reduced when security processes are followed during development.

He said no independent or government watchdog group currently monitors
the safety of computer users in the same way, for example, that the
National Highway Traffic Safety Administration looks after the safety
of car owners.

He also said government, as the largest purchaser of software, can
help pressure software makers to improve their products by conducting
security tests on software before purchasing.

"If the federal government were to do that, the benefits would be to
all users of software," Wysopal said.

In fact, the Department of Homeland Security recently awarded a $90
million contract to Microsoft, making it "the primary technology
provider" of desktop and server software to the agency, without
conducting security testing of the software. Microsoft received the
deal just two days after chairman Bill Gates met with Tom Ridge,
secretary of the DHS, in Washington.

Phil Reitinger, Microsoft's senior security strategist, testified at
the hearing that Microsoft is "designing and writing software more
securely, making it more secure out of the box and making it easier to
keep secure."

His testimony came minutes after Microsoft announced new flaws in its
Windows software. The flaws, Microsoft said, would let hackers
remotely control a user's computer. The company urged users to
immediately apply a patch the company was offering from its website.

Reitinger also said his company is working to make patching easier. He
then turned his attention to law enforcement, asking "Have we
criminalized everything we ought to criminalize?"

"The biggest way (to handle cyberattacks) is to ensure that law
enforcement has the resources necessary to attack the problem," he
said. He called for a coordinated effort between industry, government
and law enforcement to track and convict perpetrators.

Wysopal said that until secure software development becomes the norm,
individual users and businesses need to patch their systems in a
timely manner to ensure that attacks won't spread. One speaker even
suggested that it should be considered "nothing short of a patriotic
duty" for users to secure their home computers, since an infected
computer can be used to attack someone else's computer.

But patches themselves can sometimes have security flaws or create
incompatibility problems with other software on a system. And patching
hundreds or thousands of computers inside a company can take days or
weeks.

What's more, the channel for distributing patches, the Internet
itself, is the same channel that distributes infections. If an attack
prevents a user from connecting to the Internet and obtaining a patch,
then cleaning the infection can be difficult.

This was precisely the goal of the Blaster worm, which was designed to
attack the Microsoft Windows Update website where computer users were
to obtain the patch for Blaster. Fortunately, Microsoft averted the
problem by moving the patch to a different address.

Flash threats, the next generation of worms and viruses, which infect
thousands of machines in a matter of seconds, will move too quickly
for reactive remedies like patching to work.

Most worms until now have been disruptive but not particularly
vicious. But several of those who testified warned that the next
generation of attacks will not only move swiftly but be more
destructive.

The technology subcommittee will hold two more hearings next week on
cybersecurity.
