Friday, February 13, 2004
Here is an article I wrote on "antiworm" technology that I prefer to call "worm containment." More thoughts on this below:

In 1988, Robert Morris, Jr unleashed his Internet Worm that ran rampant over the then-nascent Internet. Now, a decade and a half later, we have begun to actively address the problem. Of course, the primary reason for negligence (or perhaps just ambivalence) is that the virus problem has been so prevalent. Blaster’s August 2003 “scorched earth” campaign made the pain of worm proliferation apparent to everyone. It took advantage of the ubiquitous connectivity brought about by broadband connections to homes to propagate around the world without human intervention. And it highlighted the weaknesses in our perimeter defenses – sure, Blaster was stopped by most organizations’ firewalls at the perimeter, but the modem pools, dual-homed VPNs, and foreign-device endpoints within the sanitized network all smuggled the worm in anyway.

The differences between viruses and worms are often confusing because today’s threats combine the two capabilities. In a general way, worms and viruses differ in their methods of propagation. Viruses are not generally network-aware; they need an infected file to be transmitted to other targets. Worms, on the other hand, are self-actuated attacks that are network-aware and can communicate using open channels (see the Worm FAQ at www.networm.org for more information). Removing the manual intervention required ensures that the speed of NASCAR viruses is easily surpassed by Formula One worms. Because of the speed of today’s worms, and the possibility that they won’t have a payload that is noticeable to a user, new techniques of prevention and detection are in order. Enter worm containment. Containment is the active word here because these solutions are looking for the behaviors associated with worms, which means that some device must already be infected to exhibit this behavior.

With the introduction of fast-acting “suicide packets” like Slammer’s single UDP packet, containment becomes even more important. Think of a basic exploit as having three vectors – attack, payload, and propagation. The attack vector is the initial approach into a “protected” environment, from an untrusted or uncontrolled source to a destination that falls within local control. This has always been the domain of firewalls and intrusion detection solutions on a perimeter, and personal firewalls and antivirus solutions on a client PC. The payload vector does the damage – installing rogue software, deleting files, or any other malicious activity. Host intrusion prevention and vulnerability scanners generally work here. Finally, the propagation vector is the activity performed to acquire and attack new targets. In essence, this is the same as the attack vector but with a different perspective – the source is now within the controlled environment and analysis occurs on outbound activity. This is where worm containment works.

The goal of worm containment is to reduce or eliminate a worm’s ability to propagate. Certainly, the usual security solutions provide some capabilities here, but there are a handful of new approaches worth evaluating.

Contain the pain. Compartmentalization has been around ever since ships needed to stay afloat after their hulls were penetrated. With networks, we compartmentalize based on segments. Worm propagation often revolves around random scanning, which leaves tell-tale signs like known attack signatures, anomalies in network traffic, and unfulfilled ARP requests. A containment strategy would use various methods to identify the worms and then contain them through network device settings. Both Silicon Defense and Mirage Networks employ these methods.

Distract, attract, react. One approach is to distract, attract, and react. That is, a honeypot-like responder is used to distract a source by providing false information about a network. The false information distracts the attacker and attracts it to the security solution, where an attack begins. Finally, the responder reacts by either taking action itself or communicating with a local device to block the source activity. Because the source attacked a target that is known to have no functional business purpose, it is safe to assume that any probing or communication with that device is malicious, or at least inappropriate. ForeScout and Mirage both use techniques like these to contain worms. The previous two approaches are network-based, which usually leaves out the remote user who is connecting to the Internet but not to the enterprise network. There is another approach that works on the client PC.

Throttle to bottle. The throttle to bottle approach works on an existing system but monitors outbound activity – specifically, connection attempts to other devices. It applies a queue-and-wait throttle that has a significant impact on large numbers of connections (a worm trait) while having unnoticeable impact on legitimate activity (because the number and type of connections are completely different). To date, this method is not used in any commercial products, but it would integrate well with personal firewalls.

Fast networks with always-on connectivity provide the communications fuel that worms feed on. With their value proposition also intact, it makes sense for us to understand the nature of worms. There are a number of solutions that provide worm containment capabilities so that enterprise computing is not impaired by worms, the Internet’s equivalent of the blizzard.
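The throttle to bottle approach as an added simulation (not from the article or any product it names): a per-host queue-and-wait throttle that lets connections to an LRU working set of recently contacted hosts pass at once and drains new destinations at a fixed rate, driven by two constructed workloads, an office user and a random-scanning worm. The working-set size, release rate, alarm threshold and all addresses are assumed for illustration.

```python
from collections import OrderedDict, deque
class ConnectionThrottle:
    """Queue-and-wait throttle on outbound connections to NEW destinations: hosts
    in the recently-contacted working set pass at once, anything else waits in a
    queue that drains at a fixed rate. A long queue is the containment signal."""

    def __init__(self, working_set_size=5, releases_per_tick=1):
        self.working_set = OrderedDict()      # LRU of recently contacted hosts
        self.delay_queue = deque()            # new destinations awaiting release
        self.working_set_size = working_set_size
        self.releases_per_tick = releases_per_tick
        self.passed = self.delayed = 0        # allowed at once / had to wait

    def connect(self, dst):
        """One outbound connection attempt; True if it may proceed right now."""
        if dst in self.working_set:
            self.working_set.move_to_end(dst)
            self.passed += 1
            return True
        if dst not in self.delay_queue:       # retries to a queued host coalesce
            self.delay_queue.append(dst)
        self.delayed += 1
        return False

    def tick(self):
        """Once per time unit: release a fixed number of queued destinations."""
        for _ in range(self.releases_per_tick):
            if not self.delay_queue:
                break
            self.working_set[self.delay_queue.popleft()] = True
            if len(self.working_set) > self.working_set_size:
                self.working_set.popitem(last=False)   # evict least recently used
        return len(self.delay_queue)

def run(workload, ticks=12, alarm_threshold=10):
    """workload(tick) -> destinations; returns (passed, delayed, backlog, alarmed)."""
    throttle, backlog = ConnectionThrottle(), 0
    for tick in range(ticks):
        for dst in workload(tick):
            throttle.connect(dst)
        backlog = throttle.tick()
    return throttle.passed, throttle.delayed, backlog, backlog > alarm_threshold

def office_user(tick):
    # Constructed workload: mail server, proxy and file share every tick, plus one new site every 4th tick.
    return ["10.0.0.5", "10.0.0.6", "10.0.0.7"] + ([f"203.0.113.{tick}"] if tick % 4 == 3 else [])

def scanning_worm(tick):
    # Constructed workload: a scanner that tries 20 never-before-seen addresses every tick.
    return [f"10.{tick}.{i}.1" for i in range(20)]
```

Over twelve ticks the office user is delayed only while the working set warms up and for each genuinely new site, and never trips the alarm, while the scanner never gets a connection through immediately and its backlog grows by nineteen per tick.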
8:34:55 PM
Microsoft chases major leak of source code

Here is a New Scientist article that incorporates some quotes from me. Some excerpts, with follow-up:

"How much do Microsoft want to protect their intellectual property now that the source is out there in the bad guys' hands?" asks Lindstrom. He suggests they could develop a system where registered programmers could examine the code and would be paid for any glitches they find."

The real question is one of balancing the need to protect intellectual property, where typically one must show that they are trying to protect it by shutting down anyone they find using it, against security. If they "need" to restrict people (like the courts would probably require) to retain IP, then that limits the ability of good guys to find vulnerabilities.

"Some security experts have said the code does not include sensitive network protocols but does contain command lines for the drawing program Microsoft Paint. But the specific programs controlled by the code are irrelevant when it comes to hackers, Lindstrom told New Scientist. Finding a flaw in "any executable can lead to a fully compromised system", he says."

I am curious about undocumented variables, switches, and APIs that may be available to play with.

"The source code is also said to be peppered with profanity, which could embarrass Microsoft even further, says Lindstrom."

Not sure why this matters.

4:18:03 PM
Is Microsoft Source Code a Security Threat?

My initial thought is that it certainly increases the risk that people will find more holes, just like any new piece of strong information about a product would. The question of security is a function of how many bugs actually exist. Given the amount of work in the industry in vulnerability discovery, we should all expect that the number of vulnerabilities is minimal (in fact, if that is not true, then we've been fooling ourselves for quite some time... hint, hint). So this will tell us what the level of security of Win2k is, at least up until Service Pack 2 (assuming that available information is accurate that the source code was Win2k SP1). Would also be interesting to see if somebody measures the cyclomatic complexity of the software. Michael Howard from Microsoft has done some work on the Windows OS distributions, but I think the source code is still very relevant.

UPDATE: Somebody was quick to point out on a message board that just a few years ago, Microsoft was talking about the national security risk associated with releasing their software source code. This during their antitrust trial.

1:44:52 PM
Geeks Put the Unsavvy on Alert: Learn or Logoff

This New York Times article reports how some computer-savvy individuals are feeling put out by their friends always asking for computer advice. Well, gee - I ask my doctor friends about health issues, my construction friends for advice on my house, my priest for advice about God, my sales friends for free samples, my financial advisor friends for financial advice.... and we're going to have a prima-donna hissy-fit because people ask us about computers? Get over it and appreciate the fact that you still have friends! [and who knows, maybe the caveat is that you don't want me for a friend ;-) of course, I will at least try to help.]

9:51:09 AM