April 18, 2002

CyberSecurity

 

What do we mean by cyber-security?

-         PCCIP report would seem to say we mean everything:  “Security is dependent on electrical energy, communications & computers”

-         A listing of what I&S people thought were nightmares:

-         “Super-virus” worse than LoveBug which can turn your computer into useless plastic.

-         European Parliament’s “Appraisal of Technologies of Political Control” (camera technologies, surveillance technologies, etc.)

-         Cyberstalking/threats

-         Storing & distributing hardcore porn on Lawrence Livermore Lab server

-         Attempts to compromise defense computers, etc

-         AOL security breach

-         From these samples - people don’t seem to be quaking in fear & if we are fearful what should we do about it?

-         Martin Lindner, CERT Coordination Center (“the thin silicon line”), who’s here to answer our questions.

-         He works for Carnegie Mellon & handles responses from all over the world in the emergency response team, 24 hours a day.  CERT monitors threats to individual computers & is who’s responsible for thinking about the global integrity of the Internet (the bucket brigade which has no one overseer of security: what has made it flexible has also made it not so secure).

 

Martin Lindner

-         CERT Overview

-         Besides research & operations there’s:

-         Vulnerability group, which is supposed to track them & notify vendors; they give vendors 45 days to fix the problem.  After 45 days we decide if we let the public know about the problem (they haven’t done this yet).

-         Incident handling group:  when there’s been an incident we say how to defend ourselves.  Now the serious threat is the zero-day threat, when no one knows what’s causing it.  People can capture the virus but don’t know what it’s doing.

-         Malicious code group analyzes code to determine if it’s related to something else or is a zero-day threat.

-         Facts & Figures: 

-         52,658 incidents were handled last year (2x the year before); 24,000 vulnerabilities & issued about 37 CERT Advisories (serious things that have happened w/c we need to let the world know about)

-         Major event response times are declining (noted the difference between viruses, which need human intervention to propagate – an email attachment that needs to be opened – & worms, which don’t require any human intervention, e.g. Code Red).  Response to Melissa was 10 days → Code Red, when the response was a matter of minutes.

-         Example of the threat with SNMP, which was a big deal because the vulnerability was embedded in the protocol.

-         Changing Threats

-         Complexity of Internet, protocols, etc are increasing along with our reliance on them

-         Internet is a critical infrastructure of the US (major infrastructure issues are dependent upon it – predominantly the financial market)

-         Who are the attackers?

-         Script Kiddies (teenagers) – Internet is their playground but they don’t want to destroy it – just cause havoc for others

-         Industrial spies – trying to get info about other companies

-         Foreign Governments – the nation state is who we worry about wanting to take the Internet down completely

-         Criminals

-         Insiders – disgruntled employee doing bad stuff the day he’s fired

-         The intruders are prepared & organized (share info about vulnerable sites, etc; they unite at conferences like DEF CON & publications like 2600)

-         CERT estimates that if people could pay attention to advisories, patches, etc., 95% of the intrusions could be prevented.

-         Sophistication of attacks is going up while the knowledge needed to do it is rapidly decreasing.  Anyone can access the needed tools.

-         Recent Attacks & How they Work

-         Find a vulnerability → development of crude tools to take advantage of it → automated scanning/exploit tools developed → widespread use of automated scanning (just before this, CERT tries to get their advisory out).

-         Vulnerabilities eventually start overlapping & will sometimes have a resurgence after McAfee has determined that it’s OK.

-         Attacks are more sophisticated & are coordinated to take advantage of multiple vulnerabilities

-         The number of people with security knowledge is increasing but not as fast as the number of internet users. 

-         Number of security tools available is increasing but not at the rate of users’ knowledge, & may not be able to keep up with increasingly complex software.

-         Increasing targeting of home computers

-         CERT is now tracking about 16 bot networks, which may have 16,000 computers on them & may even be controlled by more than one person.
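The “widespread use of automated scanning” stage in the lifecycle above is the one a site can usually see in its own logs: one source touching many hosts or ports in a short window. As an added example (not from these notes or from CERT), the following flags such sources from constructed firewall-style log lines; the log format, the time window and the threshold are assumptions, and the out-of-order line near the end is there to show that sorting by time is required.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic); one line is deliberately out of time order.
SAMPLE_LOG = """\
2002-04-18T10:00:01 DROP src=198.51.100.7 dst=192.0.2.10 dport=80
2002-04-18T10:00:02 DROP src=198.51.100.7 dst=192.0.2.11 dport=80
2002-04-18T10:00:02 DROP src=198.51.100.7 dst=192.0.2.12 dport=80
2002-04-18T10:00:03 DROP src=198.51.100.7 dst=192.0.2.13 dport=80
2002-04-18T10:00:04 DROP src=198.51.100.7 dst=192.0.2.14 dport=80
2002-04-18T10:00:05 DROP src=198.51.100.7 dst=192.0.2.15 dport=80
2002-04-18T10:00:09 ACCEPT src=203.0.113.5 dst=192.0.2.10 dport=80
2002-04-18T10:03:00 ACCEPT src=203.0.113.5 dst=192.0.2.10 dport=443
2002-04-18T10:00:10 DROP src=198.51.100.7 dst=192.0.2.16 dport=80
"""

# Assumed log format: "<ISO timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse each line into (timestamp, src, dst, dport); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def find_scanners(events, window=timedelta(seconds=60), min_targets=5):
    """Return {src: max distinct (dst, dport) pairs seen within any single window} for
    sources that reach min_targets; a normal client talking to one server is not flagged."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, (dst, dport)))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()  # log order is not guaranteed to be time order
        start = 0
        for end in range(len(hits)):  # sliding window over this source's hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {target for _, target in hits[start:end + 1]}
            if len(targets) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners
```

Running `find_scanners(parse_log(SAMPLE_LOG))` flags only 198.51.100.7 (seven distinct targets within ten seconds); the thresholds should be tuned per site, since a monitoring host or a busy proxy will also touch many destinations.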

-         What do you think about Kazaa, which makes it possible to use computing cycles while you’re downloading music?

-         ML – this is a serious scary problem & you need to educate the public

-         CERT hasn’t yet given an advisory about it & there’s debate about it.  It’s something they’re concerned with, but how to say something so that the average home user.

-         It’s like if you go buy appliances & put them in the kitchen, that’s the end of the maintenance cycle; but most people don’t know what the maintenance cycle should be on a home computer. → JZ: isn’t this all about a fundamental problem with how the Internet works & the appliances connected to it?

-         We can start building software that has a security component to it, which will help → but what else can we do? Does Congress need to pass some new law, etc.?

-         It’s a global problem & legislation will only help the machines that live in the United States (suppose MS is required by law to make completely secure SW; then MS may incorporate in another country, or the price becomes so high, etc.  Fine line between reasonable security & the law).  Companies are learning that it’s cheaper to build more secure SW from the beginning than to deal with the customer service.

-         Are things basically ok or will be?

-         The Internet won’t crash tomorrow; though it’s technically possible, there are enough people watching for it that they can disconnect the problem areas.  You can take it out of service with very little effort if you know a few things (get a couple of backhoes & dig it up from under the RR tracks!)

-         What’s your worst security nightmare?  Zero-day threat from a nation state which tries to take down the Internet → question of whether we can reboot the Internet.  ½ of ISPs think that after a massive power failure you could reboot it.  We want the Internet to be segmented when things get bad…when the 2nd part of Code Red hit it was an attack on the White House (4MB of data coming from 40,000 computers, but a list of calls to big ISPs to drop all emails to this address)

 

Did we answer our question of how scared should we be & if we are scared what should we do about it?

-         We didn’t really discuss attacks.

-         Taxonomy of threats:  propagation of a virus/worm that trashes data; attacks on specific servers (CD Universe example); DDoS attacks using the network to send traffic that was initially welcomed but en masse annoys → huge slowdown; embedded elements of the Internet itself – attacking routers themselves (telephone companies have discovered that they don’t want the channel of control to be the same as the channel of communication, but the Internet uses the same channel, which creates an opportunity to do bad)

 

MICROSOFT, cont.

1994-1995 Consent decree & allocution w/ Judge Stanley Sporkin which was rejected by DC Circuit and sent to J. Jackson to rubber stamp it.

 

1997-1998 the contempt case (MS violating the consent decree by forcing OEMs to include IE if they wanted Windows 95 on the computer.  This was deemed to be against the contract in the same way as forcing OEMs to take DOS was) (this was in front of Jackson)

 

1998 the contempt, contempt case: (MS letter to OEMs about the “legal issue” saying they can keep bundling if you want & if you don’t do it you need to delete certain files which effectively make the computer not work.  J. Jackson hit the roof when he saw the letter & he felt they’d questioned the judicial power of the US.)  This all led to an argument of fact about how closely IE was tied to the computer or not.

 

The current case:  J. Jackson was reversed by the DC Circuit, which said this may be an integrated product & vacated his holding that they violated the contract, which means your order is out too.  The DC Circuit even went so far as to basically say the government may just want to give it up.   After that the government dropped the contract case & filed the current case.  Forget the contract.  Now just filing an action under the Sherman Anti-Trust Act: is requiring IE with Windows violative of the act?

-         Vertical Leverage:   the original case was about tying to get a monopoly over browsers but now they’re arguing this is monopoly maintenance to keep the Windows monopoly going.  It ends up being all about JAVA

-         J. Jackson agreed with all this & says you lose, break up, etc.  MS appeals & they toss it back but take Jackson off the case, & now it’s with a new DC District Judge.  Govt decides to settle & so do most of the states.

 

Why should we care about this at all?

-         Market reasons – monopolists overcharge

-         Ripples in the architecture of cyberspace – there’s such a benefit to compatibility that the next OS might be better, but if no one has it then it’s really hard to change (QWERTY theory).  It’s the rut of path dependence.  Anything that enhances this problem through bullying behavior is especially distrusted because it’s already so hard to level the playing field.