StratVantage – the News 12/19/01
Software Quality and Cyberterror Threats, Part 3
In the last two SNS issues, I discussed the huge task confronting Richard Clarke, the counter-terrorism expert in charge of the president’s Critical Infrastructure Protection Board; made the assertion that security problems are really software quality problems; and examined some of the reasons why the software industry pays so little attention to these problems. I also mentioned a couple of legal reasons why companies need to be more interested in security threats, due to increased liability. In this issue, I’ll further examine the industry’s response to the rising epidemic of worms and viruses and some of the impediments, legal and otherwise, to solving software security problems, which have become a national security threat.
The Digital Millennium Copyright Act (DMCA) of 1998 was intended to amend US copyright law to strengthen protections for authors and other content creators in the digital age. Certainly the ability to make unlimited perfect copies of a work has changed the environment for copyrighted work. And perhaps changing the copyright laws could somehow restore the balance between the consumer’s rights to fair use and the producers’ rights to fair compensation.
Rather than restoring balance, however, the DMCA hands a sledgehammer to content creators and invites them to bludgeon not only content consumers, but researchers and academics as well. The DMCA effectively criminalizes the reverse engineering of digital protection schemes and the building of tools to circumvent that protection, no matter what the intent.
Certainly there are parallels elsewhere in the law – making burglary tools illegal, for example. But it is only illegal to possess burglary tools if the court can prove intent to break the law. The makers of the tools are not prosecuted. Law enforcement agents that pick a lock to plant a bug pursuant to a court order are not prosecuted precisely because the intent is not there.
Yet an academic researcher in cryptography can be arrested for trying to determine if the latest “bulletproof” Digital Rights Management (DRM) scheme is secure or not. And Linux buffs who want to watch DVDs on their systems, having failed to interest the big media companies in creating a software DVD player for Linux, are criminals for figuring out how to decode DVD disks.
Organizations as diverse in their viewpoints as the Association of Computing Machinery (ACM) and the Electronic Frontier Foundation (EFF) have spoken out against the DMCA. The ACM said, in part:
Research in analysis (i.e., the evaluation of the strengths and weaknesses of computer systems) is essential to the development of effective security, both for works protected by copyright law and for information in general. Such research can progress only through the open publication and exchange of complete scientific results. ACM is concerned that Sections 1201 to 1204 of the Digital Millennium Copyright Act [. . .] will have a chilling effect on analysis, research, and publication, as the result of litigation itself or of the threat of or concern about potential litigation. ACM is also concerned that application of the DMCA to the presentation and publication of scientific papers could result in the departure from the U.S. of the information security community for conferences and publications. If conference organizers cannot afford to take the risk of publishing papers [. . . ] those conferences may be held in other countries where the risk of liability is lower. Such a result would have a negative impact on this country’s leadership in research in that area.
The EFF said:
The DMCA is very bad news because it destroys the delicate balance between copyright and First Amendment too heavily toward the copyright holders. This is because circumvention of technical protection measures is necessary in order to make fair use, do scientific research, and make many kinds of ordinary, legal uses of DVDs, such as playing them on Linux machines. More recently the congress led by Senator Fritz Hollings in the Senate has been trying to strengthen the DMCA to give even more power to copyright holders and further weaken the public right to the intellectual commons. This newest attempt is known as the “Security Systems Standards and Certification Act” (SSSCA).
The result of this bad law and others, in addition to possible jail terms for researchers as well as criminals, is worse computer security, according to security expert Bruce Schneier:
You can see the problems with bug secrecy in the digital-rights-management industry. The DMCA has enshrined the bug secrecy paradigm into law; in most cases it is illegal to publish vulnerabilities or automatic hacking tools against copy-protection schemes. Researchers are harassed, and pressured against distributing their work. Security vulnerabilities are kept secret. And the result is a plethora of insecure systems, their owners blustering behind the law hoping that no one finds out how bad they really are.
What we’ve learned during the past eight or so years is that full disclosure helps much more than it hurts. Since full disclosure has become the norm, the computer industry has transformed itself from a group of companies that ignores security and belittles vulnerabilities into one that fixes vulnerabilities as quickly as possible. A few companies are even going further, and taking security seriously enough to attempt to build quality software from the beginning: to fix vulnerabilities before the product is released. And far fewer problems are showing up first in the hacker underground, attacking people with absolutely no warning. It used to be that vulnerability information was only available to a select few: security researchers and hackers who were connected enough in their respective communities. Now it is available to everyone.
That the DMCA turned up just as the major players in the software industry showed signs of getting their act together on software quality and security is an especially cruel irony. Recently, Microsoft, along with five security companies (Guardent, @Stake, Bindview, Foundstone and Internet Security Systems), announced that they would create an organization to promote the responsible publishing of information about software flaws.
Russ Cooper, a software security expert and editor of the security mailing list “NTBugTraq,” has tried to start his own Responsible Disclosure Forum. Cooper believes the time has come to stop the public release of security vulnerabilities to punish a vendor or enhance one’s reputation. “You either participate in the Responsible Disclosure Forum, or you’re a Black Hat bent on being malicious, end of story. Too much money, too many individuals, and too much of the world’s communication rely on Responsible Disclosure for it to be continued to be seen as a discussion worth debating.”
The Microsoft-led group has proposed guidelines that give software makers 30 days to patch their products after being informed of a flaw, and that require vendors to respond promptly to a report of a security hole and keep the original author advised of their progress. It remains to be seen whether this is just an attempt to conceal security problems to avoid embarrassment or a real change in Microsoft’s approach to security bugs. GartnerGroup analyst John Pescatore said:
While the vast majority of attackers are unskilled “script kiddies” who take advantage of published vulnerabilities to craft their attacks, most attacks occur after the vendor releases the patch, not because someone released vulnerability information before the vendor developed the patch. Software vendors’ attempts to restrict information on software vulnerabilities may reduce their embarrassment, but will also aid attackers and reduce security.
Gartner believes there is almost never a need for any responsible entity to release attack scripts that provide the tools to launch attacks. However, in the Internet Age, companies need rapid information about vulnerabilities in the software they are exposing to the Internet – to a large extent – to drive software vendors to produce software with fewer vulnerabilities. Companies also require this information to make informed decisions about immediate actions to take to protect their business and customer data.
Companies require information about vulnerabilities, it’s true. But they need lots more help. A recent study conducted by UK-based managed security service provider Activis found that the number of security patches and updates to security products during the past year has overwhelmed IT managers to the point that network security is at greater risk. As an example, security managers at a company with only eight firewalls and nine servers would have had to make 1,315 updates in the past nine months alone, or five updates per working day.
So even if we get quicker patches, more compliance from vendors, and better communication, we’re still doomed unless software quality increases. Bruce Schneier puts it this way:
If there were no security vulnerabilities, there would be no problem. It’s poor software quality that causes this mess in the first place. While this is true – software vendors uniformly produce shoddy software – the sheer complexity of modern software and networks means that vulnerabilities, lots of vulnerabilities, are inevitable. They’re in every major software package. Each time Microsoft releases an operating system it crows about how extensive the testing was and how secure it is, and every time it contains more security vulnerabilities than the previous operating system. I don’t believe this trend will reverse itself anytime soon.
Vendors don’t take security seriously because there is no market incentive for them to, and no adverse effects when they don’t. I have long argued that software vendors should not be exempt from the product liability laws that govern the rest of commerce. When this happens, vendors will do more than pay lip service to security vulnerabilities: they will fix them as quickly as possible. But until then, full disclosure is the only way we have to motivate vendors to act responsibly.
Well, perhaps we could write laws to force responsibility on the vendors. Wouldn’t they clean up their acts if they were suddenly liable for, let’s say, the estimated $5 million worldwide in damage that the Goner worm has caused? If you think that will happen, I’d like to know what color the sky is in your world. In this world, there’s a proposed uniform code that absolves software makers from pretty much any responsibility for bad things. I’ll talk more about that in the next SNS, in the final installment of this series.
- Shameless Self-Promotion Dept.: StratVantage has launched a new service, CTOMentor™, designed to allow Chief Technology Officers and other technical leaders to sweep the newspapers, magazines, and newsletters clogging their inboxes into the trash. CTOMentor is a subscription advisory service tailored to customers’ industry and personal information needs. Four times a year CTOMentor provides a four-hour briefing for subscribers and their staffs on the most important emerging technology trends that could affect their businesses. As part of the service, subscribers also get a weekly email newsletter containing links to the Top 10 Must Read articles needed to stay current. These and other CTOMentor services will let you Burn Your Inbox™.
- Script Kiddies Behind Goner: You may have heard of the latest Internet worm, Goner. Even if you haven’t, you probably have been affected by the Internet slowdown caused by its effects. Turns out it was a childish turf war in Israel that caused the whole thing. Alert SNS Reader Roger Hamm sent along a news item stating that four 15- to 16-year-old Israeli youths have been arrested for writing the worm. All appear to be script kiddies, malicious but untalented perps who use pre-written exploits to do their damage and get their kicks. Goner is a mass-mailing Internet worm, written in Visual Basic Script (VBS) (from our favorite software monopoly), and compressed into the UPX (Ultimate Packer for eXecutables) format. This compression makes it harder for antivirus software to detect. Goner arrives as an email with the subject line “Hi”, and disguises itself as a screensaver. When received in Microsoft Outlook, Goner tries to terminate and delete any antivirus products installed on the infected computer. The worm uses the Internet Relay Chat (IRC) application called mIRC to install a backdoor on the computer, which can be used to launch a Denial of Service (DoS) attack against a rival gang of script kiddies. Goner, at its peak, spread at the rate of 1 in every 30 e-mails.
While users dependent on the major antivirus vendors for protection had to wait hours for an update to handle the virus, users of Minnesota company MessageLabs were unaffected. This is because MessageLabs’ SkyScan service, which prescreens email before sending it on to the user, is based on heuristics, or information about dangerous behavior, rather than virus signatures.
The funniest part of this incident (OK, maybe the only funny part) is investigators suspected the authors weren’t native English speakers due to a misspelling (“I am in a harry . . .”) in the email. First of all, they’re teenagers, for crying out loud, part of a post-literate generation. You don’t expect them to know how to spell. Second, have you ever seen the way programmers spell?
- NIPC Warns of Microsoft IE Vulnerabilities: The National Infrastructure Protection Center (NIPC) has issued a warning about two security vulnerabilities within Microsoft Internet Explorer (IE) that are the primary means through which several generations of recent mass-mailer computer worms (for example, LoveLetter, Nimda, Klez, Badtrans.B) propagate. First, when Microsoft Windows 95/98/NT/2000 scripting is turned on, which, IMHO, it never should be, IE is vulnerable to an ActiveX and HTML exploit. Receiving and viewing e-mail or browsing a Web page with a script that includes the command “GetObject()” as well as an ActiveX HTML file can allow a miscreant to view any file on the user’s hard drive that the cracker can guess the name of. This includes password files, cookie files, and/or other files containing personal or sensitive information. A second IE vulnerability allows a malicious Web site to spoof file extensions in the download dialog box to disguise a malware file as a text, image, audio, or other file type. In this scenario, the user sees a dialog window open, asking if the user wants to “Open” or “Save.” If the user opens the file, the malware executes without further prompting, and has full access to the user’s system. This does not require any scripting to be turned on. So be careful when downloading seemingly innocuous files.
NIPC recommends turning off Active Scripting in Outlook Express (OE) by setting OE to use the “Restricted Sites Zone”. Users of Outlook should install the Outlook E-mail Security Update (OESU) which sets Outlook to use “Restricted Sites” by default and blocks access to potentially harmful attachments. This update is part of Outlook 2000 Service Pack 2, which you should be using anyway, and Outlook XP. NIPC also lists many common sense recommendations:
- Consider deleting unexpected e-mails that contain file attachments without opening them.
- Exercise particular caution with respect to e-mails that contain attachments that end in .exe, .vbs, .bat, .scr, and .pif.
- Consider turning off all script and scripting within the e-mail client security settings.
- Consider upgrading your e-mail client. Outlook 2002 has many security features enabled by default that would block propagation of Goner and certain other mass e-mailing worms.
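The NIPC list above can be turned into a mail-gateway attachment check; the following is an added example, not code from the newsletter, NIPC, or any vendor mentioned. It keeps the extensions NIPC names (.exe, .vbs, .bat, .scr, .pif), and also catches the disguise trick described in the Goner and IE items, where a risky extension hides behind an innocuous-looking one (the list of innocuous extensions, the whitespace-stripping rule, and the sample messages are this example's own assumptions).

```python
from email import message_from_string
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Extensions named in the NIPC warning; the "benign-looking" list is an assumption.
RISKY_EXTENSIONS = {".exe", ".vbs", ".bat", ".scr", ".pif"}
BENIGN_LOOKING = {".txt", ".jpg", ".gif", ".doc", ".mp3", ".htm", ".html"}

def classify_name(filename):
    """Return a reason string when the attachment name violates the policy, else None."""
    # Strip all whitespace: padding a name with spaces pushes the real
    # extension out of view in a dialog box, the same disguise described above.
    name = "".join(filename.lower().split())
    dotted = name.split(".")
    if len(dotted) < 2:
        return None
    ext = "." + dotted[-1]
    if ext not in RISKY_EXTENSIONS:
        return None
    if len(dotted) >= 3 and "." + dotted[-2] in BENIGN_LOOKING:
        return f"double extension disguises {ext} as .{dotted[-2]}"
    return f"risky extension {ext}"

def audit_message(raw):
    """Walk every MIME part of a raw RFC 822 message; return (filename, reason) pairs."""
    findings = []
    for part in message_from_string(raw).walk():
        filename = part.get_filename()
        if filename:
            reason = classify_name(filename)
            if reason:
                findings.append((filename, reason))
    return findings

def build_sample(subject, attachment_names):
    """Construct a sample message; the payload is placeholder text, not a program."""
    msg = MIMEMultipart()
    msg["Subject"] = subject
    msg.attach(MIMEText("see attached"))
    for name in attachment_names:
        part = MIMEBase("application", "octet-stream")
        part.set_payload("placeholder bytes")
        part.add_header("Content-Disposition", "attachment", filename=name)
        msg.attach(part)
    return msg.as_string()
```

Running `audit_message(build_sample("Hi", ["photo.jpg.scr", "notes.txt"]))` flags only the screensaver, with the reason that its .scr extension is disguised as .jpg.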