The News – 12/19/01
Software Quality and Cyberterror Threats, Part 3
In the last two SNS issues, I discussed the huge task confronting Richard
Clarke, the counterterrorism expert in charge of the president's Critical
Infrastructure Protection Board; made the assertion that security problems are
really software quality problems; and examined some of the reasons why the
software industry pays so little attention to these problems. I also mentioned
a couple of legal reasons, having to do with increased liability, why companies
need to be more interested in security threats. In this issue, I’ll further
examine the industry’s response to the rising epidemic of worms and viruses and
some of the impediments, legal and otherwise, to solving software security
problems, which have become a national security threat.
The Digital Millennium Copyright Act (DMCA) of 1998 was
intended to amend US copyright law to strengthen protections for authors and
other content creators in the digital age. Certainly the ability to make unlimited
perfect copies of a work has changed the environment for copyrighted work. And
perhaps changing the copyright laws could somehow restore the balance between
the consumer’s rights to fair use and the producers’ rights to fair
compensation.
Rather than restoring balance, however, the DMCA hands a
sledgehammer to content creators and invites them to bludgeon not only content
consumers, but researchers and academics as well. The DMCA effectively
criminalizes the reverse engineering of digital protection schemes and the
building of tools to circumvent that protection, no matter what the intent.
Certainly there are parallels elsewhere in the law – making
burglary tools illegal, for example. But it is only illegal to possess burglary
tools if the court can prove intent to break the law. The makers of the tools
are not prosecuted. Law enforcement agents who pick a lock to plant a bug
pursuant to a court order are not prosecuted precisely because the intent is
not there.
Yet an academic researcher in cryptography can be arrested
for trying to determine if the latest “bulletproof” Digital Rights Management
(DRM) scheme is secure or not. And Linux buffs who want to watch DVDs on their
systems, having failed to interest the big media companies in creating a software
DVD player for Linux, are criminals for figuring out how to decode DVD disks.
As I discussed in the last SNS, it’s now even become illegal to link to a Web
site that makes protection-breaking software, at least unless you are CNN or
Time magazine.
Organizations as diverse in their viewpoints as the
Association for Computing Machinery (ACM) and the Electronic Frontier Foundation
(EFF) have spoken out against the DMCA. The ACM said, in part:
Research in analysis (i.e., the evaluation of the
strengths and weaknesses of computer systems) is essential to the development
of effective security, both for works protected by copyright law and for
information in general. Such research can progress only through the open
publication and exchange of complete scientific results. ACM is concerned that
Sections 1201 to 1204 of the Digital Millennium Copyright Act [. . .] will have
a chilling effect on analysis, research, and publication, as the result of
litigation itself or of the threat of or concern about potential litigation.
ACM is also concerned that application of the DMCA to the presentation and
publication of scientific papers could result in the departure from the U.S. of
the information security community for conferences and publications. If
conference organizers cannot afford to take the risk of publishing papers
[. . .] those conferences may be held in other countries where the risk of
liability is lower. Such a result would have a negative impact on this
country’s leadership in research in that area.
The EFF said:
The DMCA is very bad news because it destroys the
delicate balance between copyright and First Amendment too heavily toward the
copyright holders. This is because circumvention of technical protection
measures is necessary in order to make fair use, do scientific research, and
make many kinds of ordinary, legal uses of DVDs, such as playing them on Linux
machines. More recently the congress led by Senator Fritz Hollings in the
Senate has been trying to strengthen the DMCA to give even more power to
copyright holders and further weaken the public right to the intellectual
commons. This newest attempt is known as the "Security
Systems Standards and Certification Act" (SSSCA).
The result of this bad law and others, in addition to
possible jail terms for researchers as well as criminals, is worse computer
security, according to security expert Bruce Schneier:
You can see the problems with bug secrecy in the
digital-rights-management industry. The DMCA has enshrined the bug
secrecy paradigm into law; in most cases it is illegal to publish
vulnerabilities or automatic hacking tools against copy-protection
schemes. Researchers are harassed, and pressured against distributing
their work. Security vulnerabilities are kept secret. And the result
is a plethora of insecure systems, their owners blustering behind the law
hoping that no one finds out how bad they really are.
What we've learned during the past eight or so
years is that full disclosure helps much more than it hurts. Since full disclosure
has become the norm, the computer industry has transformed itself from a group
of companies that ignores security and belittles vulnerabilities into one that
fixes vulnerabilities as quickly as possible. A few companies are even going
further, and taking security seriously enough to attempt to build quality
software from the beginning: to fix vulnerabilities before the product is
released. And far fewer problems are showing up first in the hacker
underground, attacking people with absolutely no warning. It used to be that
vulnerability information was only available to a select few: security
researchers and hackers who were connected enough in their respective
communities. Now it is available to everyone.
That the DMCA turned up just as the major players in the
software industry showed signs of getting their act together on software
quality and security is an especially cruel irony. Recently,
Microsoft, along with five security companies (Guardent, @Stake, Bindview,
Foundstone and Internet Security Systems), announced that they would create an
organization to promote the responsible publishing of information about
software flaws.
Russ Cooper, a software security expert and editor of the
security mailing list “NTBugTraq,” has tried to start his own Responsible
Disclosure Forum. Cooper believes the time has come to stop the public
release of security vulnerabilities to punish a vendor or enhance one’s
reputation. “You either participate in the Responsible Disclosure Forum, or
you're a Black Hat bent on being malicious, end of story. Too much money, too
many individuals, and too much of the world's communication rely on Responsible
Disclosure for it to continue to be seen as a discussion worth debating.”
The Microsoft-led group has proposed guidelines that give
software makers 30 days to patch their products after being informed of a flaw
and require vendors to respond promptly to a report of a security hole and keep
the original author advised of their progress. It remains to be seen whether
this is just an attempt to conceal security problems to avoid embarrassment or
a real change in Microsoft’s approach to security bugs. GartnerGroup analyst John
Pescatore said:
While the vast majority of attackers are unskilled “script
kiddies” who take advantage of published vulnerabilities to craft their
attacks, most attacks occur after the vendor releases the patch, not because
someone released vulnerability information before the vendor developed the
patch. Software vendors' attempts to restrict information on software
vulnerabilities may reduce their embarrassment, but will also aid attackers and
reduce security.
Gartner believes there is almost never a need for
any responsible entity to release attack scripts that provide the tools to
launch attacks. However, in the Internet Age, companies need rapid information
about vulnerabilities in the software they are exposing to the Internet – to a
large extent – to drive software vendors to produce software with fewer
vulnerabilities. Companies also require this information to make informed
decisions about immediate actions to take to protect their business and
customer data.
Companies require information about vulnerabilities, it’s
true. But they need lots more help. A recent study conducted by
UK-based managed security service provider Activis found that the number of
security patches and updates to security products during the past year has
overwhelmed IT managers to the point that network security is at greater risk.
As an example, security managers at a company with only eight firewalls and
nine servers would have had to make 1,315 updates in the past nine months
alone, or five updates per working day.
So even if we get quicker patches, more compliance from
vendors, and better communication, we’re still doomed unless software quality
increases. Bruce Schneier puts it this way:
If there were no security vulnerabilities, there
would be no problem. It's poor software quality that causes this mess in
the first place. While this is true – software vendors uniformly produce shoddy
software – the sheer complexity of modern software and networks means that
vulnerabilities, lots of vulnerabilities, are inevitable. They're in
every major software package. Each time Microsoft releases an operating system
it crows about how extensive the testing was and how secure it is, and every
time it contains more security vulnerabilities than the previous operating
system. I don't believe this trend will reverse itself anytime soon.
Vendors don't take security seriously because there
is no market incentive for them to, and no adverse effects when they
don't. I have long argued that software vendors should not be exempt from
the product liability laws that govern the rest of commerce. When this
happens, vendors will do more than pay lip service to security vulnerabilities:
they will fix them as quickly as possible. But until then, full
disclosure is the only way we have to motivate vendors to act responsibly.
Well, perhaps we could write laws to force responsibility on
the vendors. Wouldn’t they clean up their acts if they were suddenly liable
for, let’s say, the estimated $5 million worldwide in damage that the Goner
worm has caused? If you think that will happen, I’d like to know what color
the sky is in your world. In this world, there’s a proposed uniform code that
absolves software makers from pretty much any responsibility for bad things.
I’ll talk more about that in the next SNS, in the final installment of this
series.
Briefly Noted
- Shameless Self-Promotion Dept.:
StratVantage has launched a new service, CTOMentor™, designed to allow Chief
Technology Officers and other technical leaders to sweep the newspapers,
magazines, and newsletters clogging their inboxes into the trash. CTOMentor is
a subscription advisory service tailored to customers’ industry and personal
information needs. Four times a year CTOMentor provides a four-hour briefing
for subscribers and their staffs on the most important emerging technology
trends that could affect their businesses. As part of the service, subscribers
also get a weekly email newsletter containing links to the Top 10 Must Read
articles needed to stay current. These and other CTOMentor services will let
you Burn Your Inbox™.
CTOMentor
- Script Kiddies
Behind Goner: You may have heard of the latest Internet worm, Goner. Even
if you haven’t, you probably have been affected by the Internet slowdown caused
by its effects. Turns out it was a childish turf war in Israel that caused the
whole thing.
Alert SNS Reader Roger Hamm sent along a news item stating that four 15- to
16-year-old Israeli youths have been arrested for writing the worm. All appear
to be script kiddies, malicious but untalented perps who use pre-written
exploits to do their damage and get their kicks. Goner is a mass-mailing
Internet worm, written in Visual Basic Script (VBS) (from our favorite software
monopoly), and compressed into the UPX (Ultimate Packer for eXecutables)
format. This compression makes it harder for antivirus software to detect.
Goner arrives as an email with the subject line "Hi", and disguises
itself as a screensaver. When received in Microsoft Outlook, Goner tries to
terminate and delete any antivirus products installed on the infected computer.
The worm uses the Internet Relay Chat (IRC) application called mIRC to install
a backdoor on the computer, which can be used to launch a Denial of Service
(DoS) attack against a rival gang of script kiddies. Goner, at its peak, spread
at the rate of 1 in every 30 e-mails.
While users dependent on the major antivirus vendors for protection had to wait
hours for an update to handle the virus, users of Minnesota company MessageLabs were
unaffected. This is because MessageLabs’ SkyScan service, which prescreens
email before sending on to the user, is based on heuristics, or information
about dangerous behavior, rather than virus signatures.
The funniest part of this incident (OK, maybe the only funny part) is
investigators suspected the authors weren’t native English speakers due to a
misspelling (“I am in a harry . . .”) in the email. First of all, they’re
teenagers, for crying out loud, part of a post-literate generation. You don’t
expect them to know how to spell. Second, have you ever seen the way programmers
spell?
ZDNet
- NIPC Warns of Microsoft IE Vulnerabilities: The National
Infrastructure Protection Center (NIPC) has issued a warning about two security
vulnerabilities within Microsoft Internet Explorer (IE) that are the primary
means through which several generations of recent mass-mailer computer worms
(for example, LoveLetter, Nimda, Klez, Badtrans.B) propagate.
First, when Microsoft Windows 95/98/NT/2000 scripting is turned on, which,
IMHO, it never should be, IE is vulnerable to an ActiveX and HTML exploit.
Receiving and viewing e-mail or browsing a Web page with a script that includes
the command "GetObject()" as well as an ActiveX HTML file can allow a
miscreant to view any file on the user's hard drive that the cracker can guess
the name of. This includes password files, cookie files, and/or other files
containing personal or sensitive information.
A second IE vulnerability allows a malicious Web site to spoof file extensions
in the download dialog box to disguise a malware file as a text, image, audio,
or other file type. In this scenario, the user sees a dialog window open,
asking if the user wants to “Open” or “Save.” If the user opens the file,
the malware executes without further prompting, and has full access to the
user's system. This does not require any scripting to be turned on. So be
careful when downloading seemingly innocuous files.
NIPC recommends turning off Active Scripting in Outlook Express (OE) by setting
OE to use the “Restricted Sites Zone”. Users of Outlook should install the
Outlook E-mail Security Update (OESU) which sets Outlook to use “Restricted
Sites” by default and blocks access to potentially harmful attachments. This
update is part of Outlook 2000 Service Pack 2, which you should be using
anyway, and Outlook XP. NIPC also lists many common sense recommendations:
- Consider deleting unexpected e-mails that contain file attachments
without opening them.
- Exercise particular caution with respect to e-mails that contain
attachments that end in .exe, .vbs, .bat, .scr, and .pif.
- Consider turning off all script and scripting within the e-mail client
security settings.
- Consider upgrading your e-mail client. Outlook 2002 has many security
features enabled by default that would block propagation of Goner and certain
other mass e-mailing worms.
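The NIPC attachment advice above, and the way Goner hid behind a screensaver
attachment, both come down to judging a file by the extension the system will
actually act on rather than the one the user is shown. The following is an
added example, not from NIPC or the newsletter: a small gateway-style check,
built on Python's standard email parser, that flags attachments whose final
extension is on the NIPC list, including double-extension disguises such as
"photo.jpg.pif". The message and filenames are constructed for illustration.

```python
import email
from email import policy

# The attachment extensions NIPC singles out in the advisory above.
RISKY_EXTENSIONS = {".exe", ".vbs", ".bat", ".scr", ".pif"}

def effective_extension(filename):
    """Return the extension Windows actually acts on: the LAST one,
    lower-cased, with padding removed, so 'photo.jpg   .SCR' and
    'photo.jpg.scr' are both seen as '.scr'."""
    name = filename.strip().lower()
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[1].strip()

def risky_attachments(raw_message):
    """Parse a raw RFC 2822 message and return (filename, extension)
    for every attachment whose effective extension is on the list."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = effective_extension(fname)
        if ext in RISKY_EXTENSIONS:
            hits.append((fname, ext))
    return hits

# Constructed sample: a "Hi" mail carrying a screensaver, a disguised
# .pif, and one harmless text attachment. Payload bytes are placeholders.
SAMPLE = b"""From: someone@example.invalid
To: you@example.invalid
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

I am in a harry . . . take a look at this screen saver.
--b1
Content-Type: application/octet-stream; name="party.scr"
Content-Disposition: attachment; filename="party.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1
Content-Type: application/octet-stream; name="photo.jpg.pif"
Content-Disposition: attachment; filename="photo.jpg.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just some notes
--b1--
"""

if __name__ == "__main__":
    for fname, ext in risky_attachments(SAMPLE):
        print(f"BLOCK {fname!r} (effective extension {ext})")
```

Run as a script it reports the two dangerous attachments and stays silent on notes.txt; the check covers only the advisory's five extensions, so extend RISKY_EXTENSIONS to match your own policy.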
NIPC