StratVantage Consulting, LLC — Mike’s Take on the News 08/24/01
Clipped from: http://www.stratvantage.com/news/082401.htm
The News – 08/24/01
The Ethics of Defense
Alert SNS Reader Andy Stevko raises some very good questions about a technique some server administrators use to deal with the Code Red and Code Red II worms .
First of all, the Code Red worm, in the news a lot recently, is basically a type of computer virus. Code Red exploits a security hole in Microsoft’s Internet Information Server, which is their Web server that runs on Windows NT or 2000 machines. (A variant also infects Microsoft’s Personal Web Server, which runs on Windows 95, 98, and ME.) The worm has infected hundreds of thousands of Windows servers, and even has attacked DSL routers . If you’ve been experiencing a slowdown in response time on your Internet connection recently, it could be because of this worm and its variants.
Code Red uses a technique, called an exploit, in which it overwhelms a part of the computer’s memory called a buffer. Once in, it copies a program to an area of the Web site and thus allows anyone to execute any command on the computer. This is called installing a backdoor, and this is a bad thing.
Another thing Code Red does is to flood the local network with traffic, looking for other vulnerable IIS installations. Once one is found, it repeats its dastardly deed, and so on and so on. The infected computer becomes a drone, with the aim of recruiting more drones to use in its ultimate goal of attacking the White House’s Web servers. Because of the techniques used in this attack, which are similar to a Denial of Service (DoS) attack, even if a target computer has been patched to resist the buffer overrun exploit, it still can end up spending all its time replying to bogus Web page requests with “Page Not Found” messages. So even if you’ve been smart, and you’ve protected yourself against Code Red, it can still affect your computer and your network.
Andy reports that an enterprising bunch of server administrators have decided to fight fire with fire. They’ve created a program called a FightBack script that takes advantage of the backdoor installed on infected computers. According to Andy, “The FightBack script reads the IP [network] addresses off the request and triggers another request sent back to the infected server.” This request uses the backdoor to reboot the infected server, without the knowledge or consent of that server’s administrator, who probably doesn’t know he or she is infected. Since the Code Red worm only installs itself in an infected computer’s memory and not on the hard disk, this clears the infection. But it doesn’t remove the backdoor.
In essence, the FightBack script acts as a “good virus.” Andy questions whether there is such a thing:
Worms and Viruses live mainly by exploiting software cracks to ‘own’ someone else’s computer. The most evil ones deliver a nasty payload.
Are there ‘good’ worms and viruses? A good virus could contain a neutral payload or perhaps fix/patch the expoit it used. Would you want one to touch your systems? Nearly every sysadmin says NO!
But DoS attacks provide little defense. They leach CPU and soak up bandwidth. It is very hard to even reset a remote drone.
FightBack servers can be built to control offending hosts. Is the cure any better than the curse? Would you ever admit to owning one?
Good questions, and ones that will be faced more and more often as the antisocial microcephalic morons who write viruses and worms proliferate. Because many exploits and viruses can be built using tools requiring little technical knowledge, more and more bored adolescents are likely to turn from low tech annoyances like T.P.ing your house or ringing the bell and running away to becoming script kiddies and a major threat to the Internet. System administrators may well become more and more desperate and more likely to use questionable defenses in order to keep their networks and servers operational.
In answer to Andy’s question regarding the ethics of FightBack scripts: I am uncomfortable with this approach, but unfortunately, taking the completely ethical approach could yield a disastrous outcome. Your network could crash. Your servers could crash. Your business could go out of business. So, yes, fighting back is an option. However, I think the more ethical way to fight back is to use a script to try to find the email address of the administrators of the offending computer. Then, email them and give them some period of time to rectify the situation. This at least gives them a fighting chance to take care of the problem themselves. If there is no response, and there might not be one in the middle of the night or on holidays, for example, do what you need to do and follow up with an email. And if at all possible, remove the backdoor. I assume this isn’t done in the Code Red case because it is not possible.
What do you think? Is it ever right to make changes on another person’s server? In the absence of other effective defenses, is a FightBack script ethical? Would you want your business’ Web server “repaired” without your consent? Send in your responses, even (especially!) if you’re technologically-challenged, and I’ll print the most interesting ones in future SNSes.
National Infrastructure Protection Center
- Shameless Self-Promotion Dept.: My speech at the Minnesota Entrepreneurs Club pre-meeting workshop on Tuesday, “Will You Have to Have It? What You Need to Know About Future Tech and Your Business,” is now available .
Also, my white paper, Taking Control of the B2B Exchange: What’s Next in the Supply Chain Evolution, is now available on Manyworlds and is rated four stars. I am honored to share the page with eCommerce expert Mohanbir Sawhney .
Take Two Cameras and Call Me In the Morning: Alert SNS Reader Roger Hamm sends along a pointer to this innovation that many of us superannuated geezers will appreciate. Instead of having to swallow a pole for an upper-GI series, you soon may be able to swallow a wireless camera-in-a-capsule to check things out. The FDA has given Given Imaging its approval for use of the camera in upper-GI series. Each pill costs $450, so you’ll want to be real careful where you go, if you know what I mean. The company even has cool videos of the camera in action on its Web site. My first thought was, it’s pretty dark in there, how can it see? Turns out the camera has its own light source. The system comprises the camera, a set of wireless sensors worn around the waist, and a workstation to analyze the results. Now if they can just develop one for the lower-GI . . .
- Passport Correction and Response: Alert SNS Reader Larry Kuhn corrected a couple of inaccuracies in the previous SNS regarding Microsoft’s Passport online credentialing system. He points out that not all cookies are cleartext, a fact I knew but forgot. The cookie used in the Passport scheme to hold your authentication credential is binary, and thus not human-readable. Larry agrees that cookies are easily retrieved from a user’s PC, but points out that “since the Passport service expires authentication keys on a regular interval (not sure what that interval is though... ), a stolen cookie is very soon useless.” This isn’t good enough for me to know that someone can steal my identity, but only for a little while. One bad transaction could ruin a person. In addition, Microsoft leaves it up to the Web site owner to ensure that the authentication cookie is deleted at sign out : “For security reasons, you must delete all Passport-related persistent and session cookies from a member’s computer when the member signs out by clicking the sign-out link or by closing their browser.” Sorry, that makes me nervous.
Larry also takes issue with the assertion that your Windows XP password and your Passport password will be the same. I have to bow to his superior knowledge on this one, and note that I didn’t make any of this stuff up, but got it from noted security expert Avi Rubin , a researcher at AT&T Labs. Perhaps his information was dated. It is clear that Microsoft requires signing up for a Passport to use many of XP’s services.
Larry offers some comments on the whole single sign-on and online authentication problem:
Larry Kuhn: “This whole issue is a catch 22 for consumers – from a convenience standpoint, I’d really like to only ever have to identify myself once all day long as I use various computers... (or better yet, have each computer just recognize me, the way my friends do when they meet me on the street) – but in order for that to happen – all these systems need to know me – and if they know me, well – they know me.”
SNS: "So you’re saying, basically, Passport is cool, you’re OK with the level of detail Microsoft will be privy to, and the single point of failure problems don’t bother you, yes?"
LK: “Yes, I have the same type of problems with the multiple front door keys for my home that are floating around among my neighbors and relatives. They know all about my new TV when they see the delivery truck, they know all about my vacation when I ask them to let the dog out for a week while I’m gone. It’s a chance I take in exchange for having some options when I get locked out of the house.
“Also, one other point on "who ya going to trust?" – I figure MS has a lot more to lose than some no-name guy (or even the government!) in terms of brand equity if they let my info get stolen or if they use it for illegal or unsavory purposes. Plus, I might eventually need to sue someone for damages; it may as well be someone who can pay. So, there’s actually some value to me in enlisting them in protecting my personal data.”
Leaving aside the existential question, “Can we ever truly know anyone?” Larry points out the fundamental difference between online life and offline life: On the Internet, nobody knows you’re a dog. To establish trust offline, you don’t need to know a person’s Social Security Number, mother’s maiden name, address, credit card number, and three references. You meet them, recognize them the next time you meet, work with them, and build trust.
Online is a completely different story. You don’t necessarily recognize a person the second time you meet, and you lack a lot of the information and cues you use to establish trust. Thus, there’s a need for schemes like Passport, or like biometric methods of determining identity via fingerprints or iris scans. But there’s something fundamentally more intrusive about requiring intimate information about my life or my body in order to identify and trust me. I feel it is much easier to abuse our relationship if you have this information than it is if we work together or bank together or worship together in the real world.
As I said last issue, this is obviously a complex issue and one that businesses need to come to grips with if the Internet is going to evolve into the kind of marketplace many eCommerce pundits envision.
- New Wireless SIG: Geneer has created the Midwest Wireless Application Developers Special Interest Group (SIG) a non-commercial group designed to promote discussion of wireless developer tips and tools. The first meeting is Tuesday, Sept. 18, 2001, and features Guest Presenter Rod Massie of Motient Corp., provider of eLinkSM and BlackBerry™ by Motient wireless email services. Rod’s topic is Developers’ Tips & Secrets for Motient’s Terrestrial Network and Motorola’s DataTAC Technology. The free meeting runs from 6:00 PM to 8:30 PM at the Marriott Suites, 8535 W. Higgins Road, Chicago, Illinois.
Can’t Get Enough of ME?
In the unlikely event that you want more of my opinions, I’ve started a Weblog. It’s the fashionable thing for pundits to do, and I’m doing it too. A Weblog is a datestamped collection of somewhat random thoughts and ideas assembled on a Web page. If you’d like to subject the world to your thoughts, as I do, you can create your own Weblog. You need to have a Web site that allows you FTP access, and the free software from www.blogger.com . This allows you to right click on a Web page and append your pithy thoughts to your Weblog.
I’ve dubbed my Weblog entries “Stratlets”, and they are available at www.stratvantage.com/stratlets/ . Let me know what you think. Also check out the TrendSpot for ranking of the latest emerging trends.
Return to Mike’s Take