Tuesday, March 31, 2009

More thoughts on Conficker worm

How much damage can someone with "remote control" of somewhere between 2 million and 15 million computers (the estimated number of conficker infected computers worldwide) actually do?

Think about that. Whoever is "running" this worm has the ability to update the worm, in general within a few days' time, effectively issuing new operating instructions to this vast arsenal of Internet-connected systems.

So what kind of attack can be launched? How much and/or what specific critical areas of world economy or infrastructure can be attacked?

Is it conceivable that a vast amount of the world economy can be brought to its knees?

I honestly don't know. And so far, I can't find anyone who is saying anything more specific, aside from vague comments such as "in the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself."

What is not addressed in this kind of comment is the degree of impact on the world economy if attacks could in fact "disrupt the Internet itself". To the degree such a general statement is true...I'd say the world economy could pretty much be brought to a standstill, don't you agree? The world economy is extraordinarily dependent upon the Internet, in a way that we haven't really grokked...but we need to, and quickly.

Are we potentially facing one of those comic book moments where Dr. Doom truly causes mass disruption of the world economy, then announces to the world that he'll only re-enable operations if he's sent $100B? Or named world dictator? Or both.

I know it's fantastical...but if there aren't people RIGHT NOW sitting in Pentagon think tanks analyzing the potential level of disruption, I'd be awfully shocked. Unless of course the level of potential disruption is well understood already, in which case they are probably analyzing just what can be done about it.

I've spent some time reading through the detailed descriptions of this nasty little worm, and it's a son of a gun. The problem is that unless the people owning/managing the infected computers wipe it out themselves, by retaking control of their own computers and running appropriate "disinfectant" software, there's just no darn way to recover control of these 2-15 million computer systems! And most such people have no clue their machine is infected.

A few key notes if you aren't aware of them:

- the vulnerability it exploits was patched by Microsoft in October of last year, and the first variant appeared within weeks of that; in the time since, this worm has gone through three updates (A=>B=>B++=>C). Of course, not all older versions of the worm have successfully evolved to the newer versions, so what's out there now is a range of types. These updates have included active measures to counter the "counter-measures" that security researchers have been deploying to block or disable the worm.
- the developers are using absolutely state-of-the-art technology, literally within days of its development (for example MD6: they included the first version only a few weeks after its initial development and public release, defects included, and then in an update early in '09 picked up the very new corrections to those defects).
- the worm uses a variety of methods to fetch updates to itself, the most powerful being "find a domain on the Internet where my master has new code for me to download". A new method for doing this is what "turns on" on April 1, 2009. Whether or not April 1 will also be the date a new version of the worm is downloaded to all the infected machines is a separate matter: this is a "mode switch" date, not necessarily a payload date.
- most perniciously, the worm performs public/private key based validation of any new worm version before it installs it. The private key is known only to the creators of the worm, and at a key length of 4096 bits it is far beyond any practical attempt to derive the private key from the public key embedded in the worm code.
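To make the rendezvous mechanism in the third note concrete, here is an added example (my own illustration, not Conficker's code and not its actual algorithm): a domain generation routine that derives a day's candidate domains from the calendar date alone, the bot side that walks the list, and the defender side that, having reverse engineered the routine, pre-computes the same list and registers it to a sinkhole. The TLD set, the 250-per-day count, the SHA-256 derivation, the sinkhole/botmaster addresses and the injected `resolve` callback are all assumptions of this example.

```python
import hashlib
import re
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple

# Assumptions of this illustrative DGA (not Conficker's actual routine):
# a small fixed TLD set, 250 candidates per day, SHA-256 as the derivation.
TLDS = ("com", "net", "org", "info", "biz")
DOMAIN_RE = re.compile(r"^[a-z]{8,12}\.(com|net|org|info|biz)$")
DEMO_DAY = date(2009, 4, 1)

Resolver = Callable[[str], Optional[str]]   # hostname -> IP, or None if it does not resolve


def rendezvous_domains(day: date, count: int = 250) -> List[str]:
    """Derive the day's candidate rendezvous domains from the calendar date.

    The date is the only input, so every infected host derives the same list,
    and so does any analyst who has reverse engineered the routine.
    """
    seed = day.isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 5                                   # 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def bot_candidate_servers(day: date, resolve: Resolver) -> List[Tuple[str, str]]:
    """Bot side: try every domain on today's list and keep the ones that answer.

    `resolve` is injected so this runs offline; a real bot does DNS lookups and
    then fetches (and signature-checks) whatever each responding host serves.
    """
    hits = []
    for domain in rendezvous_domains(day):
        addr = resolve(domain)
        if addr is not None:
            hits.append((domain, addr))
    return hits


def defender_sinkhole_table(day: date, sinkhole_ip: str, coverage: float = 1.0) -> Dict[str, str]:
    """Defender side: pre-compute the same list and register a fraction of it
    (`coverage`) so that it resolves to a sinkhole instead of the botmaster."""
    domains = rendezvous_domains(day)
    return {d: sinkhole_ip for d in domains[: round(len(domains) * coverage)]}


if __name__ == "__main__":
    # Constructed scenario: defenders registered 80% of the day's list ...
    dns: Dict[str, str] = defender_sinkhole_table(DEMO_DAY, "192.0.2.1", coverage=0.8)
    # ... and the botmaster only needs ONE domain they did not register.
    dns[rendezvous_domains(DEMO_DAY)[-1]] = "198.51.100.7"
    hits = bot_candidate_servers(DEMO_DAY, dns.get)
    sinkholed = sum(ip == "192.0.2.1" for _, ip in hits)
    print(f"{len(hits)} responders: {sinkholed} sinkholes, {len(hits) - sinkholed} botmaster")
```

Registering every candidate ahead of time is what the coordinated response did in early 2009; the worm's answer in the C variant was to raise the daily candidate count to tens of thousands of domains and query only a random subset, which is more than can be registered. That is why a single unregistered domain in the demo still gets the botmaster through, and why the signature check in the last note, not the domain list, is what actually decides which responder a bot trusts.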

The "easy" way to turn this thing off is to build a "good worm", if you will (some benign code that will terminate itself and stop operating once it has replaced the old version on an infected system), sign this "good worm" with the private key, and put it where all the infected systems will find it and download it. Then all the "bad" Conficker worms replace themselves with the new benign version over time, and voilà, threat over. (Remind you of Data sending the "go to sleep" command into the Borg collective in Star Trek TNG? It should...)

Easy right? The core issue is WHAT IS THE PRIVATE KEY? How do we make sure the Borg accept the sleep message as a valid message?
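As an added example (my own illustration, not the worm's code), here is what that validation gate looks like in Python, using a self-contained textbook RSA with a fixed PKCS#1 v1.5-shaped digest encoding so that it runs without third-party libraries: the bot carries only the public key, accepts a payload only if the signature verifies under it, and rejects a tampered payload or one signed by anyone else's key, which is exactly why a "good worm" cannot be pushed without the private key. The 1024-bit key size, the seeded PRNG and the payload string are assumptions made for reproducibility; real code would use a vetted library, a CSPRNG, and a 4096-bit key like the worm's.

```python
import hashlib
import random
from typing import Tuple

PublicKey = Tuple[int, int]    # (n, e)
PrivateKey = Tuple[int, int]   # (n, d)


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin, after trial division by a few small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if _is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(bits: int = 1024, seed: int = 0) -> Tuple[PublicKey, PrivateKey]:
    """Textbook RSA key generation. The seeded Mersenne Twister is a demo-only
    assumption so the example is reproducible; never generate real keys this way."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:      # e is prime, so this guarantees gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _encode(message: bytes, n: int) -> int:
    """Deterministic digest encoding 00 01 FF..FF 00 || SHA-256(message), sized
    to the modulus (the PKCS#1 v1.5 shape, without the DigestInfo header)."""
    k = (n.bit_length() + 7) // 8
    digest = hashlib.sha256(message).digest()
    padded = b"\x00\x01" + b"\xff" * (k - 3 - len(digest)) + b"\x00" + digest
    return int.from_bytes(padded, "big")


def sign(priv: PrivateKey, message: bytes) -> int:
    n, d = priv
    return pow(_encode(message, n), d, n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    """Recompute the full encoding and compare the whole integer, so there is
    no lenient parsing of recovered padding to get wrong."""
    n, e = pub
    return 0 <= signature < n and pow(signature, e, n) == _encode(message, n)


def bot_accept_update(embedded_pub: PublicKey, payload: bytes, signature: int) -> bool:
    """The gate the worm applies to anything it downloads: install only if the
    signature verifies under the public key baked into its own body."""
    return verify(embedded_pub, payload, signature)


# Constructed demo keys: the botmaster's public key is what the worm carries;
# the defenders have their own key pair, which is exactly the problem.
BOTMASTER_PUB, BOTMASTER_PRIV = generate_keypair(seed=2009)
DEFENDER_PUB, DEFENDER_PRIV = generate_keypair(seed=1)
GOOD_WORM = b"payload: terminate self, remove persistence, exit"   # constructed

if __name__ == "__main__":
    genuine = sign(BOTMASTER_PRIV, GOOD_WORM)
    print("botmaster-signed:", bot_accept_update(BOTMASTER_PUB, GOOD_WORM, genuine))
    print("defender-signed: ", bot_accept_update(BOTMASTER_PUB, GOOD_WORM, sign(DEFENDER_PRIV, GOOD_WORM)))
    print("tampered payload:", bot_accept_update(BOTMASTER_PUB, GOOD_WORM + b"!", genuine))
```

The only way the second line prints True is with the botmaster's private key, and with a 4096-bit modulus there is no computational route to it from the public key the worm carries; hence the discussion of other routes below.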

The way to get the private key is "easy", and it's called the rubber hose method. You simply find the criminals responsible for Conficker and put them under the rubber hose (if you will) until they share the private key. So the problem becomes one of tracking down the SOBs responsible, which is unfortunately not easy at all. There are some indications that the criminal group behind Baka Software (who distributed "anti-virus software for Windows" as a product that was itself malware, sneaky crooks) MIGHT be responsible. Baka is apparently in Kiev, Ukraine. However, the vague signs pointing their way could also be intentional misdirection by the real developers.

We can only hope to hear news reports soon of a raid by a multi-national SWAT team that executes the rubber hose method of private key extraction. I for one will be cheering from the sidelines. I don't want to have to wake up every morning and recite a Pledge of Allegiance to Dr. Doom...

Monday, March 30, 2009

Conficker (note: sometimes you'll find this on the web as "conflicker", but apparently the roots of the name are dirtier than that...) is "due" to switch to a new self-update scheme on April 1 (2009). What's Conficker all about and what are the implications?

First, it's on millions of PCs. Second, to date, it hasn't explicitly done anything deeply "wrong", beyond propagating and protecting itself by doing things like blocking anti-virus updates and scans, etc.

The question is: what IS it going to do? What's the purpose? Well, it's a tool for the "owners"; they have access to millions of computers, for doing just about whatever they darn well please, when they please. If they wake up on the wrong side of the bed and decide to toast them via disk wipes, they can have the worm download new instructions to do just that. However, that's not likely, and to understand why we have to understand the mindset of the creators.

The creators are, in all likelihood, part of a crime syndicate. Availability of millions of computers is a tool not to be wasted for non-monetary purposes. How exactly they will be used over time will be revealed, one conficker update cycle at a time, starting in two days.

How does such an extensive infestation happen in this day and age? Unfortunately it happens because organizations and individuals don't keep their system software current, end of story. Anyone at Windows XP SP2 or anything more recent than that has access both to the patch that closes the hole Conficker exploits (MS08-067, released in October 2008) and to software that will find the worm and remove it.

The problem is all the computers that run older software. MS doesn't support XP SP1 anymore, for example, and has not and will not release a patch for that service pack to correct the security flaw that enables infestation by Conficker. While we can berate MS for this, I don't think that's appropriate, because if an organization (or individual) doesn't bother to upgrade to SP2...then are they really likely to bother with a security patch to the SP1 system? I'd guess probably not.

So while we can moan and groan about "insecure software", unfortunately this is as much or even more a human and organizational behavior (and economic) issue than it is a technology issue. Or to put it a different way, folks, there are always going to be security issues in software. (Well, maybe someday that won't be true, but for the next good while it is and will be!) At the same time, there will always be ways to REACT to the security issues that come to light...which requires not "dumb users" but involved users, caring users, thoughtful users, and perhaps most importantly...users that understand that keeping their computer systems secure through updates is a COST OF OWNERSHIP REQUIREMENT.

Conficker is a fascinating testament to the problem: it's insidious, and it causes, to date, no overt and obvious (to the casual user) harm to the computer. So "all is well", and infected machines work hard to infect other unprotected systems, and so it spreads. It's taking great advantage of our "feel no evil, there is no evil" attitude toward technology. I'd guess that 95% of the people sitting in front of computers infected with Conficker have never heard of the worm (it is a "worm", a self-replicating program which, unlike a virus, does not need to attach itself to an existing program in order to spread). Kind of like getting a disease for which there are no clear symptoms for some time until...whoops, something bad happens.

In the case of Conficker, the "something bad" may still not be anything overtly obvious on the infected systems. For example, they could be harnessed to launch mass denial of service attacks at specific targets, or to send spam, etc. The impact on any particular infected system may be very minor.

I still hear many of you reading this asking "but isn't there a technical solution?". Sure there is! Don't run older MS operating system software that is vulnerable to the RPC buffer overflow attack (the Server service flaw fixed by MS08-067); keep your system software current and updated with all the latest security patches! And don't leave the ADMIN$ share reachable over NetBIOS/SMB protected by weak passwords: Conficker dictionary-attacks those shares with a list of common passwords, and this is probably the method through which large groups of commercial computers have been infected.

Other steps: go here and download the latest copy of the Microsoft Malicious Software Removal Tool, and then run it by navigating to c:\WINDOWS\system32 and running the program mrt.exe:

http://www.microsoft.com/downloads/thankyou.aspx?familyId=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displayLang=en

(Note: if you are unable to access this page with your browser...you are probably infected! Conficker blocks DNS lookups for most security/anti-virus related sites...)
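That "can't reach the security sites" symptom can be turned into a quick differential check, which I add here as an example of my own (not Microsoft's tool and not code from the original post): it compares whether a handful of security-vendor names resolve against a couple of control names, the same idea as the browser-based Conficker "eye chart" tests. The site lists are constructed; `infected_host_resolver` is an offline stand-in that models the worm's reported substring filter on looked-up names so the logic can be exercised without an infected machine, while `live_resolver` does real lookups with the standard library.

```python
import socket
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]   # hostname -> IP, or None if the lookup fails

# Constructed lists. The security names contain substrings that Conficker is
# reported to filter out of name resolution; the control names do not.
SECURITY_SITES = ("www.microsoft.com", "www.symantec.com", "www.mcafee.com",
                  "www.sophos.com", "update.microsoft.com")
CONTROL_SITES = ("www.example.com", "www.iana.org")

# A few entries of the kind of blocklist the worm is reported to carry (assumption:
# the real list is longer; only the substring-match behaviour matters here).
BLOCKED_SUBSTRINGS = ("microsoft", "symantec", "mcafee", "sophos", "virus", "malware")


def live_resolver(host: str) -> Optional[str]:
    """Real DNS lookup; None if the name does not resolve (or is being blocked)."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def infected_host_resolver(host: str) -> Optional[str]:
    """Offline stand-in for a Conficker-infected host: the worm hooks name
    resolution and fails any lookup whose name contains a blocked substring."""
    if any(s in host.lower() for s in BLOCKED_SUBSTRINGS):
        return None
    return "203.0.113.10"   # constructed answer for everything else


def clean_host_resolver(host: str) -> Optional[str]:
    """Offline stand-in for a healthy host: everything resolves."""
    return "203.0.113.10"


def classify_host(resolve: Resolver) -> str:
    """Differential check: security names failing while control names succeed is
    the signature of the worm's DNS blocking, not of a dead network connection."""
    control_ok = sum(resolve(h) is not None for h in CONTROL_SITES)
    security_ok = sum(resolve(h) is not None for h in SECURITY_SITES)
    if control_ok == 0:
        return "inconclusive: no name resolution at all"
    if security_ok == 0:
        return "likely infected: every security site is blocked"
    if security_ok < len(SECURITY_SITES):
        return "suspicious: some security sites are blocked"
    return "no sign of DNS blocking"


if __name__ == "__main__":
    print("simulated infected host:", classify_host(infected_host_resolver))
    print("simulated clean host:   ", classify_host(clean_host_resolver))
    print("this machine:           ", classify_host(live_resolver))
```

Two caveats for running it against `live_resolver`: a network that forces all web access through a proxy and offers no direct DNS will make the control names fail too, which the function reports as inconclusive rather than as infection; and a clean result only says the DNS-blocking behavior is absent, not that the machine is clean, so it is a triage hint, not a substitute for running the removal tool.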

Can system software or some kind of add-on security software be designed to "automatically detect" and report an infestation? Well...yes. And the newest versions of the anti-virus software do exactly this: they find and neutralize Conficker, which is why one of Conficker's actions is to disable the updating and execution of virus detection software! Okay, you might ask, how about "built in" safeguards, built-in sentries? Well...yes. And the anti-virus software on your computer (assuming you are current with your updates and not infected) does this. "How about something generic that is always there from the get-go that can find and notify or even destroy this and any and all new and different viruses and worms?". Ah yes, the holy grail.

No.

Why not? Because step 1b of every serious virus/worm designer is "counter all the existing defenses". So it becomes a game of "can we develop a non-counterable defense, which can find and deal with any arbitrary infestation?".

My friends, that is seriously difficult, bordering on impossible, and in the general case formally "uncomputable" (for you computer scientist types: Fred Cohen showed in the 1980s that deciding whether an arbitrary program is a virus is undecidable). Perhaps it's achievable in an extremely well structured operating system environment with extremely formal interfaces and controls...which of course Windows definitely is not.

That said, you CAN enable programs to monitor themselves for changes, you CAN enable programs to validate the "correctness" and "appropriateness" of any attaching modules, and Arxan is in this business. But it takes proactive effort by the owners of all those programs to take such actions. Additionally, worms such as Conficker don't operate this way; it comes in as a separate body of code, hiding itself. Can all such "inappropriate" software be seen/found and rooted out as it lands in a computing system? That's tough, because again, a Windows (or Linux etc.) environment is one very complicated environment, with a wide range of dynamic content including many different programs being loaded and run.

The analogies with biological viruses and human behaviors here are just too strong to ignore. "Can we protect ourselves from viruses?". Well, yes...to a degree. Wash your hands often, particularly after being in public places or having human interactions, take your vitamin C (500 mg 2x/day folks, it's working for me!), get regular aerobic exercise (20+ minutes 3-4x/week), practice safe sex, etc. So...does everyone do this? Hah, not even close. So we are far, far more sick than we need to be.

Our computers are too. Between 9 and 14 million of them by the latest estimate, to Conficker infection alone.

That's sad. So check your computer and keep it current.

Wednesday, March 25, 2009

CERIAS Security Conference - Purdue

I attended sessions at the CERIAS security conference at Purdue today, and participated as a panelist in a discussion around the recent report "Unsecured Economies", performed by Dr. Karthik Kannan, Dr. Jackie Rees and Dr. Eugene Spafford, and funded by McAfee. (The report can be accessed through this request page: http://resources.mcafee.com/content/NAUnsecuredEconomiesReport).

The report is based on a study of 1000 senior IT decision makers across 800 companies, the distribution of their IP and data assets around the world, and the IP and data theft they have experienced in the last year. The numbers are rather staggering: $4.6M in AVERAGE losses per company in a single recent year.

Some interesting questions were asked during the panel, including "how were the values of the losses assessed?". Indeed, "how we count" here is a tricky question. At Arxan, while we could look, for example, at the direct cost of any piracy of our software ("whoops, that would/could have been a customer, so that's a loss of $x of income/revenue"), the larger costs are in how such pirated software could be misused to compromise the value proposition of the company, and the resulting damage over the longer term to the company valuation.

My opening statement, boiled down, amounted to the following: enterprises today utilize vastly distributed computing elements, with no well defined perimeter, each of which maintains and/or processes company data and/or IP. Perimeter defenses are ineffective, and even when in place around concentrations of computing elements, are too easily compromised through direct and indirect attack. Therefore, our security model must directly address the security of the fundamental data, the enterprise applications that process that data, and the keys that enable the legitimate usage of the data and applications.

This is where Arxan plays, and it represents Arxan's core vision. And the reality is that it's a journey and a quest, by both us and our customers, because it's an ongoing battle with the criminals who are always seeking to overcome our latest and greatest solutions and defenses.

A few other notes on the conference. Dr. Ron Ritchey of Booz Allen (and also an adjunct professor at George Mason teaching a course in secure software development) gave the keynote this morning, and focused on the question of how security flaws do or do not scale with the size and/or complexity of the code base. He had some fascinating data from the operating system world showing the find rate of security issues in OSs, particularly various Microsoft OSs, over time.

At one level (to me anyway) it's "obvious" that security issues scale with size and complexity. The questions are a bit more subtle than that: can security issues be taken out of a given code base over time, and can complexity management be applied to the continued development of or addition to that code base to keep aggregate security issues "constant" (or even on a downward sloping trend line)? The most obvious driver, it seems to me, is the software lifecycle practices used in the enhancement/maintenance process itself. Additionally, usage levels are a critical factor in the resulting metrics. For example, Dr. Ritchey shared data showing nicely downtrending security find rates for NT starting around year 5 or 6 of deployment...but mightn't this be primarily a function of steadily decreasing usage relative to newer Windows versions, rather than any indication that NT was better or is being maintained "better"?

The other interesting data was on Vista as it compared with XP and other older MS OSs. The find rate curve for Vista for the first two years is dramatically sharper than it was for XP (which in turn was higher than for the previous version); in fact the increase in slope was to me rather alarming. There were only two data points, but the trend is clearly in the wrong direction by a long shot, and this for an OS where increased security was a primary business objective (or so I understood). Of course the code size and complexity level of Vista vs. XP is much larger/higher, so..."to be expected", but that's not a good answer for us the users nor for the software industry in general, is it?

Ciao for now,

-Kevin

Thursday, March 19, 2009

Software Security from the Arxan CTO

Hello world!

Yes, very punny for you computer scientists (for you others, a program that prints "Hello world!" is the first program in the original book by Kernighan and Ritchie on the C programming language...).

I'm Kevin Morgan and for over two years I've been managing product R&D (and support and training development and now professional services) here at Arxan Technologies. We specialize in application software protection; protection from what, you ask? Protection from reverse engineering to steal your intellectual property; protection from tampering to unlock features that customers haven't paid for or are not allowed to access; protection from tampering to break license management or activation so they can run the software without paying for it; protection from tampering so they can steal unencrypted digital content. Protection from tampering so they can access your company's internal business data or intellectual property, or worse yet, to perform illicit financial transactions. The list goes on and on.

Now they pinned a CTO title on my chest, and among other things, asked me to blog about what's up in the world of software security in general. So here's my first post just to get started, with I'm sure many more (with real content!) to come...

Be blogging at you soon.

-Kevin Morgan
kmorgan@arxan.com
VP of Engineering
Chief Technology Officer (Commercial)