Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

How to Own the Internet In Your Spare Time 217

xenofile writes "A chilling paper has recently been posted analyzing the various threats worms pose to the Internet, and the relative ease of exploiting say the 30,000,000 Kazaa hosts to completely cripple large portions of the net." Lots of good stuff in this paper. It sorta combines many things you've probably read, and demonstrates how the net could be seriously taken by someone who wants it.
This discussion has been archived. No new comments can be posted.

How to Own the Internet In Your Spare Time

Comments Filter:
  • the net, like business or anything else in society is based on trust.
    • by Anonymous Coward
      wrong - the net is based on pr0n. As long as this does not stop the pr0n from flowing, most of the net users will not care. Also, will this affect AOL chat groups? Because those are very important too.
    • by RatOmeter ( 468015 ) on Sunday May 26, 2002 @09:41AM (#3586940)
      Yes. And in business, we aren't all that trusting, so we have laws to regulate business behavior in order to improve or, at least, enforce the trustworthiness between business players. Do we need/want the same practices applied to the Internet? I say no, but I have this awful feeling of gloom. I think that, within 10 or 15 years (maybe even less) the business interests in the net will have convinced the lawmakers that we need to boost the trustworthiness of the net... by regulating the hell out of it.

      I think we, as the techical force behind the net, can and must resolve the major issues that make the businesses nervous. If they can trundle blithely forward, enjoying the net without too many major hitches, they'll continue to pay our salaries and let us run it. One or two major exploits or outages with mega/giga dollar associated losses, and the lawmakers will clamp right down. Bye bye net, as we know (and love) it.

  • Well (Score:2, Insightful)

    by shayera ( 518168 )
    With the speed the RIAA gets these sharing networks to hunker down, perhaps the problem will go away on it's own...
    On the other hand, perhaps pigs will fly, and a certain redmond company will once and for all wisen up and ensure their OS'es not by default make the world a happy place for worm writers..
  • Why, oh Why does this remind me of something that I would see as a scheme on Pinky and the Brain?

    another tool for budding mad scientists around the world. arghhhhh.

    • Why does this remind me of something that I would see as a scheme on Pinky and the Brain?

      Pinky. Are you pondering what I'm pondering?

      I think so Brain, but if we take over the net, how will the big boats catch any fish?

      *bonk*

      Not that kind of net, Pinky. The Internet: A global network of millions of computers; a network where music and pr0n are yours for the taking; a network where powerful tools like email and hypertext are used promote penis enlargement, pyramid schemes, and cheap drugs from the third world; a network where millions are left totally vulnerable by software given to them freely by the richest company in the world.

      Ooooo, sounds nice, Brain. But Brain?

      Yes, Pinky?

      If you take it over, who's gonna share their pr0n with you?
  • Abstract (Score:2, Interesting)

    by Anonymous Coward
    To Appear in the Proceedings of the 11th USENIX Security Symposium (Security '02)

    The ability of attackers to rapidly gain control of vast numbers of Internet hosts poses an immense risk to the overall security of the Internet. Once subverted, these hosts can not only be used to launch massive denial of service floods, but also to steal or corrupt great quantities of sensitive information, and confuse and disrupt use of the network in more subtle ways.

    We present an analysis of the magnitude of the threat. We begin with a mathematical model derived from empirical data of the spread of Code Red I in July, 2001. We discuss techniques subsequently employed for achieving greater virulence by Code Red II and Nimda. In this context, we develop and evaluate several new, highly virulent possible techniques: hit-list scanning (which creates a Warhol worm), permutation scanning (which enables self-coordinating scanning), and use of Internet-sized hit-lists (which creates a flash worm).

    We then turn to the to the threat of surreptitious worms that spread more slowly but in a much harder to detect "contagion" fashion. We demonstrate that such a worm today could arguably subvert upwards of 10,000,000 Internet hosts. We also consider robust mechanisms by which attackers can control and update deployed worms.

    In conclusion, we argue for the pressing need to develop a "Center for Disease Control" analog for virus- and worm-based threats to national cybersecurity, and sketch some of the components that would go into such a Center.

    Also in PDF optimized for reading online [icir.org], PDF optimized for printing [icir.org]
  • I got scared for a second, then did a google search for identified linux worms, thought about how many times I've never caught one, and promptly became glad my OS isn't mainstream.
  • by wackybrit ( 321117 ) on Sunday May 26, 2002 @09:19AM (#3586889) Homepage Journal
    Wow, this paper really breaks new ground. Let's see:

    If you can control a million hosts on the Internet, you can do enormous damage.

    [..] you can access any sensitive information present on any of those million machines [..]

    But for those who are truly thick and can't get the point:

    In short, if you could control a million Internet hosts, the potential damage is truly immense [..]

    It's good to see they're really targeting the 'brains' of the nation with these statements.

    Luckily, things get a little more scientific as we move into the next section, but they actually say they're 'ignoring' certain important variables. Almost any mathetmatical theory works if you 'ignore' certain variables.

    Perhaps papers like these should actually focus on the real reason that DOS attacks are so easy. Crappy code. Since when did Eudora or Pegasus start spreading viruses? It's all Outlook Express.

    But what about system level DOS attacks, you say? Firewalls were invented to solve these problems. Of course, firewalls were only invented because the original net code in Linux/Windows/etc hadn't anticipated DOS attacks, and couldn't fend them off themselves. I mean.. in 1994, who was flooding servers with 64kB ping packets?

    It's time to rewrite the netcode. DOS attacks aren't really any different to memory leaks in programs. They can be controlled and confined and cleaned up, if the code is good. How often do you get a 'Protection Error' in Linux these days? Hardly ever. It's time to apply all of the safeguards we use in regular programming to net code too!

    And if you're scared of reinventing the wheel and writing new net code from scratch, then you have only yourself to blame.
    • Perhaps papers like these should actually focus on the real reason that DOS attacks are so easy. Crappy code.

      According to Sophos [sophos.com] (and I'd like to hope they know what they're talking about) the majority of the top ten viruses [sophos.com] of April 2002 are e-mail based social engineering worms.

      The problem is crappy users.
      • The problem is crappy users.

        I'm not so sure. The 'e-mail based social engineering worms' you talk of aren't actually triggered by users, but by flaws in Outlook Express. It's not like these 'Pass this onto 20 of your friends' mails, which are viral, but not viruses.

        Microsoft allows OE to access too many API functions. I mean, look at how these viruses work. You download them from the POP3 server, and when you preview them in OE, a box comes up saying 'Open' or 'Save As'. Many users just click OK, and end up getting infected. However, this isn't the user's fault, as such.

        OE should not automatically open attachments! It's Microsoft's crappy code that has allowed it to be hacked in this way. So.. I think the blame rests with the programmers, not the users. The programmers are meant to create an environment that's safe for users.

        Blaming the users is like blaming voters for getting GWB into office. It wasn't their fault, it was the system's fault for allowing it to happen.
        • Well, I disagree. It IS the users fault they clicked on okay. It is the user who is in control of the machine, and the user who is responsible for what they do. When you click on something, you are allowing something to happen.

          Yes, some worms spread automatically, wihtout user intervention, via holes in OE. I daresay these same holes could have been exploited by a slightly modified worm for Eudora. Eudora uses the MS viewer by default.. exactly the same thing OE uses.

          The number of worms that spread because morons click on an attachment to open it even though they have been told DIRECTLY, a HALF DOZEN TIMES, NOT TO OPEN ATTACHMENTS IF YOU DONT KNOW WHAT THEY ARE is staggering. This, by far, is where the vast majority of worms come from.

          Now.. I don't want to believe all these people are that stupid.. it's just a fundamental lack of understanding about how a computer works.
          • Re:Worms, etc. (Score:3, Insightful)

            by Jeremi ( 14640 )
            Now.. I don't want to believe all these people are that stupid.. it's just a fundamental lack of understanding about how a computer works


            The whole point behind Windows is to make a computer usable and useful to someone who doesn't understand how a computer works. If the user needs to understand how the computer works just to read his email, he might as well learn to use the command line for everything. Such a requirement is simply too much to ask of the average user.


            Also, keep in mind that it isn't enough for the user to understand how a computer works. The user could know everything about the computer, and it wouldn't help him, because he still wouldn't know which of his helper/viewer apps contain security holes which can be exploited by email attachments -- he can't know, because he doesn't have the source code to them.


            The only conclusion is: if attachments cannot be made safe, then they should not be made easy to open. The best solution would be to run attachments in some sort of 'sandbox' (Java style) so that they literally cannot do any damage to the machine. The next best (and still not very good) solution would be to put a big fat "WARNING -- VIRUS HAZARD" notice up whenever the user tries to open an attachment; one that is very hard to get past without reading it.

            • I think we are reinventing the weel. Windows was based not only on the idea that a computer should be usable by Joe and Jane but also on the premise that it should be admninistered by those Joe and Jane's.

              It think that was a wrong choice. To make the choice worst, they decided that it should allow you to do everything easily (no learing neeeded) and if something was a bit complicated, then it should be stripped off.

              The day they realize things should be "owned" and "permisioned" we'd be ok. I don't fear executing whatever in my linux, as long as i use a non important account to execute it (you also need to have all the permisions right or...).

              Everyone should be able to use computers, administering is another thing. They can provide a default install that is ok and secure. Of course, there will be some things Joe will not be able to do. And that's a good thing (he can learn a bit if he really wants to change them).
      • Crappy users are never going to go away. A company with some insight, and a desire to write decent Apps would realize this and program around it as much as possible!

        Instead, we have Micro$oft, driven by marketing and Bill's hunger for power. Sure, it's easy to use, but it's easy to 0wn too. The we have Apple, hard to 0wn, easy to use, but nowhere near the installed base. And then there is Linux, much the same.

        I lay the blame for these worms where it belongs, at the feet of Micros~1. They could disable a lot of their "features" and stop most of this nonsense.
    • Almost any mathetmatical theory works if you 'ignore' certain variables.


      Physicists have been doing this for a long time.
      • Yeah, but knowing *which* variables you "may" ignore is a very delicate art.

        Anyway, this is offtopic...

        Own "the internet" ? there is not "an internet". I could just set up my own network with friends and name it "foobarnet". Then others interested could come join us.

        There isn't "an internet". The whole deal about "owning the internet" is in-existent.

        Of course what i say sounds pretty naive, but i am sure you understand the main idea...

        duh.
        • There isn't "an internet". The whole deal about "owning the internet" is in-existent.

          The story submitter did properly capitalize "Internet" when he says "the Internet".

          An internet is any network that connects two or more networks.

          The Internet is this goofy thing, started by DARPA, over which you have received this HTML page.

          internet == concept
          Internet == one instance of the concept, paradoxically loved and hated equally by those who know it best.

          Your foobarnet, presuming it would interconnect networks, and not just hosts, would be an internet. This is the Internet.
      • by matrix29 ( 259235 ) on Sunday May 26, 2002 @11:10AM (#3587192) Homepage
        Almost any mathematical theory works if you 'ignore' certain variables.

        Physicists have been doing this for a long time.


        I'm a theoretical physicist, at least I think I am. I cannot be certain. It is just a theory I have.
    • It's called the normal distribution. The worst programmers can't write networking code at all. Normal programmers write crappy code and the best coders get all frothy about all the crappy code out there.

      Sad but true. Quality takes time, money, and good people. All scarce resources.
      • Quality takes time, money, and good people. All scarce resources.

        Or put another way:

        a) Cheap
        b) Fast
        c) Good

        Pick any two.

        It was already pretty bad, and it isn't going to get better soon. Now that the bubble has burst for finding capital, try this:

        Cheap [selected]
        b) Fast
        c) Good

        Pick one.

        Since everyone want to be the first to market, try this:

        Cheap [selected]
        Fast [selected]
        c) Good

        ERROR: Sorry, your choices are up.
    • Firewalls were invented to solve these problems

      So you're gonna stop a DOS attack with a firewall? If they're "Masters of the Obvious" I guess that makes you "Masters of the Impossible". A firewall is not going to save you from a saturated link, aka DOS attack.

      It's time to rewrite the netcode. DOS attacks aren't really any different to memory leaks in programs. They can be controlled and confined and cleaned up, if the code is good.

      uh huh. Don't do much of this "netcode" stuff do you. Why do I think I just fed a troll?

    • Very insightful post. One problem:

      • http://www.wackybrit.com

      • Server Error
        The following error occurred:
        Could not connect to the server
        Please contact the administrator.

      I'd be more inclined to listen to exhortations to write robust code from someone who can actually keep his web server up. Perhaps you could clean your own house first.

  • Alot of these virus authors do it for exposure. The more the issue is pushed to the fore the more rewarding it is to do it.... Why not focus on "how to secure the internet in your spare time"?
    • I'd bet that the writer(s) of the Kazaa killer got big bucks, though how and/or from whom we may never know. I'd also bet that the makers of anti-virus software probably write many of the viruses just to keep sales up ..
  • by Navius Eurisko ( 322438 ) on Sunday May 26, 2002 @09:21AM (#3586897)
    Want to be a Supervillian?

    Don't have the body to fit in a costume?

    Too out of shape to battle Superheros all over Champion City?

    Think being a Supervillian is out of your reach?

    Not anymore! Just like millions of other americans, the Internet has changed lives. Let it do the same...for YOU! With the "Rule the Internet like an Evil Overlord" plan, you can learn how to take advantage of this exciting new medium to spread choas and terror into the people the world around! Now you can work to inspire fear from the comfort of your own home!
    • The really scary thing is that somebody may try this. If you're objective is just to cause disruption and panic, why go through all of the trouble of sneaking past the INS, paying for flight school, buying expensive GPS receivers and losing 19 believers in your cause? Why not just hire some 31337 geeks, preferably young teenagers who want to show off their skillz without caring about what happens, to shut down the e-mail and telephone systems in your favorite target country. You can be at home drinking at MaiTai instead of getting your hands dirty.

      Are we scared now? We should be.
      • > You can be at home drinking at MaiTai
        > instead of getting your hands dirty

        Bin Laden didn't get his hands dirty.

        What you describe is already what is happening.
      • Hey,

        Why not just hire some 31337 geeks, preferably young teenagers who want to show off their skillz without caring about what happens, to shut down the e-mail and telephone systems in your favorite target country.

        Because it wouldn't really do anything other than annoying people. Every so often, I'll dial up my ISP and they won't answer. I'll wait a few hours, try again, and things will have cleared themselves up. There are no deaths. There is no permanant damage that will take months to clear up. There are no massive fires, or explosions. It's just a little bit annoying for the country involved.

        I don't seee why people are always going on about 'cyber-terrorism'. A physical attack on a major data center would be far more damaging, and would be much harder to rectify.

        Michael
        • What if it wasn't a local ISP and what if it wasn't just a short attack. What about five people working together to destroy (read as rm -rf /) the e-mails servers of the Department of Justice and the Internal Revenue Service. Maybe trash a personnel computer too. People might not die, but it could cause some serious problems. If the tax refund checks of 50,000 people never got sent...

          Just because nobody has done it before doesn't mean it's not a threat.
          • One would hope that any data so critical or irreplaceable that its loss would be catastrophic is backed up on-site and off-site, and has a well-designed disaster-recovery plan associated with it. No one's done it because it wouldn't have any long-term effect.
            • One would hope that any data so critical or irreplaceable that its loss would be catastrophic is backed up on-site and off-sit

              You're right that critical data should be backed-up, but here's the problem. If I were a smart guy and wanted to wreak havoc on the economy, I wouldn't destroy any files. Destroying files is a dead giveaway that something's wrong and the back data should be used. Nope. What I'd want to do is corrupt the data in those files. Imagine the scandal that would ensue if some of the accounts in a particular bank were reduced by $1 and that money was donated anonymously to the republican presidential campaign. What would happen if the IRS database were hacked and the SSNs were scrambled.

              These aren't the greatest examples, but they illustrate the problems that could arise from data corruption rather than data destruction.

          • > What about five people working together to destroy (read as rm -rf /) the e-mails servers of the Department of Justice and the Internal Revenue Service. Maybe trash a personnel computer too. People might not die, but it could cause some serious problems. If the tax refund checks of 50,000 people never got sent...

            ...then somewhere on the Hill, a politician gets his wings? :-)

            Sen. "Watch me block another tax cut bill" Daschle probably has wet dreams about your scenario.

          • Just because nobody has done it before doesn't mean it's not a threat.

            Don't look now, but narrowly targeted cracks are going down all the time. A few days ago it was reported that complete credit files on 13,000 wealthy Experian (TRW) customers were hijacked with stolen Ford Motors Credit authorization keys. Just yesterday it was news that over 200,000 State employees in California had their personal data lifted, right out from under the noses of the Teale Data Center (big place, several large mainframes, lots of smaller Unix and Wintel systems too). Major potential for mischief there.

            Now use your imagination and ratchet it up a notch above merely criminal activity (identity theft and ordinary credit fraud). The paper doesn't go into it (excellent though it is), but what part of the modern first-world economy is most critical and yet most vulnerable? It's the financial system, which moves billions of dollars in the markets each and every business day - from Singapore, Taiwan, Hong Kong, Tokyo, and Seoul, through Vancouver, San Francisco, Los Angeles, Mexico City, Dallas, Chicago, Toronto, New York, to London, Paris, Berlin, and Geneva, etc. What happens when someone figures out how to game and disrupt that?

            How many large banks, brokerages, companies, and/or big investors would one need to control in order to melt down the international financial markets? What if someone could unleash an orchestrated attack on the first world financial structure, meanwhile confusing and frustrating all efforts to reverse the damage by individuals and institutions with massive DDoS activity? What if someone was able to compromise lots of DNS servers and routers to enable attack traffic while denying all other requests? This is the sort of scary stuff the paper at hand lets glimmer without any explicit discussion.

            We've already seen massive Puts on airlines just prior to 9/11 as well as high volumes of trading through WTC firms that morning. (Though those may have been US government insiders (CIA, etc.) just picking up some pocket change on the coat-tails of what Bush was going to play dumb about in order to justify his dynastic authoritarian imperial superpower agenda.) But the potential for some real harm caused by seriously hostile intentions for the international financial structure is huge. This is major scary stuff.


    • But Navius -- isn't being a Supervillain expensive and time-consuming? I sure wish there was a way to become one quickly, inexpensively and from my own home.
  • by oever ( 233119 ) on Sunday May 26, 2002 @09:22AM (#3586898) Homepage
    It's illegal to distribute virusses. People can go to jail for spreading them. So, why worry. We're safe.
  • 30,000,000 Kazaa hosts

    Jippity! That's a lotta users... more than 25 times the entire population of the state I live in!
  • by Subcarrier ( 262294 ) on Sunday May 26, 2002 @09:26AM (#3586905)
    Very nice paper from Paxson.

    On angle he neglects to mention is that the worm could only be the first wave of attack. The machines rapidly infected by a flash virus could easily be transformed into a massively parallel computing platform, into which a seconday attack program could be distributed in a matter of seconds. Such programs could then be used, for instance, to crack entry into strategically important machines that do not exhibit vulnerabilities directly exploitable by the first stage virus.

    Scary. I've been wondering why someone hasn't done it yet.
  • Personally, I think that Darwinism will rear its head in this case. Those that don't appreciate what it is or what it takes to run a computer safely and successfully will be subject to the bugs and malware of others that they blindly accept.

    Caveat emptor, and this is no exception.
    • You are neglecting the spin that will be applied by governments and corporations. And the "lobbying" efforts that will ensure that the form of the prescribed remedies is of benefit to the "appropriate parties".

      The corner cop may be my friend, as the sheep dog is to the sheep, but the U.S. government has been acting more similar to a meat packing plant.
  • and hasn't it always been this way? Zillions of insecure routers, servers and hosts out there for the taking? Only difference is that now there's less diversity than ever before. In ye olden days there were so many different architectures/os-en/programs that causing serious damage to the 'net by subverting one or two was pretty impossible. Now we have massive networks of nodes running on identical code ('doze, kazaa, even redhat in the linux world) - enough identical nodes for worms to do serious damage.

    So whats the way forward? Having software thats popular with the unwashed masses *and* secure just isn't going to happen (unclued users, no incentive for authors, etc etc)...

    Perhaps the only solution is liability - lets hold commercial entities responsible when their buggy code wreaks havoc on the net.

    Hah. yeahright, like thats ever going to happen.

    • If I shoot a person and she dies. Should people sue God because of his buggy code? If the terrorists hit a plane in a building and the building collapses, should I sue the architects? If some cracker, uses a Trojan on my OS, should I blame my OS?
      • So your saying haxx0rs should be responsible for their actions. I agree entirely, but what about the people who create beasts so huge and vulnerable for them to control? At least some of the buck should stop with kazza, MS et al for shipping insecure code when they know what it could cause.

        Trouble is this won't stop until someone forces them to be responsible for the things they create. Or until 30 million kazaa users become clueful.

        • I'd rather be using right now a somewhat insecure Windows XP instead of an extremely secure Windows 3.1.

          Look at Israel, due to the environment they live in, they most probably have the best security yet they're unable to stop many of the terrorist attacks.

          Which reminds me, I noticed a few days ago that some guy is using my email address to send viruses via Sendmail's SMTP. I don't think he's even using a password. I notified my hosting company. But according to you, I should be suing Sendmail?
          • > But according to you, I should be suing Sendmail?

            not at all:

            (a) sendmail is free, hardly fair for them to be liable when they give the thing away. On the other hand MS, kazaa et al profit from the software they ship.

            (b) config issue - who's responsible for this copy of sendmail, your hosting company? Their server is setup wrongly if its letting some kiddie impersonate you. Sendmail is not a mass-market product - its fair expect its users to be people who understand computer security issues. XP is - userbase of millons of people who don't even know what a buffer overflow is. Result is that sendmail users are usually responsible about the software they run and the effects it could have on others and kazaa users don't have the faintest idea.

            Tangent to this: sendmail is open source, so the person running it has every opportunity to fix problems. You don't see people doing that with XP).

      • If I shoot a person and she dies. Should people sue God because of his buggy code?

        No, but the people might sue the gun manufacturer and demand tighter gun control laws.

        In fact, if computers were declared weapons, a bunch of trigger happy Americans would probably rise to the barricades, Microsoft executives in the lead, and vehemently defedt their God given constitutional right to bear computers.
        • 99% of Slashdot readers would be fighting MS execs to be the lead frothers and bitching because MS doesn't know how to froth properly.

          There would be an RFC about proper frothing etiquette, and another about frothing efficiently.

          30 minutes after the riot started, there'd be at least four schisms within the Slashdot frothing community, each claiming that their froth was better than all the others.

          Somebody would start %. so that other frothers could get in the action.

          MS would find that the one thing no one really wants is a frother, so they would refuse to embrace and extend frothers.

          Frothdotters would get really upset about that and froth even more.

          Yadda yadda yadda ...
  • I am curious..

    What year, level, or course is the technique of avoiding buffer voerflows in C, C++, Java, or C# taught?

    How many times is MS going to get caught on buffer overflow erros on its production servers before admitting that its programmers are fragged?

    Would you trust a new P2P applicaiton from MS? Search on theri research lab site..its there but has not been released as a commercial product.


  • ...and demonstrates how the net could be seriously taken by someone who wants it.

    So, would owning the net mean that my ISP would be obliged to give me some sort of discount on what I'm paying them every month?

    • So, would owning the net mean that my ISP would be obliged to give me some sort of discount on what I'm paying them every month?

      Kinda... I hear the net acess is free in "federal pound-me-in-the-ass" prisons, so you could think of it as a 1000% rebate on $0, after they figured out who 0wn3z the net and locked you up.

  • Odd... They don't mention Pitr Cola [userfriendly.org] once in the whole paper. Are they overlooking the obvious?
  • This takes care of most of the problems, and makes fixing the rest easier.

    1. Insert Linux Boot CD, Install.
    2. Begin Install
    3. Delete all NTFS, Fat32, FAT partitions
    4. Continue install. Set up firewall and normal Linux security stuff.

    Like magic, the whole internet becomes more secure.

    • Until the majority starts using linux and virus creators focus on linux instead of MS.
      And don't gimme that crap on how linux is invulnerable to virus/worm attacks... It's just more interesting for virus writers to focus on MS, as it's products have the biggest share on the desktopmarket. "It's a bigger kick" ;)
    • No. it is not the same. For instance: Windows, all varieties, virtually demand that the user be 'local administrator'. A lot of software doesn't work correctly unless that is so. Rather than fight it, that is what is done. So anything the local user executes happens to the machine. Software holes are fixed only when MS gets around to it, after they admit there is one to begin with. It is really easy to write a worm/virus for Windows. The 'I love you' virus was a single page of plain text, very simple to accomplish.

      OTOH, Linux and other Unices, the administrator (root) is strongly discouraged to be the 'user'. And the 'user' has no direct access to the machine. He can hurt himself, but not the machine. And since it is open source, the fixes are much more likely to come sooner and be better done.

    • Like magic, the whole internet becomes more secure.
      It's because of thinking like this that the Internet is inherently insecure.
      • Like magic, the whole internet becomes more secure.

        It's because of thinking like this that the Internet is inherently insecure.


        Installing Linux causes Microsoft worms? ???

        There are no magic bullets, but Linux and moreso the BSDs have the attitude that the user should be in control and know what is going on. Maybe not secure yet, but enough is being done with jails and sandboxes and such that before long I should be able to run unpatched exploitable code with impunity. The only significant difference between the current Microsoft wormage and the UNIX Honor Virus is the user's awareness of just what is going on.
  • So what role for anti-virus firms, like symantec and sophos - how would they feel if a publicly funded angency were producing effective countermeasures to worms?

    I can see commercial interests taking priority over those of the internet at large. Could there also be in increase in complacency amongst users to not use appropriate system security or anti-virus measures if they think there's a "control centre" waiting to bail them out from any misfortune they experience as a result of their own failures?

    The idea seems attractive, I'm just unsure about the other implications.

  • Yes, many of you will say "duh!" when it comes to the conclusions of this paper, but what is great about this study is that it provides empirical evidence for the stuff that we've "known" for some time. In particular, look at the graph of Code Red Iv2 traffic. Even after all the hubbub, it comes back every month. Moreover, this paper gives some very good models for showing how these things spread.
  • OK, I know that security through obscurity sucks but is anyone else worried that right now thousands of script kiddies and black hat crackers are hard at work making the suggestions from that document a reality? I know if I was a worm author I would be treating the information in that document as a gold mine - it describes in pretty comprehensive terms some very effective ways of writing worms that can quickly grab a large number of hosts.
    • This paper doesn't say anything new about how these worms work, rather it provides empirical evidence and models on how they spread. All of the information about these worms was already available elsewhere.

      As for security through obscurity, look at the target of all of these worms...
  • I am just wondering that since now in the US it can be a terrorist offense to wreck networks or create DDOS attacks, are other countries jumping on this bandwagon? I mean, what can you do about things coming from .no, .nl, .jp, etc?

  • I'm not going to wait until they get me, I'm disconnecting righ-
    • Now that's funny. If some of that comes true, I guess one morning when I cannot connect to the internet I need to turn on the TV and see if someone evil now owns the internet.
  • As I was looking up a link, I was directed to this page [sigma7.com] which gave me a "js.exception exploit" in logo(1).gif, virus alert. This is the first time I've ever found a virus? online.
  • by 0xA ( 71424 ) on Sunday May 26, 2002 @10:44AM (#3587111)
    Does it seem to anyone else that while these guys are obviously good at building models to explain behaviors and have some interesting ideas they don't know diddly squat about how networks operate. Take this statement:

    There is an additional synergy in Nimda's use of multiple infection vectors: many firewalls allow mail to pass untouched, relying on the mail servers to remove pathogens.

    Just what do you want your firewall to do about this? Provided you want to do statefull inspection on your firewall, you still have to figure out what is bad stuff and what is okay. You're still going to be trying to match the attachment (or whatever) against a list of known bad stuff, be it a virus database or a list of disallowed extensions or something. Why wouldn't you do that at the mailserver, what are the advantages of trying to do it with a firewall? I have mine setup to just trash anything executable, works fine for me.

    Maybe they are just trying to write to a larger audience that admins and are "dumbing down" the language.

    • Does it seem to anyone else that while these guys are obviously good at building models to explain behaviors and have some interesting ideas they don't know diddly squat about how networks operate.

      I think you might find that this particular set of people know a whole lot more about how networks operate than they can put down in a six page conference paper.

      The point they are trying to make is that multiple attack vectors yield a better chance of entry than a single attack vector, precisely because there are multiple lines of defence. They are just stating fact, not suggesting that a single line of defence would be any better. Obvious to many of us, of course, but this is a survey of the problem space, not a deeply technical paper.
    • Why wouldn't you do that at the mailserver, what are the advantages of trying to do it with a firewall?

      Obviously that's better if you have a small network, one firewall, and one mail server.

      But if you own the entire network subnet that you're trying to keep clean (like a large ISP), your firewall could block out all incoming viruses. If you don't, you're relying on each person running a mailserver within your network to strip those viruses out.
    • If you only scan the mail, you are only scanning a fraction of your traffic. Eg. TrendMicro (I don't endorse their products) makes a Linux add-on for Firewall-1, that scans http and ftp traffic for viruses and trojans.
      A firewall, in its traditional sense, is unable to do that.
  • That this too technical for Valeni, Rosen, or Eisner to understand...I think they are too busy plugging their analog holes...
  • by cybrpnk2 ( 579066 ) on Sunday May 26, 2002 @10:51AM (#3587131) Homepage
    I posted a reference to Nicholas Weaver's work less than a week ago on the initial Slashdot Kazaa worm [slashdot.org] story...glad to see he's getting the recognition he deserves!!! The paper cited in the headline story is only a recent part of his efforts. His current web page on this topic is here [berkeley.edu] and his original essay (for which he received a LOT of flack for not taking down) on this topic is here [berkeley.edu]. A PDF version of his work is here [berkeley.edu].
  • Some Problems (Score:3, Insightful)

    by fuzzybunny ( 112938 ) on Sunday May 26, 2002 @11:14AM (#3587207) Homepage Journal


    One of the points the concept of a Warhol Worm [berkeley.edu] relies on (catch name, Nick) is the ability of a worm to coordinatedly scan vulnerable hosts in order to create the required 'hit list'.


    This assumes that nobody will notice the scanning; while most PC users won't notice, you're not going to scan a sufficient number of hosts to create a usably large list of vulnerable targets in a sufficiently small time window that nobody will catch on.


    Even extremely cleverly disguised scans can be logged and distinguished from regularly scheduled traffic, if a site's security people have any idea what they're doing (not necessarily a given.) Once the cat's out of the bag, you've lost the element of surprise (thus sinking your opportunity to get by, for example, corporate firewalls/mail servers relying on virus signatures to block unwanted traffic.


    Another problem I have with this is the not-so-decentralized nature of the internet; granted, if it's able to generate a sufficient amount of traffic, a worm can take out entire backbones. But as we saw with both Code Reds and Nimda, even a well-written scanning permutation generally has the side effect of eventually throttling itself.


    For example, I'd predict that a fairly overwhelming majority of vulnerable hosts will be on dial-up or broadband networks (62/63/64.x.x.x). If a worm such as CRII, as the paper says, scans primarily local hosts, it's to be assumed that any given provider's IP range will become saturated fairly quickly. Several thousand hosts on a provider's IP range may all launch scans at the same time, but cumulatively they're still limited to the provider's backbone...


    Otherwise, nice paper.


    And I partied with Nick Weaver.

  • Remember, Kazaa also installs Brilliant Digital Projector [businessweek.com], the P2P adware/spyware/download network. That's an ideal vehicle for high-speed worm distribution - a peer to peer push-type network invisible to the user. It supports forced download of programs to be executed and run. And those are documented features [sec.gov], not holes. It's designed to own the net. Brilliant calls it "Internet 3", or Altnet [altnet.com].

    "See how we're planning to partner with you to change the world of computing" - Brilliant Digital slogan

  • Interesting (Score:2, Interesting)

    by fusion812 ( 521238 )
    This, if anything, shows the need for (as stated in the paper) a need to have a central system for recovery and research of what was described. The obvious double edged sword of this document, and documents similar, in my opinion show the need for a head strong security movement. I, like many Linux users, are constantly amused and entertained by the 'average' individuals lack of know how in this field, however, I am not amused or entertained at their ignorance to security in general. It would seem that part of the blame could be the software companies lack of forwarding information to the customer on the issue, and part of the blame in the customers hands themselves. I am not pointing fingers or blame, just simply saying they are not educated enough to control the security of their own system(s). In my opinon, this is dangerous and there should be much more education given to the hands of the end user. Obviously an 80 year old woman with a background in knitting is not going to be able to secure her home PC, so I am not speaking of extreme change. However, I am speaking of individuals, who move from mom and pop stores to ecommerce means. So often I see individuals start an ecommerce site, and then are startled why their site was owned when they are using outdated forum software, cart software, or other software, and a password that consists of 'changeme'. Maybe a dumbed down security manual referred to by ecommerce providers would do the trick, maybe not. I don't know, I'm not a security executive, so I dont have the solution (...yet, lol). But just something, anything, to show the end user some basic means of boosting security and authentication may be enough to get the ball rolling. - Ross Smith

  • We had better keep this little tid bit under raps, me thinks Pitr from http://www.userfriendly.org may use it to his diabolic desires.

    It's bad enough he took over both the Pepsi and Coca Cola corporations.

    Pitr Cola, it just feels right.
  • So what would happen if someone managed to maintain a DDOS attack from say 10 million compromised systems against the root name servers? Would all the caches eventually go bad and get wiped, so nobody could connect to any hosts and the net was dead? Or would the cached data stick around, so that people could still connect to existing systems, but updates would no longer propagate? Or something else? Thanks!
  • He allready owns the internet. he carries it arround on a floppy disk in has back pocket.

    He had an IT guy download it last week for him.

    (its a joke, laugh)
  • by geirt ( 55254 ) on Sunday May 26, 2002 @06:08PM (#3588535)

    The obvious solution:

    Many sysadmins understand that they need to put their servers behind a firewall, protecting the servers from malicious inbound traffic from the internet. Now is the time to educate these sysadmins that they need to configure the firewalls to also block outbound access from the servers to the internet.

    For instance, a web server don't need outbound access to the internet at all, you are not going to use the server to browse the internet, so please block all outbound traffic from the web server. If this server get infected by a new worm, the worm can't spread to other hosts trough http. Simple.

    I have read a lot about firewalls lately, most focus on securing the inbound traffic, a few talks about egress filtering to stop address spoofing, but none writes about blocking outbound access from the servers, to stop worms from spreading from your server.

  • by mindstrm ( 20013 ) on Sunday May 26, 2002 @07:44PM (#3588828)
    Yes, it's possible to cause massive disruption. It has been for a long, long time.

    I recall the FBI stating that it was not some ddos attack that scared them, but hte fact that so many young kids controlled so many computers and DIDN'T do anything with it.

    So we ask ourselves, what if this were in the hands of someone who actively wanted to exploit it?

    Who are we kidding? Most of the kids that control tons of computers for their ddos attacks for taking over irc servers are not geniuses. If someone had a reason to take over many, many cmoputers and use them for financial gain, they would do it. Plain and simple.

    The fact is, owning tons of bandwidth and cycles for a brief amount of time (because that's all you are going to get) is not all that useful long term. How are you going to cash in on it?

Talent does what it can. Genius does what it must. You do what you get paid to do.

Working...