Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

Symantec CTO on Flash Attacks 179

scubacuda writes "Robert Clyde, CTO of Symantec, recently warned an audience at the United Nations that there's an increasing gap between the speed at which attacks are being launched and the industry's ability to respond. Most attacks on Web sites are classified as Class III threats because they tend to take several hours/days to execute. Recently, however, Class II "Warhol attacks"--such as the SQL Slammer worm that make themselves famous in 15 minutes--have emerged. Before long, Clyde predicts that groups of well-funded hackers working in concert will be able to launch Class I "Flash attacks." To combat this, Clyde says that patches would need to be developed more quickly and deployed continuously in an automated mode. Admins would need better ways of locking down networks so an attack on one router is automatically recognized by all routers on the network; throttling back the throughput of suspicious packets on the network in order to limit damage; automating tools for ensuring that all network clients are compliant with security policies; and creating Web services technologies that do not interfere with application performance."
This discussion has been archived. No new comments can be posted.

Symantec CTO on Flash Attacks

Comments Filter:
  • by jpsowin ( 325530 ) on Saturday May 17, 2003 @11:27PM (#5984000) Homepage
    I thought that already was happening every time I go to a site with flash banners. Flash Attack. Yes, that name fits quite nicely.
    • Funny, I thought it was a reference to Flash Man from Megaman/Rockman 2. Would you want your web server hit by the Flash Stopper? I think not!
    • by EinarH ( 583836 ) on Sunday May 18, 2003 @12:54AM (#5984318) Journal
      Rumors has it that some girls use some technique known as "flashing" to get others attention. But being a nerd I have not had the pleasure to experience such an attack yet.*

      (*Well actually I have, but that don't fit into my slashdot-image and would not make this joke funny.)

      • by Anonymous Coward
        would not make this joke funny.

        You needn't worry, there's no risk of that.
      • Oh come on! Do you think the guys at Mardi Gras are super pimp daddies who get any chick they do a sexy nod towards?
      • (*Well actually I have, but that don't fit into my slashdot-image and would not make this joke funny.)

        What really fits the image is using the slightest excuse to brag that you don't fit the image.
    • Seriously... (Score:2, Interesting)

      by ericvids ( 227598 )
      Isn't it possible to get a Flash animation to run malicious code? I'm not sure about its destructive abilities, but I'm pretty sure you can launch a client-side denial-of-service attack using a really large Flash file with lots of extraneous links. Combine that with existing Javascript vulnerabilities and you've got one pretty good trojan. (I imagine a cache flush and a self-reload might even do the trick...)
  • by Alex ( 342 ) on Saturday May 17, 2003 @11:28PM (#5984001)
    and Symantec has just the product to sort all this out?

    Alex
    • Re:Let me guess..... (Score:2, Interesting)

      by SirVesa ( 670037 )
      Here is a problem I'd worry about if all computers were networked together to respond in concert to an attack - wouldn't that make all those networked computers vulnerable to an attack aimed at that connected computer network?
    • and Symantec has just the product to sort all this out?

      Who is modding this as interesting? I think it's supposed to be funny. I smell Symantec employees modding this up.


      • and Symantec has just the product to sort all this out?

        Who is modding this as interesting? I think it's supposed to be funny. I smell Symantec employees modding this up.


        Its an attempt at sarcasm at way past my bedtime, I'd imagine that Symantec people have better things to do on a weekend other than hang on /. to suck up to work.
  • by behemot ( 653227 ) * on Saturday May 17, 2003 @11:31PM (#5984014)
    How about launching that money into developing more attack-resistant public network structure? Or working on improvements in server software?

    I'm feeling uncomfortable with execs trying to stir up public funding for their non-public industry.
    • by Anonymous Coward
      Welcome to the wonderful world of antivirus companies. Keep in mind that it is in the interest of these companies for computers to have very bad security and for there to be lots of people out there to exploit this lack of security. With this in mind, you should pretty much ignore anything that they are saying with regards to security. Then again, Microsoft is currently spending lots of resources on "advising" Oregon legislatars about a bill which would allow open source solutions to be considered in sta
  • Automated mode... (Score:4, Insightful)

    by SirDaShadow ( 603846 ) on Saturday May 17, 2003 @11:32PM (#5984020)
    To combat this, Clyde says that patches would need to be developed more quickly and deployed continuously in an automated mode

    You mean like Windows Update?
  • Flash Attacks (Score:4, Interesting)

    by Talez ( 468021 ) on Saturday May 17, 2003 @11:33PM (#5984025)
    Now I'm just a humble corporate drone but wasn't Slammer doubling in size every 8 or 9 seconds simply by spreading as fast as the internet would let it?

    How in the world are these "flash attacks" supposed to attack the entire internet in seconds? Launch from multiple points at once? Go faster than light?
    • Re:Flash Attacks (Score:4, Informative)

      by revmoo ( 652952 ) <[slashdot] [at] [meep.ws]> on Saturday May 17, 2003 @11:43PM (#5984069) Homepage Journal

      A synchronized DDoS attack, launched from already owned machines, controlled by a central source would be classified as a flash attack I beleive.

      Whereas worms take some time to infect, and they "worm" their way from machine to machine, flash attacks happen suddenly, because the machines are already infected, just waiting for instructions.

      • there is no way a single central server could initiate the "flash" that the exponential slammer worm had - each node infected on the network randomly attempted to infect other random nodes - once this took hold it would MUCH faster than any single source central attack could be.

        Yes Slammer started on a single machine, but did not do real damage until it hit critical mass.
        i was awestruck (as I'm sure others will have been) when I heard about this "warhol" type attack actually coming - before it happened
  • The Future (Score:2, Insightful)

    by Obscenity ( 661594 )
    System Admins are always trying to keep up with hackers, and i dont see that stopping anytime soon. There is only so much we can do to prevent it, and the only way to be invunerable is if your computer is off or not on the net. And that's not very productive. System admins are just going to have to keep coding their own firewalls and other anti-virus stuff, download microsoft "security" patches, and just roll with the punches. There is no way to stop hacking, and if we could, would we want to?
    • I think the point of it was to minimize the chance of another scenario like Slammer. In Slammer's case, it infected so many hosts within so little time which is what made it so 'destructive.' As some other posters pointed out earlier, I believe diversity is key in slowing down and containing such a threat. Also, making people aware that some services just don't need to be open to the hands of 15 year olds should help in isolating vulnerable services.
  • by ka9dgx ( 72702 ) * on Saturday May 17, 2003 @11:36PM (#5984040) Homepage Journal
    The basic issue is one of monoculture.
    Monoculture is bad.

    Diversity is the only way out of this, long term. The idea of having only one codebase for 95% of the computers in the world is insane. The long term fix is to actively encourage alternative platforms, and multiple competing versions of software that aren't clones.

    A hetrogeneous network is going to be much more resilient, though this is a tradeoff from efficiency. As with the original design of the internet (packetizing data instead of streams), the tradeoff more than pays for itself in the long run.

    --Mike--

    • by rice_web ( 604109 ) on Sunday May 18, 2003 @12:03AM (#5984161)
      So many theories exist on the downfall of the Mayans, but one prominent theory has always been their perfection of corn (this is already a flawed analogy, seeing as Microsoft has most certainly not perfected the OS market).

      However, the corn was then susceptible to one virus that could have killed nearly all the corn.

      With one OS dictating the market's every move, it only takes one virus to render the world useless.
      • And that will likely happen at some point, where a very bad virus/trojan trashes all (or almost all) Microsoft computers at nearly the same time.

        When that occurs, most people will finally wakeup and realize that Microsoft OSes are not secure.

        But the world won't be useless, just heavily inconvenienced. The Internet will survive, and response times for non-Windows users will be excellent!!!

      • Now, I think I'll risk getting the wrath of the CIA/FBI/DHS, but I think virus writers aren't creative enough. The viruses aren't destructive enough, aren't socially acceptable enough (I can reconize a virus e-mail without even knowing what it is), and don't exploit enough weaknesses. I think there could be a virus that works like thus:

        Day 0 - Spread like crazy through Samba shares, IMs, e-mail (with a *.zip file), and URL (a la CodeRed)
        Day 3 - Pass out *.doc/*.xls files to random people in the address
    • Heterogeneity is hard to maintain, because it's often the direct opposite of interoperability and maintainability. For example, the impact of various SSH vulnerabilities would've been minimized if people used a variety of secure shell methods instead of standardizing on SSH; but then it'd be a nightmare to connect to systems (you'd have to try out 5 clients or something).
      • You are confusing heterogenous implementations with heterogenous protocols.

        Neither ssh1 nor ssh2 has been shown to have major flaws in the practical sense. There have been some flaws in some implementations.

        You seem to be saying that because IIS has had a bunch of problems, the "diverse" solution is to use HTTP, FTP, Gopher, IRC and AIM for html transport.

        Most of the people arguing in favor of diversity are merely saying that if IIS, Apache, Tomcat, Zope, Tux, and an O'caml/Perl/C#/whatever webserver we

        • Well, I don't remember details, but I was pretty sure there were some fundamental flaws found in the SSH1 protocol, though I'm not sure how severe they were.

          Even just keeping diverse implementations is difficult though. If you wrote your software for Apache, you usually have to run Apache on all your webservers; if you need to use 3rd-party software written for Apache, the same goes. The only way this is really sustainable is if there are a small number of very major players of about equal strength (say,
    • Having an heterogenous network is not such a straightforward solution as you put it. With the number of protocols still using cleartext passwords, and the tendency of users to use the same password in many places, a simple packet sniffer can take a cracker pretty far inside your network. The bottom line is: cracking a single box is often enough to compromise the security of a whole network.

      So having multiple OSes as you suggest just increases the number of potential security holes, making your network eas
    • "Monoculture is bad."

      Diversity is just a form of security through obscurity. Which we all know is bad, as it is anathema to the Open Source philosophy.

      Besides, think about how expensive diversity is. Won't it be great in a few years when any code can run on any OS from any vendor, on any hardware? That notion is a just logical extension of current trends, after all. Just to name a few examples, we have cygwin and wine, thousands of ports in every direction being produced and Moore's Law all at work to
    • Diversity is the only way out of this, long term.

      Let me repeat: Diversity of Windows installations caused so much pain in the case of Slammer. If all your machines are uniform, they are much easier to maintain.

      And what is a heterogeneous network? One that uses IP, DECnet and IPX?
      • "Diversity of Windows installations".... if they're all Windows (TM) installations, then it's a monoculture.

        --Mike--

  • Fess up (Score:2, Funny)

    by Anonymous Coward
    How many people expected this article to have some reference to a new security exploit using flash?
    • Re:Fess up (Score:3, Funny)

      by thynk ( 653762 )
      well, honestly - I need some more coffee I think.

      The first time I read it was a "Flush Attack" - and I thought, no the iLoo was a joke.

      The next time flash was used I read it as "Flesh" and was thinking that a flesh attack might not be so bad.

      Last but not least, I saw thousands of angry flash cards marching and attacking a server.

      Making more coffee now.
  • by ebuck ( 585470 ) on Saturday May 17, 2003 @11:44PM (#5984073)
    Symantec has a long history of trying (and somtimes succeeding) to create panic in the realm of computer security.

    Usually it is accompanied by a round of advertisement telling you how (through the use of their products) you can protect yourself.

    I am all for computer security, and no doubt there are many pitfalls yet to come, but staffing enough programmers to instantly respond to what they term a "flash attack" would make Microsoft look like small potatoes. I guess during all of that free time between attacks they can rewrite MSxxx to close those bugs MS can't get around to (in six years or more)

    On the other hand, look for rising stock prices as Macromedia sues Semantic for defamation and misuse of their branded media player.

    • My first flamebait!

      Unfortunately, a few years ago on slashdot posts like mine above were so truthful that few would consider them worthy of modpoints.

      Symantec makes good virus protection software. But they have saturated their market. Nearly every PC targeted at the average user is sold with one of their products pre-installed.

      Virus software is not sexy, few will rush out to grab the latest release, or even bother with the online updates. Symantec stirs the pot every now and then with a timely reminde
  • patches would need to be developed more quickly and deployed continuously in an automated mode. Admins would need better ways of locking down networks so an attack on one router is automatically recognized by all routers on the network; throttling back the throughput of suspicious packets on the network in order to limit damage; automating tools for ensuring that all network clients are compliant with security policies; and creating Web services technologies that do not interfere with application performan

  • by Anonymous Coward
    Deterrence is the key; but deterrence requires that the deterrent be swift, highly visible, and certain. Unfortunately, the wheels of justice are too damned slow.

    Speed is the key to deterrence. Arrest someone; put them to trial; punish them. Swift, harsh but just punishment is a deterrent. If attacks result in loss of life, capital punishment is called for.

    The law should be changed so that appeals don't drag out for 20 years. That old saw is as true today as it ever was:

    Justice delayed is justice denied.

    • I've never seen an "after the fact" deterrent stop a crime.

      Locks are good deterrents, laws are not. The lock must be properly applied before the crime happens.

      Criminals in the US (and elsewhere I'd believe) really don't think that they will be caught. Although crime is a sober serious subject, sometimes this disbelief results in some very funny arrest reports. I know because I get to enjoy them as I watch TV, they make the best "reality" shows I've seen all season.
    • by Stephen VanDahm ( 88206 ) on Sunday May 18, 2003 @12:45AM (#5984299)
      "Deterrence is the key; but deterrence requires that the deterrent be swift, highly visible, and certain. Unfortunately, the wheels of justice are too damned slow."

      That's stupid -- what you want is impossible. Suppose the attacker is in country A and and the victims of the attack are in country B. How are country B's authorities going to bring the attacker to justice if he isn't even within their jurisdiction? Furthermore, identifying the attacker might not be possible at all. Suppose that the attacker uses a publicly accessible computer located in a coffee shop or a public library to release the virus or worm or whatever he comes up with? More realistically, what if the attacker uses his own computer, connected to the Internet by way of an unsecured wireless network? If there's no paper trail, then the authorities can't determine who launched the attack. As you can see, tougher laws are not sufficient to deter attacks since, due to the decentralized and anonymous nature of the Internet, it's so easy to avoid detection.

      Steve
    • Great plan...until your rush to judgment results in a mistake (read: miscarriage of justice). You get two nasty consequences: total loss of any moral autority, and others are inspired to retaliate.

      With regard to various network based attacks, just about anyone anywhere would be in a position to retaliate.
    • I think you're solving the symptoms and not the cause.

      Want to stop exploits? Write good code and have it reviewed, test it, review it again, test again...release and test, review............

      Severe punishments or punishment in general are rarely good enough deterrents. Do you have $15 000 to give to the RIAA? I'm sure the millions on Kazaa don't but they trade anyway because they never think about getting caught.

      The solution...education/ethics training. You have to teach people not to be assholes BEFORE t
  • Ok, when is the endless parade to 'secure' things going to come to and end. There will always be risk inherent in everything, and there is no way to eliminate it.

    But now people are worrying about the 'net being brought to a crawl by these so-called flash attacks. Look, if you corporate pinheads didnt put the internet into a state of stagation by putting in the lobby to pass all these restrictive laws, we wouldnt even have this problem

    Before all these 'laws' designed to protect came along the internet was

  • Warhol (Score:4, Interesting)

    by limekiller4 ( 451497 ) on Saturday May 17, 2003 @11:48PM (#5984095) Homepage
    scubacuda writes
    "Recently, however, Class II "Warhol attacks"--such as the SQL Slammer worm that make themselves famous in 15 minutes--have emerged."

    If they were really Warhol attacks, they'd be crappy hacks (because they'd only be famous for 15 minutes, not in 15 minutes.)
  • So to stop a worldwide automated intrusion from working, we need to set up a worldwide automated method of changing the core software of all of our systems very quickly.

    In summary therefore, customers of IT must wait for months while a commercial software outfit fucks around with an as yet undisclosed vulnerability, but should be prepared to instantly and automatically apply whatever hack and munge job said company puts together at the last minute when the bad guys actually start exploiting the problem.

    Wh

    • Why don't we start writing more responsible fucking code? I think that if as much time and effort were spent doing security evaluation of commercial software development as goes toward finding the most underpaid programmers the developing world has to offer, we wouldn't be asking underpaid adminstrators to automate patching.

      While I agree in principle, the idea of ensuring more responsible code could also be used to support regulation of programmers in a similar fashion to the way some states regulate engi
      • While I agree in principle, the idea of ensuring more responsible code could also be used to support regulation of programmers in a similar fashion to the way some states regulate engineers.

        Well, I didn't consider making this a matter of legislation, but consider the converse of what you are proposing. Do you really feel comfortable with the idea of laws requiring IT managers to patch their systems in an automated and rapid manner?

        I don't think you can write laws to govern this sort of activity. HIPAA

        • ...but consider the converse of what you are proposing.

          No proposal was intended. Just the observation that the idea of enforcing responsibility in coding can be used to justify other measures.

          Do you really feel comfortable with the idea of laws requiring IT managers to patch their systems in an automated and rapid manner?

          I don't support this idea either.

          I don't think you can write laws to govern this sort of activity. HIPAA pretty much proves that. Because they couldn't figure out what security
  • Sounds like some flasher jumping out of the bushes...
  • The same old story. Scare people, hype up these dangers, come up with totally unrealistic "threat" scnearios.. and then put your hand out and ask for money.

  • Dah! (Score:4, Insightful)

    by donscarletti ( 569232 ) on Sunday May 18, 2003 @12:00AM (#5984150)
    To deal with this eventuality, Clyde said patches would need to be developed more quickly and deployed continuously in an automated mode. Other areas that need to be worked on include adaptive management and lockdown of networks so an attack on one router is automatically recognized by all routers on the network; the ability to throttle back the throughput of suspicious packets on the network in order to limit damage; automated tools for ensuring that all network clients are compliant with security policies; and advances in securing Web services technologies that do not interfere with application performance, he said

    Basically what he just said, in order, was:
    1. If something breaks it should be fixed quickly soon
    2. If something breaks you should turn it off before it breaks any more
    3. You should try to make things not break

    Those three principles are done simply as a matter of common sence by your average guy riding a bicycle, and I beleive those same principles are followed by good coders and good sysadmins as pretty much the most obvious part of their job.

    The only difference between his suggestion an bicyle repair is that the computer system is automated, which is done with systems already in place on networks with competant sysadmins.

    The whole suggestion is both facile and bleeding obvious and I hope that nobody was impressed by it.

  • It's a cult! (Score:5, Interesting)

    by darkonc ( 47285 ) <`stephen_samuel' `at' `bcgreen.com'> on Sunday May 18, 2003 @12:00AM (#5984151) Homepage Journal
    One of my definitions of a cult is somebody who says 'Just give us your money and control of your life, and everything will be fine'. Symantec's CTO seems to be almost going there... suggesting that we should give them control of our security and trust that they'll handle everything for us.. Of course, if someone ever managed to break into the Symantec site and manage to plant a trojan in place of their virus engine, the net would be seriously F*cked(TM).

    One solution (as pointed to by an earlier poster) is diversity.. If people are running different OSs and different flavours then it's a bit harder for somebody to take total control. I wouldn't even suggest a 100% movement away from MS (although 75% would make life a lot easier). Even the heavily audited OpenBSD has managed a root compromise or two in it's history, and it only takes one zero-day bug to bring down a whole system.

    For those people running MS, yes -- you definitely need help. That having been said, I would still suggest some diversity there... Not all machines should be running Semantic. There should be at least a few running other AntiVirus products (like AVG). That way if Semantic misses something, there's still a possibility that one of the other virus checkers in a company will catch the bug (and enable faster recovery). It would also provide some hope of survival in the case of a symantec takeover like I mentioned in the first paragraph.

    • The diversity idea has some interesting scenarios, implementation wise. But it's a great idea. We have redundent everything in a data center to take care of hardware issues, why not redundent diverse systems to handle software issues?

      So a site with a critical web server would somehow need to run multiple instances using different web server packages under different OSes using different processors. Then there's the entire aspect of the back-end software like the DB to think about! And it would all have to

  • You just know that Microsoft is going to use this as an excuse for Windows vulnerabilities.

    "Yes, that blue screen that you're seeing is actually what is known as a 'flash attack' that is becomming so common...."
  • by RedLeg ( 22564 ) on Sunday May 18, 2003 @12:08AM (#5984180) Journal
    Ya know..., the bulk of the the grief we endure in the sphere of network vulnerability is caused by a basic policy decision: ALLOW ALL BY DEFAULT.


    Most admins with any security background know that the right answer is DEFAULT DENY.


    When is the mainsteam going to wake up?

    • Damn right;

      There's perhaps a few DOZEN sql servers that actually are supposed to be open and accessable to the public. I'm guessing here because personally I don't know of a single one and I can't think of a single reason why you'd want to set one up that way, so perhaps I've overestimated.

      The rest are BACKEND servers, which should have been accessable ONLY by the host that uses them. If they'd all been properly firewalled the slammer worm would have never happened.

      If you want to stop this kind of shit f
    • They'll wake up when Joe Q User, doesn't call every 15 minutes becuase he can't access his favorite porn site.
  • or... (Score:5, Insightful)

    by davidu ( 18 ) on Sunday May 18, 2003 @12:20AM (#5984220) Homepage Journal

    or, we could just do a better job of:
    • segmenting our networks.
    • filtering egress traffic.
    • filtering unwanted ingress traffic upstream.
    • diversifying network hardware. (many routers fell over during SQL slammer because of packet characteristics, not because they were vulnerable to a MSSQL worm
    Basically, admins need to start taking some more responsibility and encouraging their employers to start supporting their proactive, yet defensive efforts.

    But that's just me...maybe people do want more 'windows update'-like systems so they can get back to their game of tetris.
    -davidu
  • by KrispyKringle ( 672903 ) on Sunday May 18, 2003 @12:26AM (#5984244)
    "Clyde predicts that groups of well-funded hackers working in concert will be able to launch Class I 'Flash attacks.' "

    I'm not sure I see how this necessarily follows. Certainly it is possible, and part of security is taking into account what can be done, but I don't know how you would assume it at all likely. If I had to name the biggest security threat right now (in my humble opinion, that is) I'd be far less concerned about groups of well-funded hackers (funded by who? Terrorists? Saddam? Commie subversives?) than I would about DDoS attacks launched by some bored teen-ager (something a little more television should cure, at any rate).

    DDoS attacks are very difficult to stop so long as plenty of unsecured home computers are available on broadband connections. All the host-based security in the world by the victim is virtually useless if he hasn't the bandwidth to resist the attack.

    Meanwhile, where are these groups of well-funded attackers, and what motivation have they? DDoS attacks are individual events; they do not propogate themselves across the internet the way SQL Slammer did. Each is of course its own sort of risk, and the effects of worms such as Slammer are similar, creating DoS attacks by attempting to propogate so fast. But I just don't see what connection more and more aggresive worms have to do with groups of organized, well funded hackers acting for international terrorists or the like (a concern repeatedly brough up by the US Cybersecurity Czar). This sounds, in some respects, like Clyde is reiterating the same refrain, a refrain which calls for harsher crackdowns and beefing up target security when we should be holding companies with insecure code (such as MSSQL) responsible and encouraging software companies and users to beef up security not only on servers but on PCs, as well.

    In regards to how much real-world damage a cyberattack can create, this is a matter of much dispute, and it seems highly unlikely that terrorist organizations will resort to such moves rather than traditional, far more terrifying and effective acts of random violence. Still, I am pleased that some interest is being taken into cybersecurity; I just hope the focus is in the right place.

    • I'd be far less concerned about groups of well-funded hackers ... than I would about DDoS attacks launched by some bored teen-ager[s]

      Well, someone had to say it. It's time for the war on bored teenagers! They are an absolute menace to society, as I'm sure the Iraqi information minster will tell you.
    • Doesn't have that ring about it, but it's far more likely.
      The only plausible protection is diversity and in general making things so that people are aware of what's happening rather than having everything hidden.
      The Unix Honor Virus would be extremely effective, if only the victims would actualy fall for it.
  • by Thing 1 ( 178996 ) on Sunday May 18, 2003 @12:37AM (#5984270) Journal
    I think an attack on Flash would be grand. Remove those distractions once and for all.

    Side note: if you use Mozilla, download the autoscroll [mozdev.org] patch. When you middle-click to start the scrolling process, the Flash ads disappear. This is a very cool side-effect.

  • by Anonymous Coward
    They have such a history of screwing up everything they touch. Why should we trust them for securing ANYTHING, let alone Internet services?
  • by Jah-Wren Ryel ( 80510 ) on Sunday May 18, 2003 @12:44AM (#5984297)
    You would think just about anyone over the age of 15 who has some kind of affinity for technology would have seen at least one movie depicting the kinds of problems with Symantec's solution taken to its logical conclusion. For example:

    "SKYNET became self-aware at 4:01 AM on August 4th, 1997 and at 4:12 it ordered a pre-emptive nuclear strike."
  • Am I the only one that noticed the increased possibility of attacks, caused by an app running on the network waiting for "automatic" updates? Whatever method they try to use for the updates, will also be susceptible to attacks. So to me, it sounds like they want software companies to put a giant backdoor in their software, and then get paid to protect said backdoor. This sounds like Symantec watched Matrix: Reloaded, and decided that the only way to stay in business was to create a Keymaker.
    • Even if the backdoor is "secure", you still have the possibility that quickly-released patches, to fix vulnerabilities exposed in "flash attacks" will in fact themselves create more problems. As much as it may sound like a good idea at first, those patches could themselves prove to be more dangerous than the attacks they prevent. And the patch has a -guaranteed- method of distribution, as opposed to a virus taking the time to scan for hosts, attempt infiltration, and re-send itself from the new host. And wi
  • by Anonymous Coward
    To combat this, Clyde says that patches would need to be developed more quickly and deployed continuously in an automated mode.
    The problem with most existing security methodology is that it is reactive, not proactive. A stream of after-the-fact patches seems like an ill advised, goofy response to real attacks. Take a look at Cylant Secure [cylant.com] for a proactive approach.
    • ...from their website [cylant.com]:

      CylantSecure 2.0 Named Best Security Solution in LinuxWorld's Product Excellence Awards Program

      MOSCOW, Idaho -- Cylant today announced that CylantSecure 2.0, an industry leading host-based intrusion defense system, was named "Best Security Solution" for LinuxWorld's Open Source Product Excellence Awards. Cylant beat out four other finalists to win the award, including IBM and Computer Associates.

      LinuxWorld Conference & Expo (August 12 - 15 at San Francisco's Moscone Center) is t
  • Wouldn't it make sense that this kind of "the sky is falling!" doomsday preaching would be coming from a company that makes security products for a widely deployed operating system that's full of security holes?

    It's in Symantec's best interest for people to be afraid. Take this with a grain of salt, people -- and always follow the money.
  • Well-funded hackers? (Score:3, Interesting)

    by zangdesign ( 462534 ) on Sunday May 18, 2003 @01:38AM (#5984406) Journal
    Who in the hell funds hackers to write viruses that attack networks? Sure, the military and intelligence agencies do it, but I really doubt that they're writing stuff like the SQL Slammer.

    So what corporate SOB is funding this sort of thing?
  • by bug ( 8519 ) on Sunday May 18, 2003 @01:42AM (#5984414)
    Being able to develop and deploy patches is not the answer. A vendor being able to develop, test, and offer to the public (note that I say public, not just privileged customers with support contracts) a patch rapidly after a vulnerability has been researched and publically disclosed is necessary, but not sufficient. A userbase with the ability to rapidly test patches, and find vulnerable systems and patch them is necessary, but not sufficient.

    They are necessary, but can never be sufficient, because there is always a threat that the bad guys will find a vulnerability before the vendor and the users even have an inkling of its existence. We need systems that are hardened so that they aren't likely to have anything that can be so easily compromised. Most of the automated worms out there have spread because systems were running services that the user didn't really want to run or even know were running, or those services were running extensions and modules that users only rarely need, or client software had default settings to execute arbitrary code from perfect strangers unprompted, yet another feature that users rarely need or are even aware of. If a feature is more likely to be used as a vector for a worm than by the user base, maybe, just maybe, it shouldn't be turned on.

    A Warhol worm, or what Symantec wants to call a flash attack, cannot effectively be responded to. We need proactive security, or we've already lost.

    Luckily, most OS vendors are getting there. Major linux distributions install by default with host-based firewalls blocking incoming connections. Even Microsoft is improving somewhat with Windows 2003's default security, although we'll just see whether Microsoft offsets their gains by more losses with new "features."
  • by Ilan Volow ( 539597 ) on Sunday May 18, 2003 @01:58AM (#5984441) Homepage
    It's nothing more than a smear campaign by Ming the Merciless designed to break up the alliance with the Hawkmen.

    Jeez, you people shouldn't believe everything you read on an internet rumors site.
  • to the one os no one has ever tried to hack [cs.vu.nl]

    security through... um... obscurity ;-)
  • by Anonymous Coward
    Clyde predicts that groups of well-funded hackers working in concert will be able to launch Class I "Flash attacks."

    Or if you're not so well-funded you achieve the same effect by linking a site on Slashdot.
  • and i have to say, some of the people who have responded and been modded up have been along the lines of "well-funded groups of hackers, please!"

    "somebody is crying wolf to stir up business obviously!"

    holier than thou, no corporate geek is smarter than me false sense of security is just as dangerous as false alarmism, no?

    no, i am not a symantec drone, but during the may day week after the hainan island spy plane incident a few years back, didn't some rather organized attacks and counterattacks occur between american and chinese hackers feeling a little too much of their nationalistic jingoistic cojones?

    i mean, if china and the us, or china and taiwan, or pakistan and india, or any other country with a well-developed technical base started seriously getting pissed off with another, you can BET the websites in each other's countries would have a SERIOUS problem

    am i spreading FUD? or does my "false" alarmism insult your "false" sense of security?

    go cnhonker.com if you dare
    • by g4dget ( 579145 ) on Sunday May 18, 2003 @05:51AM (#5984842)
      i mean, if china and the us, or china and taiwan, or pakistan and india, or any other country with a well-developed technical base started seriously getting pissed off with another, you can BET the websites in each other's countries would have a SERIOUS problem

      "SERIOUS problem"? Like what? People get a slow response from the Taiwanese tourism site? No more Taiwanese posts to Slashdot? What is this "serious trouble"?

      Anybody who wants to cause that kind of trouble can achieve it more easily by overloading phone lines, putting white powder into envelopes, or spreading rumors about SARS.

      holier than thou, no corporate geek is smarter than me false sense of security is just as dangerous as false alarmism, no?

      All I know is that Symantec has never caught a virus on my PC, but it has caused numerous software to fail, sometimes in very mysterious ways that were difficult to track down. Regardless of whether there is a problem to be fixed in the first place, Symantec is not the company to fix it.

      • you obviously don't work for the taiwanese tourist board ;-P

        learn some perspective... you can cage ANY server shutdown as "inconsequential" due to the "fringe" and "unnecessary" nature of the internet, no?

        don't let my post get you excited now... you are the one arguing against "false" alarmism, remember? ;-)
  • by maxpublic ( 450413 ) on Sunday May 18, 2003 @03:09AM (#5984555) Homepage
    I was once contracted to Symantec in the not-too-distant past, and this I can tell you for certain, having witnessed it on multiple occasions: Symantec in no small way creates many of the problems it then 'solves' with its software.

    Here's just one example: Symantec used to offer a bounty for viruses. It's rather underpaid antivirus support staff, with access to all documented viruses as well as existing exploits in current software would, on their free time, craft viruses and then 'discover' them for the bounty. The trick was to do this through friends, often splitting the rewards, to avoid getting caught out.

    Despite this, the management was well aware that its antivirus staff was creating much of the virus 'problem'. And they turned a blind eye to these activities, because it generated more business for them.

    This is just one example of a number of rather reprehensible business practices I observed while working for Symantec. I found the company to be so sleazy I terminated my contract after five months, and refused to work with them again.

    Max
  • yeah, yeah... (Score:3, Insightful)

    by joto ( 134244 ) on Sunday May 18, 2003 @03:32AM (#5984600)
    We all need to patch our systems facing the Internet faster. Because, as we all know, patching itself never creates problems. Especially when it's automated....

    It's no wonder this comes from someone at an anti-virus corporation, whose main purpose is to patch the holes left in unsecure operating systems. Now, if he had suggested the correct solution, making the systems at least somewhat resilient to attacks in the first place, he would also suggest that his company shouldn't really need to exist, making shareholders unhappy.

    I can't imagine a worse nightmare than having to rely on insecure systems going through automated updates with a frequency as low as 15 minutes. Do you think all those patches are going to work? That they are actually tested? That they don't create as many new holes as they tighten? That they don't change your carefully tuned setup which wasn't vulnerable for what the patches are supposed to fix anyway?

    Please give me some design and forethought instead...

  • Don't trust Symantec (Score:4, Interesting)

    by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Sunday May 18, 2003 @04:13AM (#5984687) Homepage
    Symantec tried to profit from the Slammer worm, by suggesting that they were the only company that was able to warn their clients beforehand. I've seen one of their later alerts, and even as their customer networks were in flames, they suggested filtering traffic towards MS SQL host, and not from them. The latter would have been necessary to protect your network infrastructure from the traffic (and impossible in most networks).

    Maybe Symantec employs a few smart people, but the company as a whole acts if it were a bunch of incompetent, parasitic morons. Symantec's predictions related network security could be true, of course, but keep in mind that this company has a strong business interest in an insecure Internet.
  • by Anonymous Coward on Sunday May 18, 2003 @04:27AM (#5984709)

    I have never liked virusscan vendors, they call their product "antivirus software", but it hasn`t changed one bit since the dos days when they where just tools to find which of the 100 files on your hd where infected with one of the 10 or so viruses in the wild. They dont offer any protection against the holes in all the new services and features in operating systems and applications. They only offer help cleaning up known mallware (except for mallware from people that can sue symantec for interfering with their business: spreading spyware)

    Clyde: The attacks are increasing in frequency and in complexity," noted Clyde. "And the bar to becoming an attacker is being lowered because the tools are getting more sophisticated. Someone can now learn to use the tools effectively in weeks to months rather than years."

    With the Antivirus vendors the attack frequency is always going up ;-) I believe them on that one though. But the complexity? Nothing as complex as nimbda for months now. "the tools" in my view where asambler compilers in the old days, and are C/C++ compilers these days... I hardly think this mathers that much, and if it did, why didn`t we see more C viruses in the dos days? (visual basic has a harder time abusing vulanerabilities, and therefore is unlikely to be used in real worms)

    Clyde: The eventual rise of Flash attacks means that the industry will have to take a more proactive approach to security because the attacks will happen faster than humans can respond, Clyde said. "The vulnerability threat window is shrinking and in theory could become zero. We used to have six months between when a vulnerability was discovered to come up with a patch before somebody exploited it. But for Code Red, the time was only 28 days."

    A proactive aproach? well I guess the "sitting around eating pie" option is definantly out of the windows then? The vulnarability window for me goes from the moment the faulty code is compiled to the moments every single user is running patched code, everywhere... Getting this window to zero could prove difficould but I am sure mister Clyde will be offering a product that reduces the time to "virtually zero", although it wont be A product but really a service.... an expensive one. I think the six months between discovery and exploit, are six months between vendor notification and bugtraq post of exploit code, I dont think there has ever been a vulnarability so complex it would take a competent coder more then hours to build something exploiting the hole. There are many competent coders out there, not all of them post their work to bugtraq. The posted exploits are usualy posted to force vendors into patching code real fast (usualy after they apeared to be doing nothing for a while), I guess that when it comes to holes in a microsoft product used by 50% of the planet "real fast" is just shorter then the stuff that was discused in the old days on bugtraq.

    Clyde: To deal with this eventuality, Clyde said patches would need to be developed more quickly and deployed continuously in an automated mode.

    Fast machines with big pipes where what made code red spread fast, machines like the windowsupdate servers.... If even the open source community has problems getting software safely to the users (several cracked ftp mirrors with altered releases) then its safe to asume that big players in the software market are not gonna get the automated update system right in one try. Just think of the holes in hotmail.... sure updating services will have more attention on security, but the hotmail holes where really really pathetic and the most recent one wasn`t any more complex then the previous ones.

    Clyde: Other areas that need to be worked on include adaptive management and lockdown of networks so an attack on one router is automatically recognized by all routers on the network; the ability to throttle back the throughput of suspicious packets on the network in order to limit damage; automated tools for ensuring that

  • by lseltzer ( 311306 ) on Sunday May 18, 2003 @05:40AM (#5984829)
    >> Class II "Warhol attacks"--such as the SQL Slammer worm that make themselves famous in 15 minutes--have emerged. ... To combat this, Clyde says that patches would need to be developed more quickly and deployed continuously in an automated mode.

    Of course, Slammer had been patched 6 months prior. So a big part of this problem is that people don't apply patches.

  • This relates to something I've said all along:

    Virus checkers don't work

    Norton/Symantec/McAfee would like you to believe that $39.95/year or whatever will protect you but the truth is: these programs check against known viruses only. There is always an incubation period between the appearance of a new virus in the wild and the appearance of the update to detect and kill it. This incubation period provides a window for a real virus to do real damage.

    To date, there have been no highly damaging viruses.
  • WTF? Why are these guys going on about speed to release patches??

    SQL 'slammer' should NEVER have been an issue. BASIC security practices would have stopped it. What kind of retards run SQL exposed to the Internet???

    Yes, patches are important, but basic common sense is much much more important. Like...people complaining about getting 'pop up spam'. Uhh...why do you have the net messenger service, let alone Netbios, exposed to the public Internet in the first place???

    I've seen Jetdirect cards on th

  • warn of a new terrorist attack - then blow something up to prove it...Symantec predicts a Flash Attack and - Wallah (pardon the fake Arabic) - some hackers will produce one next week or next month...
  • Symantec and competitors should offer a "vaccination" service to theit customers when a vulnerability is discovered, that uses the vulnerability itself to patch or otherwise alert/discover/report systems at risk or already participating. The vaccinations shpuld be IP address limited, to reduce likelihood of escape.
  • When networks have automated virus defenses, the virii will attack the automated defenses.

    Cyber-AIDS.

Adding features does not necessarily increase functionality -- it just makes the manuals thicker.

Working...