Section 1.1. The New Insecurity

1.1. The New Insecurity

Since the terrorist attacks on September 11, 2001, computer security has taken on some new meanings. The first is positive. As part of a global tightening of belts and rolling up of sleeves, there emerged several outreaches designed to provide security training and certification to folks in all walks of life, from the consumer being alerted about identity theft, to the soldier and sailor and weapons scientists taking greater precautions with items of national security, to the common person on the street gaining a heightened awareness of hackers and crackers and cyber attackers. Gradually this new emphasis on computer and network safety has percolated down to the ordinary user's computer in the den or living room. And because it really is a small Internet, and what affects one usually affects all, the safer individual users are, the safer the Net is for everybody.

Unfortunately, in return for a perception of security, both physical and on the Internet, some computer users have begun to accept unprecedented compromises in privacy as being part of the price to be paid to counter an envisioned terrorist threat associated with computer usage. In return for a feeling of "protection" with vague ties to national defense, more and more of what used to be private data and folks' own business is now available for inspection by corporate and legal observers. Giving up the proven checks and balances that are the underpinnings of a free society may do more harm than good. Recent reports, such as a summer 2003 incident in which one or more airlines turned over to a contract firm working for the Department of Defense the transaction records of a half million passengers for use in an experiment on database profiling, have demonstrated that relaxed restraints against law enforcement agencies can lead to egregious actions. Numerous press reports have indicated that the expanded powers granted to law enforcement agencies in the name of homeland defense have resulted in those powers being used increasingly to investigate and prosecute crimes under laws not related to homeland defense at all. This, in turn, has resulted in a mini-backlash designed to rein in the security promoters, heightening the debate.

Possibly in response to a perceived decrease in privacy, a large number of new laws have come into play that attempt to protect individuals against widespread dissemination of personal information and regulate the creation and exchange of financial information regarding corporations. These new laws have long names, such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Family Educational Rights and Privacy Act (FERPA). These laws make it a crime to reveal personal information gathered in the course of doing business, and often require the reporting of computer crimes that were formerly swept under the carpet to avoid embarrassing the agency or company allowing such a lapse.

The ordinary user, such as the salesperson or secretary who logs on in the morning and shuts down at night, would rather not think twice about security. In fact, she might not think of it at all until a worm or some other attack affects the machine on which she has to work.

Some of the most invasive computer attacks against individuals may not involve infecting a computer, but merely listening to one. With machine patience, sniffers and database programs can accumulate data about peoplelots of peopleover as long a time as is needed to gather enough information to make an attack. Usually, the attack takes the form of making credit card purchases, or applying for credit in the name of the victims whose details have been pieced together. Such crimes, often called identity theft, can be devastating. It is not that the victim is always left liable for the fraudulent purchases; consumer protection laws and the rapid closing of accounts help a great deal to prevent that. It is that the victim may be left unable to exercise his own credit, or establish more because vendors can't easily be sure if any new transactions after the ID theft is reported are being made by the customer or by the thief. And it is highly likely that the victim will be unaware of any of these activities until the damage has been done.

Now that it increasingly impacts the average user, public awareness of computer security has risen dramatically. Computer security has hit the newsstands, with more and more articles warning the public about viruses and other perils. The media also describes an increasing array of preventatives, ranging from changing network habits to adding firewalls and intrusion protection systems. Mix in the specter of terrorism, and the stakes get even higher.

1.1.1. Who You Gonna Call?

A new generation of security consultants what Business Week once termed "hackerbusters" have hung out their shingles. A number of organizations stand ready to provide expert assistance in case a computer virus outbreak threatens the Internet:

• Funded by the Defense Advanced Research Projects Agency (DARPA), the Computer Emergency Response Team (CERT) at the Software Engineering Institute at Carnegie Mellon University was created to provide information and support against any Internet crises, cyber attacks, accidents, or failures. Now officially named the CERT Coordination Center, this clearinghouse is the mother-of-all-CERTs, and regional and corporate incident response centers are springing up to handle crises locally.

• The Federal Computer Incident Response Center (FedCIRC) is the federal government's trusted focal point for computer security incident reporting, providing assistance with incident prevention and response. In 2003, the FedCIRC officially became part of the Department of Homeland Security's Information Analysis and Infrastructure Protection (IAIP) Directorate. IAIP will continue to provide the FedCIRC services.

• The Department of Energy has also established a Computer Incident Advisory Capability (CIAC) oriented to its own agency needs, including a "hoaxbusters" page dedicated to helping users recognize which attacks are real and which are based on hysteria. The gentle gags clog up networks as users frantically alert their friends and neighbors of the supposed hazard. The vicious gags encourage users to take "protective measures" that might actually damage their own computers in an attempt to avoid worse calamity.

• US-CERT is a partnership between CERT and the U.S. Department of Homeland Security.

Other national incident response teams have been formed in many countries:

• In the United Kingdom, there is the National Infrastructure Security Co-ordination Centre (NISCC), pronounced "nicey", which is charged with protecting essential system and services known collectively as the Critical National Infrastructure (CNI).

• AusCERT (Australian CERT) monitors and evaluates global computer network threats and vulnerabilities.

• CanCERT is Canada's first national Computer Emergency Response Team.

• CERT Polska deals with security-related incidents related to Polish networks.

• SingCERT (Singapore CERT) serves Singapore and parts of Southeast Asia.

• SI-CERT is the Slovenian Computer Emergency Response Team, a service offered by ARNES (Academic and Research Network of Slovenia).

In addition to government response organizations, many commercial providers of security services and virus protection systems have also set up organizations that are prepared to come to the aid of any customers who find security holes or face attacks.

• OXCERT provides CERT services for Oxford University in the United Kingdom.

• Linux and Unix users have ample organizations that report new exploits and post cures for easy update.

1.1.1.1. Information Sharing and Analysis Centers

Akin to CERTs, Information Sharing and Analysis Centers (ISACs) help develop and promulgate "best practices" for protecting critical infrastructures and minimizing vulnerabilities. Many industries have established ISACs to allow these critical sectors to share information and work together to help better protect the economy.

In the United States, Presidential Directive Number 63 and the Patriot Act establish that the ISACs will receive governmental sponsorship. The Department of Homeland Security lists links to various industry ISACs on its web site. ISACs are established for the food industry, water industry, emergency services (police and fire), state governments, and the telecommunications and information technology industries. There are also ISACs in place for the energy, transportation, banking and finance, chemical, and real estate industries.

1.1.1.2. Vulnerable broadband

Just as corporate and government users are bonding together to provide mutual protection, however, a huge emerging class of users is expanding rapidly, and for the most part they are unprotected. As broadband Internet access becomes increasingly popular, more users set up home computers and leave them running 24/7. The result is they become targets for attackers.

One study estimated that the time between when a new computer is turned on and the first attack is underway is usually less than 10 minutes. This is because attackers often use automated scanning tools that probe constantly, looking for opportunity. An exploit can often be placed in seconds, often before countermeasures can be installed to complete an installation. Other studies claim the situation is worse still, figuring the time before attack is equal to 2 minutes. I've seen instances in which newly updated computers became infected by a virus within a few minutes, even though the computers were protected by a secure network. This happened because the infecting computers were inside the network, likely becoming infested by pathogens carried in on media workers brought from home.

As the pool of computer users has increased, ways are emerging to illicitly profit off of them. The computer of a naive user may be forced into participating in a distributed denial of service (DDoS) attack aimed toward a designated target and timed to fire off with hundreds of thousands of others so as to overwhelm the victim. Alternatively, users' broadband computers can be turned into unwilling web sites for pornography or other products, or made into relays for unsolicited email (spam).

Fortunately, help is on the way:

• Microsoft, for instance, offers easy software security updates over the Internet.

• Help sites are available for every kind of Linux and Unix.

• Many antivirus software publishers offer not only antivirus programs but also some kind of information service documenting viruses and what to do to prevent or handle specific attacks.

• Most companies today are adding their own internal security forces. Increasingly, corporate want ads request a computer security certificate or two as a prerequisite for hiring.

1.1.1.3. No computer is an island

While once it was easy to ignore most warnings and scares as mere nuisances because most sites were isolated and unconnected, in today's world, few computers stand alone. Viruses occur and spread with amazing speed, sometimes spanning the globe in hours or days (usually by stealing information, such as an email address book from one victim, and using it to infect others).

Even corporations that have secure perimeters can find themselves with significant internal virus problems. Often this is due to users who bring in infected laptops, use removable data drives, or burn information onto recordable CDs or DVDs that are infected and then brought into the office network.

1.1.2. The Sorry Trail

The story of network attacks, bugs, viruses, and criminal actions stretches as far as the computer industry itself. One of the first bugs to develop in a computer system was precisely that: a moth was found squished inside some relay contacts at a government installation. Lieutenant Grace Hopper collected that moth and duly pasted it into the facility logbook She eventually became a rear admiral, and went on to invent the computer compiler and was the driving force behind the COBOL computer language.

With each advance of technology came new threats and attacks. Rogue self-replicating programs nearly overwhelmed a research facility in Palo Alto, California; they were the first computer worms. Unchecked, worms can multiply until they fill up a hard disk. Viruses, similar to worms but requiring a host program of some kind to live in and take over, came soon after. Attacks and countermeasures followed one after another until the present. Vulnerabilities continue to be sniffed out by attackers who create viruses and worms to exploit them. Manufacturers then create patches intended to counter the attacks.

The whole adventure of viruses and worms can all be summed up in the term malicious software or malware. Malware will be covered in some detail in later chapters.

While early malware exploited single systems or multiuser systems, it took the Internet to really give malware life. The Internet forms a massive distributed environment. Malicious software can steal control of computers on the Internet, direct DDoS attacks at given hosts or servers, or pose as someone they are not in order to intercept data. The latter action is known as a masquerade attack or spoofing.

The most elaborate malware can scan a victim machine for links to other machines, then replicate itself to those other machines while working its attack on the victim machine. The infamous Code Red worm worked over the Internet in this way. After replicating itself for the first 20 days of each month, it replaced web pages on the victim machines with a page that declared "Hacked by Chinese," then launched an attack on the White House web server.

1.1.2.1. Computer crime

Computer crime has also become a major threat to business. According to the Federal Bureau of Investigation, computer crime is the most expensive form of commercial crime. In 2003, theft of information cost over $70 million, with an average cost of $2.6 million per theft. Also in 2003, denial of service attacks, which deprived companies of revenue and idled IT investments, cost over $66 million, with an average loss of $1.4 million. Estimates of the dollar figure for theft by computer intrusion and attack total $201 million.

Although almost 75 percent of organizations reported some kind of attack in 2003, only about 40 percent of those attacked could quantify the loss. It is estimated that roughly 50 percent of intrusions were not reported at all, either because their scope was unknown or the publicity was undesired.

Even though there has been substantial publicity in recent years about computer system risks and attacks, it turns out that many organizations are unwilling to report system intrusions. Doing so can result in adverse publicity, the loss of public confidence, and the possible charge of managerial incompetence. Many organizations fear lawsuits based on the emerging "standard of due care."

In fact, there are reports that in the days before regulations such as Sarbanes-Oxley, which requires increased justification of the figures used in business accounting, some businesses paid hush money to intruders. In London, a number of firms have reportedly signed agreements with computer criminals offering them amnesty for returning part of the money stolen and, more importantly, for keeping quiet about their thefts. In one case, an assistant programmer at a merchant bank diverted eight million pounds to a Swiss account. In an agreement that protected him from prosecution, the programmer promised not to disclose the system penetrationand he got to keep one million pounds!

Recent statistics indicate that payment of hush money is decreasing, often due to increasingly automated nature of the attacks. Most attacks today are run by unsophisticated youth who learn a few tricks and gather a few scripts from true gurus, and then do what amounts to vandalism for the thrill of it. However, the thrill of penetration and creating havoc is increasingly offset by the penalities. The legal fate of some big time virus writers has been widely reported on TV and in the newspapers. Some murderers and rapists have gotten away with lighter sentences.

More recently, skillful intruders are attacking computers with criminal or military goals in mind. These attackers may outwit even sophisticated security systems, and can leave dormant sleeper programs that will lay low to avoid detection until their owners summon them to action.