Chapter 8: Messaging Security


8.1 Safe communication: Messaging

Two lovers stand in the bedroom gazing into each other's longing eyes. They move toward the bed, their bodies pulling closer like a magnet and a piece of iron. Their hearts thump like loudspeakers at a rock concert. Closer they move to the point of serious communiqué. Now, with lust in their hearts, they exchange their X.509 certificates and send an encrypted message of love.

Whew, that was hot! What intense communication! Fortunately, our lovers practiced "safe communication." First they exchanged certificates and then consummated their communication. In this case, they set up a secure channel between themselves and established end-to-end privacy. This process involved using the certificates to identify themselves, after which they enabled SSL. And the data flowed in both directions. They lived happily ever after and were totally safe from all bugs and viruses; that is, until one of them said, "I love you." Oops. I just crashed my partner and wiped out his/her hard drive. How can this be? All I did was forward the simple message "I love you." What happened?

The moral of our story is ... love hurts. No, wait, that's not it. The real lesson is that secure messaging is a battle against the elements, which include the following:

  • Uninformed users

  • Foolhardy administrators

  • Premeditated attacks

  • Bad use of messaging resources

  • Limited implementation of messaging (that is, not enough resources)

Messaging is one of the most important mission-critical applications of the network era. For anyone who is not convinced, imagine shutting down the messaging servers in your company for five days. What would happen? The CIO would be inundated with complaints from the company's employees and even from customers and vendors that the business was inoperable without messaging capability. As we can see, messaging is critical to doing good business.

Following are some of the components that comprise a messaging system:

  • E-mail systems

  • The ability to send messages to multiple recipients

  • The ability to send attachments

  • The ability to send encrypted messages (S/MIME, PGP, and others)

  • The ability to enable an application with messaging components, such as an approval notification

  • Calendars and scheduling

  • Typically, some type of system to address recipients (an address book)

  • Instant messaging integrated with traditional messaging

  • Ability to access standards-based e-mail from many different clients, including a browser

Messaging can have many different components and hundreds of features, depending on the vendor. With this power comes a significant security risk. Messaging is an integral part of most of the enterprise businesses in the world. As evidence, you can check out the statistics on the "I Love You" virus. As of mid-May 2000, the "I Love You" virus had caused $8 billion worth of damage to businesses worldwide. This bug impacted more than 600,000 computers.[1]

Billions of e-mail messages are sent over the Internet every day, and one day in May 2000, a few million messages were sent, all with a subject line of "I Love You." A computer science student in the Philippines created this program, thinking it would be contained within his realm of influence. Suddenly, it had replicated itself all over the world. Basically, it worked like this: If a user opened the attachment that was in the message, the virus would send itself to all the contacts in the recipient's e-mail address book. This may not sound too bad on its own, but here is the problem: This virus attempted to send the message to all of the contacts in an address book. In most companies, this could be several dozen to several thousand addresses. Once it hit one business, it was sent on to others. As an example, say the virus arrived at a somewhat small company. The message went into the company, where it parsed itself through the company directory and sent a message out to everyone in the company's directory, including employees, vendors, and customers. This scenario repeated itself in one company after another. Business after business had thousands of e-mail messages running through both the Internet and their internal mail systems. In a typical corporate address book, with hundreds and even thousands of users listed, each user opening the attachment would cause it to resend the message to everyone over and over again. This made for a vicious cycle, with so many messages that the messaging servers overloaded and crashed to the ground. The virus also overwrote files that use the extensions JPG, JPEG, and MP3. The "From" field, in many cases, showed the message as coming from someone the recipient knew. So the new target would see the message and say, "Oh, that is nice. My sweet snookums says 'I love you.' Let's see what is in this attachment" (attachment name LOVE-LETTER-FOR-YOU.TXT.VBS).
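The propagation pattern described above (many different senders suddenly mailing their whole address book with the same subject) is something a mail gateway can watch for. The following is an added example, not taken from the book: the log format, the thresholds, and the addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
MIN_SENDERS = 3                  # distinct senders using the same subject
MIN_FANOUT = 50                  # recipients per message that counts as a blast

# Constructed gateway log: ISO time | sender | recipient count | subject
LOG = """\
2000-05-01T09:00:05|alice@corp.example|212|I Love You
2000-05-01T09:01:10|bob@corp.example|3|Lunch on Friday?
2000-05-01T09:02:40|carol@corp.example|198|I Love You
2000-05-01T09:03:15|dave@corp.example|2|Re: I Love You
2000-05-01T09:04:02|erin@corp.example|240|i love you
2000-05-01T09:30:00|frank@corp.example|75|Quarterly results
"""


def parse(line):
    """Split one log line into (time, sender, recipient count, subject)."""
    ts, sender, count, subject = line.split("|", 3)
    return datetime.fromisoformat(ts), sender, int(count), subject.strip().lower()


def detect_outbreaks(log_text):
    """Return [(alert_time, subject, sorted_senders)], one alert per subject."""
    recent = defaultdict(deque)      # subject -> deque of (time, sender)
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, count, subject = parse(line)
        if count < MIN_FANOUT:
            continue                 # ordinary mail, including small replies
        q = recent[subject]
        q.append((ts, sender))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()              # drop events older than the window
        senders = {s for _, s in q}
        if len(senders) >= MIN_SENDERS and subject not in alerted:
            alerted.add(subject)
            alerts.append((ts, subject, sorted(senders)))
    return alerts


if __name__ == "__main__":
    for when, subject, senders in detect_outbreaks(LOG):
        print(when.isoformat(), repr(subject), senders)
```

An alert of this kind is a cue to quarantine the matching subject at the gateway before the mail servers overload.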

Think about the articles that you have read in newspapers and magazines regarding viruses, worms, Trojan horses, logic bombs, and password grabbers. These are all known as malicious software tools. All of these tools can be enabled using messaging as a transport. Most of the major attacks that have crippled computers worldwide have used messaging as the mechanism to deliver their payload. Messaging is powerful, but it is also very vulnerable to attack and it is easy to use as a method of attacking other subsystems. Remember the Chernobyl, Melissa, and Worm viruses? Guess what: they were all spread via e-mail. The end result of these attacks was denial-of-service. These attacks brought major e-commerce web sites to their knees and many web administrators to prayer.

Many of these tools create problems because they do the following:

  1. Attach (delivered)

  2. Copy (effectively replicate themselves)

  3. Resend a copy

  4. Attack (delete some files on the local drive)

The technology that recent viruses are using is built into the mailer program or operating system itself. One example is application programs. These use macros that are built into a program, such as word processing. These macro viruses are triggered automatically by tasks within these programs, such as Microsoft Word.

Figure 8.1 shows how the Love Bug took advantage of a scripting language that was built into a mailer program.

Figure 8.1

  1. A message would arrive in a user's e-mail client.

  2. The user would open the message and launch the attachment.

  3. The virus (or agent or tool) would start to run and scan the user's address book.

  4. The virus would start to send messages out to the users listed in the address book, both to the Internet and/or the user's company mail system.

  5. The agent would start to overwrite local files on the workstation. This would include JPEG, MP2, and others.

  6. The agent would then attempt to redirect the user's browser to a web site that would download a program to steal passwords.

  7. If any passwords were captured, the program would send them to a preset address on the Internet.

And the cycle would be repeated over and over.
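Step 2 depends on the user launching an attachment whose name, LOVE-LETTER-FOR-YOU.TXT.VBS, reads like a text file. The following added example (not from the book) shows a gateway-side check that parses a message and flags script or executable attachments, including ones disguised behind a harmless-looking extension; the extension lists and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Extensions Windows will execute or hand to a script host.
# Illustrative list chosen for this example, not an exhaustive policy.
RISKY_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                    ".exe", ".scr", ".pif", ".bat", ".cmd", ".com"}
# Extensions users read as harmless; a risky one after these is a disguise.
DECOY_EXTENSIONS = {".txt", ".jpg", ".jpeg", ".gif", ".doc", ".pdf", ".mp3"}


def classify_attachment(filename):
    """Return 'disguised', 'risky' or 'ok' for one attachment file name."""
    # Trailing dots and spaces are ignored by Windows, so strip them first.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or "." + parts[-1] not in RISKY_EXTENSIONS:
        return "ok"
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
        return "disguised"
    return "risky"


def screen_message(raw_bytes):
    """Parse a raw message; return [(filename, verdict)] for parts to hold."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and classify_attachment(name) != "ok":
            findings.append((name, classify_attachment(name)))
    return findings


# Constructed sample message (not a captured one); the attachment is inert.
SAMPLE = (
    b"From: friend@example.com\r\nTo: user@example.com\r\n"
    b"Subject: I Love You\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nsample body text\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.VBS"\r\n\r\n'
    b"placeholder, no script content\r\n--b1--\r\n"
)

if __name__ == "__main__":
    print(screen_message(SAMPLE))
```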

The sad part of this problem is that these really "bad dudes" are able to mess with our minds and our computers because they are taking advantage of product features. Yes, that is correct: features! The macros and scripts that are built into the product are features that enable the product to do many different things. Think of it this way: You have a car, and one of the features is a radio. Someone on your block starts to pirate broadcast some really lousy music on your favorite station frequency. A feature that you use in your car (the radio) has now been used against you. The car still runs, but you cannot listen to your favorite station on the radio. In the case of the virus, not only is it analogous to goofing up your radio station, but it also resets all the other stations that you had programmed. So being a good software citizen, Microsoft issued a fix for many of its products, but at the same time, some of the features were impacted. This is a no-win situation for both the consumer and the software manufacturer. In May 2000, Microsoft issued the following URL, which shows some features that may have been impacted by a fix implemented by Microsoft to combat the Love Bug.

Impacts to Love Bug Fix for Outlook 98/2000:

  1. In Word, routing documents through e-mail does not work.

  2. Palm, Windows CE devices (PDAs) have synchronization issues. These include: Synchronizing with the Inbox displays a prompt and then fails. This is under investigation.

  3. Due to the programmatic access limits of the update, the SQL SendMail feature is affected and restricted.

Also check out the CIAC advisory on the bug itself: http://www.ciac.org/ciac/bulletins/k-039.shtml.[2]

Software companies are being held hostage by their own software. Many will argue the point that "the software was developed with holes, poorly written." For the most part that argument is worthless. Why? Following are steps to prove it:

  1. Create some software. Be sure to make it very complex, make it something that does useful work, and that is needed by the general public.

  2. Make the software as secure as you can.

  3. Then tell the world, via a press release, television, newspapers, and the Internet that your software cannot be hacked or misused by the features that are in the program. In essence, your claim is that the software is totally secure.

Do you know what will happen? Over 10,000 hackers from all over the world will make it their "mission" to hack into your software and prove you wrong!

Let's flip the coin to the other side. Poorly written code has been released to the public early. Yes, this does happen! With that said, the following steps must be taken:

  1. If you find a bug in a piece of code that would cause some type of harm, damage, or anything bad, it is your responsibility to contact the vendor and alert them to what you have found. Do not, repeat, do not post it on a discussion database or forum on the Internet.

  2. All software vendors must come clean and fix these bugs (okay, exposures) with best effort. If they don't, the general public will lose confidence in them and eventually stop purchasing their products.

  3. Finally, don't become a hacker. (That would make a good song: "Mamas, Don't Let Your Babies Grow Up to Be Hackers.")

As you can see, we are in this together.

The Love Bug is only one of many types of e-mail viruses that exist. Actually the Love Bug combines many different types: virus, worm, Trojan horse, and hoaxes. We will examine each of these.

8.1.1 Virus

A computer virus is a program that spreads by making copies of itself and sending them from computer to computer, wreaking havoc on each computer it visits. The term "virus" is used loosely to cover any sort of program that tries to hide its possibly malicious function while it spreads onto as many computers as possible. A virus can spread itself via a number of mechanisms: a floppy disk, a CD, an e-mail message, and even an application. Viruses can even use your computer's internal clock to trigger the actual program on a certain date.

8.1.2 Worm

A worm gestates in a networked environment and then spreads by spawning copies of itself onto other computers on the network. Worms eat up computer resources such as memory and even network bandwidth. Also, worms sometimes delete data and then spread themselves via e-mail. Here we are again: The transport of choice is e-mail. One of the earliest worms that caused great disruption on the Internet was the Morris worm in 1988. This worm was a harbinger of things to come. The Morris Internet worm burrowed through the Internet of 1988. It only impacted 6,000 out of a possible 60,000 computers. Stop and think about that: only 60,000 computers were on the Internet at that time. That may not sound like much, but that worm hit 10% of the existing community. The Love Bug hit 100 times as many computers. As technology has been growing, so have the worms.

8.1.3 Trojan horse

A Trojan horse is a program that appears legitimate but contains secondary hidden functions that can (and many times do) cause damage. One of the most common types of Trojan horse is distributed by e-mail, with the aim of stealing passwords from a victim's computer and then e-mailing the stolen data to a targeted recipient.

There are many vendors with information and tools to combat viruses. Following are a few: http://www.symantec.com/; http://www.mcafee.com/; and http://www.drsolomon.com/. For more information about viruses check out http://www.bocklabs.wisc.edu/~janda/virl_faq.html#B01.

8.1.4 Hoax

One of the most irritating e-mail messages one can receive is one that has been broadcast to everyone in the company warning about a new virus. Why should this make us mad? Because some Good Samaritan is trying to keep us from reading some e-mail that may mess up our computer. Before we go any further, we must say thanks to all of you nice people who are trying to protect us. Second, we'd like to say, "Don't ever do that again!" Out of all the warning messages received in this manner, 99% of them are hoaxes. Here is our advice: Before you forward a message about a virus, do the following:

  1. Check with your company's web site and read the e-mail policy about sending out broadcasts and alerts. You may find a phone number or e-mail address of whom to contact about any potential alerts or viruses.

  2. Go to http://ciac.llnl.gov/ciac/CIACHoaxes.html and check out the latest hoaxes (also check out http://kumite.com/myths/, one of our favorites).

Hoaxes themselves are nothing new. Remember cold fusion: The great breakthrough in 1989 that was going to solve the world's energy problems? When all was said and done, it was discovered that the data had been adjusted to match the wanted results. In other words, it did not work. Things haven't changed much since that famous hoax. People still fall for hoaxes, most notably via the Internet and messaging. For some foolish reason, we trust what our computer tells us. One of the best examples of Internet hoaxes is "The Good Times Virus Hoax." Several messages began circulating via the Internet in 1994. Over time the text of the original Good Times message has been rewritten. This hoax warns you to delete any message with the subject heading "PENPAL GREETINGS" because if you open it, a Trojan horse virus will supposedly remove all the data on your hard drive. Despite the fact that many prominent antiviral authorities and the CIAC Virus Bulletin quickly debunked Good Times as a hoax, the myth refused to die, popping up again several months and even years later.

[1] For a full report on the Love Bug, check out the CERT Advisory at http://www.cert.org/advisories/CA-2000-04.html.

[2] Please check out http://www.microsoft.com/ for any updates, and to determine if this URL is still valid.




Internet Security: A Jumpstart for Systems Administrators and IT Managers
ISBN: 1555582982
EAN: 2147483647
Year: 2003
Pages: 103
Authors: Tim Speed, Juanita Ellis