Slashdot Mirror


Symantec CTO on Flash Attacks

scubacuda writes "Robert Clyde, CTO of Symantec, recently warned an audience at the United Nations that there's an increasing gap between the speed at which attacks are being launched and the industry's ability to respond. Most attacks on Web sites are classified as Class III threats because they tend to take several hours/days to execute. Recently, however, Class II "Warhol attacks"--such as the SQL Slammer worm that made itself famous in 15 minutes--have emerged. Before long, Clyde predicts that groups of well-funded hackers working in concert will be able to launch Class I "Flash attacks." To combat this, Clyde says that patches would need to be developed more quickly and deployed continuously in an automated mode. Admins would need better ways of locking down networks so an attack on one router is automatically recognized by all routers on the network; throttling back the throughput of suspicious packets on the network in order to limit damage; automating tools for ensuring that all network clients are compliant with security policies; and creating Web services technologies that do not interfere with application performance."
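The submission's "throttling back the throughput of suspicious packets" is vague as stated. One concrete form of it is a per-source throttle on the rate of *new* destinations: a scanning worm such as Slammer fires single packets at many never-before-seen addresses per second, while an ordinary host mostly revisits a few peers, so capping new destinations per source slows the worm without having to recognise the exploit. The code below is an added illustration of that idea, not code from the article or from Symantec; the addresses, the limits and the sample traffic are all constructed for the example.

```python
"""Per-source 'new destination' throttle.  Added example, not code from the
article or Symantec: a scanning worm sprays packets at many never-before-seen
addresses per second, while ordinary hosts mostly revisit a few peers, so we
cap the rate of new destinations per source and hold the excess instead of
trying to recognise the exploit itself.  Addresses and limits are made up."""
from collections import Counter, defaultdict, deque


class NewDestinationThrottle:
    def __init__(self, max_new_per_window=5, window_seconds=1.0, working_set=8):
        self.max_new = max_new_per_window
        self.window = window_seconds
        # Per source: the last few destinations it talked to (treated as benign).
        self.recent = defaultdict(lambda: deque(maxlen=working_set))
        # Per source: timestamps at which it contacted a *new* destination.
        self.new_events = defaultdict(deque)

    def decide(self, ts, src, dst):
        """Return 'pass' or 'hold' for one packet, updating per-source state."""
        if dst in self.recent[src]:
            return "pass"                      # known peer, never throttled
        events = self.new_events[src]
        while events and ts - events[0] >= self.window:
            events.popleft()                   # expire events outside the window
        if len(events) >= self.max_new:
            return "hold"                      # budget spent: delay, don't forward
        events.append(ts)
        self.recent[src].append(dst)
        return "pass"


def summarize(packets, throttle=None):
    """Run (ts, src, dst) tuples through the throttle in time order and
    return per-source counts of pass/hold decisions."""
    throttle = throttle or NewDestinationThrottle()
    counts = defaultdict(Counter)
    for ts, src, dst in sorted(packets):
        counts[src][throttle.decide(ts, src, dst)] += 1
    return {src: dict(c) for src, c in counts.items()}


# Constructed sample traffic (not captured data):
# - 10.0.0.5 alternates between its DNS and mail servers for two seconds.
# - 10.0.0.9 fires 50 packets at 50 distinct addresses in half a second,
#   the Slammer pattern (one single-packet probe per random target).
SAMPLE_PACKETS = (
    [(i * 0.1, "10.0.0.5", "10.0.0.1" if i % 2 else "10.0.0.2") for i in range(20)]
    + [(0.5 + i * 0.01, "10.0.0.9", f"10.1.2.{i}") for i in range(50)]
)

if __name__ == "__main__":
    for src, decisions in summarize(SAMPLE_PACKETS).items():
        print(src, decisions)
```

With the defaults (five new destinations per second), the benign host passes all 20 packets while the scanner gets its first five probes through and the remaining 45 held; a held packet is delayed rather than dropped, so a legitimate host that briefly exceeds the budget is slowed, not cut off.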

22 of 179 comments shown

  1. Network structure server software by behemot · Score: 5, Insightful

    How about launching that money into developing more attack-resistant public network structure? Or working on improvements in server software?

    I'm feeling uncomfortable with execs trying to stir up public funding for their non-public industry.

  2. Automated mode... by SirDaShadow · Score: 3, Insightful

    To combat this, Clyde says that patches would need to be developed more quickly and deployed continuously in an automated mode

    You mean like Windows Update?

  3. The Future by Obscenity · Score: 2, Insightful

    System Admins are always trying to keep up with hackers, and I don't see that stopping anytime soon. There is only so much we can do to prevent it, and the only way to be invulnerable is if your computer is off or not on the net. And that's not very productive. System admins are just going to have to keep coding their own firewalls and other anti-virus stuff, download microsoft "security" patches, and just roll with the punches. There is no way to stop hacking, and if we could, would we want to?

    --
    OMG OMG OMG WTF OMG WTF BBQ STFU RTFM, OMFG OMG OMG OMG ROFL LMAO OMG WTF STFU ROFLMAO

  4. Symantec and its dirty tricks by ebuck · Score: 4, Insightful

    Symantec has a long history of trying (and sometimes succeeding) to create panic in the realm of computer security.

    Usually it is accompanied by a round of advertisement telling you how (through the use of their products) you can protect yourself.

    I am all for computer security, and no doubt there are many pitfalls yet to come, but staffing enough programmers to instantly respond to what they term a "flash attack" would make Microsoft look like small potatoes. I guess during all of that free time between attacks they can rewrite MSxxx to close those bugs MS can't get around to (in six years or more)

    On the other hand, look for rising stock prices as Macromedia sues Semantic for defamation and misuse of their branded media player.

  5. I hate these virus protection propagandists by poopdik · Score: 2, Insightful

    The same old story. Scare people, hype up these dangers, come up with totally unrealistic "threat" scenarios... and then put your hand out and ask for money.

  6. Dah! by donscarletti · Score: 3, Insightful

    To deal with this eventuality, Clyde said patches would need to be developed more quickly and deployed continuously in an automated mode. Other areas that need to be worked on include adaptive management and lockdown of networks so an attack on one router is automatically recognized by all routers on the network; the ability to throttle back the throughput of suspicious packets on the network in order to limit damage; automated tools for ensuring that all network clients are compliant with security policies; and advances in securing Web services technologies that do not interfere with application performance, he said.

    Basically what he just said, in order, was:
    1. If something breaks it should be fixed quickly
    2. If something breaks you should turn it off before it breaks any more
    3. You should try to make things not break

    Those three principles are done simply as a matter of common sense by your average guy riding a bicycle, and I believe those same principles are followed by good coders and good sysadmins as pretty much the most obvious part of their job.

    The only difference between his suggestion and bicycle repair is that the computer system is automated, which is done with systems already in place on networks with competent sysadmins.

    The whole suggestion is both facile and bleeding obvious and I hope that nobody was impressed by it.

    --
    When Argumentum ad Hominem falls short, try Argumentum ad Matrem

  7. or... by davidu · Score: 4, Insightful

    or, we could just do a better job of:
    • segmenting our networks.
    • filtering egress traffic.
    • filtering unwanted ingress traffic upstream.
    • diversifying network hardware. (many routers fell over during SQL slammer because of packet characteristics, not because they were vulnerable to a MSSQL worm)
    Basically, admins need to start taking some more responsibility and encouraging their employers to start supporting their proactive, yet defensive efforts.

    But that's just me...maybe people do want more 'windows update'-like systems so they can get back to their game of tetris.
    -davidu
    --

    # Hack the planet, it's important.

  8. "Flash Attacks" from Well Funded Hackers? by KrispyKringle · Score: 4, Insightful

    "Clyde predicts that groups of well-funded hackers working in concert will be able to launch Class I 'Flash attacks.' "

    I'm not sure I see how this necessarily follows. Certainly it is possible, and part of security is taking into account what can be done, but I don't know how you would assume it at all likely. If I had to name the biggest security threat right now (in my humble opinion, that is) I'd be far less concerned about groups of well-funded hackers (funded by who? Terrorists? Saddam? Commie subversives?) than I would about DDoS attacks launched by some bored teen-ager (something a little more television should cure, at any rate).

    DDoS attacks are very difficult to stop so long as plenty of unsecured home computers are available on broadband connections. All the host-based security in the world by the victim is virtually useless if he hasn't the bandwidth to resist the attack.

    Meanwhile, where are these groups of well-funded attackers, and what motivation have they? DDoS attacks are individual events; they do not propagate themselves across the internet the way SQL Slammer did. Each is of course its own sort of risk, and the effects of worms such as Slammer are similar, creating DoS attacks by attempting to propagate so fast. But I just don't see what connection more and more aggressive worms have to do with groups of organized, well funded hackers acting for international terrorists or the like (a concern repeatedly brought up by the US Cybersecurity Czar). This sounds, in some respects, like Clyde is reiterating the same refrain, a refrain which calls for harsher crackdowns and beefing up target security when we should be holding companies with insecure code (such as MSSQL) responsible and encouraging software companies and users to beef up security not only on servers but on PCs, as well.

    In regards to how much real-world damage a cyberattack can create, this is a matter of much dispute, and it seems highly unlikely that terrorist organizations will resort to such moves rather than traditional, far more terrifying and effective acts of random violence. Still, I am pleased that some interest is being taken into cybersecurity; I just hope the focus is in the right place.

  9. Updating automatically = more vulnerability by chewtoy-11 · Score: 2, Insightful

    Am I the only one that noticed the increased possibility of attacks, caused by an app running on the network waiting for "automatic" updates? Whatever method they try to use for the updates, will also be susceptible to attacks. So to me, it sounds like they want software companies to put a giant backdoor in their software, and then get paid to protect said backdoor. This sounds like Symantec watched Matrix: Reloaded, and decided that the only way to stay in business was to create a Keymaker.

    --
    C. Griffin
    "Can I keep his head for a souvenir?" --Max from Sam 'N Max Freelance Police

  10. Re:Flash Attacks by LiquidCoooled · Score: 3, Insightful

    There is no way a single central server could initiate the "flash" that the exponential Slammer worm had - each node infected on the network randomly attempted to infect other random nodes - once this took hold it would be MUCH faster than any single source central attack could be.

    Yes, Slammer started on a single machine, but did not do real damage until it hit critical mass.
    I was awestruck (as I'm sure others will have been) when I heard about this "warhol" type attack actually coming - before it happened it was only a worst case scenario, now it HAS happened, Symantec have had to readjust their figures.

    --
    liqbase :: faster than paper

  11. faster patches not the answer by bug · Score: 3, Insightful

    Being able to develop and deploy patches is not the answer. A vendor being able to develop, test, and offer to the public (note that I say public, not just privileged customers with support contracts) a patch rapidly after a vulnerability has been researched and publicly disclosed is necessary, but not sufficient. A userbase with the ability to rapidly test patches, and find vulnerable systems and patch them is necessary, but not sufficient.

    They are necessary, but can never be sufficient, because there is always a threat that the bad guys will find a vulnerability before the vendor and the users even have an inkling of its existence. We need systems that are hardened so that they aren't likely to have anything that can be so easily compromised. Most of the automated worms out there have spread because systems were running services that the user didn't really want to run or even know were running, or those services were running extensions and modules that users only rarely need, or client software had default settings to execute arbitrary code from perfect strangers unprompted, yet another feature that users rarely need or are even aware of. If a feature is more likely to be used as a vector for a worm than by the user base, maybe, just maybe, it shouldn't be turned on.

    A Warhol worm, or what Symantec wants to call a flash attack, cannot effectively be responded to. We need proactive security, or we've already lost.

    Luckily, most OS vendors are getting there. Major linux distributions install by default with host-based firewalls blocking incoming connections. Even Microsoft is improving somewhat with Windows 2003's default security, although we'll just see whether Microsoft offsets their gains by more losses with new "features."

  12. Not quite so sure (Re:Heterogeneous networks) by tamnir · Score: 2, Insightful

    Having a heterogeneous network is not such a straightforward solution as you put it. With the number of protocols still using cleartext passwords, and the tendency of users to use the same password in many places, a simple packet sniffer can take a cracker pretty far inside your network. The bottom line is: cracking a single box is often enough to compromise the security of a whole network.

    So having multiple OSes as you suggest just increases the number of potential security holes, making your network easier to attack, not to mention harder to maintain.

    I believe that security can be better achieved by a good network design (yes, it's not just the boxes: a good network design can greatly improve security, while a bad one can be a security hole by itself!), sticking to as few OSes as possible ("secure" ones of course), patching often, educating your users, etc... Standard security practices. But one thing not to be forgotten is that computer security is always a compromise. It is how much an attacker is willing to try, versus how much you are willing to invest in preventing a security breach. There is no 100% security.

    --
    I code, therefore I am.

  13. Re:Heterogeneous networks by MOMOCROME · Score: 3, Insightful

    "Monoculture is bad."

    Diversity is just a form of security through obscurity. Which we all know is bad, as it is anathema to the Open Source philosophy.

    Besides, think about how expensive diversity is. Won't it be great in a few years when any code can run on any OS from any vendor, on any hardware? That notion is just a logical extension of current trends, after all. Just to name a few examples, we have cygwin and wine, thousands of ports in every direction being produced and Moore's Law all at work to tighten the gap between OS capabilities. Soon, at this rate, it is easy to see that the gap will disappear altogether, as Op/s become cheap and fast enough to allow all manner of emulation. Future chips might even run a mix of -endian-ness at will, natively (PGAs anyone?)

    Diversity is not only unlikely, it is not even desirable in light of the massive costs involved with the many code-incompatible platforms we are faced with even today, even with such a powerful medium as the internet easing the pressure.

    Aside from all that, what's fundamentally wrong with the continuously updating security and cooperative routers the man mentioned? I don't believe he said that Symantec should be the only supplier of these services.

  14. yeah, yeah... by joto · Score: 2, Insightful

    We all need to patch our systems facing the Internet faster. Because, as we all know, patching itself never creates problems. Especially when it's automated....

    It's no wonder this comes from someone at an anti-virus corporation, whose main purpose is to patch the holes left in insecure operating systems. Now, if he had suggested the correct solution, making the systems at least somewhat resilient to attacks in the first place, he would also suggest that his company shouldn't really need to exist, making shareholders unhappy.

    I can't imagine a worse nightmare than having to rely on insecure systems going through automated updates with a frequency as low as 15 minutes. Do you think all those patches are going to work? That they are actually tested? That they don't create as many new holes as they tighten? That they don't change your carefully tuned setup which wasn't vulnerable for what the patches are supposed to fix anyway?

    Please give me some design and forethought instead...

  15. Re:Swift justice, harsh punishment by eidechse · Score: 2, Insightful

    Great plan...until your rush to judgment results in a mistake (read: miscarriage of justice). You get two nasty consequences: total loss of any moral authority, and others are inspired to retaliate.

    With regard to various network based attacks, just about anyone anywhere would be in a position to retaliate.

  16. Re:Heterogeneous networks by Florian Weimer · Score: 2, Insightful

    Diversity is the only way out of this, long term.

    Let me repeat: Diversity of Windows installations caused so much pain in the case of Slammer. If all your machines are uniform, they are much easier to maintain.

    And what is a heterogeneous network? One that uses IP, DECnet and IPX?

  17. Re:Flash Attacks by Anonymous Coward · Score: 1, Insightful

    Slammer fired its packets blindly. A flash attack would have to be prepared by a discovery phase during which vulnerable machines are identified. Of course this could be considered part of the attack so actually the attack wouldn't be a matter of seconds. It would be comparable to a photo flash: First the capacitor is charged. Then, when the photographer shoots the picture, the accumulated energy is released in a very short and bright flash.
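Comments 10 and 17 above describe two different spread patterns: Slammer's random scanning, where every infected node fires probes at random addresses and most probes hit dead space, and a "flash" worm whose discovery phase has already produced a hit list of vulnerable hosts, so no probe is wasted and the attack itself is over in a handful of rounds. The toy simulation below is an added example written for this page, not code from any commenter; the address-space size, the number of vulnerable hosts, the scan rate and the notion of a "tick" are all made-up parameters chosen to make the contrast visible.

```python
"""Toy model of the two spread patterns discussed in this thread: a
random-scanning worm (Slammer fired probes at random addresses) versus a
'flash' worm whose author pre-built a hit list of vulnerable hosts.  Added
example, not code from any comment; the address space, scan rate and host
counts are made-up parameters and one 'tick' is an abstract time unit."""
import math
import random


def random_scan_ticks(address_space, vulnerable, scans_per_tick, target=0.9, seed=1):
    """Ticks until `target` of the vulnerable hosts are infected when each
    infected host fires `scans_per_tick` probes at uniformly random addresses
    per tick.  Vulnerable hosts live at addresses 0..vulnerable-1; a probe that
    lands on one infects it (Slammer needed a single UDP packet)."""
    rng = random.Random(seed)
    infected = {0}                      # patient zero
    goal = math.ceil(target * vulnerable)
    ticks = 0
    while len(infected) < goal:
        ticks += 1
        for _ in range(len(infected) * scans_per_tick):
            addr = rng.randrange(address_space)
            if addr < vulnerable:
                infected.add(addr)      # most probes miss: dead address space
        if ticks > 10_000:
            raise RuntimeError("parameters too weak to ever reach the goal")
    return ticks


def hit_list_ticks(vulnerable):
    """Flash worm: patient zero already holds the list of all vulnerable
    hosts.  Each tick every infected host infects one host from its share
    of the list and hands half of the remainder to the new victim, so the
    infected population doubles every tick (no wasted probes).  Returns
    ticks until all `vulnerable` hosts are infected: ceil(log2(vulnerable))."""
    shares = [list(range(1, vulnerable))]   # patient zero owns the whole list
    infected, ticks = 1, 0
    while infected < vulnerable:
        ticks += 1
        next_shares = []
        for share in shares:
            if not share:
                continue
            rest = share[1:]                 # share[0] is infected this tick
            infected += 1
            half = len(rest) // 2
            next_shares.append(rest[:half])  # attacker keeps one half
            next_shares.append(rest[half:])  # new victim takes the other
        shares = next_shares
    return ticks


if __name__ == "__main__":
    print("random scanning, 90% of 1000 hosts:", random_scan_ticks(65536, 1000, 10), "ticks")
    print("hit list, 100% of 1000 hosts:      ", hit_list_ticks(1000), "ticks")
```

The random-scanning model shows why comment 10 is right that a single central source cannot match the worm: the probe rate grows with the infected population, so growth is exponential early and logistic later, but every probe into the 64K address space has only a 1.5% chance of finding a target. The hit-list model shows comment 17's point: once the discovery phase has done the expensive work, 1000 hosts fall in ten doublings, and the slow part of the attack happened before anyone saw a packet.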

  18. The real point about Slammer by lseltzer · Score: 4, Insightful

    >> Class II "Warhol attacks"--such as the SQL Slammer worm that make themselves famous in 15 minutes--have emerged. ... To combat this, Clyde says that patches would need to be developed more quickly and deployed continuously in an automated mode.

    Of course, Slammer had been patched 6 months prior. So a big part of this problem is that people don't apply patches.

  19. Re:i've been reading the responses by g4dget · Score: 3, Insightful

    i mean, if china and the us, or china and taiwan, or pakistan and india, or any other country with a well-developed technical base started seriously getting pissed off with another, you can BET the websites in each other's countries would have a SERIOUS problem

    "SERIOUS problem"? Like what? People get a slow response from the Taiwanese tourism site? No more Taiwanese posts to Slashdot? What is this "serious trouble"?

    Anybody who wants to cause that kind of trouble can achieve it more easily by overloading phone lines, putting white powder into envelopes, or spreading rumors about SARS.

    holier-than-thou, no-corporate-geek-is-smarter-than-me false sense of security is just as dangerous as false alarmism, no?

    All I know is that Symantec has never caught a virus on my PC, but it has caused numerous software to fail, sometimes in very mysterious ways that were difficult to track down. Regardless of whether there is a problem to be fixed in the first place, Symantec is not the company to fix it.

  20. Virus Checkers Don't Work by Inode Jones · Score: 2, Insightful

    This relates to something I've said all along:

    Virus checkers don't work

    Norton/Symantec/McAfee would like you to believe that $39.95/year or whatever will protect you but the truth is: these programs check against known viruses only. There is always an incubation period between the appearance of a new virus in the wild and the appearance of the update to detect and kill it. This incubation period provides a window for a real virus to do real damage.

    To date, there have been no highly damaging viruses. You are lucky. Don't rely on the virus checker to protect you. Instead, look for operating systems and software having inherent immunity built into their design.

    Sure, you can use the virus checkers as a secondary measure. But they won't protect you fully.

  21. Re:Heterogeneous networks by Florian Weimer · Score: 3, Insightful

    Diversity would mean that there is a healthy mix of significantly different systems.

    If this "healthy mix" included a vulnerable MS SQL server, you lost when Slammer hit.

    The problem with diversity is that it considerably increases maintenance costs and requires admins with multi-platform skills. In my experience, most admins have problems staying up-to-date with respect to their primary platform and learning all this new security stuff. What will happen if they have to follow developments for, say, three platforms, Linux, Windows and Solaris?

    Diversity is a very effective defense, of course, but it comes rather late in the list of things you should do to increase security. Diversity will not help you if you can't keep up patching your machines, for example. It will make things worse in this case because diversity increases the workload and leads to less patching.

  22. Re:Swift justice, harsh punishment by unixfd0 · Score: 2, Insightful

    I think you're solving the symptoms and not the cause.

    Want to stop exploits? Write good code and have it reviewed, test it, review it again, test again...release and test, review............

    Severe punishments or punishment in general are rarely good enough deterrents. Do you have $15 000 to give to the RIAA? I'm sure the millions on Kazaa don't but they trade anyway because they never think about getting caught.

    The solution...education/ethics training. You have to teach people not to be assholes BEFORE they become assholes...not wait until they do something crazy and then hand out a stiff punishment and claim you're doing something *now*.

    My motto: You can't stop crazy people but you can stop people from being crazy.