Symantec CTO on Flash Attacks
scubacuda writes "Robert Clyde, CTO of Symantec, recently warned an audience at the United Nations that there's an increasing gap between the speed at which attacks are being launched and the industry's ability to respond. Most attacks on Web sites are classified as Class III threats because they tend to take several hours/days to execute. Recently, however, Class II "Warhol attacks"--such as the SQL Slammer worm that made itself famous in 15 minutes--have emerged. Before long, Clyde predicts that groups of well-funded hackers working in concert will be able to launch Class I "Flash attacks." To combat this, Clyde says that patches would need to be developed more quickly and deployed continuously in an automated mode. Admins would need better ways of locking down networks so an attack on one router is automatically recognized by all routers on the network; throttling back the throughput of suspicious packets on the network in order to limit damage; automating tools for ensuring that all network clients are compliant with security policies; and creating Web services technologies that do not interfere with application performance."
How about launching that money into developing more attack-resistant public network structure? Or working on improvements in server software?
I'm feeling uncomfortable with execs trying to stir up public funding for their non-public industry.
To combat this, Clyde says that patches would need to be developed more quickly and deployed continuously in an automated mode
You mean like Windows Update?
Symantec has a long history of trying (and sometimes succeeding) to create panic in the realm of computer security.
Usually it is accompanied by a round of advertisement telling you how (through the use of their products) you can protect yourself.
I am all for computer security, and no doubt there are many pitfalls yet to come, but staffing enough programmers to instantly respond to what they term a "flash attack" would make Microsoft look like small potatoes. I guess during all of that free time between attacks they can rewrite MSxxx to close those bugs MS can't get around to (in six years or more)
On the other hand, look for rising stock prices as Macromedia sues Semantic for defamation and misuse of their branded media player.
Basically what he just said, in order, was:
1. If something breaks it should be fixed quickly
2. If something breaks you should turn it off before it breaks any more
3. You should try to make things not break
Those three principles are done simply as a matter of common sense by your average guy riding a bicycle, and I believe those same principles are followed by good coders and good sysadmins as pretty much the most obvious part of their job.
The only difference between his suggestion and bicycle repair is that the computer system is automated, which is done with systems already in place on networks with competent sysadmins.
The whole suggestion is both facile and bleeding obvious and I hope that nobody was impressed by it.
When Argumentum ad Hominem falls short, try Argumentum ad Matrem
But that's just me...maybe people do want more 'windows update'-like systems so they can get back to their game of tetris.
-davidu
# Hack the planet, it's important.
I'm not sure I see how this necessarily follows. Certainly it is possible, and part of security is taking into account what can be done, but I don't know how you would assume it at all likely. If I had to name the biggest security threat right now (in my humble opinion, that is) I'd be far less concerned about groups of well-funded hackers (funded by who? Terrorists? Saddam? Commie subversives?) than I would about DDoS attacks launched by some bored teen-ager (something a little more television should cure, at any rate).
DDoS attacks are very difficult to stop so long as plenty of unsecured home computers are available on broadband connections. All the host-based security in the world by the victim is virtually useless if he hasn't the bandwidth to resist the attack.
Meanwhile, where are these groups of well-funded attackers, and what motivation have they? DDoS attacks are individual events; they do not propagate themselves across the internet the way SQL Slammer did. Each is of course its own sort of risk, and the effects of worms such as Slammer are similar, creating DoS attacks by attempting to propagate so fast. But I just don't see what more and more aggressive worms have to do with groups of organized, well-funded hackers acting for international terrorists or the like (a concern repeatedly brought up by the US Cybersecurity Czar). This sounds, in some respects, like Clyde is reiterating the same refrain, a refrain which calls for harsher crackdowns and beefing up target security when we should be holding companies with insecure code (such as MSSQL) responsible and encouraging software companies and users to beef up security not only on servers but on PCs, as well.
In regards to how much real-world damage a cyberattack can create, this is a matter of much dispute, and it seems highly unlikely that terrorist organizations will resort to such moves rather than traditional, far more terrifying and effective acts of random violence. Still, I am pleased that some interest is being taken into cybersecurity; I just hope the focus is in the right place.
There is no way a single central server could initiate the "flash" that the exponential Slammer worm had - each node infected on the network randomly attempted to infect other random nodes - once this took hold it would be MUCH faster than any single source central attack could be.
Yes Slammer started on a single machine, but did not do real damage until it hit critical mass.
I was awestruck (as I'm sure others will have been) when I heard about this "Warhol" type attack actually coming - before it happened it was only a worst case scenario, now it HAS happened, Symantec have had to readjust their figures.
liqbase
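The point the post above makes, that a self-propagating random-scanning worm outruns any single central scanner because its scan rate grows with the number of infected hosts, can be shown with a toy epidemic model. The block below is an added illustration, not code from the original thread or from Symantec. The population size (75,000 vulnerable hosts), the per-host scan rate (4,000 scans/s), and the central attacker's rate (1,000,000 scans/s) are assumptions chosen to be in the rough range of a Slammer-class worm, not figures from the page; the model picks targets uniformly at random from the 2^32 IPv4 space and ignores bandwidth saturation, which in practice slows the final phase.

```python
"""Toy SI epidemic model: self-propagating random-scanning worm vs. one central scanner.

Added illustration, not code from the original thread. All population sizes and
scan rates are assumptions, not measurements from the page.
"""
import math

ADDRESS_SPACE = 2 ** 32      # IPv4 targets chosen uniformly at random
VULNERABLE = 75_000          # assumed number of exploitable hosts on the net
PER_HOST_SCANS = 4_000       # assumed scans/second each infected host emits
CENTRAL_SCANS = 1_000_000    # assumed scans/second for a single attacker box


def worm_step(infected, dt=1.0, scans=PER_HOST_SCANS, n=VULNERABLE):
    """One time step of the worm: every infected host scans, so the aggregate
    scan rate is proportional to `infected`. Each scan hits a not-yet-infected
    vulnerable host with probability (n - infected) / ADDRESS_SPACE."""
    hit_prob = (n - infected) / ADDRESS_SPACE
    return min(n, infected + infected * scans * dt * hit_prob)


def central_step(infected, dt=1.0, scans=CENTRAL_SCANS, n=VULNERABLE):
    """One time step for a single central source: compromised hosts do nothing,
    so the aggregate scan rate never grows beyond `scans`."""
    hit_prob = (n - infected) / ADDRESS_SPACE
    return min(n, infected + scans * dt * hit_prob)


def time_to_fraction(step_fn, fraction, n=VULNERABLE, initial=1.0, dt=1.0,
                     max_t=10 ** 7):
    """Simulated seconds until `fraction` of the vulnerable population is
    infected, starting from `initial` infected hosts. Returns None if the
    target is not reached within `max_t` seconds."""
    infected, t = float(initial), 0.0
    target = fraction * n
    while infected < target:
        if t >= max_t:
            return None
        infected = step_fn(infected, dt)
        t += dt
    return t


def growth_rate(scans=PER_HOST_SCANS, n=VULNERABLE):
    """Early-phase exponent r of the worm: I(t) ~ I(0) * exp(r * t).
    Each infected host finds r new victims per second while almost
    everything is still uninfected."""
    return scans * n / ADDRESS_SPACE


def doubling_time(scans=PER_HOST_SCANS, n=VULNERABLE):
    """Seconds for the infected population to double in the early phase."""
    return math.log(2) / growth_rate(scans, n)


if __name__ == "__main__":
    worm_t = time_to_fraction(worm_step, 0.9)
    central_t = time_to_fraction(central_step, 0.9)
    print(f"worm early growth rate: {growth_rate():.4f}/s, "
          f"doubling every {doubling_time():.1f} s")
    print(f"worm reaches 90% of vulnerable hosts in ~{worm_t / 60:.1f} min")
    print(f"central scanner at {CENTRAL_SCANS} scans/s needs ~{central_t / 3600:.1f} h")
```

With these parameters the worm's infected population doubles roughly every ten seconds and saturates in a few minutes, while a single source emitting 250 times more scans per second than any one infected host still needs hours, because its rate is fixed rather than compounding. Patch deployment that takes days cannot compete with the first curve; only hosts that were already patched or not listening are outside it.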
Being able to develop and deploy patches is not the answer. A vendor being able to develop, test, and offer to the public (note that I say public, not just privileged customers with support contracts) a patch rapidly after a vulnerability has been researched and publicly disclosed is necessary, but not sufficient. A userbase with the ability to rapidly test patches, and find vulnerable systems and patch them is necessary, but not sufficient.
They are necessary, but can never be sufficient, because there is always a threat that the bad guys will find a vulnerability before the vendor and the users even have an inkling of its existence. We need systems that are hardened so that they aren't likely to have anything that can be so easily compromised. Most of the automated worms out there have spread because systems were running services that the user didn't really want to run or even know were running, or those services were running extensions and modules that users only rarely need, or client software had default settings to execute arbitrary code from perfect strangers unprompted, yet another feature that users rarely need or are even aware of. If a feature is more likely to be used as a vector for a worm than by the user base, maybe, just maybe, it shouldn't be turned on.
A Warhol worm, or what Symantec wants to call a flash attack, cannot effectively be responded to. We need proactive security, or we've already lost.
Luckily, most OS vendors are getting there. Major linux distributions install by default with host-based firewalls blocking incoming connections. Even Microsoft is improving somewhat with Windows 2003's default security, although we'll just see whether Microsoft offsets their gains by more losses with new "features."
"Monoculture is bad."
Diversity is just a form of security through obscurity. Which we all know is bad, as it is anathema to the Open Source philosophy.
Besides, think about how expensive diversity is. Won't it be great in a few years when any code can run on any OS from any vendor, on any hardware? That notion is just a logical extension of current trends, after all. Just to name a few examples, we have cygwin and wine, thousands of ports in every direction being produced and Moore's Law all at work to tighten the gap between OS capabilities. Soon, at this rate, it is easy to see that the gap will disappear altogether, as Op/s become cheap and fast enough to allow all manner of emulation. Future chips might even run a mix of -endian-ness at will, natively (PGAs anyone?)
Diversity is not only unlikely, it is not even desirable in light of the massive costs involved with the many code-incompatible platforms we are faced with even today, even with such a powerful medium as the internet easing the pressure.
Aside from all that, what's fundamentally wrong with the continuously updating security and cooperative routers the man mentioned? I don't believe he said that Symantec should be the only supplier of these services.
Of course, Slammer had been patched 6 months prior. So a big part of this problem is that people don't apply patches.
"SERIOUS problem"? Like what? People get a slow response from the Taiwanese tourism site? No more Taiwanese posts to Slashdot? What is this "serious trouble"?
Anybody who wants to cause that kind of trouble can achieve it more easily by overloading phone lines, putting white powder into envelopes, or spreading rumors about SARS.
A holier-than-thou, "no corporate geek is smarter than me" false sense of security is just as dangerous as false alarmism, no?
All I know is that Symantec has never caught a virus on my PC, but it has caused numerous pieces of software to fail, sometimes in very mysterious ways that were difficult to track down. Regardless of whether there is a problem to be fixed in the first place, Symantec is not the company to fix it.
Diversity would mean that there is a healthy mix of significantly different systems.
If this "healthy mix" included a vulnerable MS SQL server, you lost when Slammer hit.
The problem with diversity is that it considerably increases maintenance costs and requires admins with multi-platform skills. In my experience, most admins have problems staying up-to-date with respect to their primary platform and learning all this new security stuff. What will happen if they have to follow developments for, say, three platforms, Linux, Windows and Solaris?
Diversity is a very effective defense, of course, but it comes rather late in the list of things you should do to increase security. Diversity will not help you if you can't keep up patching your machines, for example. It will make things worse in this case because diversity increases the workload and leads to less patching.