Symantec CTO on Flash Attacks
scubacuda writes "Robert Clyde, CTO of Symantec, recently warned an audience at the United Nations that there's an increasing gap between the speed at which attacks are being launched and the industry's ability to respond. Most attacks on Web sites are classified as Class III threats because they tend to take several hours/days to execute. Recently, however, Class II "Warhol attacks"--such as the SQL Slammer worm, which makes itself famous in 15 minutes--have emerged. Before long, Clyde predicts that groups of well-funded hackers working in concert will be able to launch Class I "Flash attacks." To combat this, Clyde says that patches would need to be developed more quickly and deployed continuously in an automated mode. Admins would need better ways of locking down networks so an attack on one router is automatically recognized by all routers on the network; throttling back the throughput of suspicious packets on the network in order to limit damage; automating tools for ensuring that all network clients are compliant with security policies; and creating Web services technologies that do not interfere with application performance."
Here is a problem I'd worry about if all computers were networked together to respond in concert to an attack - wouldn't that make all those networked computers vulnerable to an attack aimed at that connected computer network?
Now I'm just a humble corporate drone but wasn't Slammer doubling in size every 8 or 9 seconds simply by spreading as fast as the internet would let it?
How in the world are these "flash attacks" supposed to attack the entire internet in seconds? Launch from multiple points at once? Go faster than light?
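The questions above (how Slammer could double every few seconds, and what "throttling back suspicious packets" would actually buy) can be answered with a toy epidemic model. The following is an added illustration, not code from the article or from any commenter. It uses a discrete logistic model of a random-scanning worm; all constants are assumptions chosen to be Slammer-like (roughly 75,000 vulnerable hosts, a few thousand probes per second from each infected host, random targets in the IPv4 space) and are not measurements taken from the page.

```python
"""Toy model of a random-scanning worm (Slammer style) and the effect of
a per-host outbound scan-rate throttle. Added example; all constants
below are assumptions, not figures from the article."""
import math

ADDRESS_SPACE = 2 ** 32          # assumed: targets are random IPv4 addresses
VULNERABLE = 75_000              # assumed: reachable, unpatched population
FAST_SCAN_RATE = 4_000           # assumed: probes/s from an unthrottled host
THROTTLED_SCAN_RATE = 10         # assumed: per-host outbound rate limit


def doubling_time(scan_rate, vulnerable=VULNERABLE, address_space=ADDRESS_SPACE):
    """Early-phase doubling time in seconds.

    While almost every vulnerable host is still susceptible, each infected
    host finds about scan_rate * vulnerable / address_space new victims per
    second, so the infected population grows like exp(k * t) with that k.
    """
    k = scan_rate * vulnerable / address_space
    return math.log(2) / k


def seconds_until(fraction, scan_rate, vulnerable=VULNERABLE,
                  address_space=ADDRESS_SPACE, initial=1, dt=0.05,
                  max_seconds=3600.0):
    """Step a discrete logistic model until `fraction` of the vulnerable
    hosts are infected. Returns elapsed seconds, or None if the worm has
    not reached that point within max_seconds."""
    infected = float(initial)
    target = fraction * vulnerable
    t = 0.0
    while t < max_seconds:
        if infected >= target:
            return t
        susceptible = vulnerable - infected
        # Every probe from every infected host lands on a still-susceptible
        # host with probability susceptible / address_space.
        new_infections = infected * scan_rate * dt * susceptible / address_space
        infected = min(float(vulnerable), infected + new_infections)
        t += dt
    return None


if __name__ == "__main__":
    print(f"doubling time, unthrottled: {doubling_time(FAST_SCAN_RATE):.1f} s")
    print(f"90% infected, unthrottled:  {seconds_until(0.9, FAST_SCAN_RATE):.0f} s")
    print(f"doubling time, throttled:   {doubling_time(THROTTLED_SCAN_RATE):.0f} s")
    print(f"90% infected within an hour, throttled: "
          f"{seconds_until(0.9, THROTTLED_SCAN_RATE)}")
```

With these assumptions the unthrottled worm doubles roughly every ten seconds and reaches 90% of the vulnerable population in about three minutes, which is the "Warhol" regime; the same worm limited to ten outbound probes per second per host has a doubling time over an hour and does not get near saturation within the hour. The model ignores bandwidth saturation, which in Slammer's case actually slowed the late phase, so treat it as an explanation of the growth mechanism rather than a forecast.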
Monoculture is bad.
Diversity is the only way out of this, long term. The idea of having only one codebase for 95% of the computers in the world is insane. The long term fix is to actively encourage alternative platforms, and multiple competing versions of software that aren't clones.
A heterogeneous network is going to be much more resilient, though this is a tradeoff from efficiency. As with the original design of the internet (packetizing data instead of streams), the tradeoff more than pays for itself in the long run.
--Mike--
Speed is the key to deterrence. Arrest someone; put them to trial; punish them. Swift, harsh but just punishment is a deterrent. If attacks result in loss of life, capital punishment is called for.
The law should be changed so that appeals don't drag out for 20 years. That old saw is as true today as it ever was:
scubacuda writes
"Recently, however, Class II "Warhol attacks"--such as the SQL Slammer worm that make themselves famous in 15 minutes--have emerged."
If they were really Warhol attacks, they'd be crappy hacks (because they'd only be famous for 15 minutes, not in 15 minutes.)
My
Limekiller
One solution (as pointed to by an earlier poster) is diversity. If people are running different OSs and different flavours then it's a bit harder for somebody to take total control. I wouldn't even suggest a 100% movement away from MS (although 75% would make life a lot easier). Even the heavily audited OpenBSD has managed a root compromise or two in its history, and it only takes one zero-day bug to bring down a whole system.
For those people running MS, yes -- you definitely need help. That having been said, I would still suggest some diversity there... Not all machines should be running Symantec. There should be at least a few running other AntiVirus products (like AVG). That way if Symantec misses something, there's still a possibility that one of the other virus checkers in a company will catch the bug (and enable faster recovery). It would also provide some hope of survival in the case of a Symantec takeover like I mentioned in the first paragraph.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Most admins with any security background know that the right answer is DEFAULT DENY.
When is the mainstream going to wake up?
My first flamebait!
Unfortunately, a few years ago on slashdot posts like mine above were so truthful that few would consider them worthy of modpoints.
Symantec makes good virus protection software. But they have saturated their market. Nearly every PC targeted at the average user is sold with one of their products pre-installed.
Virus software is not sexy; few will rush out to grab the latest release, or even bother with the online updates. Symantec stirs the pot every now and then with a timely reminder that the net is going to h--- in a handbasket. It's not bad for sales, much like advertisements of burglars breaking into a house known to contain residents don't hurt the sales of home security alarms.
It's not new, in 2 more years we will see the same recommendation about the new "state of emergency" we all face from malicious code.
It seems to me that's exactly what they're doing.
No not making the worm, but going to address the UN about these three classes of attacks. Who came up with these classes and the names? I would be surprised to find out it was anyone other than Symantec, I've never heard of them before.
In particular this supposed "Class I flash attack" which sounds right out of your favorite cold war B-Movie, Clyde is warning of well funded squads of uber hackers funded by national agencies. He is just pandering towards current international paranoia regarding terrorism.
It's even better than creating the attacks themselves (since you run the risk of getting caught): creating attackers that don't even exist! (yet?)
Speculation and cyber fantasy aside, everyone who lets loose worms or viruses to my knowledge generally turns out to be people with no backing and no real agenda. Has there ever been evidence of international players being caught with their hand in the cookie jar funding any kind of worm or virus or ddos attack?
And really, if you were to effectively prevent this kind of attack by deploying systems widely, wouldn't these super hackers simply launch an attack when they had found an effective way around these measures?
I think it's more likely that frequent update systems would keep out the lowest common denominator attacks, script kiddies and common worms.
Don't get me wrong, I think there are big issues with how software comes configured and how security holes are dealt with, and I think it is for the good of the internet as a whole organism that these be addressed, and one of them may very well be very quick automated updating of network-facing software.
But it pisses me off to see someone from what I would consider a shady industry (virus protection) addressing people at the UN about these future terrorist hacker squads or whatever, essentially fear mongering to sell software. All on the backs of a great tragedy that had nothing to do with any of this.
"It will not be long before well-funded teams of hackers sponsored by countries or other organizations begin to create Flash attacks that can be launched in seconds,"
Actually you can set the automatic updating to install automatically and reboot once a day if necessary. However, anyone that would let that happen in a live server environment is a moron, considering certain hot fixes have killed servers.
I hate replying to myself and continuing to rant, but I had one more thing I wanted to get off my chest.
Talk to any number of "in the know" types in the public or private sectors and one of their number one suggestions for personal security is to run some type of ZoneAlarm-style personal firewall that allows you to manage and block outgoing communications from processes running on your computer. The reason? To combat key loggers and the like that, once running and communicating virtually anonymously over the internet, blow the entire rest of your security. They have all your passwords, everything you might decide to type. The implication of this advice has always seemed clear to me: that US organizations are, at least in part, using these without warrants.
Where are the trojan fingerprints for these US government developed keyloggers? Certainly you won't be finding them in Symantec's product lines.
sorry for coming off like a conspiracy theorist.
They have such a history of screwing up everything they touch. Why should we trust them for securing ANYTHING, let alone Internet services?
Isn't it possible to get a Flash animation to run malicious code? I'm not sure about its destructive abilities, but I'm pretty sure you can launch a client-side denial-of-service attack using a really large Flash file with lots of extraneous links. Combine that with existing Javascript vulnerabilities and you've got one pretty good trojan. (I imagine a cache flush and a self-reload might even do the trick...)
Pet peeve: Profane people propagating perfunctory pedantry.
Welcome to the wonderful world of antivirus companies. Keep in mind that it is in the interest of these companies for computers to have very bad security and for there to be lots of people out there to exploit this lack of security. With this in mind, you should pretty much ignore anything that they are saying with regards to security. Then again, Microsoft is currently spending lots of resources on "advising" Oregon legislators about a bill which would allow open source solutions to be considered in state projects.
Who in the hell funds hackers to write viruses that attack networks? Sure, the military and intelligence agencies do it, but I really doubt that they're writing stuff like the SQL Slammer.
So what corporate SOB is funding this sort of thing?
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
And I have to say, some of the people who have responded and been modded up have been along the lines of "well-funded groups of hackers, please!"
"Somebody is crying wolf to stir up business, obviously!"
A holier-than-thou, "no corporate geek is smarter than me" false sense of security is just as dangerous as false alarmism, no?
No, I am not a Symantec drone, but during the May Day week after the Hainan Island spy plane incident a few years back, didn't some rather organized attacks and counterattacks occur between American and Chinese hackers feeling a little too much of their nationalistic, jingoistic cojones?
I mean, if China and the US, or China and Taiwan, or Pakistan and India, or any other country with a well-developed technical base started seriously getting pissed off with another, you can BET the websites in each other's countries would have a SERIOUS problem.
Am I spreading FUD? Or does my "false" alarmism insult your "false" sense of security?
Go to cnhonker.com if you dare.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I was once contracted to Symantec in the not-too-distant past, and this I can tell you for certain, having witnessed it on multiple occasions: Symantec in no small way creates many of the problems it then 'solves' with its software.
Here's just one example: Symantec used to offer a bounty for viruses. Its rather underpaid antivirus support staff, with access to all documented viruses as well as existing exploits in current software, would, in their free time, craft viruses and then 'discover' them for the bounty. The trick was to do this through friends, often splitting the rewards, to avoid getting caught out.
Despite this, the management was well aware that its antivirus staff was creating much of the virus 'problem'. And they turned a blind eye to these activities, because it generated more business for them.
This is just one example of a number of rather reprehensible business practices I observed while working for Symantec. I found the company to be so sleazy I terminated my contract after five months, and refused to work with them again.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
Why don't we start writing more responsible fucking code? I think that if as much time and effort were spent doing security evaluation of commercial software development as goes toward finding the most underpaid programmers the developing world has to offer, we wouldn't be asking underpaid administrators to automate patching.
While I agree in principle, the idea of ensuring more responsible code could also be used to support regulation of programmers in a similar fashion to the way some states regulate engineers.
And it doesn't even need to be a hacker. What if your government becomes interested in all your activities? I'm sure TIA gets a lot easier if you can install backdoors on demand on all computers.
What happens if such a patch breaks something? Instead of a few machines breaking, you could break machines all over the world before anyone can get the word out.
Symantec tried to profit from the Slammer worm, by suggesting that they were the only company that was able to warn their clients beforehand. I've seen one of their later alerts, and even as their customer networks were in flames, they suggested filtering traffic towards MS SQL hosts, and not from them. The latter would have been necessary to protect your network infrastructure from the traffic (and impossible in most networks).
Maybe Symantec employs a few smart people, but the company as a whole acts as if it were a bunch of incompetent, parasitic morons. Symantec's predictions related to network security could be true, of course, but keep in mind that this company has a strong business interest in an insecure Internet.
I have never liked virus scan vendors. They call their product "antivirus software", but it hasn't changed one bit since the DOS days when they were just tools to find which of the 100 files on your HD were infected with one of the 10 or so viruses in the wild. They don't offer any protection against the holes in all the new services and features in operating systems and applications. They only offer help cleaning up known malware (except for malware from people that can sue Symantec for interfering with their business: spreading spyware).
Clyde: The attacks are increasing in frequency and in complexity," noted Clyde. "And the bar to becoming an attacker is being lowered because the tools are getting more sophisticated. Someone can now learn to use the tools effectively in weeks to months rather than years."
With the antivirus vendors the attack frequency is always going up ;-) I believe them on that one though. But the complexity? Nothing as complex as Nimda for months now. "The tools" in my view were assembler compilers in the old days, and are C/C++ compilers these days... I hardly think this matters that much, and if it did, why didn't we see more C viruses in the DOS days? (Visual Basic has a harder time abusing vulnerabilities, and therefore is unlikely to be used in real worms.)
Clyde: The eventual rise of Flash attacks means that the industry will have to take a more proactive approach to security because the attacks will happen faster than humans can respond, Clyde said. "The vulnerability threat window is shrinking and in theory could become zero. We used to have six months between when a vulnerability was discovered to come up with a patch before somebody exploited it. But for Code Red, the time was only 28 days."
A proactive approach? Well, I guess the "sitting around eating pie" option is definitely out of the window then? The vulnerability window for me goes from the moment the faulty code is compiled to the moment every single user is running patched code, everywhere... Getting this window to zero could prove difficult, but I am sure Mr. Clyde will be offering a product that reduces the time to "virtually zero", although it won't be A product but really a service.... an expensive one. I think the six months between discovery and exploit are six months between vendor notification and Bugtraq post of exploit code; I don't think there has ever been a vulnerability so complex it would take a competent coder more than hours to build something exploiting the hole. There are many competent coders out there, not all of them post their work to Bugtraq. The posted exploits are usually posted to force vendors into patching code real fast (usually after they appeared to be doing nothing for a while). I guess that when it comes to holes in a Microsoft product used by 50% of the planet, "real fast" is just shorter than the stuff that was discussed in the old days on Bugtraq.
Clyde: To deal with this eventuality, Clyde said patches would need to be developed more quickly and deployed continuously in an automated mode.
Fast machines with big pipes were what made Code Red spread fast, machines like the Windows Update servers.... If even the open source community has problems getting software safely to the users (several cracked FTP mirrors with altered releases) then it's safe to assume that big players in the software market are not gonna get the automated update system right in one try. Just think of the holes in Hotmail.... Sure, updating services will have more attention on security, but the Hotmail holes were really, really pathetic and the most recent one wasn't any more complex than the previous ones.
Clyde: Other areas that need to be worked on include adaptive management and lockdown of networks so an attack on one router is automatically recognized by all routers on the network; the ability to throttle back the throughput of suspicious packets on the network in order to limit damage; automated tools for ensuring that