Slashdot Mirror
Symantec CTO on Flash Attacks
scubacuda writes "Robert Clyde, CTO of Symantec, recently warned an audience at the United Nations that there's an increasing gap between the speed at which attacks are being launched and the industry's ability to respond. Most attacks on Web sites are classified as Class III threats because they tend to take several hours/days to execute. Recently, however, Class II "Warhol attacks"--such as the SQL Slammer worm that make themselves famous in 15 minutes--have emerged. Before long, Clyde predicts that groups of well-funded hackers working in concert will be able to launch Class I "Flash attacks." To combat this, Clyde says that patches would need to be developed more quickly and deployed continuously in an automated mode. Admins would need better ways of locking down networks so an attack on one router is automatically recognized by all routers on the network; throttling back the throughput of suspicious packets on the network in order to limit damage; automating tools for ensuring that all network clients are compliant with security policies; and creating Web services technologies that do not interfere with application performance."
I thought that already was happening every time I go to a site with flash banners. Flash Attack. Yes, that name fits quite nicely.
and Symantec has just the product to sort all this out?
Alex
How about launching that money into developing more attack-resistant public network structure? Or working on improvements in server software?
I'm feeling uncomfortable with execs trying to stir up public funding for their non-public industry.
To combat this, Clyde says that patches would need to be developed more quickly and deployed continuously in an automated mode
You mean like Windows Update?
Now I'm just a humble corporate drone but wasn't Slammer doubling in size every 8 or 9 seconds simply by spreading as fast as the internet would let it?
How in the world are these "flash attacks" supposed to attack the entire internet in seconds? Launch from multiple points at once? Go faster than light?
System Admins are always trying to keep up with hackers, and i dont see that stopping anytime soon. There is only so much we can do to prevent it, and the only way to be invunerable is if your computer is off or not on the net. And that's not very productive. System admins are just going to have to keep coding their own firewalls and other anti-virus stuff, download microsoft "security" patches, and just roll with the punches. There is no way to stop hacking, and if we could, would we want to?
OMG OMG OMG WTF OMG WTF BBQ STFU RTFM, OMFG OMG OMG OMG ROFL LMAO OMG WTF STFU ROFLMAO
Monoculture is bad.
Diversity is the only way out of this, long term. The idea of having only one codebase for 95% of the computers in the world is insane. The long term fix is to actively encourage alternative platforms, and multiple competing versions of software that aren't clones.
A hetrogeneous network is going to be much more resilient, though this is a tradeoff from efficiency. As with the original design of the internet (packetizing data instead of streams), the tradeoff more than pays for itself in the long run.
--Mike--
How many people expected this article to have some reference to a new security exploit using flash?
Symantec has a long history of trying (and somtimes succeeding) to create panic in the realm of computer security.
Usually it is accompanied by a round of advertisement telling you how (through the use of their products) you can protect yourself.
I am all for computer security, and no doubt there are many pitfalls yet to come, but staffing enough programmers to instantly respond to what they term a "flash attack" would make Microsoft look like small potatoes. I guess during all of that free time between attacks they can rewrite MSxxx to close those bugs MS can't get around to (in six years or more)
On the other hand, look for rising stock prices as Macromedia sues Semantic for defamation and misuse of their branded media player.
Speed is the key to deterrence. Arrest someone; put them to trial; punish them. Swift, harsh but just punishment is a deterrent. If attacks result in loss of life, capital punishment is called for.
The law should be changed so that appeals don't drag out for 20 years. That old saw is as true today as it ever was:
scubacuda writes
"Recently, however, Class II "Warhol attacks"--such as the SQL Slammer worm that make themselves famous in 15 minutes--have emerged."
If they were really Warhol attacks, they'd be crappy hacks (because they'd only be famous for 15 minutes, not in 15 minutes.)
My
Limekiller
The same old story. Scare people, hype up these dangers, come up with totally unrealistic "threat" scnearios.. and then put your hand out and ask for money.
Basically what he just said, in order, was:
1. If something breaks it should be fixed quickly soon
2. If something breaks you should turn it off before it breaks any more
3. You should try to make things not break
Those three principles are done simply as a matter of common sence by your average guy riding a bicycle, and I beleive those same principles are followed by good coders and good sysadmins as pretty much the most obvious part of their job.
The only difference between his suggestion an bicyle repair is that the computer system is automated, which is done with systems already in place on networks with competant sysadmins.
The whole suggestion is both facile and bleeding obvious and I hope that nobody was impressed by it.
When Argumentum ad Hominem falls short, try Argumentum ad Matrem
One solution (as pointed to by an earlier poster) is diversity.. If people are running different OSs and different flavours then it's a bit harder for somebody to take total control. I wouldn't even suggest a 100% movement away from MS (although 75% would make life a lot easier). Even the heavily audited OpenBSD has managed a root compromise or two in it's history, and it only takes one zero-day bug to bring down a whole system.
For those people running MS, yes -- you definitely need help. That having been said, I would still suggest some diversity there... Not all machines should be running Semantic. There should be at least a few running other AntiVirus products (like AVG). That way if Semantic misses something, there's still a possibility that one of the other virus checkers in a company will catch the bug (and enable faster recovery). It would also provide some hope of survival in the case of a symantec takeover like I mentioned in the first paragraph.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Most admins with any security background know that the right answer is DEFAULT DENY.
When is the mainsteam going to wake up?
It seems to me that's exactly what they're doing.
No not making the worm, but going to address the UN about these three classes of attacks. Who came up with these classes and the names? I would be surprised to find out it was anyone other than Symantec, I've never heard of them before.
In particular this supposed "Class I flash attack" which sounds right out of your favorite cold war B-Movie, Clyde is warning of well funded squads of uber hackers funded by national agencies. He is just pandering towards current international paranoia regarding terrorism.
It's even better than creating the attacks themselves (since you run the risk of gettin caught), creating attackers that don't even exist! (yet?)
Speculation and cyber fantasy aside, everyone who lets loose worms or viruses to my knowledge generally turns out to be people with no backing and no real agenda. Has there ever been evidence of international players being caught with their hand in the cookie jar funding any kind of worm or virus or ddos attack?
And really, if you were to effectively prevent this kind of attack by deploying systems widely, wouldn't these super hackers simply launch an attack when they had found an effective way around these measures?
I think it's more likely that frequent update systems would keep out the lowest common denominator attacks, script kiddies and common worms.
Don't get me wrong i think there are big issues with how software comes configured and how security holes are dealt with, and i think it is for the good of the internet as a whole organism that these be addressed, and one of them may very well be very quick automated updating of network facing software.
But it pisses me off to see someone from what i would consider a shady industry (virus protection) addressing people at the UN about these future terrorist hacker squads or whatever, essentially fear mongering to sell software. All on the backs of a great tragedy that had nothing to do with any of this.
"It will not be long before well-funded teams of hackers sponsored by countries or other organizations begin to create Flash attacks that can be launched in seconds,"
But that's just me...maybe people do want more 'windows update'-like systems so they can get back to their game of tetris.
-davidu
# Hack the planet, it's important.
I'm not sure I see how this necessarily follows. Certainly it is possible, and part of security is taking into account what can be done, but I don't know how you would assume it at all likely. If I had to name the biggest security threat right now (in my humble opinion, that is) I'd be far less concerned about groups of well-funded hackers (funded by who? Terrorists? Saddam? Commie subversives?) than I would about DDoS attacks launched by some bored teen-ager (something a little more television should cure, at any rate).
DDoS attacks are very difficult to stop so long as plenty of unsecured home computers are available on broadband connections. All the host-based security in the world by the victim is virtually useless if he hasn't the bandwidth to resist the attack.
Meanwhile, where are these groups of well-funded attackers, and what motivation have they? DDoS attacks are individual events; they do not propogate themselves across the internet the way SQL Slammer did. Each is of course its own sort of risk, and the effects of worms such as Slammer are similar, creating DoS attacks by attempting to propogate so fast. But I just don't see what connection more and more aggresive worms have to do with groups of organized, well funded hackers acting for international terrorists or the like (a concern repeatedly brough up by the US Cybersecurity Czar). This sounds, in some respects, like Clyde is reiterating the same refrain, a refrain which calls for harsher crackdowns and beefing up target security when we should be holding companies with insecure code (such as MSSQL) responsible and encouraging software companies and users to beef up security not only on servers but on PCs, as well.
In regards to how much real-world damage a cyberattack can create, this is a matter of much dispute, and it seems highly unlikely that terrorist organizations will resort to such moves rather than traditional, far more terrifying and effective acts of random violence. Still, I am pleased that some interest is being taken into cybersecurity; I just hope the focus is in the right place.
I hate replying to myself and continuing to rant but i had one more thing i wanted to get off my chest.
Talk to any number of "in the know" types in the public or private sectors and one of their number one suggestions for personal security is to run some type zone alarm style personal firewall that allows you to manage and block outgoing communications from processes running on your computer. The reason? To combat key loggers and the like that once run and communicating virtually anonymously over the internet the entire rest of your security is blown. They have all your passwords, everything you might decide to type. The implication of this advice has always seemed clear to me, that US organizations are at least in part, using these without warrants.
Where are the trojan fingerprints for these US government developed keyloggers? Certainly you wont be finding them in Symantec's product lines.
sorry for coming off like a conspiracy theorist.
Side note: if you use Mozilla, download the autoscroll patch. When you middle-click to start the scrolling process, the Flash ads disappear. This is a very cool side-effect.
I feel fantastic, and I'm still alive.
They have such a history of screwing up everything they touch. Why should we trust them for securing ANYTHING, let alone Internet services?
You would think just about anyone over the age of 15 who has some kind of affinity for technology would have seen at least one movie depicting the kinds of problems with Symantec's solution taken to its logical conclusion. For example:
"SKYNET became self-aware at 4:01 AM on August 4th, 1997 and at 4:12 it ordered a pre-emptive nuclear strike."
When information is power, privacy is freedom.
Am I the only one that noticed the increased possibility of attacks, caused by an app running on the network waiting for "automatic" updates? Whatever method they try to use for the updates, will also be susceptible to attacks. So to me, it sounds like they want software companies to put a giant backdoor in their software, and then get paid to protect said backdoor. This sounds like Symantec watched Matrix: Reloaded, and decided that the only way to stay in business was to create a Keymaker.
C. Griffin
"Can I keep his head for a souvenir?" --Max from Sam 'N Max Freelance Police
Isn't it possible to get a Flash animation to run malicious code? I'm not sure about its destructive abilities, but I'm pretty sure you can launch a client-side denial-of-service attack using a really large Flash file with lots of extraneous links. Combine that with existing Javascript vulnerabilities and you've got one pretty good trojan. (I imagine a cache flush and a self-reload might even do the trick...)
Pet peeve: Profane people propagating perfunctory pedantry.
Who in the hell funds hackers to write viruses that attack networks? Sure, the military and intelligence agencies do it, but I really doubt that they're writing stuff like the SQL Slammer.
So what corporate SOB is funding this sort of thing?
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
Being able to develop and deploy patches is not the answer. A vendor being able to develop, test, and offer to the public (note that I say public, not just privileged customers with support contracts) a patch rapidly after a vulnerability has been researched and publically disclosed is necessary, but not sufficient. A userbase with the ability to rapidly test patches, and find vulnerable systems and patch them is necessary, but not sufficient.
They are necessary, but can never be sufficient, because there is always a threat that the bad guys will find a vulnerability before the vendor and the users even have an inkling of its existence. We need systems that are hardened so that they aren't likely to have anything that can be so easily compromised. Most of the automated worms out there have spread because systems were running services that the user didn't really want to run or even know were running, or those services were running extensions and modules that users only rarely need, or client software had default settings to execute arbitrary code from perfect strangers unprompted, yet another feature that users rarely need or are even aware of. If a feature is more likely to be used as a vector for a worm than by the user base, maybe, just maybe, it shouldn't be turned on.
A Warhol worm, or what Symantec wants to call a flash attack, cannot effectively be responded to. We need proactive security, or we've already lost.
Luckily, most OS vendors are getting there. Major linux distributions install by default with host-based firewalls blocking incoming connections. Even Microsoft is improving somewhat with Windows 2003's default security, although we'll just see whether Microsoft offsets their gains by more losses with new "features."
Having an heterogenous network is not such a straightforward solution as you put it. With the number of protocols still using cleartext passwords, and the tendency of users to use the same password in many places, a simple packet sniffer can take a cracker pretty far inside your network. The bottom line is: cracking a single box is often enough to compromise the security of a whole network.
So having multiple OSes as you suggest just increases the number of potential security holes, making your network easier to attack, not to mention harder to maintain.
I believe that security can be better achieved by a good network design (yes, it's not just the boxes: a good network design can greatly improve security, while a bad one can be a security hole by itself!), sticking to as few OSes as possible ("secure" ones of course), patching often, educating your users, etc... Standard security practices. But one thing not to be forgotten is that computer security is always a compromise. It is how much an attacker is willing to try, versus how much you are willing to invest in preventing a security breach. There is no 100% security.
I code, therefore I am.
It's nothing more than a smear campaign by Ming the Merciless designed to break up the alliance with the Hawkmen.
Jeez, you people shouldn't believe everything you read on an internet rumors site.
Ergonomica Auctorita Illico!
The parent post is gratuitous plagiarism. See for yourself.
From Bruce Schneier's February 15 Crypto-Gram:
"But there's an interesting Microsoft twist. During the days of the attack, Microsoft tried to deflect any blame by claiming that they issued a patch for the vulnerability six months previously, and that the only affected companies were the ones who didn't keep their patches up to date. A couple of days later, news leaked that Microsoft's own network was hit pretty badly by the worm because they didn't patch their own network."
From the parent:
"There's an interesting Microsoft twist to the recent Sapphire Worm, aka SQL Slammer. During the days of the attack, Microsoft tried to deflect any blame by claiming that they issued a patch for the vulnerability six months previously, and that the only affected companies were the ones who didn't keep their patches up to date. A couple of days later, news leaked that Microsoft's own network was hit pretty badly by the worm because they didn't patch their own network."
From Crypto-Gram:
"For a couple of years now I've been saying that the idea that we can achieve network security by finding and patching vulnerabilities in the field is fatally flawed. I don't blame Microsoft sysadmins for not having their patches up to date -- no one does -- but I don't like the hypocrisy out of the company.
The SQL Slammer worm also reopened the full disclosure debate. Microsoft announced the vulnerability in July 2002, at the same time they released the patch. A few days later, David Litchfield published exploit code that demonstrated how the vulnerability could be used to break into systems. January's SQL Slammer worm used that exact code. Some point to that and say that Litchfield should not have released the code, while others correctly say that the code wasn't hard to write, and that the worm author could have easily written it himself.
An amusing, but irrelevent, incident: A week after the worm, I was invited to speak about it live on CNN. The program was eventually preempted by the Columbia tragedy, but not before the CNN producers invited Microsoft to appear on the segment with me. Microsoft's spokesman -- I don't know who -- said that the company was unwilling to appear on CNN with me. They were willing to appear before me, they were willing to appear after me, but they were not willing to appear with me. Seems that it is official Microsoft corporate policy not to be seen in public with Bruce Schneier."
From the parent:
"The idea that we can achieve network security by finding and patching vulnerabilities in the field is fatally flawed. I've been saying this for a couple of years now. I don't blame Microsoft sysadmins for not having their patches up to date -- no one does -- but I don't like the hypocrisy out of the company. The answer lies in software programmers creating secure code.
The SQL Slammer worm also reopened the full disclosure debate. Microsoft announced the vulnerability in July 2002, at the same time they released the patch. A few days later, David Litchfield published exploit code that demonstrated how the vulnerability could be used to break into systems. January's SQL Slammer worm used that exact code. Some point to that and say that Litchfield should not have released the code, while others correctly say that the code wasn't hard to write, and that the worm author could have easily written it himself.
An amusing, but irrelevent, incident: A week after the worm, I was invited to speak about it live on CNN. The program was eventually preempted by the Columbia tragedy, but not before the CNN producers invited Microsoft to appear on the segment with me. Microsoft's spokesman -- I don't know who -- said that the company was unwilling to appear on CNN with me. They were willing to appear before me, they were willing to appear after me, but they were not willing to appear with me."
Clyde predicts that groups of well-funded hackers working in concert will be able to launch Class I "Flash attacks."
Or if you're not so well-funded you achieve the same effect by linking a site on Slashdot.
and i have to say, some of the people who have responded and been modded up have been along the lines of "well-funded groups of hackers, please!"
"somebody is crying wolf to stir up business obviously!"
holier than thou, no corporate geek is smarter than me false sense of security is just as dangerous as false alarmism, no?
no, i am not a symantec drone, but during the may day week after the hainan island spy plane incident a few years back, didn't some rather organized attacks and counterattacks occur between american and chinese hackers feeling a little too much of their nationalistic jingoistic cojones?
i mean, if china and the us, or china and taiwan, or pakistan and india, or any other country with a well-developed technical base started seriously getting pissed off with another, you can BET the websites in each other's countries would have a SERIOUS problem
am i spreading FUD? or does my "false" alarmism insult your "false" sense of security?
go cnhonker.com if you dare
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I was once contracted to Symantec in the not-too-distant past, and this I can tell you for certain, having witnessed it on multiple occasions: Symantec in no small way creates many of the problems it then 'solves' with its software.
Here's just one example: Symantec used to offer a bounty for viruses. It's rather underpaid antivirus support staff, with access to all documented viruses as well as existing exploits in current software would, on their free time, craft viruses and then 'discover' them for the bounty. The trick was to do this through friends, often splitting the rewards, to avoid getting caught out.
Despite this, the management was well aware that its antivirus staff was creating much of the virus 'problem'. And they turned a blind eye to these activities, because it generated more business for them.
This is just one example of a number of rather reprehensible business practices I observed while working for Symantec. I found the company to be so sleazy I terminated my contract after five months, and refused to work with them again.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
It's no wonder this comes from someone at an anti-virus corporation, whose main purpose is to patch the holes left in unsecure operating systems. Now, if he had suggested the correct solution, making the systems at least somewhat resilient to attacks in the first place, he would also suggest that his company shouldn't really need to exist, making shareholders unhappy.
I can't imagine a worse nightmare than having to rely on insecure systems going through automated updates with a frequency as low as 15 minutes. Do you think all those patches are going to work? That they are actually tested? That they don't create as many new holes as they tighten? That they don't change your carefully tuned setup which wasn't vulnerable for what the patches are supposed to fix anyway?
Please give me some design and forethought instead...
Why don't we start writing more responsible fucking code? I think that if as much time and effort were spent doing security evaluation of commercial software development as goes toward finding the most underpaid programmers the developing world has to offer, we wouldn't be asking underpaid adminstrators to automate patching.
While I agree in principle, the idea of ensuring more responsible code could also be used to support regulation of programmers in a similar fashion to the way some states regulate engineers.
And it doesn't even need to be a hacker. What if your government becomes interested in all your activities? I'm sure TIA gets a lot easier if you can install backdoors on demand on all computers.
What happens if such a patch breaks something? Instead of a few machines breaking, you could break machines all over the world before anyone can get the word out.
Symantec tried to profit from the Slammer worm, by suggesting that they were the only company that was able to warn their clients beforehand. I've seen one of their later alerts, and even as their customer networks were in flames, they suggested filtering traffic towards MS SQL host, and not from them. The latter would have been necessary to protect your network infrastructure from the traffic (and impossible in most networks).
Maybe Symantec employs a few smart people, but the company as a whole acts if it were a bunch of incompetent, parasitic morons. Symantec's predictions related network security could be true, of course, but keep in mind that this company has a strong business interest in an insecure Internet.
I have never liked virusscan vendors, they call their product "antivirus software", but it hasn`t changed one bit since the dos days when they where just tools to find which of the 100 files on your hd where infected with one of the 10 or so viruses in the wild. They dont offer any protection against the holes in all the new services and features in operating systems and applications. They only offer help cleaning up known mallware (except for mallware from people that can sue symantec for interfering with their business: spreading spyware)
Clyde: The attacks are increasing in frequency and in complexity," noted Clyde. "And the bar to becoming an attacker is being lowered because the tools are getting more sophisticated. Someone can now learn to use the tools effectively in weeks to months rather than years."
With the Antivirus vendors the attack frequency is always going up ;-) I believe them on that one though. But the complexity? Nothing as complex as nimbda for months now. "the tools" in my view where asambler compilers in the old days, and are C/C++ compilers these days... I hardly think this mathers that much, and if it did, why didn`t we see more C viruses in the dos days? (visual basic has a harder time abusing vulanerabilities, and therefore is unlikely to be used in real worms)
Clyde: The eventual rise of Flash attacks means that the industry will have to take a more proactive approach to security because the attacks will happen faster than humans can respond, Clyde said. "The vulnerability threat window is shrinking and in theory could become zero. We used to have six months between when a vulnerability was discovered to come up with a patch before somebody exploited it. But for Code Red, the time was only 28 days."
A proactive aproach? well I guess the "sitting around eating pie" option is definantly out of the windows then? The vulnarability window for me goes from the moment the faulty code is compiled to the moments every single user is running patched code, everywhere... Getting this window to zero could prove difficould but I am sure mister Clyde will be offering a product that reduces the time to "virtually zero", although it wont be A product but really a service.... an expensive one. I think the six months between discovery and exploit, are six months between vendor notification and bugtraq post of exploit code, I dont think there has ever been a vulnarability so complex it would take a competent coder more then hours to build something exploiting the hole. There are many competent coders out there, not all of them post their work to bugtraq. The posted exploits are usualy posted to force vendors into patching code real fast (usualy after they apeared to be doing nothing for a while), I guess that when it comes to holes in a microsoft product used by 50% of the planet "real fast" is just shorter then the stuff that was discused in the old days on bugtraq.
Clyde: To deal with this eventuality, Clyde said patches would need to be developed more quickly and deployed continuously in an automated mode.
Fast machines with big pipes where what made code red spread fast, machines like the windowsupdate servers.... If even the open source community has problems getting software safely to the users (several cracked ftp mirrors with altered releases) then its safe to asume that big players in the software market are not gonna get the automated update system right in one try. Just think of the holes in hotmail.... sure updating services will have more attention on security, but the hotmail holes where really really pathetic and the most recent one wasn`t any more complex then the previous ones.
Clyde: Other areas that need to be worked on include adaptive management and lockdown of networks so an attack on one router is automatically recognized by all routers on the network; the ability to throttle back the throughput of suspicious packets on the network in order to limit damage; automated tools for ensuring that
Of course, Slammer had been patched 6 months prior. So a big part of this problem is that people don't apply patches.
This relates to something I've said all along:
Virus checkers don't work
Norton/Symantec/McAfee would like you to believe that $39.95/year or whatever will protect you but the truth is: these programs check against known viruses only. There is always an incubation period between the appearance of a new virus in the wild and the appearance of the update to detect and kill it. This incubation period provides a window for a real virus to do real damage.
To date, there have been no highly damaging viruses. You are lucky. Don't rely on the virus checker to protect you. Instead, look for operating systems and software having inherent immunity built into their design.
Sure, you can use the virus checkers as a secondary measure. But they won't protect you fully.