Slashdot Mirror
Symantec CTO on Flash Attacks
scubacuda writes "Robert Clyde, CTO of Symantec, recently warned an audience at the United Nations that there's an increasing gap between the speed at which attacks are being launched and the industry's ability to respond. Most attacks on Web sites are classified as Class III threats because they tend to take several hours/days to execute. Recently, however, Class II "Warhol attacks"--such as the SQL Slammer worm that make themselves famous in 15 minutes--have emerged. Before long, Clyde predicts that groups of well-funded hackers working in concert will be able to launch Class I "Flash attacks." To combat this, Clyde says that patches would need to be developed more quickly and deployed continuously in an automated mode. Admins would need better ways of locking down networks so an attack on one router is automatically recognized by all routers on the network; throttling back the throughput of suspicious packets on the network in order to limit damage; automating tools for ensuring that all network clients are compliant with security policies; and creating Web services technologies that do not interfere with application performance."
I thought that already was happening every time I go to a site with flash banners. Flash Attack. Yes, that name fits quite nicely.
and Symantec has just the product to sort all this out?
Alex
How about launching that money into developing more attack-resistant public network structure? Or working on improvements in server software?
I'm feeling uncomfortable with execs trying to stir up public funding for their non-public industry.
To combat this, Clyde says that patches would need to be developed more quickly and deployed continuously in an automated mode
You mean like Windows Update?
Now I'm just a humble corporate drone but wasn't Slammer doubling in size every 8 or 9 seconds simply by spreading as fast as the internet would let it?
How in the world are these "flash attacks" supposed to attack the entire internet in seconds? Launch from multiple points at once? Go faster than light?
Monoculture is bad.
Diversity is the only way out of this, long term. The idea of having only one codebase for 95% of the computers in the world is insane. The long term fix is to actively encourage alternative platforms, and multiple competing versions of software that aren't clones.
A hetrogeneous network is going to be much more resilient, though this is a tradeoff from efficiency. As with the original design of the internet (packetizing data instead of streams), the tradeoff more than pays for itself in the long run.
--Mike--
Symantec has a long history of trying (and somtimes succeeding) to create panic in the realm of computer security.
Usually it is accompanied by a round of advertisement telling you how (through the use of their products) you can protect yourself.
I am all for computer security, and no doubt there are many pitfalls yet to come, but staffing enough programmers to instantly respond to what they term a "flash attack" would make Microsoft look like small potatoes. I guess during all of that free time between attacks they can rewrite MSxxx to close those bugs MS can't get around to (in six years or more)
On the other hand, look for rising stock prices as Macromedia sues Semantic for defamation and misuse of their branded media player.
scubacuda writes
"Recently, however, Class II "Warhol attacks"--such as the SQL Slammer worm that make themselves famous in 15 minutes--have emerged."
If they were really Warhol attacks, they'd be crappy hacks (because they'd only be famous for 15 minutes, not in 15 minutes.)
My
Limekiller
Basically what he just said, in order, was:
1. If something breaks it should be fixed quickly soon
2. If something breaks you should turn it off before it breaks any more
3. You should try to make things not break
Those three principles are done simply as a matter of common sence by your average guy riding a bicycle, and I beleive those same principles are followed by good coders and good sysadmins as pretty much the most obvious part of their job.
The only difference between his suggestion an bicyle repair is that the computer system is automated, which is done with systems already in place on networks with competant sysadmins.
The whole suggestion is both facile and bleeding obvious and I hope that nobody was impressed by it.
When Argumentum ad Hominem falls short, try Argumentum ad Matrem
One solution (as pointed to by an earlier poster) is diversity.. If people are running different OSs and different flavours then it's a bit harder for somebody to take total control. I wouldn't even suggest a 100% movement away from MS (although 75% would make life a lot easier). Even the heavily audited OpenBSD has managed a root compromise or two in it's history, and it only takes one zero-day bug to bring down a whole system.
For those people running MS, yes -- you definitely need help. That having been said, I would still suggest some diversity there... Not all machines should be running Semantic. There should be at least a few running other AntiVirus products (like AVG). That way if Semantic misses something, there's still a possibility that one of the other virus checkers in a company will catch the bug (and enable faster recovery). It would also provide some hope of survival in the case of a symantec takeover like I mentioned in the first paragraph.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Most admins with any security background know that the right answer is DEFAULT DENY.
When is the mainsteam going to wake up?
It seems to me that's exactly what they're doing.
No not making the worm, but going to address the UN about these three classes of attacks. Who came up with these classes and the names? I would be surprised to find out it was anyone other than Symantec, I've never heard of them before.
In particular this supposed "Class I flash attack" which sounds right out of your favorite cold war B-Movie, Clyde is warning of well funded squads of uber hackers funded by national agencies. He is just pandering towards current international paranoia regarding terrorism.
It's even better than creating the attacks themselves (since you run the risk of gettin caught), creating attackers that don't even exist! (yet?)
Speculation and cyber fantasy aside, everyone who lets loose worms or viruses to my knowledge generally turns out to be people with no backing and no real agenda. Has there ever been evidence of international players being caught with their hand in the cookie jar funding any kind of worm or virus or ddos attack?
And really, if you were to effectively prevent this kind of attack by deploying systems widely, wouldn't these super hackers simply launch an attack when they had found an effective way around these measures?
I think it's more likely that frequent update systems would keep out the lowest common denominator attacks, script kiddies and common worms.
Don't get me wrong i think there are big issues with how software comes configured and how security holes are dealt with, and i think it is for the good of the internet as a whole organism that these be addressed, and one of them may very well be very quick automated updating of network facing software.
But it pisses me off to see someone from what i would consider a shady industry (virus protection) addressing people at the UN about these future terrorist hacker squads or whatever, essentially fear mongering to sell software. All on the backs of a great tragedy that had nothing to do with any of this.
"It will not be long before well-funded teams of hackers sponsored by countries or other organizations begin to create Flash attacks that can be launched in seconds,"
But that's just me...maybe people do want more 'windows update'-like systems so they can get back to their game of tetris.
-davidu
# Hack the planet, it's important.
I'm not sure I see how this necessarily follows. Certainly it is possible, and part of security is taking into account what can be done, but I don't know how you would assume it at all likely. If I had to name the biggest security threat right now (in my humble opinion, that is) I'd be far less concerned about groups of well-funded hackers (funded by who? Terrorists? Saddam? Commie subversives?) than I would about DDoS attacks launched by some bored teen-ager (something a little more television should cure, at any rate).
DDoS attacks are very difficult to stop so long as plenty of unsecured home computers are available on broadband connections. All the host-based security in the world by the victim is virtually useless if he hasn't the bandwidth to resist the attack.
Meanwhile, where are these groups of well-funded attackers, and what motivation have they? DDoS attacks are individual events; they do not propogate themselves across the internet the way SQL Slammer did. Each is of course its own sort of risk, and the effects of worms such as Slammer are similar, creating DoS attacks by attempting to propogate so fast. But I just don't see what connection more and more aggresive worms have to do with groups of organized, well funded hackers acting for international terrorists or the like (a concern repeatedly brough up by the US Cybersecurity Czar). This sounds, in some respects, like Clyde is reiterating the same refrain, a refrain which calls for harsher crackdowns and beefing up target security when we should be holding companies with insecure code (such as MSSQL) responsible and encouraging software companies and users to beef up security not only on servers but on PCs, as well.
In regards to how much real-world damage a cyberattack can create, this is a matter of much dispute, and it seems highly unlikely that terrorist organizations will resort to such moves rather than traditional, far more terrifying and effective acts of random violence. Still, I am pleased that some interest is being taken into cybersecurity; I just hope the focus is in the right place.
I hate replying to myself and continuing to rant but i had one more thing i wanted to get off my chest.
Talk to any number of "in the know" types in the public or private sectors and one of their number one suggestions for personal security is to run some type zone alarm style personal firewall that allows you to manage and block outgoing communications from processes running on your computer. The reason? To combat key loggers and the like that once run and communicating virtually anonymously over the internet the entire rest of your security is blown. They have all your passwords, everything you might decide to type. The implication of this advice has always seemed clear to me, that US organizations are at least in part, using these without warrants.
Where are the trojan fingerprints for these US government developed keyloggers? Certainly you wont be finding them in Symantec's product lines.
sorry for coming off like a conspiracy theorist.
"Deterrence is the key; but deterrence requires that the deterrent be swift, highly visible, and certain. Unfortunately, the wheels of justice are too damned slow."
That's stupid -- what you want is impossible. Suppose the attacker is in country A and and the victims of the attack are in country B. How are country B's authorities going to bring the attacker to justice if he isn't even within their jurisdiction? Furthermore, identifying the attacker might not be possible at all. Suppose that the attacker uses a publicly accessible computer located in a coffee shop or a public library to release the virus or worm or whatever he comes up with? More realistically, what if the attacker uses his own computer, connected to the Internet by way of an unsecured wireless network? If there's no paper trail, then the authorities can't determine who launched the attack. As you can see, tougher laws are not sufficient to deter attacks since, due to the decentralized and anonymous nature of the Internet, it's so easy to avoid detection.
Steve
Being able to develop and deploy patches is not the answer. A vendor being able to develop, test, and offer to the public (note that I say public, not just privileged customers with support contracts) a patch rapidly after a vulnerability has been researched and publically disclosed is necessary, but not sufficient. A userbase with the ability to rapidly test patches, and find vulnerable systems and patch them is necessary, but not sufficient.
They are necessary, but can never be sufficient, because there is always a threat that the bad guys will find a vulnerability before the vendor and the users even have an inkling of its existence. We need systems that are hardened so that they aren't likely to have anything that can be so easily compromised. Most of the automated worms out there have spread because systems were running services that the user didn't really want to run or even know were running, or those services were running extensions and modules that users only rarely need, or client software had default settings to execute arbitrary code from perfect strangers unprompted, yet another feature that users rarely need or are even aware of. If a feature is more likely to be used as a vector for a worm than by the user base, maybe, just maybe, it shouldn't be turned on.
A Warhol worm, or what Symantec wants to call a flash attack, cannot effectively be responded to. We need proactive security, or we've already lost.
Luckily, most OS vendors are getting there. Major linux distributions install by default with host-based firewalls blocking incoming connections. Even Microsoft is improving somewhat with Windows 2003's default security, although we'll just see whether Microsoft offsets their gains by more losses with new "features."
It's nothing more than a smear campaign by Ming the Merciless designed to break up the alliance with the Hawkmen.
Jeez, you people shouldn't believe everything you read on an internet rumors site.
Ergonomica Auctorita Illico!
and i have to say, some of the people who have responded and been modded up have been along the lines of "well-funded groups of hackers, please!"
"somebody is crying wolf to stir up business obviously!"
holier than thou, no corporate geek is smarter than me false sense of security is just as dangerous as false alarmism, no?
no, i am not a symantec drone, but during the may day week after the hainan island spy plane incident a few years back, didn't some rather organized attacks and counterattacks occur between american and chinese hackers feeling a little too much of their nationalistic jingoistic cojones?
i mean, if china and the us, or china and taiwan, or pakistan and india, or any other country with a well-developed technical base started seriously getting pissed off with another, you can BET the websites in each other's countries would have a SERIOUS problem
am i spreading FUD? or does my "false" alarmism insult your "false" sense of security?
go cnhonker.com if you dare
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I was once contracted to Symantec in the not-too-distant past, and this I can tell you for certain, having witnessed it on multiple occasions: Symantec in no small way creates many of the problems it then 'solves' with its software.
Here's just one example: Symantec used to offer a bounty for viruses. It's rather underpaid antivirus support staff, with access to all documented viruses as well as existing exploits in current software would, on their free time, craft viruses and then 'discover' them for the bounty. The trick was to do this through friends, often splitting the rewards, to avoid getting caught out.
Despite this, the management was well aware that its antivirus staff was creating much of the virus 'problem'. And they turned a blind eye to these activities, because it generated more business for them.
This is just one example of a number of rather reprehensible business practices I observed while working for Symantec. I found the company to be so sleazy I terminated my contract after five months, and refused to work with them again.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
And it doesn't even need to be a hacker. What if your government becomes interested in all your activities? I'm sure TIA gets a lot easier if you can install backdoors on demand on all computers.
What happens if such a patch breaks something? Instead of a few machines breaking, you could break machines all over the world before anyone can get the word out.
Symantec tried to profit from the Slammer worm, by suggesting that they were the only company that was able to warn their clients beforehand. I've seen one of their later alerts, and even as their customer networks were in flames, they suggested filtering traffic towards MS SQL host, and not from them. The latter would have been necessary to protect your network infrastructure from the traffic (and impossible in most networks).
Maybe Symantec employs a few smart people, but the company as a whole acts if it were a bunch of incompetent, parasitic morons. Symantec's predictions related network security could be true, of course, but keep in mind that this company has a strong business interest in an insecure Internet.
I have never liked virusscan vendors, they call their product "antivirus software", but it hasn`t changed one bit since the dos days when they where just tools to find which of the 100 files on your hd where infected with one of the 10 or so viruses in the wild. They dont offer any protection against the holes in all the new services and features in operating systems and applications. They only offer help cleaning up known mallware (except for mallware from people that can sue symantec for interfering with their business: spreading spyware)
Clyde: The attacks are increasing in frequency and in complexity," noted Clyde. "And the bar to becoming an attacker is being lowered because the tools are getting more sophisticated. Someone can now learn to use the tools effectively in weeks to months rather than years."
With the Antivirus vendors the attack frequency is always going up ;-) I believe them on that one though. But the complexity? Nothing as complex as nimbda for months now. "the tools" in my view where asambler compilers in the old days, and are C/C++ compilers these days... I hardly think this mathers that much, and if it did, why didn`t we see more C viruses in the dos days? (visual basic has a harder time abusing vulanerabilities, and therefore is unlikely to be used in real worms)
Clyde: The eventual rise of Flash attacks means that the industry will have to take a more proactive approach to security because the attacks will happen faster than humans can respond, Clyde said. "The vulnerability threat window is shrinking and in theory could become zero. We used to have six months between when a vulnerability was discovered to come up with a patch before somebody exploited it. But for Code Red, the time was only 28 days."
A proactive aproach? well I guess the "sitting around eating pie" option is definantly out of the windows then? The vulnarability window for me goes from the moment the faulty code is compiled to the moments every single user is running patched code, everywhere... Getting this window to zero could prove difficould but I am sure mister Clyde will be offering a product that reduces the time to "virtually zero", although it wont be A product but really a service.... an expensive one. I think the six months between discovery and exploit, are six months between vendor notification and bugtraq post of exploit code, I dont think there has ever been a vulnarability so complex it would take a competent coder more then hours to build something exploiting the hole. There are many competent coders out there, not all of them post their work to bugtraq. The posted exploits are usualy posted to force vendors into patching code real fast (usualy after they apeared to be doing nothing for a while), I guess that when it comes to holes in a microsoft product used by 50% of the planet "real fast" is just shorter then the stuff that was discused in the old days on bugtraq.
Clyde: To deal with this eventuality, Clyde said patches would need to be developed more quickly and deployed continuously in an automated mode.
Fast machines with big pipes where what made code red spread fast, machines like the windowsupdate servers.... If even the open source community has problems getting software safely to the users (several cracked ftp mirrors with altered releases) then its safe to asume that big players in the software market are not gonna get the automated update system right in one try. Just think of the holes in hotmail.... sure updating services will have more attention on security, but the hotmail holes where really really pathetic and the most recent one wasn`t any more complex then the previous ones.
Clyde: Other areas that need to be worked on include adaptive management and lockdown of networks so an attack on one router is automatically recognized by all routers on the network; the ability to throttle back the throughput of suspicious packets on the network in order to limit damage; automated tools for ensuring that
Of course, Slammer had been patched 6 months prior. So a big part of this problem is that people don't apply patches.