Using Layered Defenses to Stop Internet Worms
An anonymous submitter writes "Following last week's release of security configuration guidance for Mac OS X, the National Security Agency has released a paper on Internet worms and how to stop new worms using layered defenses (pdf). A good read - your US tax dollars at work."
Hrmmm...
Do I "notify the author" (malcodeteam@nsa.gov) or just assume that Echelon will do it for me when you read this?
Trolling is a art,
Source: Outside Any
Destination: Inside Any
Block: All
"/home/grieder/WORMPAPER.pdf"? The NSA has you now, grub!!!
I'm rich.
Proud patriot and republican voter.
1 Motivation

Internet worms are perceived to be one of the primary threats to the nation's information technology infrastructure. They are a significant cause for concern from both financial and network security perspectives. According to the Worm Information Center FAQ [1], the Sobig and Blaster worms, which occurred at the same time, are estimated to have cost companies more than two billion dollars. For this paper, we studied current worm strategies and implementations and tried to determine whether the trends point to a significant worsening of the problem in the near future. Are worm technologies improving? Are worm attacks becoming more sophisticated? We were also interested in defensive technologies that can be used to combat the worm problem. Where are defensive technologies best applied? Should other technologies be developed to help defend against the worm problem? Ultimately, we would like to know whether a sophisticated attack can be prevented - could current defensive mechanisms be used to defend against future sophisticated attacks?

2 Paper Organization

Answering our questions required an understanding of current worm technology and how it is evolving. We chose to focus on the technology used by worms rather than the social engineering methods used to deploy them, for which there is no technical solution. In the Worm Technology section (sec. 4) of this paper, we devise a novel method for describing Internet worms based on characteristics they exhibit, which we call life functions. By decomposing these life functions, we derived the fundamental conditions needed for worm success, which we call its attack attributes. In the Attack Attributes section (sec. 5), we describe a system by which to classify worms. The Defensive Mechanisms and Techniques section (sec. 6) surveys the existing technologies that combat worms and other malicious code. The worm attack attributes are matched against the defenses in the Attacks vs. Defenses section (sec. 7) in a defense matrix. From this matrix, we draw conclusions about how best to detect and prevent worm attacks. We present a summary of our results in the Findings section (sec. 3) below. Finally, in the Applying Defensive Methodology section (sec. 8), we discuss how five aggressive worms would have been easily defeated using the defense-in-depth strategy that we advocate in this paper.

3.1 Defense-in-Depth

Many defensive technologies have been developed to combat the spread of Internet worms. Unfortunately, there is no single technology that protects against all types of mobile malicious code. Many enterprises rely on only a small set of protective technologies to protect their assets, such as firewalls and virus scanners. Our research suggests that a layered defensive solution would be more effective at preventing all known worm infection vectors and, potentially, many unknown ones as well. We reached this conclusion based on our study of a wide variety of Internet worms and defensive mechanisms. As part of our research, we have produced a system for describing worms and measuring whether defenses can stop them. We believe that this method captures the critical characteristics that define current worms and the characteristics that will be displayed by worms in the future. Our system demonstrates that no single defense works against all worms and that multiple layered defenses provide robust protection. Defense-in-depth security helps defend against not only worms but other network threats like Trojan horses, malicious insiders, and hackers who have guessed passwords or entered systems via flaws in network code. It bolsters security with solutions that are effective even without forward knowledge of any attack. Such security solutions scale even to zero-day attacks, which are attacks that make use of previously unknown vulnerabilities.

Reactive defenses, like signature-based virus scanners and automated patching systems, are still necessary, but they are ineffective against fast-moving worms or zero-day attacks. Worms have increasingly become "blended threats" [12]; they
Stopping Worms:
-Patch your systems.
-Use a firewall.
-Stop running web servers and other stuff.
Thank You,
Uncle Sam
1) Always run antivirus software
2) Automatically filter all emails with attachments into a separate folder
3) Only have one user/computer
4) Always virus scan software first
5) Always run a firewall
6) Always have twice as much bandwidth on the website as you need
7) Block virus/worm emails using filters
wormpaper.pif?
Damn, I was about to add some damn line breaks and edit further but hit enter on accident.....
Can (should) Slashcode be changed to implement a preview instead of submission by hitting the enter key?
I didn't know the internet had worms. maybe it needs to flush its system with some colon cleaner or wormwood.
I know I'm going to be modded up on this
1) Run linux
(and yeah, no lame joke about profit)
The system had the verbosity of HTML combined with all the readability of compiled assembly viewed as bitmap images
Heh. Such a typical government tech report. No pics, just text and tables.
The owls are not what they seem
Obviously multilayered security is a solution to many problems. A worm would have to exploit problems at multiple levels before being able to do what it wants. This would make it much harder for the average script kiddie to write a worm, and would force an excellent programmer to write a much larger program. It also has the benefit of stopping worm variations by applying a security fix at any one of the security levels, since it's unlikely for that complex a worm to include multiple attacks for every level.
You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
http://www.nsa.gov/snac/support/WORMPAPER.pdf.exe
But it is good to see the government is adopting some standards that are actually useful. but who wants to guess how much this cost them and how much it should have really cost?
Obviously this is aimed at the average American, as all the IT people and geeks out there already know this. But tell me, what average user is actually going to take the time to read this?
I know you guys/gals will see this, so thanks!
It's cool that an agency with the world's best IT infrastructure has the gumption to spend its tax money and help bring the industry forward to solve practical problems.
Tragically none of the other government agencies will read your paper and the next worm will take down a half dozen of them...
Oh yeah, while we're at it, we'd like to apologize for Jake 2.0...
Yes Francis, the world has gone crazy.
I wish they could just come out and clearly advocate diversity among OSes. The biggest threat IMO is the ubiquity of holes, not severity.
In my perfect world they would advocate open standards and address the flaws in the system not just individual "patients." As these plagues come and go, if we all have the same immune systems, our collective odds are not good.
I am glad they are putting good info out there. I guess I am hoping that in each case they identify the larger problem so we can all keep our eye on the ball.
Who is General Failure, and why is he reading my hard disk?
Does anyone else find it pretty cool that this battle is NSA vs script kiddies? I mean, a $2B a year cost is equivalent to a small terrorist attack; this is a big problem. I'm glad to see people from all walks of life attempting to combat the little punks.
Um...
Hmm... Nevermind.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
...and I'm still upset I haven't gotten to read the OSX paper ;)
Here's a mirror. Don't hammer too hard, k?
http://seraphim.ecsis.net/~gregday/WORMPAPER.pdf
Now this is strange: the document seems to be written more toward Microsoft users. However, worms exist on every platform.
server platform 50% nix, 50% Microsoft.
things that make you go 'hmmmmm'.
Disclaimer = user base 9x.0 % Microsoft. Could this be a part of the problem? Nope.
we're all screwed now...
Pay no attention to that man behind the curtain.
Following strings direct from report!
Information Assurance Directorate
Worm Information Center
life functions
attack attributes
worm technology
defense matrix
Applied Defensive Methodology
defense-in-depth strategy
layered defense solution
worm infection vectors
zero day tactics
blended threats
worm life cycle
infection life function
operator induced amnesia
tortoise mustard
knick knack paddy whack
worm analysis (tell me how being a worm makes you FEEL)
ad nauseam
Now I'm the grandest Tiger in the Jungle!
They never seem to stay the same. They take advantage of things that no one previously thought of, which is why they are so damaging. Defense in depth is great and all, but the next killer worm will probably blow through all of it...
... why is there a picture of a caterpillar?
Anyone else think they made the worms seem a bit too alive in the paper?
A little creepy.
I wish they could just come out and clearly advocate diversity among OSes. The biggest threat IMO is the ubiquity of holes, not severity.
Following the diversity mantra would require me to install Windows on some servers and run IIS. I doubt that this increases security of my systems, especially because I don't know much about Windows server administration.
There is a regular discussion (or flame war) over which operating system is more "secure": Windows, Linux, the BSDs, Mac OS X, or whatever. Anyone with a bit of understanding knows that there's no answer to that discussion, except if you ask which one is easiest to secure, and even then you have to ask who the securer is and what tasks will be performed. But that's not what I want to talk about.
Telling less experienced users that a particular OS is "secure" leads them to think they don't need to be vigilant. Same thing with telling them a firewall will solve their worm problems, or that as long as they keep up with patches they're safe from attacks. All of these are important, but no single one of them is a panacea.
I didn't RTFPDF, but it's common wisdom that a multi-layered approach to security is best. No individual step fixes everything, nor usually even stops all of the attacks it's designed to stop. All we do is raise the bar, and hope attackers will go elsewhere.
So don't tell me that an OS is "secure". I know there isn't such a thing. Tell me what its soft spots are, so I can layer other defenses around them. Maybe the bad guys will pass me by for a while.
sigs, as if you care.
I really don't understand that if the government spends billions of dollars a year on IT products and billions more in house fixing the holes why they don't simply create a master RFP for Microsoft clearly articulating what the security requirements are and that if they are not met they lose pieces of the bid until it is. I mean if the DoD doesn't have the clout to bash these lazy slackers in Redmond upside the head then we're all wasting our time worrying about security.
MS announced yesterday that they are seriously considering ending FREE security patches in order,
now listen real carefully -
NOT to provide better or worse security, but to wield an effective blunt object against counterfeiters.
Microsoft views YOUR security as nothing more than a convenient tool to blackmail the entire known world into paying for MS's product. It doesn't matter that you or I never actually stole any of their product - we WILL be threatened with cyber terrorism for the criminalities of other people until WE ALL cough up more money to pay.
And at the end of the day MS makes zero warranty that patches that cost real money will be any better than the FREE updates we already get.
Seriously, in other countries and in other industries this is why industries get nationalized by an irate, fed up, underserviced populace.
Following the diversity mantra would require me to install Windows on some servers
;P
If you are not running Windows you are already following the diversity mantra
Who is General Failure, and why is he reading my hard disk?
So, when you start feeling like a worm?
Do you feel like people are always looking down on you?
Do you feel segmented and isolated from society?
Do you worry about cholesterol given you have 8 hearts?
Are you always this slimy or are you just pleased to see me?
This is the sort of stuff we really need to know because to borrow the immortal words of that famous philosopher, John Rambo "To survive worm you must become worm".
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
What truth?
There is no dupe
Jeeze man... U type like I do. :)
-=fshalor
FreeBSD and OpenBSD make damn good worm-resistant webservers too.
I, as a European, would like to thank our American friends for funding this information for the entire world
;-)
It's very nice to see that an organisation such as NSA makes this info Globally Accessible.
This is important, especially with your current president.
Of course, the US benefits from the fact that worms do not spread to the nation of freedom
So once again, thank you for knowing we exist!
PS Slashdot is America-centric !
Exercise caution when modding this message up: the author acts like a jerk when his karma is excellent.
On this topic of layered defenses:
Is it possible to use the Xen VM that was on Slashdot earlier today to run multiple OSes and use one OS on the machine as a firewall for the other?
Could you rig the setup of one so that it couldn't crash the hardware, it could at most make itself crash and reboot without the computer going with it?
From their own report, it doesn't look like it:
"It is unrealistic to assume that users will become cautious about running unknown files."
p. 6, last line of second paragraph
Even the NSA thinks ordinary people won't get smart about computer security.
Playing pornographics games during the day is evil! Play at night!
Anyone else think they made the worms seem a bit too alive in the paper?
...hold a funeral for all the old worm code once it's dead.
My.... eyes. They burn!
How many people can read hex if only you and dead people can read hex?
Well that would be a fun time wouldn't it?
Kazaa flooded by LATEST_SECERETI_PATCH.EXE with a description of "This is not a virus, honest!" and a teddy bear icon.
This is how a trojan infects someone. I don't think it should be in their list.
The USA is also an example of a country that puts the well being of a select group of individuals (and organizations) ahead of the general well being of the rest of the country. In this case the primary protected group are the ultra wealthy.
Even though some groups in the government produce reports like this, the important government policies are intended to promote the interest of business even at the expense of the rest of society. For example, why does the law allow EULA agreements that provide a massive loophole for the installation of spyware? Because the business community supports them. A click-through or "open the package" EULA is like going to a car lot and discovering that you bought a car because you opened the door. Bad for you, great for the car dealer.
When government and big business combine, capitalism dies. Microsoft is on that road, along with the communication industry and the investment sector. There are other areas where capitalism still thrives, but given the chance they will also go this route. There is a name for this political system. It's called fascism. Note that this is a descriptive term, not a curse word. It describes a specific combination of power between business and government. It has other characteristics, but for the purpose of understanding the economic issues they are not as relevant.
The short answer is to stop watching the Disney channel and start reading the newspaper, primarily the news and business sections. They don't hide it very well, it's just that almost no one notices.
Can anyone post a link to this announcement?
Can we ever have an absolute secure OS? When we raise the bar then attackers will find a way to go around it. They won't go elsewhere. The only way to solve the security problem eternally is to get rid of the attackers. That's not possible. Hence having an absolute secure system is just a day dream.
I have read better strategy guides to Starcraft...
/. no like me much anymore.
They have the same tables of attacks and defenses, but somehow they managed to keep it interesting!!!
Posted anonymous cause someone at
I actually hope that they do this!! It will be Christmas for Linux. Already WinBlows is many times more expensive than Linux. This will just make it that much more expensive. When critical Linux security issues are patched free within 1 day, and WinBlows security issues cost money and take over a year (just look at the unpatched 50 (I)nferior (E)xplorer holes), companies will migrate over to Linux in droves.
Quit playing Monopoly with Bill.
Linux - of the people, by the people, and for the people.
My point is that you need to have that kind of situation, which is a multi-layered approach.
But to answer directly, yes, they still need to be vigilant. They're still being a client, unless the box is unplugged from the network. Do I download that RPM or MSI and install it, or do I check it out first? Do I log in as root, or do I waste time with a luser account?
The user who thinks he has a "secure" OS doesn't bother with the basics, or with a virus checker, or checking the signature on a tarball.
sigs, as if you care.
After having a couple of beers, I read this as "Using Defense Lawyers to Stop Worms"... I'm still ROTFL... poor Worms!
Then again, they should already know how to do this and learn for themselves, but a dollar saved is a dollar earned. Damn worms!
Berto
I'm still looking in the Slashdot "Related links" for the best deals on worms. Might catch some fat and sassy BASS that way.
Best deals: Worms
If you're a cynic, look here:
Best deals: United States
Wonder how much it cost the RNC. (and making that video tape! Bin Laden look-alikes are real expensive these days. )
You DO understand that if a company's largest customer can't influence them then no one can, don't you? This is a real issue not some pseudotheoretical Libertarian wetdream.
"It is unrealistic to assume that users will become cautious about running unknown files."
p. 6, last line of second paragraph
Even the NSA thinks ordinary people won't get smart about computer security.
And why wouldn't they? Have you worked with these "ordinary people"?
I laugh every time the computer guys send an email out warning about not opening strange attachments, and then I stop. That's because I know A: somebody probably already did it (hence the warning) and B: the network is about to get slow.
a firewall AND patching. Not one or the other! Thanks Mr. NSA!
http://shit.slashdot.org/article.pl?sid=04/11/05/1752254
Say it with me...
http://www.nsa.gov/selinux/papers/inevitability
http://hissa.ncsl.nist.gov/rbac/paper/rbac1.html
http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.pdf
DAC is DAC is DAC.
http://www.dyadsecurity.com/papers/rbac.html
...1 thing - users. You can have a technically secure system, but add a user and it no longer is!
Of course I've worked with them. Heck, I've worked IT and tech support. But it's been a few years, and I thought maybe things could get better. I suppose I'm an optimist in that regard. I thought that eventually enough people might use computers from childhood that these security issues would be known among normal users. I suppose that's quite a ways off, even though my first experiences with computer internals were in elementary school.
Playing pornographics games during the day is evil! Play at night!