The sophisticated adversary

Darl McBride, the embattled CEO of The SCO Group Inc., visited our office recently and when he showed up, his eyes were sagging. They were red-rimmed, glassy and bloodshot and, overall, he looked worn. But it wasn't because of the litigious morass he'd created by suing IBM Corp. and others over the alleged plagiarism of Unix code that his company owns--at least not directly. McBride looked haggard because of a virus called Mydoom.

The day McBride visited was the day that SCO was forced to relocate its entire website to a new URL because the viciously effective denial of service attack had completely leveled the site and, in the process, disrupted everything around it. It's sort of like 300,000 people showing up to protest one store at the mall. Other stores in the mall may not be a target but certainly they're affected.

"This is the real deal," McBride said that day, sounding somewhat surprised. It had only been hours since the company had removed its original URL from DNS servers for the next two weeks. People argue with McBride about virtually everything, but when he used the word sophisticated no fewer than three times to describe Mydoom, there was no arguing with him on that point. Mydoom was the third in a series of increasingly intelligent, targeted marquee attacks; it followed Blaster, which was aimed at Microsoft Corp., and Mimail, which was aimed at anti-spam companies.

Sophistication comes in two forms and this new generation of malware has both. First is technical sophistication. These attacks use advanced infiltration techniques and they carry complex payloads. They can capture keystrokes and can be programmed to capture keystrokes only at certain times. There is also social sophistication. Whereas once upon a time infectious code was flung out there in hopes it might stick and spread, now it's aimed at someone or something for political or criminal gain.

Asked to give some examples of the new sophistication in the wild, Graham Cluley of anti-virus company Sophos ticks off several without hesitating. There is a Trojan horse that has successfully directed its malevolence exclusively at online gaming sites, perhaps, he says, for extortion. (Give us money or we'll keep doing this.) There are Bagle and Netsky, viruses that experts believe are spreading rapidly because whoever launched them has control of tens of thousands of zombie computers, which makes it easy to kick-start the infection process.

Many virus derivatives (there is a Mimail-T, as in the twentieth variant) have added phishing to their arsenal. One pretends to be a request for personal information from the PayPal online payment vendor in order to update account settings. Another looks exactly like a Windows error box and asks the user to confirm his or her e-mail settings, which are promptly captured by the bad guys.

Another cunning virus, Dumaru-Y, Cluley adds, includes a photo attachment that, when clicked on, activates the worm. While trying to spread itself, it also has the capability to capture keystrokes during online banking sessions. Another uses graphic representations of words instead of text to display a randomly generated password the user must key in, a tool developed by the good guys and now used by phishermen.

If it weren't all so malicious, malware would be considered one of the most innovative business enterprises going. At the same time, the virus defense industry is about as innovative as a brick wall.

For example, on Sophos PLC's site, Cluley gives the following advice for defending against Dumaru, the virus that captures keystrokes during online banking sessions: "All computer users should think carefully before opening an unsolicited e-mail attachment.... Users should ensure their anti-virus is automatically updated, and ask their ISP or employer to block unwanted executable code...." Full marks to Cluley. It's the right advice. But it's also the same dull defense we relied on a year ago, three years ago, and beyond, when the attacks were comparatively artless.

The tragicomic effort to dam the flow of viruses appears to have failed. The current crop of attacks is clever beyond what today's limp defensive measures can effectively mitigate. If you thought it was painful and costly dealing with the shrapnel from the generalist attacks on the Internet, it will be exponentially worse dealing with a smart attack designed to hurt you or your partners. What's more, the attacks are improving so rapidly--mixing technical and social engineering along with spam-like distribution--that Mydoom's destructive and costly campaign against SCO will soon seem quaint.

"We need," Cluley says, "a safer Internet than the one we have."

Next time, we'll talk about how to get that and how to fundamentally shift the game away from the bad guys.

The Ineffectual Protagonists

There are only two ways to fight the Sophisticated Adversary: Regulate and sue

Last time, I wrote about "The Sophisticated Adversary," malfeasants so socially and technically superior to you that their attacks have rendered your defenses impotent. It was a dark and cloudy bit of columning. So much so, in fact, that I felt compelled to promise a silver lining. I pledged that the next column would discuss ways to "fundamentally shift the game away from the bad guys."

In retrospect, this was a foolish promise. It assumed anyone is interested in combating the information security problem for the common good, at a holistic, architectural level; I don't think that they are. It's not hard to find people who say they are interested; most of them are selling products.

Nevertheless, I spoke with the leaders of several such vendors over the past couple of months. Smart ones, like Shlomo Kramer, who invented the firewall and has now moved on to application security; Bill Harris, who took a bad experience with phishing at PayPal and turned it into an anti-phishing startup; Robert Bales, who once founded the National Computer Security Association (which became TruSecure Corp.) and is now throwing his energy into an anti-spyware venture; and Scott Charney, CSO of Microsoft.

A couple of points emerged from these conversations. One, the solution hailed by the vendors and by the current administration, namely market forces, has largely failed. And two, a holistic approach to fixing the problem isn't a likely near-term scenario. Heck, just look at the fact that all of these men got into the business of selling fixes to small slices of the problem--spyware or phishing and so forth--and not trying to sell the overarching solution.

As Scott Charney said, "The problem is, if you even think about the information security problem holistically, it can be overwhelming. We're talking about a multi-disciplinary issue."

Where does that leave us? It seems that, as things stand, there are only two ways to fundamentally shift the balance of power away from sophisticated adversaries: Regulate and sue.

Regulate: I'm not alone in this. The DHS cybersecurity task force recently deigned to suggest that in some cases, regulation would be necessary to protect critical infrastructure--a shocking statement coming from any group that includes vendors like Microsoft. Charney himself said, "I'm not as anti-regulatory as some." Of course, he's not bear-hugging regs either. Charney says that there are rules for writing good regulations and he (as someone who used to write them) seems open to the possibility of using such well-designed government strictures to improve information security. "Assume you can't create perfect security," he says. "We can at least raise the bar."

Sue: Chris Wysopal of @Stake Inc. showed me his company's entry into a new generation of application scanners. If they work as advertised (a big if), they could fundamentally improve coding. They can dig into binaries and look at flaws in context. They catch bugs during development, but they also prioritize fixes and generate executive-level reports. Wysopal was giddy about the market opportunity for his product. All I could think about were lawyers. If a reasonably easy-to-use and widely available tool like this exists, why shouldn't vendors be forced to develop to certain quality levels, or face the consequences of not doing their due diligence?

Now, proving negligence is more complicated than a simple application scan, for sure, but this is an important step. I'll bet that there are lawyers out there now setting up software negligence practices who will no doubt use such tools.

Still, regulation and litigation won't spontaneously emerge. The catalyst, according to these experts and others, will be pain. More bad stuff happening. It reminds me of what one Coast Guardsman said to me when asked how his outfit would get more funding in order to improve the state of port security. It wouldn't happen proactively, he said. It would only happen after people were made to feel insecure. Only after they were affected in a visceral way would they actually take action to fix the problem holistically.

He said: "Ships gotta sink. Stuff's gotta blow up."
