Truth About Computer Security Hysteria
CERT® missed Melissa's ultimate lesson
Rob Rosenberger, Vmyths co-founderTuesday, 6 July 1999
CERT® MISSED MELISSA'S ultimate lesson. I don't make this claim lightly.
Regrettably, they got tied up with technical minutiae when the hysteria subsided. They needed to supply reportersCongress with facts & figures about the havoc it wreaked.
Trademarking their name
and launching a publicity campaign took its toll as well on the agency. CERT® simply cannot see the forest for the trees right now. I dare say they no longer remember why they formed; they only remember how.
| Pethia told Congress his agency reacted to Melissa with lightning speed. In truth, CERT reacted years after the fact. |
They forgot why, so I'll tell you. CERT assembled in 1988 to combat an infrastructure attack. Keep this in the back of your mind for a few moments.
Right now, let's focus on CERT's failure to learn Melissa's ultimate lesson. This lengthy (and I do mean lengthy) series of quotes comes from CERT director Richard Pethia's written testimony to the U.S. House Subcommittee on Technology, 15 April 1999. Click here if you want to skip past it:
The CERT/CC also handles reports of vulnerabilities in commercial products. When we receive a vulnerability report, our vulnerability experts analyze the potential vulnerability and work with technology producers to inform them of security deficiencies in their products and to facilitate and track their response to these problems. Another source of vulnerability information comes from incident analysis. Repeated incidents of the same type often point to the existence of a vulnerability and, often, the existence of public information or automated tools for exploiting the vulnerability. To achieve long-term benefit from vulnerability analysis, we have begun to identify the underlying software engineering and system administration practices that lead to vulnerabilities and, conversely, practices that prevent vulnerabilities...I apologize for these lengthy excerpts from Pethia's testimony. I need to show this much to demonstrate how utterly CERT missed Melissa's ultimate lesson.In addition to incident response and vulnerability handling, the NSS Program focuses on security improvement and network survivability...
Macro viruses for Microsoft products appeared as early as 1995, with over 1000 variants for Word and other products by 1998. Melissa is different from other macro viruses because of the speed at which it spread...
The macro then infects the Normal.dot template file. By default, all Word documents use the Normal.dot template; thus, any newly created Word document becomes infected...
The CERT/CC included in its advisory on Melissa a list of product vendors that have provided solutions. The CERT/CC also recommended that users
Staff members worked through the night to analyze the virus, speak with other technical experts, and work with vendors on solutions...
- disable macros by default
- be cautious when operating any product when macros are enabled
- set Word to prompt the user before making any changes to the normal.dot file
- keep their antivirus software up to date
- be wary of unsolicited documents or executable programs received in electronic mail and of software that comes from untrusted sources
- notify anyone who sends them a virus; the sender might not realize they have it...
The Melissa virus represents a new level of sophistication in the progression of computer viruses. Melissa’s impact is so great because it exploits, in a very simple and clever way, the power that has been built into the flexible and expressive technologies in use on the Internet today...
Melissa achieved its impact because of the power of the software that it exploited: the macro-processor and electronic mail system. It demonstrates some of the consequences possible of using powerful software in a networked environment without also using adequate controls...
The virus carried its own source code making it relatively easy to understand. Vendors of anti-virus products, and other products such as electronic mail packages, were able to upgrade their products or create special filters that "caught" Melissa quickly...
The news media spread the story widely and provided accurate information on how to identify and eradicate the virus. Armed with good information, information technology managers and others at individual sites took steps to protect themselves and eradicate the virus if they were infected...
Future mutations, or entire new strains, could easily be much harder to detect, spread even more quickly, and cause significantly more damage...
Successfully combating these new threats will require improvements to existing capabilities as well as fundamental changes to the way technology is developed, packaged, and used...
New forms of communications must be developed that provide system operators with near real-time status on network security events with less person-to-person interaction than is required today. Incident response organizations must develop more effective ways to analyze security events and vulnerability data and to disseminate the results of the analysis to their constituents quickly. The mechanisms we have today work in units of hours and days, more time than we will have if faced with widespread, rapidly moving problems...
Technology producers must recognize that their products are being used in hostile environments and take steps to insure that their products are fit for use in those environments...
Viruses propagate and infect systems because of design choices that have been made by computer and software designers. Designs that allow the import of executable code, in one form or another, and allow the unconstrained execution of that code on the machine that received it, are the designs that are susceptible to viruses and their effects. Unconstrained execution allows code developers (e.g. macro-code developers) to take full advantage of a system’s capabilities, but does so with the side effect of making the system vulnerable to virus attack. To effectively control viruses in the long term, vendors must provide systems and software that constrain the execution of imported code, especially code that comes from unknown or not-trusted sources. Some techniques to do this have been known for decades...
Melissa represents a new form of virus that demonstrates how quickly an infection can spread across a network and hints at the kind of damage that could be done. Incident response organizations were able to limit Melissa’s damage by working effectively together to analyze the problem, synthesize solutions, and alert the community to the need to take corrective action. With possible future viruses, it may not be possible to act as quickly or effectively...
Operators must demand, and developers must produce, products that are fit for use in this environment. As new forms of attack are identified and understood, developers must change their designs to protect systems and networks from these kinds of attack...
PETHIA TOLD CONGRESS Word macro viruses made their debut "by 1995." His technical description of Melissa pegs it as yet another generic macro virus in a long line of generic macro viruses. It uses well-known infection methodologies, differing from its siblings only "because of the speed at which it spread," as Pethia put it.
| Melissa slipped past gateway antivirus packages, email backbone antivirus packages, and file-server antivirus packages. It slipped past desktop antivirus packages which bind directly to the user's email client and monitor every file the user opens in Word. |
| CERT blamed Melissa's spread on everything except this overwhelming vulnerability. |
Pethia claimed CERT analyzes historical data for critical trends. "Repeated incidents of the same type often point to the existence of a vulnerability," he explained. Pethia repeatedly acknowledged vulnerabilities in "the macro-processor and electronic mail system" — yet he specifically failed to mention antivirus software vulnerabilities. A critical trend seems obvious, doesn't it? Word macro viruses made their debut "by 1995"; they number at least "1000" unique viruses; they infected untold numbers of computers over the years; yet antivirus software on 26 March still could not detect a generic Word macro virus. This historical data comes from Pethia himself.
Pethia told Congress his agency reacted to Melissa with lightning speed. In truth, CERT reacted years after the fact.
CERT deputized the media as a last-ditch warning mechanism when they couldn't warn everybody fast enough after the fact. Pethia told Congress "the mechanisms we have today work in units of hours and days" and went on to say "it may not be possible to act as quickly or effectively" against faster-spreading generic Word macro viruses.
CERT exhibited a mental block when they recommended solutions to this problem. Pethia's exhaustive written testimony never once blamed antivirus software vulnerabilities for Melissa's spread. He never even implied we could stop viruses before the fact.
| certist: (n.) [var. of cultist] a person with devoted attachment to, or extravagant admiration for, CERT® ideologies |
Terrorists would rule the skies if airport security worked like today's antivirus security. "Well, let's see. You dress like Osama bin Laden. You spout anti-American rhetoric like Osama bin Laden. You threatened to blow up an aircraft, and I noticed a powerful bomb in your carry-on luggage. However, your passport doesn't say Osama bin Laden. Have a nice flight! Don't forget your bag."
WE KNEW HOW to detect and eradicate Melissa years before its creation. Amazingly, CERT acknowledged Word offered better protection on 26 March than popular antivirus programs. Let me repeat myself just in case you missed the irony. Word — a Microsoft product! — outperformed popular antivirus software.
Notice I said popular. Niche products can detect viruses by their profiles rather than by a unique "signature." Indeed, this methodology surfaced years before signature-based detection. Andy Hopkins, for example, wrote an on-demand profile scanner in the early 1980s called CHK4BOMB. Ross Greenberg later developed an on-access profile monitor known as Flu_Shot. Wolfgang Stiller focused on data integrity with a package called Integrity Master. The list of profile-based software goes on.
These and other products gained popularity in the earliest days of IBM PC security. Of the three I mentioned, I regret to say only Integrity Master survives today. The market for profile-based detectors dried up ... because software reviewers recommended signature-based scanning to the exclusion of all else.
That's right: journalists with no expertise told everybody to use insufficient virus detection methods.
| That's right: journalists with no expertise told everybody to use insufficient virus detection methods. |
A typical comparison review soon went something like this: "Product 'A' and Product 'B' each detected the viruses we threw at them. However, 'A' only detected them in a generic sense. 'B' identified each one by name, making it clearly superior. We give our coveted editors' choice award to Product 'B'." Publications dropped profile detectors altogether from comparison reviews by the early 1990s. Stiller now faces a brick wall of software reviewers who don't know (and sometimes don't care to know) the idea behind Integrity Master.
In an example from April of this year, PC Magazine excluded Teagam's In-Defense from an antivirus roundup. Reviewer Larry Seltzer at least discussed In-Defense in a sidebar story, yet he made profiling sound like an emerging new concept. "We'd all welcome an antivirus program that never needed updating," Seltzer mused, "but PCs still aren't smart enough to recognize computer viruses accurately without a cheat sheet. We recommend you stick with the tried-and-true approach."
We probably will label profile-based methodologies as an "emerging," if not new, concept. Research stalled out eight years ago and needs a kick-start to overcome pervasive media ignorance.
McAfee bailed out of the industry with a golden parachute when his publicity machine self-destructed ... but by then computer users cared only for signature scanners. These users went on to staff new computer security positions where they wielded monetary influence. Antivirus firms focused on signature scanning just to remain competitive.
VENDORS DIDN'T MIND the shift to signature-based methodologies, though. Profile detectors suffer from an "out of sight, out of mind" problem — you set 'em and forget about 'em until a new type of threat comes along. Signature detectors, by contrast, require an update for every new threat. Users end up like drug addicts waiting to score their next antivirus fix. Some firms pander to corporate addictions: they offer software for a song because it generates lucrative support contracts.
| Terrorists would rule the skies if airport security worked like today's antivirus security. |
Some popular packages do offer limited profile detection if you change a few settings. Trust me: vendors will go out of their way to show it to any reporter who asks. You'll hear them call it something like "heuristics" or perhaps "digital immune system" (IBM's after-the-fact signature update methodology). Vendors will market it aggressively in the very near future ... but not for the reasons you might think.
It all comes down to the bottom line. It costs money to analyze every single virus, yet only a few viruses these days receive enough media attention to {ahem} pay for themselves. Phone/email support crews get bogged down with users who need help every time an update hits the streets. Web-based virus knowledge databases need constant updating, too.
Many vendors also suffer from the problem of "diminishing processor returns." It takes a lot of CPU time to scan a Word file for every macro virus ever written. It gets worse if you scan the same Word file every time you open it. Users at many Fortune companies use old, slow PCs — and they disable antivirus utilities just to get some work done. This can translate into a weird bargaining chip: "we don't see a need for 17,000 licenses when only 3,500 employees regularly use it..."
Antivirus firms believe profile methodologies will improve their bottom line. Users will benefit when we discard unprofitable aspects of signature-based detection. The media will make vendors look like heroes when we get the second half of the technology we need. Everybody wins.
AS I MENTIONED earlier, CERT formed in 1988 to combat an infrastructure attack. Let's fast-forward to 1999. Many users didn't know Melissa infected their PCs until a bleary-eyed technician lunged out of an elevator. This little Borg queen assimilated computers, all right: her drones swamped email infrastructures, 50 addressees at a time. You'll notice I said 50 addressees, not 50 emails. Vitally important. (We'll cover it in a minute.)
GartnerGroup analysts Helen Flynn and Arabella Hallawell seemed to strike a bullseye in a 29 March "First Take" on Melissa: "as this incident highlights, virus management is highly reactive." They then fell right into CERT's tar pit by calling for "good incident response processes. In this instance, enterprises should install signature updates to software immediately" after the fact. GartnerGroup, like CERT, pinned Melissa's success on common network architectures with homogenous applications. They specifically slapped Microsoft products: "the virus' success demonstrates a negative effect of global homogeneity (in this case, widespread use of Outlook and Word)."
| Memo to Steve Ballmer: I authorize a 0.25% spot bonus for the entire computer security team. See to it. |
If a lowly intern can select "All Employees" with a single mouse click, then any given virus can select "All Employees" as well. If you alone run the powerful Foobix operating system with a Foobix email client, a super-rare Foobix virus could send an email to one addressee which ultimately lands in everybody's inbox. It doesn't take much to attack the infrastructure this way — send one email from your home account to "allemployees@example.com" if you don't believe me.
It doesn't matter what operating system you run or what email client you prefer. WinNT, Outlook, Word? Their commonality comes in second. The infrastructure itself is the true "common" threat. We designed the Internet to link diverse network architectures so they could communicate with each other after a nuclear holocaust, remember?
Yes yes yes, common applications like Microsoft Word let a virus execute on all the more computers. Guess what? Java or Linux or whatever comes next will create even more homogeneity at the session, presentation, and application layers. "Sure, Rob, but we'll sacrifice flexibility & functionality for safety when VaporOS v1.0 debuts." Ah, of course. Will VaporOS v1.1 downgrade its security specs like Java v1.1 did?
Let's return to our super-rare Foobix virus. It must first reach your computer before it can ever hope to assimilate it. Viruses like Melissa reach more computers than ever, more quickly than ever, because we made the lower layers ubiquitous. Don't blame Microsoft for a cable snaking out of your box.
| Remember when Good Times surfaced? A lowly intern can still cripple your network with a single mouse click ... yet CERT hailed Melissa as an email "wake-up call." |
DOES "EMAIL INFRASTRUCTURE attack" sound like a new concept? Think again. Well-meaning users started crashing email servers when the Good Times hoax alert surfaced. Crashes continue to occur years later with a single mouse click ... yet CERT hailed Melissa as an email "wake-up call." It sounds to me like they just woke up.
CERT formed eleven years ago to combat an infrastructure attack. They focused their attention on an electron flood, not a small piece of software executing on a few thousand computers. When the din subsided, they recommended infrastructure changes to prevent similar attacks.
Eleven years later, CERT missed the ultimate lesson when they zoomed in on a small piece of macro code instead of a gaping antivirus vulnerability. They simply cannot see the forest for the trees right now.
Rest assured: CERT's PR department will pooh-pooh my opinions. They'll point to different sections of Pethia's testimony in an effort to save face. "Look here, it says 'Melissa achieved its impact because of the power of the software that it exploited...' Look here too, it says 'computers and software are becoming more powerful and more interconnected...' "
A generic Word macro virus swept the planet by exploiting antivirus software vulnerabilities. It slipped past gateway antivirus packages, email backbone antivirus packages, and file-server antivirus packages. It slipped past desktop antivirus packages which bind directly to the user's email client and monitor every file the user opens in Word. Pethia never pointed out this overwhelming fact in his exhaustive written testimony.
| Memo to Richard Pethia: read this. |
Word itself — a Microsoft product! — detected and stopped generic Word macro viruses years before Melissa struck. Woody Leonhard, one of the foremost authorities on macro viruses, isn't a virus expert by trade — he made his name writing Word add-ons. My knife broke at the hilt while trying to cut through this irony.
Then again, what gives me the right to critique the world's premiere computer security agency? I'm just a self-proclaimed hobbyist industry observer trying to stop interns from sending email to "All Employees" with a single mouse click.