EYE ON SECURITY

The World of Secure Development.

by Kevin Carlson

February 2008


February 25, 2008

A Bad Day at Pakistan Telecom


Sometimes I think I should have been a network engineer. I love all that "belly of the internet beast" stuff—giant high-speed routers, huge data pipes, and all things close to the backbone of the Internet. But then I remember my grades from my engineering classes, and why I dropped engineering, and switched my major to English. Perhaps the engineer who broke both YouTube and the Pakistani Internet yesterday should have switched his major, too, before it was too late. I mean, I wouldn't want to be that guy right now. Would you want to be the guy who kept Pervez Musharraf from getting to his MySpace page?

It all stems, of course, from Pakistan's recent directive to its country's ISPs to block YouTube because of videos of those supposedly blasphemous Dutch cartoons. Yes, that again. Won't die, will it? In a nutshell, when someone in Pakistan modified some routing tables to direct all Pakistani traffic to YouTube into a black hole, the routing information escaped national boundaries by way of Hong Kong, and began routing worldwide YouTube traffic to that Pakistani black hole. Whoopsie. I give credit to Ars Technica for a detailed and fascinating explanation of the underlying problem.

Apparently, the problem was corrected in a couple of hours, and the consensus seems to be that it was an accident. If it was a concerted attack, or a test of attack methods, it certainly would have been a clumsy one, since it essentially resulted in a DDoS attack on the hypothetical attacker's own country. About as effective as a lit stick of dynamite strapped to a boomerang, really.

But that doesn't mean there isn't a huge vulnerability underlying this whole incident. It's conceivable that an attacking country (or other entity), if it were well prepared and didn't care all that much if innocent bystanders got cut off from the world, could use this routing vulnerability to strike at an enemy. It all depends on how desperate they are, and how willing they are to cripple the Internet as a whole. Gee, it doesn't seem too difficult to think of one or two groups who might fit that bill.

I suppose there's reason to hope that this incident will throw the spotlight back on a vulnerability that we've known about for years, but have never gotten around to fixing. That fix won't be easy, but clearly it's necessary.


Posted by Kevin Carlson at 11:02 AM


February 21, 2008

Here We Go Again: The "Good Worm" Debate


A new paper by Milan Vojnovic, Varun Gupta, Thomas Karagiannis and Christos Gkantsidis from Microsoft Research examining the best ways of propagating information across a network has resurrected the oft-discredited idea of "good" viruses spreading peace, harmony and security patches across computer networks.

I feel a bit sorry for the researchers, because in the manner of good scientists everywhere, they tried to be objective, and remove the ethical considerations of the methods they were studying, and focus simply on the technical factors involved in network propagation. The idea is to get the knowledge first, then worry about the ethical considerations. Ethical judgements without knowledge of the facts are usually bad judgements. But of course, this is a touchy subject, and anyone even hinting that there might be benefit to delivering information in what the researchers term an "epidemic style" is likely to get an earful of criticism.

Indeed, the very birth of the worm itself seems a cautionary tale. The first worm was created by John F. Shoch and Jon A. Hupp of Xerox PARC, and its initial intent was good. Depending on which sources you read, it was either intended to help implement some sort of CPU load sharing, or to install tools to measure network performance. But a bug in the program caused it to spread mayhem instead, crashing each machine it touched as it travelled around the network.

So why do people keep talking about "good" worms for delivering updates and patches? Two reasons that I can see: It saves load on a central server, and it makes much more efficient use of network bandwidth to distribute the code to all users. This becomes especially attractive for delivering security patches when you consider that traditional means of patching are necessarily much slower than the speed at which the virus propagates. There's never any hope of getting ahead of the malicious code to stop its spread. All you can do is heal infected machines after the fact, slowly hardening the network as you go.

But the two main arguments against "good" worms are pretty compelling: First, they're too risky, and second, they're too sneaky. They're too risky because a very tiny bug can turn a beneficial worm into an unintentionally malicious worm, even if all that buggy worm does is bog down a machine, or eat up endless network resources. Those flaws alone can bring down an entire network. And they're too sneaky because they have to do what they do without permission from the user if they are to propagate with any sort of efficiency. It isn't just that we feel our sense of control violated by this—it's bad design. A system that changes itself without our permission or knowledge is, for all intents and purposes, an unstable system that we can't count on.

Posted by Kevin Carlson at 02:56 PM


February 12, 2008

ID Fraud Declines


Last fall, we learned that identity fraud is more of a low-tech than a high-tech crime. Now, there's some new evidence that ID fraud is on the decline overall. A new report suggests that financial losses from identity theft dropped 12% in 2007 to $45 billion, down from $51 billion in 2006.

This is great news, but the big question is: why? The report suggests that it's a combination of consumer awareness and organizational security. In other words, whether you're a programmer working on secure data systems and practices for the enterprise, or just a consumer of those data systems, you can pat yourself on the back.

Consumers have learned more about the problem in the last year, and have gotten more vigilant in monitoring their accounts. This has led to more early detection of fraud, and limited damages. Another trend is that consumers continue to adopt online account management and forgo paper statements. As we learned last fall, it's these paper statements that are far more dangerous than online account access. Fewer paper records mean that dumpster diving becomes less profitable, and everyone is safer.

But there are some dark clouds in the survey as well. While the overall cost of ID fraud has decreased, the damages per victim have risen. This makes sense: the harder you make it to commit the crime, the fewer amateurs will be successful. That just leaves the clever crooks. So you have fewer incidents of crime, but those remaining incidents are more carefully designed frauds, and so are more effective and profitable taken individually.

The other black lining in this silver cloud is that your safety from ID fraud depends on where you live. If you live in California, Idaho, Illinois, West Virginia or Delaware, you are more likely to be a victim of ID fraud than, say, a resident of Alaska, Colorado, Louisiana or Maine.

Posted by Kevin Carlson at 12:55 PM


