2003: THERE WAS STILL TIME
bottom & links
Computer viruses and their silly emails ("I love you") were amusing, but the SLAMMER worm worried me because it gained such easy access to databases.  I wrote this warning editorial, but could not get it published.
 


COMPLACENCY GUARDS THE INTERNET
J. I. Nelson, Ph.D.  
10 February 2003
 SUMMARY:  The biggest cost of an unbroken Microsoft monopoly is national security.  The stakes are about to rise, but as long as costs are off the books, nothing will change.

Continuing attacks on domestic Internet services show the U.S. has neither the technology nor the will to run a secure computer infrastructure.

"Slammer" stopped certain ATM machines, airline reservations, cell phones, and a newspaper trying to get out the Sunday edition.  And yet it did nothing but propagate itself to database "servers". Slammer's search for new victims clogged database access for customers trying to get cash or place reservations.  And behold!  Cash was not stolen, airline flights did not change cities, everyone in Korea got neither free minutes nor a permanently dead phone.  Slammer penetrated perhaps 250,000 databases, but neither erased them in a flash of destructive glory, nor quietly shipped a copy off to foreign shores.  In security parlance, Slammer was a 376-byte worm with no payload; a test, some say.

My concern is that attacks are about to change, and we aren't.

The Love Bug virus that told everyone in your Outlook address book how much you loved them was written by a Filipino student.  Although some users lost irreplaceable graphics files, most of the estimated $7B in damage was lost productivity from shutting systems down to clean them out. Cyber attacks run by kids for glory have not moved us to change how information technology is developed and deployed in this country.

Changes are coming, but not the ones we want.  The National Security Agency has warned that foreign governments have already developed ways to attack U.S. computer systems.  Our counterattack is Cyber-Warfare National Security Presidential Directive 16 signed secretly by President Bush last July, to make cyber attacks a normalized part of the U.S. arsenal, and to build a cadre of cyber-warriors for carrying them out.  The home front is not ready for the backlash.   Jim Allchin has said that the Message Queuing technology used in all Windows32 systems contains a coding mistake that would threaten the security of corporate systems if disclosed.  He should know.  Allchin is Group Vice President for Platforms (operating systems) at Microsoft.  He was testifying under oath.  Instead of forcing Microsoft to fix the security threat, the government granted Allchin permission to hide the error.

Forget the kids.  An attack run by foreign national assets will recruit machines at traffic levels below the 3 - 5% anomaly rate detectable in laboratory systems not yet deployed.  As each recruited machine acquires fresh subordinates, a hierarchy is built that can be launched to coincide with an event not of our choosing.  Slammer reached 100,000 machines in 4 hours groping blindly; a clandestine hierarchy would activate almost instantly.  While the machines wait, access codes can be sniffed and harvested, data can become dyslexic, instructions can be received for disabling security, escalating access privileges, wiping out activity logs, opening all drives to sharing.  It's not your car if someone else is driving.  The list of recruited subordinates each machine harbors is encrypted. It is hard to know anything is happening, and, if you stumble over it in the dark, you can't find, notify or count the number of affected installations beyond your own.  I do not know the state of any clandestine art.   These are only exploits already done and run, one by one, just for fun.

The software industry has become a threat to national security.  It is a hole we seem determined to dig deeper.

The White House response to Slammer was typical: software vendors issue plenty of patches to program problems, and we need to apply them.  But the current "patching regime" is bankrupt. The question is whether society will orchestrate the upheaval required to achieve acceptable security, or whether we must wait for the upheaval to be thrust upon us. A look into the trenches of patch warfare is sobering:

The first patch to fix the Slammer vulnerability was issued on 24 July 2002.  Additional Security Bulletins came in August and October, when it was discovered that another package of patches to the same database programs made them worse.  A patch to fix the new problem came on 9 October, but fully installing it would reopen the vulnerability to Slammer -- an old, vulnerable module had been included in the fix. 16 October brought a patch that actually patched Slammer, but now the other problem was forgotten.  The sixth shot was the charm: a preliminary pack of patches issued in December 2002 got both problems right, along with 188 other bugs in the 7th version of SQL Server.  Systems Administrators were told, "Microsoft DOES NOT support the use of this build in your production environments. It is being provided for testing purposes, such that you have the opportunity to uncover issues/concerns . . ."  Doubtless some waited until that pack stabilized on 4 January 2003, or until the first easy-to-install patch addressing just these two vulnerabilities was issued. That was 26 January, just after Slammer struck.

Decide for yourself whether the patch was released 6 months before the attack or the day after.  An independent researcher discovered Microsoft's Slammer vulnerability and contacted the company on 16 May 2002, so throw in the 2+ months it took Microsoft to make any public move when you add up the nation's total response delay.

Attacks exploit vulnerabilities that are already patched. If we've always had patches and we keep getting attacked, the current patch regime is not protecting us.

The reason patches don't work is obvious to anyone who has installed one. For the privilege of fixing someone else's mistakes, the user must agree to these terms:

"To the maximum extent permitted by ... law, [we] provide to you the operating system components ... as is and with all faults. [We] ... disclaim ... all warranties ... including lack of viruses, ..., workmanlike effort and lack of negligence.... The entire risk arising out of use or performance of the operating system components and any support services remains with you."  And, "... in no event shall [the supplier] be liable for ... loss of profits, loss of confidential ... information, loss of privacy, negligence, and any other pecuniary ... loss whatsoever ....'' "The entire liability [of the supplier] ... shall be limited to ... the amount actually paid by you for the operating system components or u.s.$5.00."

It doesn't pay to develop better security because the victim bears the cost.

The automotive industry is mature.  We have a National Transportation Safety Board and a recall mechanism.  The supplier does the patch himself, in a place called "dealership" or "garage".  Eventually the software industry will mature, but the country will be humiliated or worse while we wait.  Congress must declare software vendors liable for damages caused by defects they do not repair themselves.

Famous attacks cost over $5B each, so limits on damage awards are needed. A $1 million limit would give Microsoft a competitive advantage against smaller players unable to pay.  Microsoft has cash equivalents on hand able to pay the loss of a million-dollar case every day for the next 145 years. Any symbolic cost will do.  With no cost and no liability, software is shoddy and the country keeps crashing.

The biggest question cuts deepest: products will always be rushed to market and fixed later, but does it have to be this bad?  Not at all.  Many attacks use buffer overflows to seize control, and technology like Sun's java renders buffer overflows irrelevant.  Visitors play in a "sandbox", far from the soul of the machine.  Microsoft was born on the desktop, and made design philosophy choices that rendered the entire product line vulnerable, particularly as desktops are networked.  Sun Microsystems can not make money on a superior solution as long as the true costs of cyber attacks are off the books.  Microsoft is an able competitor.  It will block java, start over on its own dot-NET initiative, and hold the country to ransom until it is finished.

How did we get here?

The United States government has publicly failed to move effectively against a monopoly power in software that it identified.  It is clear to anyone studying us where our systems are weak and the courage to change them is lacking.

Who is in flight school today?  Do you know the current list of vulnerabilities for your systems?  The enduring shock of September 11th is that we did not understand the world we live in.  Airlines had security systems then too, just as computers have security systems now.  But our dedicated attackers succeeded with knowledge of how corporations and government behave, and how our own complex technology works. We failed from complacency and poor imagination.  Next?

--jerry

Jerry Nelson is an equity analyst for high tech in Washington DC.

WORD LIMITS:  752 ideal; 1272 possible;  now 1428
------------------------------ end article -------------------------

From: "Features, Edit" <edit.features@wsj.com>
Sender: "Coyle, Marie" <Marie.Coyle@wsj.com>
To: "'J.I.Nelson, Ph.D.'" <jerry-VA@prodigy.net>
Subject: RE: op ed submission "Complacency Guards the Internet" 2nd try
Date: Thu, 13 Feb 2003 15:59:10 -0500
X-Mailer: Internet Mail Service (5.5.2654.89)

Thank you for your submission to the editorial page.

We will not be able to use it, but we appreciate your interest in The
Journal.

                                Sincerely,
                                Tunku Varadarajan
                                Editorial Features Editor
                                The Wall Street Journal
----------------------------------------------------------------------------

WORSE THAN WE THOUGHT

The impact of the SLAMMER worm was greater than we realized at the time.  
On 20 September 2004, Forbes magazine reported additional disruptions to corporations.

POWER UTILITIES
"A total 270 utilities that generate 80% of the nation's electricity use control systems that are ripe for hacking, according to research by Ted G. Lewis for the Navy Postgraduate School."  [Presumably they used unhardened SCADA Supervisory Control & Data Acquisition,  and DCS Distributed Control System technology.]

"... Slammer infected a private computer network at [the dormant] David-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours, says the Nuclear Regulatory Commission.  The dormant plant's process computer failed, and it took six hours to get it up and running again.  At another utility, in an undisclosed city, Slammer downed the computer network controlling vital equipment."

The infection doubled every 8.5 seconds, and every new machine immediately sought the next wave of recruits.  In 3 minutes, 55 million systems were being scanned per second for possible entry.  After ten minutes, 90% of the world's vulnerable hosts were in thrall.  (Stefan Frei, ETH Zurich)

 
-------------------------------------------------------------------------------

2009:  IT'S  TOO LATE

PRANKS BY  KIDS TURN  INTO  ATTACKS  BY  NATIONS

Security problems will not be successfully tackled until the corporations responsible for them become legally responsible for the financial losses they cause others.  Our lack of national courage and political will to take this step is an advertisement of weakness that invites others to attack us.  In 2009, our invitation was accepted: China attacked over 30 American corporations.

DECEMBER 2009: CHINA HACKS 32 US COMPANIES

The 12/09 attack was publicly disclosed by Google on Tuesday, 12 January 2010.

"What really makes this is a watershed moment in cybersecurity is the targeted and coordinated nature of the attack with the main goal appearing to be to steal core intellectual property."
--McAfee Chief Technology Officer George Kurtz, quoted by
Steven Musil writing in C-Net news.

Source code was stolen from some of the 32 Silicon Valley companies.  Adobe Systems has confirmed that it was targeted by an attack, and sources have said Yahoo, Symantec, Juniper Networks, Northrop Grumman, and Dow Chemical also were targets.
http://news.cnet.com/8301-1009_3-10436476-83.html?tag=mncol

The apparent target of the Google penetration was Google's g-mail service, in order to find Chinese dissidents in the US trying to support democracy in China.  Being able to find and read dissidents'  e-mail correspondence would enable China to identify and imprison activists in China as well as threaten family members in China in order to silence dissidents in the United States -- a double-sided win-win for them.

SecurID from RSA, Inc. is a keychain fob with a little LCD screen that shows a changing 6-digit number.   Corporations issue SecurID to employees who need access to classified data systems while on the road.  The numbers on every keyfob are different.  To enter the corporate network, you must possess the keyfob and log on with the correct 6-digit number for your name and PIN.

In March 2011 SecurID data was stolen from RSA, Inc.  and in June 2011, the theft came home to roost, when Lockheed-Martin and L-3 Communications experienced many attempted penetrations by would-be intruders who knew the SecurID authorization codes that opened their corporate networks.

The details:

The RSA SecurID keychain fob displays a different 6-digit random number every 30 seconds or so.  A server in headquarters can calculate each person's number and admit him if he types that number in.  This parallel calculation at the server and for all the keyfobs in the field is possible because both the HQ server and the keyfob are synchronized to the same starting number -- called the "seed" -- and are programmed to run the same cryptographic algorithm to get a fresh 6 digit number every 30 seconds.

Corporate and military networks are protected world-wide by 40 million SecurID keyfobs.

On 17 March 2011,  RSA revealed in a letter to customers that its computer network had been attacked by an "advanced persistent threat".  The data extracted by a "sophisticated" attacker was information about  RSA's SecurID key fobs.  If the data was the serial number of individual SecurID units and their random number "seeds", then the thief could potentially calculate the magic number for any keyfob at any time in the future, and breach a key barrier to unauthorized access to the nation's corporate and  military networks.  How advanced, persistent and sophisticated was the attack?  

How RSA was penetrated  

Here's how it was done, according to F-Secure:

The attackers spoofed an e-mail to make it appear to come from "web master" at Beyond.com, a job-seeking and recruiting site.  The entire message?  "I forward this file to you for review. Please open and view it." This was apparently enough to get the intruders the keys to RSAs kingdom.  This was enough to break the cryptography behind 40 million SecurID entry keys because RSA kept spare copies of all the keys issued to its customers and their servers on its own server, which was on the Internet, not isolated.  

"Please open and view it."

If the recipient clicked on the attachment, an Excel spreadsheet opened, which was completely blank except for an "X" that appeared in the first box of the spreadsheet. The "X" was the only visible sign that there was an embedded Flash exploit in the spreadsheet.  Excel automatically activated the Flash code -- the user didn't have to do anything, and the Flash code didn't do anything either, except drop a "backdoor" entrance into the user's computer system, in this case a backdoor known as Poison Ivy.  A security flaw in Adobe's Flash player which the company had not patched enabled malicious software developers to modify the big Flash program to contain and install the small "Poison Ivy" program.  So another corporation, not RSA Inc., released insecure software and the didn't fix it in time.  

Once installed, Poison Ivy reaches out to a command-and-control server that the attackers controlled at good.mincesur.com, a domain that F-Secure says has been used in other espionage attacks, giving the attackers remote access to the infected computer at EMC (EMC Inc. acquired RSA Security on 30Jun2006 for $2.1B).  From there, they were able to reach the systems and data they were ultimately after.  

F-Secure notes that neither the phishing e-mail nor the backdoor it dropped onto systems were advanced.  One might call the zero-day Flash exploit used to drop the backdoor into the victim PC "advanced", if only because it was "zero day". Most vulnerabilities are discovered by white-hat security experts, who tell the corporations which  own the vulnerable software about them.  One then counts the days (weeks, months) it takes the corporation to admit the fault, admit others were more clever than they to discover it first, and then incur the expenses needed to fix (patch) the fault.  A zero-day exploit is one that exploits a fault discovered by black-hat security experts who do not tell the company -- the company has had zero days to protect itself and its users.

THE OTHER SHOE DROPS:
1June2011, Lockheed and L-3:

L-3 Communications became the second victim of an attempted hack attack that relied on the RSA SecurID intrusion that took place in March of the same year.  

L-3's Stratus group had been actively targeted with attacks based on "leveraging compromised information" from the SecurID keyfob two-factor authentication system, according to a company memo obtained by Wired magazine.   L-3, which supplies command and control systems to the US military, would only say that this particular incident had been resolved, without saying how, or after what damage.

News of the attempted L-3 breach comes days after Lockheed Martin suspended remote access and began re-issuing the SecurID keyfob tokens following the detection of hacking attacks also linked to the high-profile breach against RSA back in March. The manufacturer of F-22 and F-35 fighter planes confirmed the attempted hack, first reported by tech blogger Robert Cringely, which took place on or around the weekend on 21 May. http://www.theregister.co.uk/2011/06/01/military_contractor_2nd_rsa_securid_hack/

2025:  IT WILL GET WORSE

World War III: Scenario for 2025

The technology of space and cyberwarfare is so new and untested that even the most outlandish scenarios may soon be superseded by a reality still hard to conceive. If we simply employ the sort of scenarios that the Air Force itself used in its 2009 Future Capabilities Game, however, we can gain “a better understanding of how air, space and cyberspace overlap in warfare,” and so begin to imagine how the next world war might actually be fought.

It’s 11:59 p.m. on Thanksgiving Thursday in 2025. While cyber-shoppers pound the portals of Best Buy for deep discounts on the latest home electronics from China, U.S. Air Force technicians at the Space Surveillance Telescope (SST) on Maui choke on their coffee as their panoramic screens suddenly blip to black. Thousands of miles away at the U.S. CyberCommand's operations center in Texas, cyberwarriors soon detect malicious binaries that, though fired anonymously, show the distinctive digital fingerprints of China's People's Liberation Army.

The first overt strike is one nobody predicted. Chinese “malware” seizes control of the robotics aboard an unmanned solar-powered U.S. “Vulture” drone as it flies at 70,000 feet over the Tsushima Strait between Korea and Japan.  It suddenly fires all the rocket pods beneath its enormous 400-foot wingspan, sending dozens of lethal missiles plunging harmlessly into the Yellow Sea, effectively disarming this formidable weapon.

Determined to fight fire with fire, the White House authorizes a retaliatory strike.  Confident that its F-6 “Fractionated, Free-Flying” satellite system is impenetrable, Air Force commanders in California transmit robotic codes to the flotilla of X-37B space drones orbiting 250 miles above the Earth, ordering them to launch their “Triple Terminator” missiles at China's 35 satellites. Zero response. In near panic, the Air Force launches its Falcon Hypersonic Cruise Vehicle into an arc 100 miles above the Pacific Ocean and then, just 20 minutes later, sends the computer codes to fire missiles at seven Chinese satellites in nearby orbits.  The launch codes are suddenly inoperative.

As the Chinese virus spreads uncontrollably through the F-6 satellite architecture, while those second-rate U.S. supercomputers fail to crack the malware's devilishly complex code, GPS signals crucial to the navigation of U.S. ships and aircraft worldwide are compromised. Carrier fleets begin steaming in circles in the mid-Pacific. Fighter squadrons are grounded. Reaper drones fly aimlessly toward the horizon, crashing when their fuel is exhausted. Suddenly, the United States loses what the U.S. Air Force has long called “the ultimate high ground”: space. Within hours, the military power that had dominated the globe for nearly a century has been defeated in World War III without a single human casualty.

--end of excerpt from:
The Decline and Fall of the American Empire
Four Scenarios for the End of the American Century by 2025
By Alfred W. McCoy, Professor of History at the University of Wisconsin-Madison
Not a book.  Find it on the Internet at
http://www.huffingtonpost.com/alfred-w-mccoy/the-decline-and-fall-of-t_1_b_792570.html
or
http://www.cbsnews.com/stories/2010/12/05/opinion/main7121029.shtml


THE BOTTOM LINE

Corporations need to be made  legally liable for what it costs customers to shut down and clean their computer systems when programs and operating systems are insecure.  We would then see secure software and much faster fixes.  Automobiles are recalled and faults are  fixed in special places called garages, but any software problem is your  problem, not theirs.  Some will observe the software industry is younger than the automotive industry and just needs to mature in the fullness of time.  I say  these corporations lack of loyalty to the country and our needs as a nation is an attack on our national security.

J. I. Nelson, Ph.D.
IEEE
 jerry-va at speakeasy dot net
--end

 top of this page: There is still time   
        It is too late.
        It will get worse.        

 home page of this Website

Rev 12/06; Rev 14Oct2011 Chinese attacks of 2010