May 17, 2005
In This Issue
Tech Talk

Vulnerability Is Over - The Progression Towards Proactive Security

It was Thursday, September 19, 1996, around 10:00am, when the first news stories broke announcing that the Central Intelligence Agency had been hacked. News reporters scrambled to get further details on the story and write their own reports on the “compromise of the Central Intelligence Agency computer systems”. As people tuned in for their morning news shows they learned of this devastating computer intrusion into the United States' top spy agency. The break-in fed the growing hacker hysteria.

The reality of the situation was eventually set straight by a few knowledgeable security enthusiasts and hackers who set about educating reporters that the break-in “at the C.I.A.” was not the same as someone gaining access to classified information, or to computers housed inside C.I.A. buildings. The people who broke into the C.I.A. had simply defaced the agency's public, Internet-facing website. As reporters came to understand that the C.I.A. had not been compromised to the degree they had imagined, they released updated stories attempting to explain to the public the difference between a network being compromised and a website being defaced.

This is just one of many examples of how people think about hacking and security very differently today than they did in the past. Security topics such as hacking have broken completely into the mainstream -- from the countless movies that feature hacking, to Paris Hilton's recent appearance on the Tonight Show talking about “hackers breaking codes” to get into her T-Mobile account.

This increased exposure to security topics has no doubt reached even those who are not the most computer savvy, and businesses have become vastly more knowledgeable about security than in years past. Yet with all of this focus on security it seems in many cases that we are taking two steps back while the bad guys are taking a giant leap forward.

Five years ago most computer intrusions were benign in nature. They were typically performed by people motivated to pull a digital prank or make a statement, as was the case with the C.I.A. hack. Most corporate break-ins amounted to someone altering a company's website to show amusing graphics or to put up a political message. Many website defacements were done by teenagers who just wanted the satisfaction of knowing they could do it -- the thrill of the hack. But not all hacks were simple pranks.

Phishing is one of the most widely used terms in computer security today, but its roots go back years, to online services like AOL, Prodigy, and CompuServe. Phishing started out as a mostly one-to-one social engineering scheme, and its first real criminal use was on AOL. Attackers posing as AOL employees tried, over electronic chat, to trick AOL customers into giving up their passwords and account information. The attackers then used those credentials to get AOL service for free, or sold the accounts to other people. Once people realized how easy it was to fake trust on a computer, they escalated the attacks: instead of tricking people out of account information they tricked them into handing over credit card numbers and Social Security numbers, which the attackers used to order merchandise they could either use themselves or resell for cash.

Eventually attackers found easier ways to run phishing scams by using backdoor programs, or trojan horses. A trojan horse is a program installed on a victim's computer, usually disguised as something harmless, that gives an attacker full access to everything on that computer: account information, credit card data, and anything else stored there. But even as attackers started to realize they could make a little money from illegal computer activity, the average attacker was still driven more by the urge to make a statement or get media recognition. One of the more popular ways of achieving that goal, then and now, was writing a computer virus.

Computer viruses have been around longer than almost any other type of computer threat, and have been one of the most popular ways for hackers to make a name for themselves because of the press coverage an effective virus attracts. A virus can garner recognition far beyond any website defacement. But viruses had to run their course and give way to the ultimate "prank", and potentially the most devastating attack of all: the computer worm.

Unlike a virus, which needs a user at a computer to be tricked into running a "bad" program before it can spread, a worm replicates from one computer to the next over the network without any human intervention, typically by exploiting a vulnerability in a service listening on the victim machine. While worms sound a lot more advanced than viruses, they are not a new phenomenon: one of the earliest worms was released in 1988, seventeen years ago. That worm, the best known of the early examples, was written by the son of a scientist employed by the United States' signals intelligence agency, the National Security Agency, and it eventually became known as the Morris Worm, after its author.

Worms have been around for a while, but nothing made the public so aware of the power of a computer worm as the arrival of CodeRed in 2001. Since then, worms have been one of the biggest driving factors behind improved computer security. Software vendors got a wake-up call to build more secure software, and businesses realized they needed to do more to secure their organizations because worm attacks resulted in large losses of revenue.

Worms affected the computer security world so intensely that people seemed to forget that threats existed beyond the computer worm. As more worms like Sapphire/Slammer, Blaster and Sasser were discovered and reported on by the media, organizations seemed to build their security processes almost entirely around worms. But what happened to websites being compromised? Backdoors and trojans? Phishing attacks? Targeted computer intrusions? Had the bad guys really forgotten about all of these possibilities and simply retired to write computer worms? As our security consciousness began to awaken we realized that the "bad guys" had not forgotten; we had.

The security industry became so fixated on large-scale attacks such as computer worms that many people forgot about the basics of security and the threats we face. Even companies such as Microsoft woke up one day to find themselves surrounded by spyware and phishing problems for which they could offer their customers no solutions. Microsoft, like most of the industry, is now scrambling to react to "new threats" which seem to have popped up overnight. Other industry giants like Symantec and McAfee have also been blindsided by their complacency, and a new, hundred-plus million-dollar spyware industry has cropped up almost overnight. Is spyware really even a new threat? Have we just not been paying attention to the age-old basic security threats?

The anti-spyware business is one of the greatest scams ever to happen within the security industry. Most spyware has the same properties as older threats such as viruses and trojans, and the fact of the matter is that anti-virus engines are the technology best suited to detect and eradicate it. But why should the anti-virus vendors tell you, the consumer, that their engines can detect and block spyware when they can sell you a completely separate anti-spyware product for another $30 per desktop on top of the $30 you are probably already paying for anti-virus? From a detection perspective spyware is no different from the viruses and trojans of years past, but one thing has changed: the people behind these newly "rediscovered" threats are no longer kids motivated by pranks and media recognition.

In the last two years the type of people behind the threats that businesses and consumers face has changed dramatically. While there is still a handful of young attackers looking to make names for themselves and have a little "fun", the far more common attacker today is someone motivated purely by money. Look no further than phishing and spyware for evidence of this.

Phishing has grown from a one-on-one social engineering scam into a globally coordinated criminal business that yields even the smallest phishing groups millions of dollars. With the merging of real-world and cyber criminals there is a very real threat to financial institutions and businesses. Phishing attacks can now be coordinated scams to steal hundreds of thousands of credit card numbers and identities, which criminal enterprises turn into real-world currency. This is made even easier by the resources of organized crime; for example the ability to set up fake businesses and merchant accounts in order to process large quantities of stolen credit card information. The bad guys have also realized that if you can break into a website far enough to deface it, you can probably reach the data stored behind it, and that data is worth real money. You can see at least a few examples a month of companies being broken into and having their customer databases stolen. These databases are just information, but that information is now a commodity that can be bought and sold to the highest bidder for real-world currency.

While the financial losses from phishing attacks may be more tangible than the effects of a website defacement, are the attacks themselves really that different? Unfortunately the answer is no. So why is it still happening?

Through it all people have remained reactive: software vendors, security companies, consumers, and businesses. For as much as security is a hot topic of discussion, it is still not a core focus for many organizations. It is called a top priority and yet it is the first thing to take a back seat to other projects. We never progress with anticipation; we digress with adaptation.

Software authors still treat security as more of a public relations problem than something they truly have to invest in, and why should they treat it any other way? Businesses and consumers continue to buy insecure software without demanding better. Some software vendors, such as Microsoft, have made a visible effort to improve the security of their software, but at the same time they have redoubled their public relations efforts to create a sense of security that goes beyond what they have actually delivered.

Security is obviously a focus for security software and service companies, but the reality is that most of the large security companies are happy providing reactive security solutions to businesses and consumers because reactive solutions sell well. They also need constant signature updates, which means a steady revenue stream for the vendor, at your expense. Few security companies have truly challenged their engineers to create solutions that address the core of the security problem, and the few that have are quickly acquired by much larger security companies, after which the innovation dies out.

To businesses, security is still not on a par with paying the electric bill. It is a nuisance, a distraction, a resource drain, and it is expensive. But when that worm hits, when that hacker attacks, blame is quickly assigned. What most organizations do not yet understand is that improving security is not all about buying the latest and greatest products. It is about changing the corporate culture to make security a realistic priority, and understanding that the upfront investment in security resources and processes will be far less costly than the reactionary efforts after an attack.

We are reaching the climax of a time when information is power. Technology pioneers have always sought the holy grail of information at your fingertips and ubiquitous computing. The one thing none of them considered at the time is that ubiquitous computing really means ubiquitous information. Our lives and businesses are constantly becoming more digital, and that only makes it easier for criminals to capitalize on the insecurities in software and systems. As this progresses, the effects of a successful hack will grow exponentially more severe. With this increase in the criticality of threats there has never been a time that requires innovation and proactive security solutions more than now.

Proactive security is the only way we will begin to attain trusted computing and take technology back from criminals. The idea of being proactive about security is not anything mythical. It starts with attacking the root of the problems we face. The core characteristics of attacks have not changed. Classes of attacks such as buffer overflows have not changed much in twenty years, and neither have application-layer attacks such as those against protocols like HTTP. Security technologies have advanced and will continue to be developed to prevent general classes of attack, but proactive security is not just about advanced technologies that can generically prevent a class of attacks. We must be proactive on all fronts.
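As an added illustration of that point (example code written for this edit, not from the original newsletter or from eEye), the following C program shows the buffer overflow class in its simplest form next to a bounded version of the same routine. Everything in it is constructed for the example: the request-line parser, the PATH_BUF_LEN buffer size, the function names route_request_unsafe, route_request_safe and route_constructed_long_path, and the sample requests. The vulnerable function is the same pattern of unchecked copy into a fixed-size stack buffer that the worms named earlier exploited in network services, here applied to an HTTP request line.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size buffer for the request path. Kept
 * deliberately small so that an oversize path is easy to demonstrate. */
#define PATH_BUF_LEN 32

/* Vulnerable form. Copies the path from "METHOD path HTTP/x.y" into a
 * fixed stack buffer with no length check. A path of PATH_BUF_LEN bytes
 * or more writes past the end of `path`, over whatever follows it on the
 * stack (saved registers, the return address). This is the overflow
 * class the text refers to; never feed it untrusted input. */
size_t route_request_unsafe(const char *request_line)
{
    char path[PATH_BUF_LEN];
    const char *start = strchr(request_line, ' ');
    const char *end;
    size_t n;

    if (start == NULL)
        return 0;
    start++;
    end = strchr(start, ' ');
    if (end == NULL)
        end = start + strlen(start);
    n = (size_t)(end - start);
    memcpy(path, start, n);          /* unbounded copy: the bug */
    path[n] = '\0';
    return strlen(path);
}

/* Hardened form. Same parsing, but the caller supplies the destination
 * and its size, and a path that would not fit (including its NUL) is
 * rejected with -1 instead of being copied or silently truncated. */
int route_request_safe(const char *request_line, char *path, size_t path_len)
{
    const char *start = strchr(request_line, ' ');
    const char *end;
    size_t n;

    if (start == NULL || path_len == 0)
        return -1;
    start++;
    end = strchr(start, ' ');
    if (end == NULL)
        end = start + strlen(start);
    n = (size_t)(end - start);
    if (n == 0 || n >= path_len)     /* the check the unsafe version lacks */
        return -1;
    memcpy(path, start, n);
    path[n] = '\0';
    return (int)n;
}

/* Builds a request whose path is `path_len` bytes long ("/" followed by
 * 'A's; constructed input) and runs it through the hardened parser. */
int route_constructed_long_path(size_t path_len)
{
    char request[256];
    char path[PATH_BUF_LEN];
    size_t i, pos;

    if (path_len > 200)
        return -2;                   /* keep the constructed request in bounds */
    memcpy(request, "GET /", 5);
    pos = 5;
    for (i = 1; i < path_len; i++)   /* the leading '/' already counts as one byte */
        request[pos++] = 'A';
    memcpy(request + pos, " HTTP/1.0", 10);   /* 9 characters plus the NUL */
    return route_request_safe(request, path, sizeof path);
}

int main(void)
{
    char path[PATH_BUF_LEN];
    int n = route_request_safe("GET /index.html HTTP/1.0", path, sizeof path);

    printf("safe, normal request: %d bytes, path=%s\n", n, path);
    printf("safe, 31-byte path:   %d\n", route_constructed_long_path(31));
    printf("safe, 32-byte path:   %d (rejected)\n", route_constructed_long_path(32));
    /* The unsafe parser is only ever called here with input that fits. */
    printf("unsafe, short path:   %zu bytes\n",
           route_request_unsafe("GET /index.html HTTP/1.0"));
    return 0;
}
```

Compile with any C compiler (for example `cc -Wall overflow.c`) and run it. The fix is not exotic: the hardened routine takes the buffer size along with the buffer and refuses input that would not fit, which is the one decision the unsafe routine never makes. Stack protectors and non-executable memory raise the cost of exploiting the unsafe form, but the class survives as long as unchecked copies like it keep being written.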

Businesses and consumers need to think proactively about how to protect their systems in the long run. They need to design processes that review security on a regular basis, not just in reaction to attacks. They also need to demand better from software manufacturers, and force vendors to create more secure software by refusing to keep buying software they know to be vulnerable. Software vendors, for their part, need to be proactive by investing in proper security planning before development begins.

Some would say the future of security is doom and gloom, but I think the light at the end of this tunnel has never been brighter. Through all the discussion of security there is one theme that binds everything together: vulnerabilities. As I have watched hacking and security change over the years, the only thing that has remained constant is the vulnerabilities and the characteristics that shape them. If security vendors and consumers take that to heart, we will reach a point where we can finally say "vulnerability is over".

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security

P.S.
On a personal note, vulnerabilities have been my life's passion, and with that the core focus of eEye and the products we create. Those who have followed us over the years have probably seen the numerous highly critical vulnerabilities we have discovered and the worms we have researched, from CodeRed and beyond. Through those years of vulnerability research we have finally built a product that we hope can help solve the problems businesses face, and at the same time challenge people to bring innovation back to the security industry. And with that I would like to announce Blink, eEye's host-based security solution. See the 'Announcements' section below for how to obtain a demo of Blink 2.0 Beta.

News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.

Reuters: Hackers Aren't Just Picking on Microsoft: Study
"Online criminals turned their attention to antivirus software and media players like Apple Computer Inc.'s iTunes in the first three months of 2005 as they sought new ways to take control of users' computers, according to a survey released on Monday." Full Article

NewsFactor: Firefox Flaws Just a Numbers Game
"The announcement of several critical security flaws in Mozilla's Firefox Web browser has prompted much press about whether alternate browsers are, in fact, more secure than Microsoft's Internet Explorer. But one expert says the whole situation boils down to a numbers game." Full Article

Associated Press: Survey: 43 Percent of Adults Get 'Phished'
"Next week Denver-based First Data Corp., one of the country's largest electronic financial transaction companies, plans to release survey results showing 43 percent of adults have received a phishing contact. Five percent of those adults gave up personal information." Full Article

Reuters: Inaction Could Lead to Cybersecurity Law
"U.S. businesses for years have urged the government to let them set computer-security standards of their own, but their inability to do so could now prompt Congress to step in, experts say." Full Article

Reader Q&A

Q: Can eEye recommend any good websites to learn more about Spyware and Phishing?

A: One of the better phishing related websites to keep an eEye on is the Anti-Phishing Working Group (http://www.antiphishing.org). It has one of the largest databases of phishing scams and it allows you to subscribe to various resources to be notified of new phishing scams.

The Spyware Guide (http://www.spywareguide.com) is a popular online spyware database. There you can search for a given piece of spyware, learn about its behavior, and find out how to clean it from your system.

Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

Announcements

Products: Blink® 2.0 Beta Available for Download
eEye Digital Security today announced Beta release of the latest version of its award-winning endpoint security solution – Blink 2.0. With the addition of anti-spyware technology and dynamic protection from "phishing" scams, Blink delivers the most comprehensive layers of protection available. Full Article

Release: eEye Selected As Red Herring 100 Company
eEye Digital Security announced that it has been named one of the Red Herring 100 Private Companies of North America. Red Herring's editorial staff rigorously evaluated more than 900 private companies through a careful analysis of financial data and subjective criteria, including quality of management, execution of strategy, and dedication to research and development. Full Article

Online Event: Best Practices Approach to Security Risk Management and Automated Security Compliance Reporting
Most companies are struggling to prove regulatory compliance while simultaneously reducing their security risk. Join eEye Digital Security and Preventsys for this online event to learn how network vulnerability assessment, threat prevention and management best practices - together with the automated testing of your unique regulatory controls - can help you automate and reduce the costs of compliance and risk reporting. Full Article

Whitepaper: Vulnerability Research, Disclosure and Ethics
The aim of this paper is to examine the commercial and social value of vulnerability research, as well as discuss some of the ethical issues surrounding the handling and disclosure of vulnerability information. Understanding of these issues will engender a much better understanding of the concepts behind "zero day attacks", currently a topical issue in the media and vendor product marketing. Full Article

Etcetera

Cisco Says Swede Detained for 2004 Hacking Incident
Cisco Systems Inc. said on Tuesday authorities in Sweden had detained a person for stealing its source code, the basic instructions for the machines that direct Internet traffic around the globe. More

Upcoming Security Advisories
The eEye Research Team has been hard at work identifying security flaws in common software applications before the bad guys do. eEye is currently working with a couple of software manufacturers to release timely and tested patches. More

HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.