Living with Worms, Viruses and Daily Security

Complicated applications and slipshod development keep security pros one step behind.

When Robert Morris unleashed the first self-propagating worm on the Internet in 1988, the state of the art in network security was callback modems, authentication servers such as Kerberos and challenge-response protocols. Technologies such as firewalls, IDS and commercial anti-virus software were still years away.

Experts estimate that within a day, the Morris Internet Worm infected approximately 6,000 machines—a huge percentage of the computers connected to the Internet at the time—and cost users as much as $10 million in downtime and cleanup. By contrast, last year's Code Red worm, a direct descendant of Morris' creation, infected more than 500,000 servers and caused $2.6 billion in damages, according to Computer Economics Inc., in Carlsbad, Calif.

As Internet use has exploded over the past several years—with thousands of users joining the network every day—security vendors have scrambled to keep up. They have made tremendous advances in many areas: We now have intrusion detection system software capable of recognizing and repelling new attacks before they hit a network, cloaking software that can make a given PC invisible to outside attackers and military-grade encryption products available for free.

But even as security technology and human knowledge have progressed at an impressive rate, crackers, virus writers and other malicious attackers have more than kept pace, and, consequently, the state of Internet and network security has gotten steadily worse.

While any number of factors have contributed to this state of affairs, experts say they can be boiled down to two main problems: overly complex software and sloppy development practices.

"It's like an arms race," said Peggy Weigle, CEO of Sanctum Inc., an application security vendor based in Santa Clara, Calif. "Companies have been very slow to deploy security technologies. Hackers are using automated tools, and companies are trying to solve the problems manually. Companies believe that if they have a firewall in place, they're secure. Not true. Hackers are like water; they seek the path of least resistance."

Microsoft Corp., which users and security experts often cite as a prime example of insecure coding practices and needlessly complex software, last month announced that security is now its top internal priority. In an internal memo, Bill Gates, chairman and chief software architect of the Redmond, Wash., company, went so far as to direct that everyone who writes a single line of code for the company's new .Net Framework must go through a monthlong security training course.

Of course, Microsoft has made such pronouncements before. In October, Jim Allchin, group vice president of the Windows Platform Group, told eWeek that Windows XP would be the company's most secure operating system to date.

"Windows XP is dramatically more secure than Windows 2000 or any of the prior systems. Buffer overflow has been one of the attacks frequently used on the Internet. We have gone through all code and, in an automated way, found places where there could be buffer overflow, and those have been removed in Windows XP," Allchin said.

Two months later, researchers found a buffer overflow in XP that enabled an attacker to gain total control of a vulnerable machine.

Reaction to the Gates memo ranged from skepticism to cautious optimism, but observers agreed that it will be years before the effects of the decision are felt. In the meantime, IT managers are left to fight an ever-widening assortment of attacks and malicious programs.

How bad has it gotten?

In 1988, the first year that it kept such numbers and the year that Morris ushered in the current era of widespread worms and viruses, the CERT Coordination Center at Carnegie Mellon University, in Pittsburgh, received reports of six security incidents. By 1995, the number had jumped to 2,412, and by last year, the number of incidents had reached 52,658.

A key contributing factor to this explosion of activity is certainly the attendant increase in the number of Internet users, which has given attackers a huge field of potential targets, many of whom are home users who know little about security. But that explanation doesn't account for the Code Red and Nimda worms and hundreds of smaller, isolated incidents that target corporate networks protected by sophisticated security infrastructures.

That responsibility, experts and users say, rests squarely with software vendors.

"I think the software vendors should bear a far greater share of the blame than they are taking," said Tripp Hammer, chief of the Systems Administration Bureau in Montana's Department of Environmental Quality, in Helena. "Many of them are so focused on getting the product out without concern for any security issues. It seems that vendors simply don't care or appreciate the problems and complications of network security that they create."

Hammer cited a recent experience during an installation of Autodesk Inc.'s AutoCAD LT 2002. The software, used for CAD, requires that each user have either administrator or power user privileges on Windows 2000. To guard against unapproved software installations and security risks, the DEQ has a strict policy against giving end users such powerful privileges. In the end, Hammer will have to compromise that policy to bring the AutoCAD package online.

Security experts point out that applications have continued to evolve to the point where they now interact with dozens of other seemingly unrelated applications and must be accessible via the Internet, extranets and wireless devices, all of which leads to further complexity and more opportunities for security vulnerabilities.

"The opportunities [for security problems] have increased as more software has arrived [on the Internet]," said Avi Rubin, a security expert and the principal researcher at AT&T Corp.'s AT&T Labs, in Florham Park, N.J. "There are more lines of code and more integration than before, so damage from a virus or malicious program is greater because it has access to more software."

Rubin predicted that security will keep deteriorating as companies continue to lay off IT and security workers and software vendors continue to trade security for usability.

"Microsoft only adds security after someone attacks one of their products and publishes an advisory about it," Rubin said.

Users agree. "I attribute the rise in security events and viruses in the past few years simply to Microsoft delivering poorly designed and tested products," said the DEQ's Hammer. "My staff must check daily for patches and service packs, and that's a frustration. I don't believe Microsoft is being attacked simply because of who they are but rather because they have done a sloppy job of development and testing in order to get to the almighty buck."

Microsoft officials defend the company's security record but say that its new Trustworthy Computing effort should address most of the concerns that users have.

"At one level, these are things that we've been doing, but at another, they're now more important," Steve Lipner, director of security assurance at Microsoft, said at the time of Gates' memo. "Security is a journey, not a destination."

As part of the company's renewed focus on security and privacy, software developers will be urged to keep their code simple and, by extension, more secure, officials said.

"There's a trade-off between security and complexity, and having developers not trained is a factor in that," Lipner said. "That's why we're training everyone in the Windows division. We've changed the landscape pretty significantly thanks to Bill's e-mail. That's really a watershed event."

Microsoft is far from the only culprit, however. Oracle Corp., the Redwood Shores, Calif., maker of database software, touts its 9i software as "Unbreakable." However, a security researcher this month released advisories detailing several vulnerabilities in the product, which is among the most complex software on the market.

Part of Microsoft's Trustworthy Computing effort involves a moratorium on writing code during this month. Instead, developers will be poring over existing Windows and .Net code in a search for security and privacy problems.

This exercise is long overdue, given that the Windows code base is nearly 20 years old and thousands of developers have contributed to it. This community authorship has also played a part in the operating system's security problems.

"It's time to get that garage cleaned out so we can get the damn car in there," said Richard Purcell, Microsoft's corporate privacy officer. "Everyone has a different coding style, and over the years, there have been a lot of people coding [for Windows]."
