Archaeologists wonder why the city of Naachtun, capital of the Mayan kingdom of Masuul, was abandoned suddenly, with no evidence of natural or manmade disaster. No volcanic eruption. No invading hordes. Why, after more than 250 years of growth and economic vigor was this city abruptly evacuated? Did the leading people in the city fail to react to some important change? What happened?
Two recent Internet worms, Slammer and Witty, have sounded an alarm to the entire computer security industry. To date, however, we have failed to respond to the alarm with the vigor warranted. Could we be dooming the Internet itself to the fate of Naachtun?
When Slammer hit in January 2003, it shocked the security community by growing with unprecedented rapidity‚ — doubling every eight seconds or so. The bulk of the machines destined to be infected were hit within 10 minutes, although the impact on the Internet peaked after only three.
Oh my gosh, we all said; this is really bad. Later, we breathed a sigh of relief, thinking the worm’s virulence had been a fluke. We thought we’d never again see an exploit that could be distributed in a single UDP packet. And it was really our own fault, we acknowledged, because the vulnerability and its patch were published in July 2002, six months prior to the attack; the lesson is that we have to tighten up our system-management capabilities.
The good news is that we haven’t yet seen another major worm propagated via single UDP packets.
Now for the bad news.
Media reports indicate that some new virus toolkits make malware construction as easy as running a computer game’s installation wizard. While such toolkits might not be very serious threats in themselves, they warn us that we can no longer assume that the time scale for virus and worm propagation is slow enough to analyze, plan, and execute in the way we’re used to doing.
And now for the really bad news.
On 8 March 2004, a vulnerability was discovered in a popular security product. Ten days later, the vendor released a vulnerability notice along with a patch. The Witty worm, designed to exploit this vulnerability, struck the following day. The Witty worm is notable for four things:
It was released one day after the publication of the vulnerability with the associated patch.
It pretargeted a set of vulnerable machines, thus accelerating its initial growth.
It was actively destructive.
It targeted a security product.
Colleen Shannon and David Moore of the Cooperative Association for Internet Data Analysis (CAIDA) completed an excellent analysis of the Witty worm shortly after it hit; their report is included as a special feature in this issue of IEEE Security & Privacy. As they note, the key point is that, “the patch model for Internet security has failed spectacularly…. When end users participating in the best security practice that can be reasonably expected get infected with a virulent and damaging worm, we must reconsider the notion that end-user behavior can solve or even effectively mitigate the malicious software problem ….”
So now what?
The US National Cyber Security Partnership has recently completed a set of recommendations in response to the National Strategy to Secure Cyberspace report. One of its top recommendations is, “developing best practices for putting security at the heart of the software design process” (www.cyberpartnership.org/SDLCFULL.pdf). Denial is right out, though we will continue with business as usual for a while. Meanwhile, we’d better get cracking on replumbing the software-development infrastructure so that we can confidently know that any program that can hang out a socket won’t be vulnerable.
[Here is a PDF file of the original editorial.]