And another one just for fun!

From: Lohkee (Lohkee_at_worldnet.att.net)
Date: 08/24/03


Date: Sun, 24 Aug 2003 06:54:29 GMT

Anti-Virus Software
Copyright (c) Lohkee 2003
All rights reserved

According to industry experts, there are more than sixty thousand viruses
lurking in the shadows waiting to victimize you, and each passing month adds
several more to the list. Reveling in the mathematics of exponential
propagation and dire predictions for those foolish enough to ignore this
potentially devastating threat, some have even gone so far as to compare
these irritating little programs with the biological virus responsible for
AIDS! Not too surprisingly, many of these same experts just happen to be in
the business of selling anti-virus software or related services!

It is a given that computer viruses can destroy hardware, software, or
massive amounts of information in the blink of an eye. Computer viruses have
also repeatedly demonstrated their ability to span the globe within minutes
often causing thousands of servers to crash in the process. During these
attacks, the news media rarely misses an opportunity to inform us that our
electronic world is teetering on the brink of destruction. What they
generally neglect to mention is that the success of these programs was not
due to any particular genius on the part of their creators; rather an
amazing lack of concern for security within a great many organizations. The
simple truth is that most, if not all, computer viruses are designed to take
advantage of well known and easily patched vulnerabilities or require their
targets to be "wide open" in order to survive and multiply. A virus is like
any other computer program. It must have access to those resources that it
depends on to run.

Perhaps the most insidious threat posed by computer viruses, particularly
those designed to spread via email, is that of confidential information
being indiscriminately scattered to the wind during the program's
replication process. Melissa, for example, spread like wildfire and was
responsible for the mass-disclosure of thousands, if not millions, of
extremely sensitive documents. My personal collection of unsolicited email
courtesy of this virus included, among other things, rental applications,
employee evaluations, letters of reprimand, miscellaneous financial
information, a pretty dismal prognosis for a woman with breast cancer, an
incredibly hot love letter (complete with nude photos), legal
correspondence, and a rather long-winded but very detailed network security
assessment. It is truly amazing how many people are willing to connect
systems containing sensitive information to an unsecured public network via
wide-open protocols using operating systems that are widely known to be
substandard with regard to security. Probably the most remarkable aspect of
the Melissa fiasco was the deafening silence within the legal profession in
the days that followed (one can only assume they were far too busy cleaning
up their own systems to notice what should have been a veritable gold mine).
Whatever the reason, many organizations managed to escape accountability for
their cavalier approach to security and safeguarding confidential
information and yours may have even been one of them. Unfortunately, this
does not change the undeniable fact that the wrong file, sent to the wrong
person, could very easily lead to embarrassment, loss of confidence in the
organization, and a significant financial liability. The question is, how
many times are you willing to spin the cylinder and then pull the trigger?

The professional security community is generally more than happy to point
out that it only takes one virus to create serious problems for an
organization and strongly recommends the use of anti-virus software to
protect against this threat. Some even recommend using multiple anti-virus
products. That it only takes one virus to cause problems is certainly a true
statement; however, it is also one that happens to argue strongly (albeit
briefly) against the use of these products. History has shown time and time
again that anti-virus software can only offer reliable protection against
known viruses (assuming that you actually take the time to update it
whenever a new virus is discovered). Did your favorite brand of anti-virus
software stop Melissa, Code Red, Nimda, Anna Kournikova, or the Love Bug from
infecting your systems; or did you download virus signature updates after
the fact only to discover that you had a real mess on your hands? The
problem here, and it is a big one, is that people who create and unleash
viruses, worms, and other types of nasty software, seldom take the time to
notify the anti-virus vendor establishment beforehand. Even after a virus
has been unleashed it is unlikely that your anti-virus vendor will find out
about it until it has gained some momentum which means two things: You are a
sitting duck until they do and; the chances of your anti-virus software ever
being able to detect a well-written program designed to strike a single
target are about zero! As you read this it is entirely possible someone has
already installed a "back door" into your system that your anti-virus
software will never know about. When it comes right down to it, the use of
anti-virus software is analogous to going into a gunfight wearing a
blindfold and then letting your opponent take the first shot. That anyone
would actually embrace, let alone actively promote as an "industry standard
best practice" such an inherently self-destructive paradigm, is simply
beyond belief.

Adding insult to injury, embracing this suicidal paradigm represents an
indefinite commitment on your part to download and rollout updated signature
files on an almost daily basis. The outrageous initial cost of a
site-license for this software notwithstanding, how long do you think it is
going to be before someone in marketing gets the bright idea to initiate a
subscription charge for these updates? Depending on how such a fee is
structured and the size of your organization this could easily turn out to
be a considerable additional expense over the lifetime of whatever product
you have chosen. Think about this for a minute. Not only do you get to go
into a gunfight wearing a blindfold and let your opponent take the first
shot; you also get to pay a small fortune for the privilege of doing so. And
this is a good idea how?

I am not suggesting that you ignore the menace posed by computer viruses. On
the contrary, these programs pose an extremely serious threat to society and
the individual; one which has been grossly underestimated by the government
and those within the professional security community. To date, most viruses
have been relatively benign. Seldom do they make any meaningful attempt to
hide as they propagate or cause real damage to the target and, in this
sense, the digital world has been very fortunate. It has yet to experience
the effective use of a virus as a weapon. It is only a matter of time before
this changes. The Naval War College, along with numerous experts from
various industries, conducted a three-day "war game" to explore the effects
of "cyber-terrorism" against energy grids, telecommunications systems, and
financial institutions. Collectively, they came to the conclusion that an
attacker would need about 200 million dollars, extensive intelligence, and
years of preparation to significantly disrupt the country's critical
infrastructures. I disagree.

The Internet makes it possible for anyone to disseminate information to
millions of people in the blink of an eye anonymously. Unfortunately, bad
information does not go away for a very long time (just look at the number
of tired old hoaxes that manage to get resurrected year after year after
year). In a society trained to forsake critical thinking and rely on
thirty-second sound bites to make important split-second decisions, the
possibilities for mischief are endless. More importantly, an attacker does
not need 200 million dollars to commence hostilities. The price of a
cappuccino at any Internet café will suffice. Sufficient intelligence to
launch an attack is easily obtained while you enjoy your beverage via any of
the popular search engines. Go to www.sec.gov and rummage through the
documents found on their website. Collectively, these files provide an
extensive correspondence course on document preparation and government lingo
complete with a treasure trove of names, telephone numbers, and email
addresses (their website, by the way, offers a very nice graphic of that
agency's official seal). A quick search of the Usenet archives will reveal
to whom people at the SEC are talking and what they are talking about. If
virus writers can consistently dupe people into clicking on e-mail
attachments from unknown sources with grammatically incorrect nonsensical
subject lines, how hard do you think it would be to trick someone into doing
this if they were to receive an e-mail message from somebody they "know" or
who is trying to help them with a problem? I suppose it could take years for
some techno-peasant to orchestrate a viable attack, but it is also true that
almost any computer literate kid with a little programming skill could
easily cobble together some fairly sophisticated code designed to attack a
specific target within a week or two; the anti-virus industry depends on
this for its very survival. Simply stated, the resources needed to launch a
successful attack against society are minimal and easily obtained by anyone
with Internet access.

Many businesses, such as the airline industry, operate on tight margins. It
does not take much to send them into a financial tailspin, and when they
suffer, a lot of other industries suffer right along with them. Stock
markets are extremely sensitive to mood swings. Even the most naive investor
knows what happens to the stock of a company that comes under investigation
by the Securities and Exchange Commission. One negative press release can
send a company's stock plummeting within a matter of minutes. On the other
hand, a stock can soar to dizzying heights based on nothing more than the
mere illusion of some pending breakthrough in the treatment for cancer. Why
bother to attack Wall Street's computers (which is illegal) when it is so
much easier to manipulate its investors? If you think this is far-fetched or
could not happen easily, think again; it already has. In one case, a young
man by the name of Jonathan Lebed, aged 15, successfully influenced the
stock market and made over $800,000 by simply posting poorly penned "expert"
opinions of various stocks to the Internet. More importantly, he is not
serving time; he is spending money. The social and political arena is
perhaps even more volatile. A single inappropriate email or unintentional
slip of the tongue has effectively destroyed more than one otherwise
promising career.

The key to launching a successful attack is creativity (this is where the
Naval War College, in my opinion, missed the boat entirely). Attacking
hardware is not that difficult a task. Most modern BIOS chips use flash
memory thus enabling users to download and install updates across the
Internet. It would not be too difficult for a competent assembly language
programmer to create a virus that erased BIOS chips as it moved from system
to system. Such an attack could leave millions of computers in a completely
unusable state for a considerable period of time and would undoubtedly have
catastrophic consequences for many of those affected. The overall economic
impact caused by an attack of this type could be staggering.

Preventing this type of an attack, however, is as easy as setting the BIOS
write-protect switch on the system's motherboard. The question is why would
an attacker want to mess around with attacking hardware when manipulating
people is so much easier? Destroying people's faith in the systems and
institutions that affect their daily lives can be far more devastating than
simply blowing up some building.

Writing a program that will monitor a workstation, generate an email message
when a specific user logs on, and then self-destruct without leaving a trace
immediately afterward is child's play. Such a program would not even need
any special "permissions" or system-level access to run. More importantly,
any subsequent investigation would be hard pressed to show that the sender
was, in fact, a victim. Getting the email addresses for leaders within the
business, government or political communities is also a fairly trivial task.
Consider the consequences of an email from one politician to another
expressing racist views two or three days before an election. How about a
memo (complete with official seal) from the chairman of the SEC ordering an
investigation into serious criminal conduct by the executives of a major
corporation? There is also the possibility of a few emails sent between
employees of a major airline expressing concern about the safety of their
aircraft and a subsequent cover-up by management - something about wrongful
death suits being cheaper than fixing the problem. How would it affect
society if these things were happening at the rate of about one a week over
a sustained period of time? What effect would it have on the economy? The
only real problem, from the attacker's point of view, is getting the program
to run on the targeted system. The only thing standing in his way, for the
most part, is anti-virus software. Software that has proven itself over and
over again to be completely ineffective when dealing with anything that it
does not already "know" about. There are many ways to prevent an anonymous
outsider from running malicious code on your systems. Anti-virus software is
not one of them.

Lohkee!


