CastleCops, Internet Crime Fighters
Editorials: Service Model to Combat New, Uglier Threats in '04
Cyber Security
Service Model to Combat New, Uglier Threats in '04
November 25, 2003
By Larry Seltzer

It's hard to say that 2003 has been a good year for security, but conscientious IT staff can feel good about their odds in the battle for security. You can protect yourself. But the arms race with attackers is getting nasty, and 2004 will be harder.

There's no doubt in my mind that the biggest problem with computers these days is spam. It's a problem that everyone has to deal with, even if it's managed to the point where it's just an annoyance. Don't expect the problem to be solved; expect the spam problem and the e-mail worm problem to converge. We've begun to see this happening in phishing worms like MIMAIL that contain special, disguised worm applications. MIMAIL, Sobig and the other major worms of 2003 indicate a growing level of sophistication among the top attack writers. The other major trend that will continue to manifest in 2004, and which parallels the evolution of legitimate software development, is increased ease-of-use of attack development tools.

From the standpoint of the vermin who write these things, MIMAIL is clearly an improved, next-generation worm. Why write a worm that just attacks and spreads? Why not write one that also creates the possibility of collecting personal information to sell? From the distribution standpoint, unlike older phishing attacks that just send you to a fake company site, MIMAIL redistributes itself.

I'm impressed enough with this technique to make a prediction: If easy development tools for apps like MIMAIL can be made available, look for conventional spammers to start using them (to my knowledge, this hasn't happened yet). The application wouldn't be an explicit scam, just the usual vulgar penis-enhancing stuff, but it would have several big advantages.

First, it would self-propagate; any ad like this should search all files in the system in slow motion, so as not to raise attention, and distribute to all of them. Second, because it's a native application as opposed to a simple Web page, it would have full freedom to create even richer content to catch the reader's eye. For example, why not throw in a little DirectX game? Third, once you've installed an executable like this, you're probably able to install facilities to receive instructions from the Internet without having the user run another attachment. In fact, modern protocols like Web services would suit this very well.

One new area where security companies expect attacks to develop is in instant messaging. There have already been some minor efforts at this, but I'm not as sure that this will develop into a major problem. All traffic on the major IM networks flows through central servers, an obvious point to monitor for attacks, and security products have begun to monitor these channels. Still, it's a tempting target for attackers, especially for those targeting kids. There have already been several worms that attack through IRC (Internet Relay Chat), but because this is not a centralized service, it's a far easier target.

The good news is, as eWEEK Labs predicts, that if you're conscientious and intelligent about it, you can protect yourself against all of this, or at least a very high percentage of it. In almost every case, IT departments had a minimum of several weeks between the release of a patch and the release of the exploit. (In fact, ironically it's often the patch that drives the exploit, as attackers reverse-engineer the patch as a quick and dirty path to the exploit.) Even if they don't always keep up to date because it's tedious and users resist it, IT personnel know that services at all levels—especially the desktop itself—should be locked down except where necessary. Now even Microsoft is learning this lesson.

Over the past several years Microsoft has been dragged, kicking and screaming, into the lockdown paradigm, and this will develop further with Service Pack 2 of Windows XP and Service Pack 1 of Windows Server 2003, both of which were announced at the recent Microsoft Professional Developers Conference and should hit the streets in 2004. Despite a sincere effort to make Windows Server 2003 secure out of the box, it wasn't too long before the RPC buffer overflow bug and subsequent Blaster worm showed that even the 2003 version was too open. But the new service packs, if they're everything Microsoft has indicated, could help a great deal. For the first time, new Windows computers in default configuration could be impervious to any attacks they are likely to meet.

But like most improvements built only into new versions of Windows, these will take years to have a significant impact. Consider what happened with mail clients: In the wake of Melissa and ILOVEYOU, the two pioneering mail worms, Microsoft imposed severe lockdown restrictions in its mail clients, blocking API access to the address book without explicit user permission and stripping all executable attachments. For years now, the only users subject to the most successful mail worms are those running non-Microsoft clients and old, unpatched versions of Outlook and Outlook Express. I actually expect the worm problem to abate slowly over time as a higher and higher percentage of consumers move to new computers with newer mail clients; most business users have some protection at the gateway, even if they continue to run old, vulnerable mail clients.
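The gateway-side counterpart to the mail-client lockdown described above, as an added example that is not part of the original editorial: a small Python filter that parses a message and strips attachments that are executable either by their final extension or by the PE header hiding behind a harmless extension. The extension list, the sample message and its fake attachments are all constructed here for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions treated as executable; a constructed subset, not Microsoft's full Outlook block list.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "bat", "cmd", "com", "vbs", "js", "hta", "cpl"}

def is_executable_attachment(filename, payload):
    """True if the attachment is executable by its final extension or by Windows PE magic bytes."""
    name = (filename or "").lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in EXECUTABLE_EXTENSIONS:  # also catches double extensions such as 'report.zip.exe'
        return True
    return payload[:2] == b"MZ"  # a renamed .exe still starts with the DOS/PE 'MZ' header

def _filter_parts(part, stripped):
    """Recursively drop executable attachments from a (possibly nested) multipart message."""
    if not part.is_multipart():
        return part
    kept = []
    for sub in part.get_payload():
        fname = sub.get_filename()  # None for body text and for nested multipart containers
        if sub.is_multipart():
            kept.append(_filter_parts(sub, stripped))
        elif fname is not None and is_executable_attachment(fname, sub.get_payload(decode=True) or b""):
            stripped.append(fname)  # record what the gateway removed for logging/notification
        else:
            kept.append(sub)
    part.set_payload(kept)
    return part

def strip_executable_attachments(raw_message):
    """Parse a raw RFC 822 message; return (cleaned message, names of stripped attachments)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    stripped = []
    return _filter_parts(msg, stripped), stripped

def remaining_attachment_names(msg):
    return [p.get_filename() for p in msg.walk() if p.get_filename() is not None]

def build_sample_message():
    """Constructed sample (not a real worm): text body, a double-extension PE, a renamed PE, a PDF."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@example.com", "your account"
    m.set_content("Please see the attached file.")
    fake_pe = b"MZ\x90\x00" + b"constructed-fake-pe-bytes"  # only the header is realistic
    m.add_attachment(fake_pe, maintype="application", subtype="octet-stream", filename="message.zip.exe")
    m.add_attachment(fake_pe, maintype="application", subtype="octet-stream", filename="notes.txt")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()
```

Content sniffing matters because extension filtering alone is defeated by renaming; in a real gateway the stripped names would be logged and the recipient told what was removed.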

This year brought us many state laws against spam, and it appears that Congress is on the verge of passing legislation. I sure hope I'm wrong, but don't look for this law to cut the amount of spam in 2004 (or 2005, 2006, 2007... should I go on?). The spam problem is not the result of mail sent by the sort of legitimate marketers who would obey such a law.

Even if spam should be illegal, because fraud should be illegal, the law is not going to solve the problem. Some say that the solution to the spam problem, as well as to other problems such as mail worms, is user education. And just like a law against forged mail headers, user education is an undeniably good thing and can help. But it's not going to solve the problem in 2004, or anytime soon, because all it takes is a few unsophisticated users to keep these problems alive.

If technology is all that's left to work with, what will be the leading technologies in 2004? As it has been for years, my bet is still with the service model. Companies like Postini and MessageLabs can completely outsource portions of the security model for an enterprise or even an ISP. The current year saw growth in this model in both the business and consumer space, as ISPs began taking on many security-related tasks centrally. Since this is the only model that can make a big dent in the growth of Internet-based attacks, I expect it to continue to grow in 2004. Eventually I expect and hope that ISP accounts that don't at least offer spam and threat protection will be untenable in the market, if not actually illegal.

Yes, illegal. One day people will realize that even if they take all the precautions they can, there are still oblivious suckers out there running infected systems that are dumping all over everyone else. Perhaps ISPs should be expected to provide a safe environment, rather than letting users fend for themselves. I can see some legislature requiring ISPs to provide that. Probably not in 2004, but before too long. And there's a law that could make a difference.


Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.


Copyright (c) 2003 Ziff Davis Media Inc. All Rights Reserved.
Source: eWeek


Posted on Thursday, 27 November 2003 @ 06:34:00 UTC by phoenix22 (802 reads)