Modernizing Authentication — What It Takes to Transform Secure Access
This article was excerpted from the Cutter Business Technology Council Opinion, Pandemic I: Malicious Disruption (the Halloween Scenario). For a complete copy of the piece, visit http://www.cutter.com/consortium/trends/offer.html.
Weapons of mass hacking, analogous to weapons of mass destruction, have now proliferated to such an extent that we can expect Internet disruptions to occur at any time, on an epic scale. Those who are inclined to use such tools include bored, disaffected teenagers; terrorists and rival national interests; competitors; speculators; and people with a grudge against certain companies (cable companies, phone companies, banks, and credit card companies have managed to offend nearly everyone at one time or another).
It is the rare company that can confidently assert that "no one wants to harm us." Most companies remain sanguine because of the sense that the capacity to do them harm is limited or unavailable to those who would act against them. We hope to undermine that false confidence and replace it with a realistic assessment of risk and a clear course of protective actions.
Five overall enabling conditions set the stage for a pandemic:
- Universal connectivity: We are suddenly very tightly connected to our employees, our clients, our potential clients (who may also be potential disrupters), and the public at large. In historical terms, this sudden coming together is analogous to the formation of cities. Just as those first cities created a new and entirely unexpected possibility of disease spreading almost instantly through an entire population, so too our information infrastructure opens new possibilities of disease-like phenomena spreading along its channels. Viruses are one example, but not nearly the most dangerous. For the first time, there are large numbers of "always-on" broadband machines on DSL and cable modem connections, not installed by experts but by nave home and small-business users who do not realize they have created an attractive nuisance.
- Complexity: Penetration of any system's security is via exploitation of error in the conception and construction of that system. A typical penetration today might exploit a bug in the overflow logic in a piece of operating system code. When the bug is provoked, the perpetrator gains access to built-in debugging points that can be further exploited to gain privileged status. Today's systems are so complex that there is little likelihood of wiping out all such enabling bugs.
- High-speed communication: As bandwidth and traffic increase, the time necessary for propagation of ill effects goes down. We have already seen simple viruses reach literally millions of computers before they are noted by anyone.
- Openness: The underlying philosophy of the Internet is openness. The very steps we might take to inhibit the spread of disease are contrary to the ethic of open access that has been one of this era's great strengths.
- Monoculture: The lack of diversity in our information infrastructure components exposes us to a potentially disastrous ripple effect. Just as a monoculture of grapevine in mid-19th-century France and Germany led to economic chaos upon the arrival of the philoxera virus, so too the ubiquitous use of Windows, BIND, and SendMail could result in a situation in which a security lapse somewhere means a security lapse everywhere.
These five matters expose us to certain kinds of natural, nonmalicious perturbations that can be enormously disruptive. In addition, for those who are inclined toward malicious perturbation, there are some additional factors that make their task easier and the task of those who would oppose them much more difficult:
- Developers' use of components that may not be dependable. Components provide an easy entry possibility into many systems.
- Testers' avoidance of esoteric and sophisticated test strategies. The traditional heuristics of "good enough" testing don't work when it comes to security. Note that the very scenario that the tester finds too unlikely to be worth testing is the treasure that the hacker is actively seeking. Buffer overflow errors are examples of this effect.
- Imperfect testing and fixing of operating systems and networking software, leaving exploitable security holes. We all know that the probability of introducing a new bug as part of a bug fix is high and hackers know this, too.
- Millions of poorly maintained computers continuously online with fat pipes. Although your company may be careful to keep its systems up to date all known security leaks plugged that home system of yours that is currently on in the bedroom and connected to an always-on cable modem may be available for capture by hackers.
- Lax security encouraged by proliferation of attractive networked applications.
- Windows XP providing technology to spoof IP addresses. (More about this below.)
Since personal computers were supposed to be "personal," their original architecture made no provision for security of any kind. Since the concept of the personal computer predates networking, they were designed without any network-level security in mind. All of this creates opportunity for hackers and headaches for the rest of us.
The mechanics of mass hacking
The technology to enable mass hacking has been evolving for years. Some of it is software explicitly written to enable malicious use, and some of it is software that is vulnerable to such misuse.
Computer intrusion was once a largely solitary activity. Individual hackers gained and used deep technical knowledge of specific systems to perpetrate surgical attacks, one system at a time. Hackers gathered and shared their knowledge and tools in obscure enclaves. It took time, talent, and dedication to learn their methods. Although the black art and shadowy community of hacking remains strong, a new kind of hacking has emerged in the past few years.
Hacking has entered the age of mass production. This means mass attacks, as well as surgical ones, mounted by completely unskilled hackers ("script kiddies"), as well as skilled. The tools and methods now exist that allow amateurs to disrupt the Internet and to bring individual sites down. With the addition of one more element, Windows XP, mass hackers gain a formidable new tool IP spoofing. This will allow them to commit untraceable and unstoppable DOS attacks. Here's how they will do it.
There are more than 100 million computers connected to the Internet. Instead of using their own systems to attack their victims, the modern mass hackers dip their ladles into that vast ocean of other people's computers, co-opt some of them, and use them to launch the main assault.
Five technologies used in combination for such an assault are:
- Security information services. Internet security organizations like CERT and SANS, independent full-disclosure mailing lists such as bugtraq, security software vendors such as Symantec and McAfee, and infrastructure vendors such as Microsoft and Cisco all publicize fixes for bugs and security vulnerabilities in software and networking technology. They have no choice, really. To plug holes in security, thousands of system administrators all over the world must apply patches and reconfigure their networks. Of course, these information services are also a great service to hackers. Thus, security has become an ongoing race between hackers and system administrators, each side having essentially the same access to information. System administrators have the advantage because it's usually easier to plug security holes than it is to exploit them. But that goes only for those administrators who are paying attention and only those who know how to apply patches, and that can only be done once the patch is developed and made available by the vendor. What kind of system administrator doesn't know how to apply a patch? Well, for instance, Lenore Bach, wife of James (co-author of this piece), a reluctant computer user whose computer is always connected to the Internet, thanks to the miracle of the cable modem. There are millions more like her.
- Worms. A worm is an autonomous program that propagates and replicates itself over a network. It's similar to a virus, except instead of infecting and taking over programs, it stands alone. When a worm uses such tricks as IP guessing and port scanning (described below), taking advantage of common security holes, you have the potential to infect masses of machines. When the worm also carries with it a trojan (described below), you have the potential to do great harm.
- IP guessing and port scanning. Computers make themselves visible on the Internet via an interface akin to radio or television frequencies. When one computer wants to talk to another, it selects a channel, called a port, and initiates communication. The other computer must have a service running on that port or nothing will happen. For instance, when you browse the Web, your browser talks to the server on port 80. When you run a Web server, the server is listening on port 80. To find vulnerable systems, hackers scan IP addresses at random, but especially within IP ranges known to be used by cable modem and DSL customers. Then they scan ports conventionally used by services vulnerable to the particular exploit they are using. They can use a completely automatic process to achieve this.
- Trojans. A trojan is a program that looks harmless but isn't. A popular trojan known as SubSeven is so sophisticated that anyone with basic computer skills can construct an e-mail attachment that will instantly and silently install an elaborate remote administration system on the host computer. Once installed, SubSeven sends a message to the hacker announcing that the party has begun, so to speak. SubSeven works like PC Anywhere, allowing complete control of the host. Trojans used to be lovingly prepared by hacker-chefs. Now they're scripted and as easy as drive-thru.
- Scripts. Once a vulnerability becomes known and publicized, it only takes one technically proficient malicious hacker to use the vulnerability to produce a scripted "exploit." The vulnerabilities that hackers like best are those that can be exploited quickly, quietly, ubiquitously, and without human intervention. Apart from deliberate sharing of these exploit scripts, once the exploit is attached to a worm and sent into the field, other hackers will adapt the technology for their own attacks. Only one month passed between the public disclosure of a vulnerability in Microsoft's IIS Web server and the first appearance of the Code Red worm, which exploited that vulnerability.
Here's how the five technologies can be used together to create an army of zombies: A malicious hacker pores over the information provided on the security services to learn of a new kind of exploitable flaw, typically an operating system or component bug. The hacker constructs a worm that uses IP guessing and port scanning to find systems running a possibly vulnerable service, then tests for those that have not yet repaired the bug. The worm takes advantage of the opening to enter the system and apply a trojan to it. Meanwhile, the worm is proceeding to launch itself from that computer to find others to infect. Finally, the worm writer may choose to immortalize his or her work by making it into a scriptable package that can be used by others, each customizing to the extent of inventing his or her own trojan to attach.
Once infiltrated and co-opted, each computer can be used as a platform for serious, sustained attacks on other systems that may be much more difficult to penetrate. The owners of the zombie computers may never know that their systems have been compromised, and the hacker remains hidden in the shadows while the zombies do the dirty work. The well-documented attack on Gibson Research in May 2001 was an example of this: Each infiltrated system was installed with a trojan that continually monitored a specified IRC channel for instructions. The "zombie master" only had to enter the same channel and key in a few strokes in order to launch repeated accesses against any selected target. The result was a DOS attack that involved no direct action by the actual hacker, but nonetheless brought the site down. See www.grc.com/dos/intro.htm for the whole story of this attack.
With these technologies, a hacker of moderate skill can recruit and control a network of stolen computing resources. And it's getting easier. A month after the Gibson Research attack, a vulnerability was discovered in Microsoft's IIS Web server. A month later, the Code Red worm emerged, with a payload that attacked the White House Web site. The Code Red II worm used exactly the same technology as Code Red, not to attack one site but to exploit unpatched versions of IIS in deactivating the security of more than 100,000 computers. A side effect of the scanning process caused each infected system to broadcast itself to thousands of other systems. It's as if someone found a way to cause all the unlocked doors in an entire city to cry out, "I'm unlocked!" for the benefit of any interested burglar. Each time Code Red II tries to penetrate your system, it conveys back to you the identity of an infected (therefore security deactivated) computer. James was able to use this information and a Web browser to view the hard disks of two such infected systems. It's that simple.
That's what James can do, and he's an amateur. Just think what a dedicated hacker can do. Think about what a state-sponsored terrorist hacker can do.
IP address spoofing
Zombies comprise what might be called an ephemeral network: a sort of makeshift supercomputer. With one more technology, it could be a means to take down the mightiest dot-com. Permanently. That technology is IP spoofing.
All traffic on the Internet comprises discrete packets that have a certain format. This format includes a destination address and a source address, among other things. That means any computer that attempts to communicate with (or attack) another computer on the Internet can be identified, unless the source address is forged. You might wonder how communication is possible if the address is forged. Indeed, two-way communication isn't possible, but that doesn't matter in a DOS attack. The only goal of a DOS attack is to overload the receiving system with so much traffic that it can't communicate with anyone. A DOS attack using IP address spoofing is like sending a million postage-paid reply envelopes in the mail every day, with no return address. The structure of the Internet is such that there is no practical way to trace spoofed packets back to their source.
Until now, the most vulnerable systems out there, Windows systems, weren't able to launch spoofed packets very easily. Windows XP does have that capability, and it's easy to exploit. As Steve Gibson writes (see www.grc.com/dos/xpsummary.htm), "The security features built into all other raw socket capable operating systems (Windows 2000, Unix, Linux, etc.) deliberately restrict raw socket access to applications running with full 'root' privilege. However, the Home Edition of Windows XP executes all applications with full administrative ('root') privilege. Thus, Windows XP eliminates the raw socket safety restrictions imposed by all other operating systems." Microsoft, for its part, says the problem is not raw sockets but malicious code the cyber equivalent of the old rejoinder that "guns don't kill people; people kill people." But in its official statement on this issue, Microsoft does not acknowledge Gibson's key point that this particular gun is being handed fully loaded to untrained users, with the safety off.
Add a zombie army to IP spoofing, and you get a practically unstoppable, unfilterable, distributed DOS weapon: the very structure of the Internet that makes it powerful can be used selectively to destroy it. Imagine 100,000 zombie computers saturating 10 major financial institutions in the US using fake, randomly chosen source addresses. A sufficiently creative attack with a sufficient number of zombies could have a profound impact on e-commerce, not to mention Internet communication in general. This tool could be used to manipulate the stock market. It could be used to permanently excommunicate any company or organization from the Internet.
This article was excerpted from the October 2001 Cutter Business Technology Council Opinion, Pandemic I: Malicious Disruption (the Halloween Scenario). For a complete copy of the piece, including concurring and dissenting opinions by Cutter Business Technology Council members Rob Austin, Tim Lister, Jim Highsmith, Ed Yourdon, and Ken Orr, visit http://www.cutter.com/consortium/trends/offer.html.