Home page logo
/

interesting-people logo Interesting People mailing list archives

IP: Stratfor: "I Love You" and the Problem of Cyberwarfare
From: Dave Farber <farber () cis upenn edu>
Date: Mon, 15 May 2000 15:43:29 -0700



From: GLIGOR1 () aol com
Date: Mon, 15 May 2000 16:09:06 EDT


An interesting article to share....



From: "Bill" <wdimitroff () idirect com>
To: <wdimitr () aol com>
Subject: Stratfor: "I Love You" and the Problem of Cyberwarfare
Date: Mon, 15 May 2000 15:15:29 -040


Stratfor.com's Global Intelligence Update - 15 May 2000


"I Love You" and the Problem of Cyberwarfare

Summary

Last week, officials from the government and the computer industry
gathered in the wake of the massive denial of service attacks
against commercial web sites and the outbreak of the "I Love You"
virus. The real problem the United States and much of the world
faces is that people are overwhelmingly dependent upon a single
computer operating system that is exceedingly vulnerable to even
simple attacks. The PC and the Internet have become indispensable -
while remaining indefensible.

Analysis

Last week, U.S. government and computer industry officials gathered
in California for a summit on computer security. The meeting took
place in the wake of a recent spate of computer viruses and
attacks, including the massive denial of a service attack,
apparently launched by a Canadian teenager, and the "I Love You"
virus, seemingly launched by someone in the Philippines.

It is important to realize that neither of these attacks were
developed by computer geniuses. The Canadian teenager's ability to
shut down Amazon.com was perhaps one notch more sophisticated than
setting an autodialier on a telephone to repeatedly call someone's
phone, making it impossible for real callers to get through. The "I
Love You" virus was a simple macro written in a fairly simple
language, Visual Basic, that took advantage of the lack of security
on Microsoft's e-mail package. No one is going to be offering
either of these software creators jobs at the National Security
Agency.

Some people are taking comfort in this. John Dvorak, a usually
astute observer of the computing world, wrote in PC Week, "The Love
Bug Virus is the type of thing that's great for keeping journalists
busy on a slow news day. I've never seen anything get so much ink.
The question of the day: Will writing two-bit destructive viruses
become the way that loners and goofballs get their 15 minutes of
fame? I suspect this is the case. It certainly beats setting
oneself up on the school clock tower and picking off fellow
classmates with a rifle."

Dvorak is of course right - but he's missing his own point. Vitally
important news is being made. The news is this: It is now possible
for a comparatively unsophisticated computer programmer to create
absolute havoc. It is not the hacker's psychological profile that
is interesting; it is the intellectual profile that is stunning. It
used to be possible for a brilliant but unstable person to wreak
havoc. Today, a not particularly bright crackpot can achieve the
same outcome. And that is the point. There are few brilliant people
in the world. There are lots of dullards. Based on the ratio of
fools to geniuses, the likelihood of future attacks increases.

The problem is this: the personal computer and the Internet are
both revolutionary - and yet, terrifically vulnerable. Both are
less than a generation old and comparatively primitive, like the
telephone or automobile early on in their evolution. Yet the
revolutionary nature of computing today allows all kinds of people
to do important things in ways once impossible. Everyday people in
all walks of life and work have become dependent on these systems.

The vulnerability of these systems stems from the simple fact that
they were never intended to be the center of such dependency. The
personal computer was developed as a stand-alone system. Unlike
mainframes with multiple users using multiple accounts, the PC was
deliberately designed to serve the needs of an individual. The
entire purpose of the PC was to be a functioning system that
provided the user unfettered access to his data, programs and even
operating system. Hence its name. It followed from this that the
individual was unlikely to seek to harm his own computer or the
data on it. Security was hardly a priority.

Connectivity between PCs has crept in slowly. Not so long ago,
people couldn't conceive of a mass market for PCs. As word
processors and spreadsheets emerged, the usefulness of the PC
became more apparent. Still, few people in the 1980s imagined that
one of the PC's primary roles would be that of a communications
device. At first limited to a handful of military and academic
users, e-mail usage began to explode in the late 1980s.

Early e-mail had been built around a few academic mainframes. A PC
user would get a campus account - either on a mainframe or
minicomputer - in terminal mode, not as a true computer. He would
dial up to that account via a modem, at 300 or 1200 baud. That
computer would link to other computers in a crazy quilt pattern
called Bitnet, which had spun off from ARPAnet (a Defense
Department initiative). Over time, data files were stored on
various university mainframes. One of the biggest was at the
University of Minnesota, with tons of non-graphical information.
Using this network of computers, the user could hop around the
world. Out of this primitive connectivity, came the explosion of
the World Wide Web.

But the PC was never intended for this purpose - it was created for
a single user. Efficient usage meant that much of the function of
the operating system was hidden from the user, who really didn't
need to know what was going on within the system. Also, in the
interest of ease of use, the different applications became more
tightly integrated with each other and within the file system. The
outcome, of course, was the Microsoft-driven computer of today
where the word processor, spread sheet, e-mail package, web browser
and file system are intimately connected.

As a result, it is difficult today to figure out exactly what is
going on inside your own computer. The integration of processes
obfuscates the operating system. A good example can be found in the
famous "blue screen of death" that functions like a "service
engine" light. It tells you that you are in trouble, but doesn't
tell you why. The inability of the Microsoft Operating System (OS)
to tell the user what is wrong is a feature, not a bug, as they
say. The OS frequently doesn't have any idea what has failed. The
complexity of the system itself makes transparency impossible.

Microsoft triumphed because it provided for the easy exchange of
files within the PC and between PCs. But that very ease of exchange
created the current potential crisis. The Microsoft operating
system took advantage of connectivity opportunities. Once the
computer became connected, it was no longer under the sole control
of the owner, whose interest was in protecting his computer and his
data; instead the owner is now exchanging information with others
who might have more malicious interests. The structure of the
Microsoft OS made it extremely difficult to deal with maliciousness
for two reasons:

1. The increasingly tight integration of the OS with applications
and links between applications means that malicious imported code
can migrate rapidly from one part of the system to another. The "I
Love You" virus, for example, attacked the address book of the
email system, as well as attacking music and graphics files.

2. The lack of transparency of the operating system makes it
extremely difficult to create programs that can see what is
happening inside of the computer in real time, creating shut-offs
or fail-safes. Current anti-virus software is forced to identify
known viruses by scanning incoming files. This means that new,
unknown viruses can't be stopped.

During the denial of service attacks on web sites, no one could
figure out where attacks came from because a single attacker can
route attacks through thousands of computers. It is possible to
plant malicious code on a computer whose mission is not to attack
the host computer - but to propagate itself to other computers and
then to begin simply linking to Internet sites, shutting them down
by sheer overload. Finding these tiny bits of malicious code on a
server is mind-numbingly difficult. It can be anywhere in the file
system and called virtually anything. There is some software
designed to detect this code. But it needs to be installed by
people who are concerned with damage to other servers - altruism
that is fairly rare.

A teenage kid can knock out hundreds of corporate systems because
the foundation of modern computing, the operating system, has been
in rapid, forced development since the success of MS-DOS. It was
designed for one user who would treat it right. The hyper-
connectivity of the Internet exposes it to code delivered by
others. The Windows operating system was simply not built with this
in mind. It has served brilliantly as a tool for exchanging
information.

But its very success has created the menace. The neat macros
created in a spreadsheet can be made malicious by a teenage kid.
Interoperability and interconnectivity were created without regard
to security. And there can be none without transparency. You can't
be secure if there is no method for knowing what is happening in
your operating system. It is the perfect environment in which
viruses can flourish. That is true on the client and the server.

The problem is that we are dependent on these systems for our daily
work and our daily work can be used to spread harmful programs. If
a teenager can wreak this havoc, imagine what a concerted effort by
a well-funded government intelligence agency can do. That, of
course, is the point. Dependency on the computer and the Internet
at this primitive stage of development opens us to attack,
particularly from societies that are not dependent on PCs and the
internet, but that do possess the intellectual skills needed to
mount the attack.

One executive of an anti-virus company has suggested that you
should never open a file from someone you don't know. That is a
measure of how shallow our defenses are. How can you be sure that
the person you know hasn't become infected? In fact, how can you be
sure that the person you know doesn't want to zap you? Some
companies have solved the problem by prohibiting attachments and
removing floppy drives. In other words, they have solved the
problem by losing the capability. The solution is not in policies,
but in technology. The problem's center of gravity is the operating
system.

Security requires a complete re-engineering of the operating system
to permit rapid diagnosis through complete transparency. It will
not be easy to evolve Windows or NT in this direction. It seems
that officials may want to deal with this problem. After all, the
real threat from rogue states won't be nuclear attack, but cyber
attack. Rogue states won't launch nuclear attack for fear of the
counterattack. But how do we retaliate against a virus attack? We
depend on computers. They don't.


(c) 2000 WNI, Inc.


  By Date           By Thread  

Current thread:
  • IP: Stratfor: &quot;I Love You&quot; and the Problem of Cyberwarfare Dave Farber (May 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]