
MUSINGS ON THE CURRENT COMPUTER SECURITY ENVIRONMENT

Mudge

VP of R&D @Stake

Mudge@atstake.com


If there is one thing that the recent Distributed Denial of Service attacks have pointed out, it is not that the Internet is fragile and fraught with peril. This is something that has been known for over a decade. What we are learning now is that knee-jerk reactions and short-term planning still rule the corporate mindset. Luckily, this can be changed.

The cry of people to remove offensive information from the Internet shows a lack of understanding in the mechanics of how the Internet operates. The Internet guarantees that information moves from where it is -- to where it is not. As such, you cannot stop information after the fact. If a piece of information is released the price of copying and redistributing it is nothing. Once it has been released it has essentially been irrevocably published. You cannot go back and stop it from being published at this point.

So how do you combat this? You cannot, in this environment, attempt to legislate what can and cannot be said and expect it to hold across a network that exceeds our legal jurisdiction. If you have to fight bad information you must do so with good information. Imagine that you are a fire department and you have no water at your disposal. You fight fire with fire. But therein lies the rub. How can tools of healing be so similar to tools of destruction, and if they are so difficult to tell apart when there is no motive or action behind them to directly color their impact, how can we clamor for their removal? How can we believe that we are trying to help the world if we are not attempting to research and discover new tools of this nature? If for no other reason than to understand where vulnerabilities exist and how to prevent them before they are exploited by others. After all, why do we bother with war colleges? Because the worst-case scenarios that can happen should never be a surprise!

You cannot make it illegal to publish information or block the information that is being presented on the 'as you call them' hacker sites. You cannot even tell if this information is a tool of healing or a tool of destruction. In this case I will argue that more often than not the information is good.

Can we expect to stop useful information from being distributed? - No.

Can we stop useful information from being used for malicious purposes? - No.

Can we find and publish useful information slanting it for beneficial purposes? - Yes.

Can we do this in a preventative fashion as opposed to pretending that useful information can only be reactive in nature? - We must.

Steal their thunder! Do research into finding the security problems and shortcomings of these networks. Publish the results! If you wait for other people to find the problems then they get to slant how the information is presented, and ultimately used... not you. You are, at that point, relegated to cleaning up the mess that they have created. Would it not be a better situation to have released the information on your own and been able to slant its uses towards beneficent goals?

Ask any corporation if they would prefer to air their own problems or have someone else do it for them and thus lose that control.

Two years ago I gave testimony before the Senate Committee on Government Affairs along with my colleagues. We spoke about the weak infrastructure of the Internet. We touched upon topics dealing with massive disruption of service and how to prevent it. Two years later I find myself attempting to impart similar information to the President. This, along with other examples such as the reaction of industry to the DDoS attacks that had been known about for some time, would lead us to the conclusion that more effort should not be spent in helping companies recover or coordinate after the fact. Instead, effort should be made to ensure that companies make use of the information available and perform the due diligence that is expected of them by their customers and stockholders. Crying over spilled milk gets old after the second time.

If corporations are still calling for the various federal agencies to assist them, then maybe one of the hold-ups is an inability of federal groups such as the FBI to educate the companies as to what will help in investigations or claims. This would help in reducing the number of false positives that the FBI must disprove. People implicitly know that they should not wander around a crime scene disturbing potential evidence. Further, when called in to look at a crime scene, the investigators will restrict access to prevent others from destroying potential evidence. This is relatively common practice in the physical world. Unfortunately, it is still the exception when dealing with filesystems and transient data found on computers and networks.

The publishing of a clear and concise list of what types of information are useful to computer investigations would help to educate the entities that find themselves compromised or under attack. Here is an example of an instance in which publishing information can be used for good or bad purposes. If an attacker knows what information will aid in an investigation, then he or she can try to remove it. If someone trying to protect their company's assets or image knows what information will help the appropriate organizations or agencies track down the culprit, then they can take steps to protect it and ensure its integrity.

Let us briefly examine what could happen if the incorrect stance of restricting useful information is taken. The victim had no idea what information or logging and accounting mechanisms to protect and therefore cannot be held responsible for not attempting to protect the system. Underwriting or insurance mechanisms cannot be called into effect here, as there is no official document stating the equivalent virtual construct to "you have a wood frame building... where are your sprinklers?". The attackers? They are going to remove every log file or disable any accounting mechanism they can find.

With the stance of distributing information on what helps in investigating these crimes one would be able to enforce underwriting. A price can be placed on ineptness. The potential victim is able to take appropriate steps in preventing attackers from removing or altering log files and accounting that will be useful in analysis.
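One concrete step a potential victim can take, once told that log files are what an investigation will need, is to make those logs tamper-evident so that deletion or alteration is detectable during analysis. The following is an added example written for this page, not code from the essay, the L0pht or @Stake: a hash chain over log entries, where each record commits to the previous record's digest. The log lines are constructed sample data, and the `genesis` seed and the remote "anchor" are assumptions of the example rather than anything the essay specifies.

```python
import hashlib

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "sshd: Accepted publickey for ops from 10.0.0.5 port 51022",
    "sudo: ops : COMMAND=/bin/systemctl restart httpd",
    "sshd: Failed password for root from 203.0.113.9 port 40101",
    "sshd: Accepted password for backup from 203.0.113.9 port 40105",
    "kernel: audit: type=1305 auid=4294967295 op=remove_rule",
]


def _digest(prev_hash, seq, line):
    # Each record commits to the previous digest, its own position and its text,
    # so removing, reordering or editing an earlier record breaks every later one.
    return hashlib.sha256(f"{prev_hash}\n{seq}\n{line}".encode("utf-8")).hexdigest()


def chain_entries(lines, seed=b"genesis"):
    """Wrap plain log lines into hash-chained records."""
    prev = hashlib.sha256(seed).hexdigest()
    entries = []
    for seq, line in enumerate(lines):
        digest = _digest(prev, seq, line)
        entries.append({"seq": seq, "line": line, "prev": prev, "hash": digest})
        prev = digest
    return entries


def verify_chain(entries, seed=b"genesis"):
    """Return (True, None) if the chain is intact, else (False, first_bad_seq)."""
    prev = hashlib.sha256(seed).hexdigest()
    for expected_seq, entry in enumerate(entries):
        if entry["seq"] != expected_seq or entry["prev"] != prev:
            return False, expected_seq          # gap, reorder or deletion
        if _digest(prev, entry["seq"], entry["line"]) != entry["hash"]:
            return False, expected_seq          # edited text or forged digest
        prev = entry["hash"]
    return True, None


def matches_anchor(entries, anchor_hash):
    """The chain alone cannot reveal that its tail was cut off; compare the last
    digest against a copy kept off-host (e.g. forwarded to a log collector)."""
    return bool(entries) and entries[-1]["hash"] == anchor_hash


if __name__ == "__main__":
    entries = chain_entries(SAMPLE_LOG)
    anchor = entries[-1]["hash"]            # assumed to be stored off-host
    print("intact:", verify_chain(entries))

    edited = [dict(e) for e in entries]
    edited[2]["line"] = "sshd: Accepted password for root from 203.0.113.9"
    print("edited entry:", verify_chain(edited))

    deleted = entries[:1] + entries[2:]     # attacker drops the sudo record
    print("deleted entry:", verify_chain(deleted))

    truncated = entries[:-1]                # attacker drops the newest record
    print("truncated, chain only:", verify_chain(truncated))
    print("truncated, with anchor:", matches_anchor(truncated, anchor))
```

The design point is the last two lines: a hash chain alone detects edits and deletions in the middle of a log, but an attacker who removes the newest records, or who recomputes the whole chain after editing it, leaves a chain that still verifies. Only a digest that has already left the host (the anchor here, in practice a remote collector or write-once store) lets the analyst tell that the log they were handed is shorter than the one that existed.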

I do not believe the older investigative components of the government are currently sufficiently up to speed in these areas. This might explain some of the reluctance for corporations to approach places like the FBI and instead turn to areas such as the CIAO for assistance.

To close, allow me to point to our actions instead of my words. The organization that I have been involved with since 1992 - the L0pht, now the R&D component of a newer company called @Stake - has been sharing our discoveries and methodologies since our inception. We have come out with descriptions of problems, how we found them, how people can test for them, and how to solve them. We decided that if information can be presented without encouraging people to misuse it, then people use it for laudable purposes.

We have ultimately improved our surroundings and those of the people and companies with whom we have been involved. That is, after all, the goal - and something not many can lay claim to.
