Richard Pethia and Thomas Longstaff

Ronald D. White is an editorial writer for The Times

The standard rule of thumb among those who analyze computer security problems is that there tends to be just one “Level 9” Internet security event a year. That’s a virus or some other problem with the potential to inflict widespread damage. Level 9 refers to the kind of incident, on a scale of one to 10, that everyone recognizes as major.

Unfortunately, that standard isn’t holding this year for the world’s first Computer Emergency Response Team (CERT), at Carnegie Mellon University’s Software Engineering Institute in Pittsburgh. Richard D. Pethia is manager of the Networked Systems Survivability program and the CERT Coordination Center at the institute. Thomas A. Longstaff is head of research and development for the survivability program. Both thought they had their Level 9 of the year with the Melissa virus in April. Maybe not.

Melissa was the fastest-growing virus in history, able to invade e-mail address books and ship itself out to as many as 50 new victims, then up to 50 from each of the next infected computers and so on. It soon forced the shutdown of e-mail servers around the world. CERT, which is funded by the Defense Department and private industry, issued only the second national alert in its history.

The newest threat is Worm.ExploreZip, which appeared on June 6. It seemed to be a straightforward Trojan horse, a program that hides malicious functions inside an apparently normal program, such as a fake upgrade for an Internet browser. But ExploreZip, which has already shut down some major corporate e-mail systems, including those of General Electric and the World Bank, also has the ability to spread itself to other networked computers.

Pethia, 52, has been at CERT since its inception 10 years ago and has advised Congress, the Justice Department and the White House on matters ranging from defense of the nation’s critical electronic infrastructure to updates on computer crime. He is married and has three children.

Before Longstaff, 38, came to CERT, he was the technical director at the Computer Incident Advisory Capability at Lawrence Livermore National Laboratory in Livermore, Calif. He completed a PhD in 1991 at UC Davis in software environments and earned a bachelor of arts in physics and mathematics from Boston University in 1983. He is married with one child.

CERT’s approach to a problem like Melissa or ExploreZip is multitrack: trying to help the victims; getting a copy of the virus code and tearing it apart to understand how it works; assembling a team to write an advisory for the public; assembling another group that talks directly to manufacturers of antivirus products to give them technical support.

Last week, the two men spoke on the phone from their office about the increasing vulnerabilities of our networked world and about what keeps them awake at night.

Question: Many people know a basic definition of a computer virus: something malicious or perhaps a prank designed to foul up someone’s computer. But what could something like Melissa mean, which spreads so quickly? What types of things might have happened other than crashed e-mail servers had there been malicious intent?

Richard Pethia: Anything you can do, sitting at your computer, an outsider could do without your knowledge in terms of moving files, deleting files. One scenario is the destruction of storage files, destruction of data. Consider another scenario where this virus, as it moves around, does so very quietly. Instead of mailing itself to 50 of your e-mail friends, it sends it to one or two. Now, we’re talking about a low level of activity that wouldn’t cause any suspicion. Inside, this kind of virus is a little time bomb set to go off sometime in the future. You don’t see the problem today or tomorrow, but about three years from now, after this thing has slowly spread around to about 100,000 sites. That’s when the virus takes off and you have this great big simultaneous bang across hundreds of thousands of computer systems across the Internet. Those are the kinds of things that I lose sleep over.

Thomas Longstaff: This follows a trend that’s disturbing. We’ve created applications that have complex abilities to control computers, to run programs without the user ever seeing or controlling what’s going on. We call this “ease of use,” where we make the computer easier to use by hiding more and more of what it does from the people using it. Now, when you get a malicious code, viruses mailed, you don’t have a clue about what’s happening until it does something to create an error, until it begins to act--like, in this case, completely overloading a company’s e-mail server.

Melissa wasn’t just serious because it caused e-mail servers to fail. Here’s the other important element. You are going to use your desktop word processor to type your most sensitive documents, the most sensitive things in your company records. Things that deal with personnel, that deal with future plans. Everything that you want to keep secret. This virus could have posted your secrets on the Internet, on a Web server or sent it to a central location. The imagination abounds with examples of how it could have taken a company’s sensitive data and shipped it around.

Q: And most of the people you’re dealing with may have some idea that something is wrong, but haven’t a clue about what it might be?

RP: What we’ve seen over time is that more and more of the people who contact us are less and less able to understand the technical nuances that we try to explain to them. Many people just don’t understand the technology enough. We actually can’t step them through a solution over the telephone. We have to recommend that they go somewhere and get some good technical help.

This is my pet soap box, by the way. From our perspective, there is a growing gap between systems that are becoming more widely used compared to the number of people who understand how to fix these systems or administer them properly. That gap, for us, means growing vulnerability. That’s at least part of the reason why the number of telephone calls we get each year continues to increase.

Over time, we’ve had an explosion in the use of the computer technology because the industry has done a better and better job of making it easy to use. At the same time, we haven’t provided software and systems that are equally easy to administer, especially from a security standpoint.

Q: There is an increasing sophistication to these attacks, new methods of attacks, new vulnerabilities. What is going on?

RP: Probably many things are going on. One is more of what we have seen in the past in terms of hackers, just more and more of that kind of activity. That’s, in part, because of the wide availability of hacker tool sets that people can use. Even people with minimal skill can practice the craft of breaking into computer systems. So, there is certainly a lot more of what we call noise in the system than there was five years ago. It looks a lot like more people are cruising the network looking for interesting things and accidentally causing some damage.

We’re also seeing more criminal activity on the network, in terms of people trying to do damage. Maybe it was competitive, someone who had a grudge. That’s not vandalism, that’s criminal, someone trying to do damage to a business. As more and more organizations connect to the network, the opportunity is there. Stealing proprietary designs.

TL: With the declining expertise of people on the Internet and in computer knowledge in general, the ability of people to distinguish between nonmalicious roving and malicious crime is becoming negligible. When someone calls the CERT and says, “Well, I’ve been attacked” or “I have these strange behaviors on my machine and it looks like I have an intruder,” it’s frequently the case that we say, “Well, can we go back and find a log of what this intruder did?”

And the caller says, “Well, I don’t even know what a log file is.” [A computer log file can serve as a kind of black-box flight-data recorder, telling investigators what was happening when a problem hit.]

At that point, just trying to lead somebody to even understand whether it’s just a joy ride or a serious criminal act is becoming very difficult. The impact of that kind of attack may never be known.

Q: So, was ExploreZip a more serious threat than Melissa?

TL: Yes and no. Melissa was unique in that it created a new link between the [replication] of the [virus] via e-mail and a payload in an application environment. Explore, on the other hand, created no new mechanisms of import to the security research community. But it was far more dangerous to the individual victims. In that sense, it is certainly a greater threat to the end user than Melissa. This was exactly as we predicted earlier about Melissa’s release, where the mechanisms of Melissa would be used to create more dangerous viruses and worms.

Q: There is a British military officer whose job is to prepare for “information warfare” attacks. I read he gets worried every time an incident occurs that wouldn’t horrify most people: a pager satellite malfunctions, say, or the air traffic control system blanks out over the central U.S. for a few minutes. Every time something like that happened, he had to wonder if the warfare had begun, knowing the country wasn’t ready. Do you have similar worries?

RP: One of the real concerns is death by a million paper cuts. . . . I do an informal survey when I talk to people at conferences and seminars. What I’ve discovered over the last two years is that almost everybody today is connected to the Internet. About 40% are now using the Internet as an integral part of their business. It’s no longer an option. It’s something they depend on.

Almost none of the organizations who are now in that state got there because senior management made a conscious decision to say that they were going to become dependent on the Internet and the technology it takes to get connected.

So, they basically have become dependent on the Internet without ever going through all the steps they would normally take when they make big decisions. They don’t understand the threats. They don’t understand the risks. They don’t have contingency plans in place. They don’t really think about it causing a problem. They could begin to bleed to death without recognizing that it was happening until well along in the process.

TL: Meanwhile, we don’t even have any technology on the horizon that is going to help in this trend. There are no radically new security systems, no new way of protecting ourselves. In the past, it was expensive to protect yourself but you could possibly do it. But we’re rapidly creating a world where we don’t have any way at all of protecting ourselves. As hard as we are working, there are many orders of magnitude more people working to make computing easier and make us more vulnerable, too.

Q: That leads to this idea of creating survivable computer systems that could respond directly to attacks and somehow keep their data and continue to function.

TL: By survivable systems, we mean a whole collection of individual computer systems that might be spread out through a number of different organizations and sites that all work together to accomplish a mission. Could be a Defense Department military mission, a business mission. The threats are basically any kind of accidents, failures, intrusions that can take out critical pieces of that communicating set of machines.

Survivability is the ability of this complicated network to recognize when bad things are happening to it, automatically take steps to ensure that the mission will continue and to recover, regardless of the source or kind of the problem or attack.

Q: But the technology doesn’t exist.

TL: Pieces of this technology exist, but good solutions don’t exist yet. We have a lot of history on how to make some parts of computer systems reliable. We have information on how to develop better software. We’re looking at how you can structure it so that the overall set can survive.

Q: You folks mentioned Level 9 events. What is a Level 10?

RP: A Level 10 is something that moves with the speed of a Melissa but has a much more malicious payload than Melissa had. A Melissa virus that had been doing damage. As Tom said, there was a possibility that it could have caused sensitive information to leak out over the Web. If Melissa had been engineered differently, it could have created a lot of leaks of sensitive information.

TL: To me, a Level 10 is any major thing like Melissa that, on a wide scale, I’m talking worldwide, erodes our confidence completely in using the network. Makes people afraid to use the technology because of what might happen. A Melissa virus that spreads slowly for 10 months and suddenly starts shipping sensitive information out onto the Internet from computers all over the world. The fear of using a machine after that would be great enough to completely erode confidence in using a networked computer.

RP: If you ever hear of a Level 10, give us a call.