Technology and Open Source Update

Latest information about new technology and open source.

Posts Tagged ‘Security’

Low-Cost Defenses for Curbing Computer Worms

Posted by megahacker136 on February 17, 2009

Thanks to an ingenious new strategy devised by researchers at University of California, Davis and Intel Corporation, computer network administrators might soon be able to mount effective, low-cost defenses against self-propagating infectious programs known as worms.

Many computers are already equipped with software that can detect when another computer is attempting to attack it. Yet the software usually cannot identify newly-minted worms that do not share features with earlier marauders. When network managers detect suspicious activity, they face a major dilemma, said Senthil Cheetancheri, who led efforts to develop the strategy. “The question is, ‘Should I shut down the network and risk losing business for a couple of hours for what could be a false alarm, or should I keep it running and risk getting infected?’”

Cheetancheri, a graduate student in the Computer Security Laboratory at UC Davis when he did the work, has shown that the conundrum can be overcome by enabling computers to share information about anomalous activity. As signals come in from other machines in the network, each computer compiles the data to continually calculate the probability that a worm attack is underway. “One suspicious activity in a network with 100 computers can’t tell you much,” he said. “But when you see half a dozen activities and counting, you know that something’s happening.”

The second part of the strategy is an algorithm that weighs the cost of a computer being disconnected from the network against the cost of it being infected by a worm. Results of this ongoing process depend on the calculated probability of an attack, and vary from computer to computer depending on what the machine is used for. The algorithm triggers a toggle to disconnect the computer whenever the cost of infection outweighs the benefit of staying online, and vice versa.

The computer used by a person working with online sales, for example, might be disconnected only when the threat of an attack is virtually certain; the benefit she provides by continuing to work during false alarms far outweighs the cost of infection. On the other hand, a computer used by a copy writer who can complete various tasks offline might disconnect whenever the probability of an attack rises above even a very low level.
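The two-part strategy just described, worked through as an added example that is not code from the UC Davis / Intel study: peer alerts are combined into a running probability of an outbreak, and each host compares the expected cost of infection with its own cost of being offline. The alert rates, costs and host profiles are constructed assumptions.

```python
"""Cooperative worm-alert aggregation with a per-host cost/benefit disconnect toggle.

Added illustration of the strategy described above; not code from the study.
All rates, costs and alert counts are constructed.
"""
import math
from dataclasses import dataclass


def worm_probability(n_alerts, n_quiet, prior=0.01,
                     p_alert_worm=0.08, p_alert_noworm=0.005):
    """Posterior probability that a worm is active, given this round's peer reports.

    Each peer reports either "suspicious activity" or "nothing unusual".
    Reports are treated as conditionally independent, so the log-odds simply
    accumulate one likelihood ratio per report.
    p_alert_worm   = chance a host raises an alert early in a real outbreak
    p_alert_noworm = ordinary false-alarm rate of a host's local detector
    (both are constructed assumptions, not figures from the study).
    """
    log_odds = math.log(prior / (1.0 - prior))
    log_odds += n_alerts * math.log(p_alert_worm / p_alert_noworm)
    log_odds += n_quiet * math.log((1.0 - p_alert_worm) / (1.0 - p_alert_noworm))
    return 1.0 / (1.0 + math.exp(-log_odds))


@dataclass
class HostProfile:
    """Costs that make the decision differ from machine to machine."""
    name: str
    cost_offline: float    # value lost while disconnected, per decision period
    cost_infection: float  # expected loss if this host becomes infected


def disconnect_threshold(profile):
    """Probability above which going offline is cheaper than risking infection."""
    return min(1.0, profile.cost_offline / profile.cost_infection)


def decide(p_worm, profile):
    """Expected cost of staying online (p * infection cost) versus the certain
    cost of being offline; 'disconnect' when the former is larger, else 'online'."""
    expected_infection_cost = p_worm * profile.cost_infection
    return "disconnect" if expected_infection_cost > profile.cost_offline else "online"


def run_toggle(profile, rounds):
    """Re-evaluate the toggle every round as fresh peer reports arrive.

    rounds: list of (n_alerts, n_quiet) snapshots of the network.
    Returning the whole state list makes the reconnection visible once
    alerts subside (the "vice versa" half of the strategy).
    """
    return [decide(worm_probability(a, q), profile) for a, q in rounds]


if __name__ == "__main__":
    # Constructed 100-host network: alerts climb from 0 to 6, then fall back.
    rounds = [(0, 100), (1, 99), (3, 97), (6, 94), (2, 98), (0, 100)]
    # Sales desk: nearly as costly offline as infected, so disconnect only when
    # an outbreak is almost certain.  Copy writer: cheap to take offline.
    sales = HostProfile("online-sales", cost_offline=900.0, cost_infection=1000.0)
    writer = HostProfile("copy-writer", cost_offline=10.0, cost_infection=1000.0)
    for a, q in rounds:
        print(f"{a:2d} alerts / {q:3d} quiet -> P(worm) = {worm_probability(a, q):.4f}")
    for host in (sales, writer):
        print(f"{host.name:13s} threshold {disconnect_threshold(host):.2f}:",
              run_toggle(host, rounds))
```

With these constructed rates a single alert among 100 hosts leaves the probability near zero, while six alerts push it above 0.99, so the sales host disconnects for one round and the copy writer's host for two.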

The study is published in “Recent Advances in Intrusion Detection, 2008,” the proceedings of a symposium that was held in Cambridge, Mass., in September, 2008.

Other contributors to the study are John-Mark Agosta with Intel Corporation; Jeff Rowe, research scientist in the UC Davis Computer Security Laboratory; and UC Davis computer science professors Karl Levitt and Felix Wu.


Could Remote Drug Delivery Devices Be Hacked?

Posted by megahacker136 on February 17, 2009

Electronic implants that dispense medicines automatically or via a wireless medical network are on the horizon. Australian and US researchers warn of the security risks.

Fighting Tomorrow’s Hackers

Posted by megahacker136 on February 17, 2009

One of the themes of Dan Brown’s The Da Vinci Code is the need to keep vital and sensitive information secure. Today, we take it for granted that most of our information is safe because it’s encrypted. Every time we use a credit card, transfer money from our checking accounts — or even chat on a cell phone — our personal information is protected by a cryptographic system.

But the development of quantum computers threatens to shatter the security of current cryptographic systems used by businesses and banks around the world.

“We need to develop a new encryption system now, before our current systems — such as RSA — becomes instantly obsolete with the advent of the first quantum computer,” says Prof. Oded Regev at Tel Aviv University’s Blavatnik School of Computer Science. To accomplish that, Prof. Regev has proposed the first safe and efficient system believed to be secure against the massive computational power of quantum computers and backed by a mathematical proof of security.

Secure for Centuries

Prof. Regev stresses it is imperative that a new cryptographic system be developed and implemented as soon as possible. One reason is that current information, encrypted with RSA, could be retroactively hacked in the future, once quantum computers are available. That means that bank and other financial information, medical records, and even digital signatures could instantly become visible.

“You don’t want this information to remain secure for just 5 or 10 years until quantum computers are built,” says Prof. Regev. “You want it to be safe for the next century. We need to develop alternatives to RSA now, before it’s too late.”

New Cryptographic System

Cryptographic systems are used to transmit secure information such as bank and online transactions, and typically rely on the assumption that the factoring problem is difficult to solve. As a simplified example, if the number 3088433 were transmitted, an eavesdropper wouldn’t be able to tell that the number is derived from the factors 1583 and 1951. “Quantum computers can ‘magically’ break all of these factoring-based cryptographic systems, something that would take billions of years for current computers to accomplish,” Prof. Regev explains.

The current gold standard in encryption is the universally used RSA cryptosystem, which will be instantly broken once quantum computers are a reality — an event predicted to happen as early as the next decade. To replace RSA in this new reality, Prof. Regev combined ideas from quantum computation with the research of other leaders in the field to create a system that is efficient enough to be practical for real-world applications.

Prof. Regev’s work was first announced in the ACM Symposium on Theory of Computing and will appear in the Journal of the Association for Computing Machinery. His work has now become the foundation for several other cryptographic systems developed by researchers from Stanford Research Institute, Stanford University, and MIT. Its potential real-world applications are extensive, ranging from banking transactions to eBay and other online auctions to digital signatures that can remain secure for centuries.


Good Code, Bad Computations (Return Oriented Programming)

Posted by megahacker136 on February 17, 2009

If you want to make sure your computer or server is not tricked into undertaking malicious or undesirable behavior, it’s not enough to keep bad code out of the system.

Two graduate students from UC San Diego’s computer science department—Erik Buchanan and Ryan Roemer—have just published work showing that the process of building bad programs from good code using “return-oriented programming” can be automated and that this vulnerability applies to RISC computer architectures and not just the x86 architecture (which includes the vast majority of personal computers).

Last year, UC San Diego computer science professor Hovav Shacham formally described how return-oriented programming could be used to force computers with the x86 architecture to behave maliciously without introducing any bad code into the system. However, the attack required painstaking construction by hand and appeared to rely on a unique quirk of the x86 design.

This new automation and generalization work from graduate students and professors from UC San Diego’s Jacobs School of Engineering will be presented on October 28 at ACM’s Conference on Communications and Computer Security (CCS) 2008, one of the premier academic computer security conferences.

“Most computer security defenses are based on the notion that preventing the introduction of malicious code is sufficient to protect a computer. This assumption is at the core of trusted computing, anti-virus software, and various defenses like Intel and AMD’s no execute protections. There is a subtle fallacy in the logic, however: simply keeping out bad code is not sufficient to keep out bad computation,” said UC San Diego computer science professor Stefan Savage, an author on the CCS 2008 paper.

Return-oriented Programming

Return-oriented programming exploits start out like more familiar attacks on computers. The attacker takes advantage of a programming error in the target system to overwrite the runtime stack and divert program execution away from the path intended by the system’s designers. But instead of injecting outside code—the approach used in traditional malicious exploits—return-oriented programming enables attackers to create any kind of nasty computation or program by using just the existing code.

“You can create any kind of malicious program you can imagine—Turing complete functionality,” said Shacham.

For example, a user’s Web browser could be subverted to record passwords typed by the user or to send spam e-mail to all address book contacts, using only the code that makes up the browser itself.

“There is value in showing just how big of a potential problem return-oriented programming may turn out to be,” said computer science graduate student Erik Buchanan.

The term “return-oriented programming” describes the fact that the “good” instructions that can be strung together in order to build malicious programs need to end with a return command. The graduate students showed that the process of building these malicious programs from good code can be largely automated by grouping sets of instructions into “gadgets” and then abstracting much of the tedious work behind a programming language and compiler.

Imagine taking a 700 page book, picking and choosing words and phrases in no particular order and then assembling a 50 page story that has nothing to do with the original book. Return-oriented programming allows you to do something similar. Here the 700 page book is the code that makes up the system being attacked—for example, the standard C-language library libc—and the story is the malicious program the attacker wishes to have executed.

“We found that return-oriented programming poses a much more general vulnerability than people initially thought,” said computer science graduate student Ryan Roemer. He and Buchanan chose to study return-oriented programming for a class project after they heard Shacham outline a series of open questions in a guest lecture he gave in Savage’s computer security course last winter.

Living with Return-Oriented Programming

“The threat posed by return-oriented programming, across all architectures and systems, has negative implications for an entire class of security mechanisms: those that seek to prevent malicious computation by preventing the execution of malicious code,” the authors write in their CCS 2008 paper.

For instance, Intel and AMD have implemented security functionality into their chips (NX/XD) that prevents code from being executed from certain memory regions. Operating systems in turn use these features to prevent input data from being executed as code (e.g., Microsoft’s Data Execution Prevention feature introduced in Windows XP SP2). The new research from UC San Diego, however, highlights an entire class of exploits that would not be stopped by these security measures since no malicious code is actually executed. Instead, the stack is “hijacked” and forced to run good code in bad ways.

“We have demonstrated that return-oriented exploits are practical to write, as the complexity of gadget combination is abstracted behind a programming language and compiler. Finally, we argue that this approach provides a simple bypass for the vast majority of exploitation mitigations in use today,” the computer scientists write.

The authors outline a series of approaches to combat return-oriented programming. Eliminating vulnerabilities permitting control flow manipulation remains a high priority—as it has for 20 years. Other possibilities: hardware and software support for further constraining control flow and addressing the power of the return-oriented approach itself.

“Finally, if the approaches fail, we may be forced to abandon the convenient model that code is statically either good or bad, and instead focus on dynamically distinguishing whether a particular execution stream exhibits good or bad behavior,” the authors write.


Danger…

Posted by megahacker136 on November 2, 2008

You have installed a new self-updating antivirus program, have the latest firewall, and you do not open any dodgy looking e-mail messages. You think you are reasonably safe from a lot of the harmful content on the Internet. Unfortunately, you are not.

On top of the newer and deadlier versions of the same kind of threats that are out there, there is now a new type of danger altogether — “click-jacking.”

At the Hack-in-the-Box security conference (HITBSecConf) 2008 here last week, click-jacking was the focus of a keynote speech by the founder and chief technology officer of WhiteHat Security, Jeremiah Grossman.

“Think of any button on any website that you can click on,” said Grossman. “Now consider that an attack can invisibly hover over these buttons and below a user’s mouse, so that when the user clicks on something he sees, he is actually clicking on something the attacker wants him or her to.”

An attacker, for example, can make you click on an “activate webcam” button when you intended to click the “news” button, he explained.

This means that a home user’s web browser can be covertly infiltrated with shadow buttons that lie invisibly over legitimate buttons.

According to Grossman, the “bad guy” hacker can access a web browser this way through the existing JavaScript or Flash player and it is relatively easy. Exact details on how this is done are confidential for security reasons.

“We have only known about this for a very short period of time; it is still unclear if there are any effective defences against this newfound threat,” he said.

Grossman recommends making sure the web browser security features are installed and up to date, especially with the more popular web browsers.

“If you want to use a popular web browser, you have to install every security add-on you can find. The less popular web browsers are less likely to be targeted by attackers. In any case, I would recommend you unplug or tape-up your webcam lens and disable or mute your microphone,” he said.

Grossman said that it is unclear what the web browser companies themselves can do about click-jacking right now. “Given that it is a very new type of threat, not much is known right now. We are looking into it,” he added.

HITBSecConf is Asia’s largest network security conference and is organised by Hack In The Box (M) Sdn Bhd; the event is in its sixth year.

That HITBSecConf is expanding year after year underscores how critical network security as a subject matter has become in Malaysia, said Dhillon Andrew Kannabhiran, founder and CEO of Hack In The Box, when announcing this year’s conference last month.

He had also said that it shows IT decision makers in local organisations and network security professionals worldwide acknowledge the value that HITBSecConf offers in terms of hands-on training, deep technical information, and insights into security trends.

The event is endorsed by the Malaysian Communications and Multimedia Commission; Malaysian Administrative Modernisation and Management Planning Unit; Malaysian National Computer Confederation; and Multimedia Development Corporation.


Cyber-Threats’ Reality

Posted by megahacker136 on October 8, 2008

WAR, crime and terrorism are traditional concepts that occur in the physical domain. The only difference between those concepts and cyberwar, cybercrime and cyber-terrorism is the “cyber” prefix.

Cyberwar refers to warfare in cyberspace and includes cyber-attacks against a nation state and critical communication network. Cyber-terrorism refers to the use of cyberspace to commit terrorism. It is generally understood to mean unlawful attacks and threats of attack against computers, networks and the information stored therein when done to intimidate or coerce a government or its people to further political or social objectives.

Cybercrime, or crime in cyberspace, has been experienced by many parties; its motive is computer-related crime, with monetary gain the focus.

What is a threat?

From the information security perspective, a threat is defined as the potential to cause an unwanted incident in which an asset, system or organisation may be harmed.

There are three sources of threats: Intentional, accidental and environmental. Some examples of intentional threats are those that use malicious software or illegal software. Accidental threats can be seen as service failure, human design error or hardware failure.

Meanwhile, examples of environmental threats are earthquakes, thunderstorms or lightning. All these threats cannot be totally eliminated, but can be reduced through the establishment of effective measures to curb such threats within each organisation.

Threats however, if not properly controlled, can create an unwanted impact on security, socio-economy and human lives.

Cheap method

The dimension of warfare can be categorised as conventional, space and cyber-warfare. Conventional warfare and space warfare are expensive whereas cyber-warfare is cheap. It is also accessible to many groups and individuals.

Cyber-warfare enables asymmetric warfare, where individuals have the abilities and capabilities to cause damage to a nation state.

Access to a personal computer with an Internet connection can create as much damage as traditional weapons. It is attractive to many because it is cheap in relation to the cost of developing, maintaining and using advanced military capabilities.

The sophistication of an attacker’s tools and techniques is increasing, while the technical knowledge needed to use them is decreasing.

Furthermore, all of these tools are available on the Internet, are increasingly user-friendly, cost very little and in many instances are free of charge.

There are known threats which have limited capabilities and marginal opportunities with high risks of being detected. There are also emerging threats which have many capabilities and broad opportunities and provide low risks of detection. These are the dilemmas that we face today.

Case studies

Below are several case studies of cyberthreats reported outside Malaysia:

· Cyberattacks experienced by the Japanese government.

It was reported that the Japanese government’s computers were under attack on August 4, 2004. Eight Japanese government agencies’ computer networks were disrupted almost simultaneously, similar to what is known as barrage jamming in telecommunication terms.

Those networks experienced denial-of-service attacks whereby the affected networks were not accessible for a few hours.

· Hackers clogging up the US customs’ computers for hours.

This case was reported in August 2005 where viruses attacked the US Customs and Border Protection system for several hours. Several thousands of people were affected.

The viruses left a grave impact on the computers at airports in Miami, New York, San Francisco, Los Angeles, Houston and Dallas.

· Cyberattacks on Estonia

In May 2007, Estonia was under cyberattack for three weeks. The attacks paralysed Internet communications targeting the government, banking, media and police websites.

Huge economic losses were incurred as online transactions were disrupted.

· Cyber-warfare between Russia and Georgia

Russia’s invasion of Georgia in August had moved into cyberspace as the Russians managed to seize direct routing intended for Georgia.

It was reported that the Russians intercepted the network traffic to Georgia and redirected the route to their servers. Many of Georgia’s Internet servers were under their command and control.

Local attack

In 2001, Malaysia’s Internet infrastructure was attacked by the Code Red worm. This was a classic example of infrastructure attack in which the worm spread very fast and brought our national communication network to a standstill.

It was reported that the relevant agencies took three months to eradicate this worm and the estimated minimum losses were RM22mil, not inclusive of the losses to the business fraternity and other sectors as well.

Other incidents of cyberattacks were caused by the Blaster and Naachi worms in 2003. The incident started with the propagation of the Blaster worm through the scanning of vulnerable machines via the network, followed by Naachi worms.

These worms exploited the vulnerability found in the Windows NT, 2000 and XP software. The estimated cost to eradicate these worms was about RM31mil, not including lost productivity and the cost of lost opportunity.

Modern warfare

Today, cyberspace is the new war frontier whenever there are conflicts between countries.

The popular method of a cyberattack is the defacement of websites. Web defacement is a malicious activity whereby a website is “vandalised.”

Often the hacker replaces the site’s content with a specific political or social message. The hacker may even erase all the contents from the site by relying on known security vulnerabilities to access the site’s content.

The US-China conflict in May 2001, which resulted from an incident where a Chinese fighter was lost at sea after colliding with a US naval reconnaissance plane, is a good example to illustrate this scenario.

End word

In conclusion, cyber-threats are the problems of today and the future. They need to be addressed in a comprehensive manner. In dealing with cyber-threats, a country cannot stand alone. There is a need to have strategic alliances to deal with threats and vulnerabilities in the cyberworld.

Co-ordination and collaboration from all parties is important in order to enhance the security of Malaysia’s cyberspace.


Space Station Laptops Catch Virus

Posted by megahacker136 on September 2, 2008

Malware has managed to get off the planet and onto the International Space Station, NASA confirmed last week. And it’s not the first time that a worm or virus has stowed away on a trip into orbit.

The attack code, which space news site SpaceRef.com identified Monday as “W32.Gammima.AG,” infected at least one of the laptops used on the station, an international effort headlined by the U.S. and Russia.

NASA spokesman Kelly Humphries declined to identify the malware, saying only that anti-virus software detected a worm on July 25.

The first public report of malware aboard the ISS was logged earlier this month, on Aug. 11. In NASA’s daily status report on the station that day, the agency said Sergey Volkov, the International Space Station (ISS) commander, was “working on the Russian RSS-2 laptop” and “ran digital photo flash cards from stowage through a virus check with the Norton AntiVirus application.”

A week later, on Aug. 21, Volkov “checked another Russian laptop, today RSK-1, for software virus by scanning its hard drives and a photo disk.”

The next day, Volkov transmitted antivirus scanning results from the laptop to Earth, and American astronaut Greg Chamitoff scanned another computer for possible infection. NASA also said in Friday’s report that all laptops on board the ISS were being loaded with anti-virus software.

“All A31p laptops onboard are currently being loaded with [the] latest [Norton AntiVirus] software and updated definition files for increased protection,” said NASA.

W32.Gammima.AG, the name Symantec Corp., maker of Norton AntiVirus, gives the malware, is a year-old Windows worm designed to steal information from players of 10 different online games, some of them specific to the Chinese market. Among the games: ZhengTu, HuangYi Online and Rohan.

The worm also plants a rootkit on the infected system, and transmits hijacked data to a remote server.

Today, Humphries said that the worm poses no threat. “It was never a threat to any command-and-control or operations computer,” he said. He refused to detail how the malware snuck aboard, citing “IT security issues,” but other sources, including SpaceRef.com, speculated that it might have stowed away on a laptop or a flash card.

In fact, the Aug. 11 ISS log entry hinted at digital camera storage cards as a suspect.

“There have been other incidents,” confirmed Humphries, who works at the Johnson Space Center in Houston, Tex. “I don’t know when the first one was, but the station will have been in orbit for 10 years [come] November.”

“If there is any good news at all, it’s that the malware was designed to steal usernames and passwords from computer game players, not something that orbiting astronauts are likely to be spending a lot of time doing,” said Graham Cluley, a senior technology consultant with Sophos Plc., in a post to that company’s blog today. “After all, with a view like that who needs to play the likes of World of Warcraft?”
