Network Security, February 2005
Grudge spend

All spending on security is a grudge spend. One way to make it relevant and keep it uppermost in staff minds is to tie the security of the enterprise to pay packets, at all levels. If security breaches hurt individual pockets, persuading the owners of those pockets to accept training that reduces the likelihood of such breaches should not be a problem.
Many system and network professionals are extraordinarily busy in their daily work, and persuading them to take the necessary time to attend training can sometimes be hard. This may be a result of organizational pressures; network professionals are less likely to spend time away from the coalface if on their return they are expected to deal with a higher workload. For example, network administrators are highly unlikely to attend a one-day training course if they then have to stand in for the corporate help desk that you are about to scrap.
As stated above, you should train only when the course provides a return on investment or avoids a cost of equal or greater value. Of particular interest to experienced network administration staff should be those courses that cover up-to-date and novel attack vectors and that are taught by recognized experts. A more generic course in firewall technology may help a neophyte firewall administrator.
Consolidated knowledge

Security training should never occur in a vacuum, and indeed companies should seek to promote knock-on effects. Sending just one person on a training course can greatly increase the security awareness of an organization, if that person then has an obligation to disseminate his or her new-found knowledge throughout the organization. The dissemination process can be either formal, through planned events, or informal, through meetings over coffee. The important bit is that it gets done, partly to increase average skill levels, and also to consolidate the new knowledge in the trainee.
Arguing for and defending assigned training budgets can be tough. But provided the enterprise is committed to best practice, and you can find decent courses, you should be able to win the argument. One thing is certain though: when it comes to computer security, ignorance is not bliss.
About the author

Michael Kemp is an experienced technical author and consultant specialising in the information security arena. He is a widely published author and has prepared numerous courses, articles and papers for a diverse range of IT-related companies and periodicals. Currently, he is employed by NGS Software Ltd, where he has been involved in a range of security and documentation projects. He holds a degree in Information and Communications and is currently studying for CISSP certification.
Worm cure is a hard act

William Knight

Hands up everyone who looks forward to upgrading all the desktop PCs in your company. No surprises there, then.

Upgrading the hardware and software of the corporate PC pool is probably the most loathed task in the IT department. Properly done, it involves test groups, regression issues, configuration control, careful planning, overtime and risk, not to mention pacifying grumpy users who lose their umbilical cords for a few minutes.

Ideally, enterprises base their decision to upgrade on a thorough cost-benefit analysis. But with security researchers discovering vulnerabilities daily and vendors sending out regular patches, the dangers of delaying upgrades are numerous and obvious.

Mark Cox, head of the security response team at Linux vendor Red Hat, is responsible for limiting Red Hat customers' exposure should they choose not to upgrade regularly. "We know [enterprises] can't always upgrade or even upgrade quickly. They don't want to do it every day or for everything that comes out, particularly things that have a minor impact. So how should we reduce the impact, and how should we protect them in the interim?" he asks.

Non-executable bits

One answer comes from microprocessor manufacturers. They have introduced a no-execute flag, usually known as NX: a per-page permission bit that records whether a region of memory may be executed as code or only read and written as data. Without the flag the processor draws no such distinction. Any readable page, including the stack and heap where program input lands, can also be executed, so a program that can be tricked into overwriting data with code (or code with data) can be made to run bytes that arrived from an attacker. Whether the overwrite happens by design or by accident, the result is the same: the system is open to abuse.
But the NX flag changes the landscape. In particular it blunts a damaging class of malware, the worm, which exploits a buffer overflow to deliver its payload: the classic worm writes its code into a stack or heap buffer and then redirects execution into that buffer, and with those pages marked no-execute the jump faults before a single payload instruction runs. Analyst firm Gartner reckons "The main vulnerability to buffer overflow attacks can be explicitly prevented in hardware." One caveat a practitioner should keep in mind: NX does nothing about an exploit that redirects execution to code already present and executable in the process (the return-into-libc technique), which is why vendors pair the bit with the address-space randomization described later in this article rather than relying on it alone.
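To watch the bit do exactly what the paragraph describes, here is an added example (mine, not from the article or any vendor named in it). It maps a page, writes a few bytes of machine code into it and calls into the page twice: once while the page is mapped read/write only, which is how a buffer on the stack or heap is mapped, and once after mprotect() has granted execute permission. It assumes a Linux-style system with an NX-capable processor and a kernel that honours PROT_EXEC; machine code for x86-64 and AArch64 is embedded, and on other architectures only the faulting half of the demo runs. The function names are my own.

```c
/* Added example, not from the article: watch the NX bit work. Assumes a
 * Linux/POSIX system on an NX-capable CPU whose kernel honours PROT_EXEC.
 * Machine code is supplied for x86-64 and AArch64 only. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* A tiny "payload": return 42 to whoever called into the page. */
#if defined(__x86_64__)
#define PAYLOAD_RUNNABLE 1
static const unsigned char payload[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00,  /* mov eax, 42 */
                                         0xC3 };                        /* ret         */
#elif defined(__aarch64__)
#define PAYLOAD_RUNNABLE 1
static const unsigned char payload[] = { 0x40, 0x05, 0x80, 0x52,        /* mov w0, #42 */
                                         0xC0, 0x03, 0x5F, 0xD6 };      /* ret         */
#else
#define PAYLOAD_RUNNABLE 0
static const unsigned char payload[] = { 0x00 };  /* placeholder, never expected to run */
#endif

static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);   /* unwind back into try_execute() */
}

/* Map a page, copy the payload into it, give the page `prot`, then call it.
 * Returns the payload's return value, -1 if the CPU raised a fault, or -2 if
 * the platform refused the mapping (e.g. a sandbox that forbids PROT_EXEC). */
int try_execute(int prot)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -2;
    memcpy(page, payload, sizeof payload);
    __builtin___clear_cache((char *)page, (char *)page + sizeof payload);

    /* Write first, then (maybe) make executable: the W^X discipline. */
    if (prot != (PROT_READ | PROT_WRITE) && mprotect(page, pagesz, prot) != 0) {
        munmap(page, pagesz);
        return -2;
    }

    struct sigaction sa, old_segv, old_bus, old_ill;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    sigaction(SIGILL, &sa, &old_ill);

    volatile int rc;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void) = (int (*)(void))(uintptr_t)page;
        rc = fn();          /* faults right here if the page is not executable */
    } else {
        rc = -1;            /* we arrived via the signal handler */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    munmap(page, pagesz);
    return rc;
}

/* 1 if the machine behaved as NX promises: the data page faulted and the
 * same bytes ran once the page was marked executable. */
int nx_demo_ok(void)
{
    int rw = try_execute(PROT_READ | PROT_WRITE);
    int rx = try_execute(PROT_READ | PROT_EXEC);
    return rw == -1 && (!PAYLOAD_RUNNABLE || rx == 42 || rx == -2);
}

int main(void)
{
    printf("RW page: %d  (-1 means the NX bit stopped it)\n", try_execute(PROT_READ | PROT_WRITE));
    printf("RX page: %d  (42 means the same bytes ran)\n", try_execute(PROT_READ | PROT_EXEC));
    return 0;
}
```

On a processor without NX, or with the bit switched off in the BIOS, the first call returns 42 as well: nothing stops the CPU fetching instructions from a page that was only ever meant to hold data. With the bit honoured, the first call takes a SIGSEGV before the payload executes, and only the explicitly executable mapping runs.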
AMD's brand of NX, Enhanced Virus Protection (EVP), is available on AMD's 64-bit processors; Intel's equivalent, the Execute Disable (XD) bit, has been present on the Itanium family since 2001 and reached Intel's x86 desktop processors in 2004.
Dave Everitt, AMD's product manager for Europe, points to a two-pronged defence. Support is needed in the hardware, he says, and then, at a minimum, vendors must recompile their operating systems and regression-test them before release. On 32-bit x86 the operating system must also run with PAE page tables, since the NX bit lives in the 64-bit page-table entry format.
This takes time. Only recently have mainstream operating system (OS) vendors released versions that take advantage of the new hardware. But NX support is now available in Microsoft Windows Server 2003 with Service Pack 1, Microsoft Windows XP with Service Pack 2 (SP2), SUSE Linux 9.2 and Red Hat Enterprise Linux 3 Update 3.
Everitt says mobile computing and gaming as well as tougher enterprise requirements are driving security improvements. "[NX] is really important for mobile network access," he says. "At a hotspot you have no idea of the host's virus policy; you could be downloading anything. And who knows what could be downloaded from an online gaming link."
Red Hat Enterprise Linux 3 Update 3 uses the no-execute bit and also includes Exec-Shield, which delivers similar protection on processors without NX by using software: it keeps track of the highest executable mapping in a process and sets the code segment limit just above it, so the stack and anything else mapped above that line cannot be executed. This feature was added specifically to protect legacy systems at companies that have put off upgrades.
Red Hat's original intention was to put Exec-Shield into Enterprise Linux v4, but it was so effective Red Hat moved it up. "We looked at all the [buffer overflow] exploits over a year and all of them would have been blocked. That's why we accelerated it," says Cox.
Complicity and legality

Exploiting a buffer overflow is a technical challenge but by no means impossible. Programmers are largely to blame for leaving holes in applications through shoddy testing, poor technique or simple mistakes, but an unchecked buffer is actually the default condition in some programming languages: C and C++ perform no bounds checks on writes into an array, so routines such as strcpy() and gets() keep copying until the input ends, whatever the size of the destination. According to Gartner, overflow continues to be an ingrained feature of most software development.
Top of the malware that exploits buffer overflows is the Internet worm (see the box "Worms and buffer overflows"), which uses an overflow to self-replicate without the need for user interaction. An Internet worm can travel the world in minutes, tearing open servers and inflicting arbitrary damage.
Generally speaking, software vendors are determined to increase user protection since most exploits come from specific coding errors. Despite the "shrink-wrap" licence conditions users sign, litigation looms if vendors aren't seen to do everything they can to reduce risks to users.
Currently, the law on this matter is uncertain and lacking precedent. But vendors operating in the USA face theoretical risk, as Jon Fell, partner and technology expert at law firm Pinsent Masons, explains. "While there have been no cases to decide this question, there is certainly a risk that an innocent party who fails to take steps to keep hackers from entering their systems could be found negligent if through them hackers caused disruption to other parties."
Fell says that under the law of England and Wales there is not yet a clear legal requirement to keep systems sufficiently secure that they cannot be used to cause damage to third parties. "This means that even a business whose lax security has allowed a hacker to launch attacks via its systems may escape liability for any damage the hacker causes to innocent parties."
A changing environment

While the law is still catching up, the arms race with hackers escalates. A promising method involves changing the memory footprint of a system to prevent harmful code from running. Cox says that worms often rely on knowing where in memory things are located: to overwrite a saved return address and jump back into a payload sitting on the stack, the exploit needs the address of that payload, or of some known library routine, as a fixed offset baked into the worm. This works because any one operating system always loads its components into memory at the same addresses, so an offset that works on the attacker's copy works on every other copy too.
"At the moment, all the machines look the same," says Fell. "But if executables are loaded randomly and the operating system looks different on each launch, knowing the offsets is impossible and therefore writing a worm becomes extremely difficult."
The advantage of changing the memory map has not been lost on Gartner. It suggests Microsoft used it in Service Pack 2 for XP. "Recompilation brings another benefit," it said recently. "Microsoft carries software modules unchanged across many versions and generations of Windows. It is this consistency that allows the worms to attack Windows NT, 2000, XP and Server 2003 in one outbreak. SP2 forces a recompilation and restructuring of almost every Windows component. This restructuring changes the 'shape' of the code, and worms written for older versions will not work on SP2."
Recompilation renders existing exploits obsolete but does not stop new worms. Cox explains how Red Hat has used a feature known as PIE (Position Independent Executables) to stop worms past and future. Because the worm depends on knowing the memory address of its own code to begin execution, loading the program somewhere different each time it runs can stop it: a position-independent executable, like a shared library, can be placed at any base address, and Exec-Shield's randomization picks a fresh one (together with fresh stack and mmap bases) on every execution of the program, not merely once per boot.
The address at which the worm's payload lands is therefore unpredictable, and that makes it hard to take advantage of a buffer overflow. "It [a worm] has to be a lot cleverer," Cox says. "It's likely to crash the program with a wrong address, and when restarted the exploit chance is lost."
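An added example (mine, not Red Hat's code) of what randomization takes away from the attacker. Every process can ask the dynamic loader where its own executable actually landed; the difference between that runtime base and the link-time address is the load bias, which is zero for a conventional executable and a fresh random value on each run of a PIE under address-space randomization. The block also checks that the probed function sits in an executable (PF_X) segment of the main image, which ties back to the NX discussion. It is Linux/glibc specific (dl_iterate_phdr() from <link.h>); the struct and function names are my own.

```c
/* Added example, not from the article: where was this program loaded?
 * Linux/glibc specific. Names are invented for the demo. */
#define _GNU_SOURCE
#include <link.h>
#include <stdint.h>
#include <stdio.h>

struct probe {
    uintptr_t target;       /* address we are asking about */
    uintptr_t load_bias;    /* runtime base minus link-time base of the main program */
    int       in_exec_seg;  /* 1 if target lies in a PF_X PT_LOAD segment of it */
    int       seen_main;
};

/* dl_iterate_phdr() reports the main program first (dlpi_name is ""). */
static int inspect_main(struct dl_phdr_info *info, size_t size, void *data)
{
    struct probe *p = data;
    (void)size;
    p->seen_main = 1;
    p->load_bias = info->dlpi_addr;   /* 0 for a fixed-address executable */
    for (int i = 0; i < info->dlpi_phnum; i++) {
        const ElfW(Phdr) *ph = &info->dlpi_phdr[i];
        if (ph->p_type != PT_LOAD || !(ph->p_flags & PF_X)) continue;
        uintptr_t lo = (uintptr_t)info->dlpi_addr + (uintptr_t)ph->p_vaddr;
        if (p->target >= lo && p->target < lo + (uintptr_t)ph->p_memsz)
            p->in_exec_seg = 1;
    }
    return 1;   /* non-zero stops the walk after the first (main) entry */
}

/* Locate `target` relative to the main executable. Returns 1 on success. */
int locate_in_main_image(uintptr_t target, uintptr_t *bias, int *in_exec_seg)
{
    struct probe p = { target, 0, 0, 0 };
    dl_iterate_phdr(inspect_main, &p);
    if (!p.seen_main) return 0;
    *bias = p.load_bias;
    *in_exec_seg = p.in_exec_seg;
    return 1;
}

static int a_function(int x) { return x + 1; }   /* something to take the address of */

/* 1 if the binary is a PIE that was given a (randomized) base, 0 if it was
 * linked to a fixed address, -1 if the lookup failed. */
int running_as_pie(void)
{
    uintptr_t bias; int in_exec;
    if (!locate_in_main_image((uintptr_t)&a_function, &bias, &in_exec)) return -1;
    return bias != 0;
}

/* 1 if our own code was found inside an executable segment of the main image. */
int self_in_exec_segment(void)
{
    uintptr_t bias; int in_exec;
    if (!locate_in_main_image((uintptr_t)&a_function, &bias, &in_exec)) return -1;
    return in_exec;
}

int main(void)
{
    uintptr_t bias; int in_exec;
    uintptr_t fn = (uintptr_t)&a_function;
    if (!locate_in_main_image(fn, &bias, &in_exec)) return 1;
    printf("a_function is at       0x%lx\n", (unsigned long)fn);
    printf("program load bias      0x%lx (%s)\n", (unsigned long)bias,
           bias ? "PIE: differs on every run" : "fixed address: same every run");
    printf("link-time address      0x%lx (what a worm would hard-code)\n",
           (unsigned long)(fn - bias));
    printf("in executable segment: %s\n", in_exec ? "yes" : "no");
    return 0;
}
```

Build it twice, once with -fPIE -pie and once with -no-pie, and run each a few times. The fixed-address build prints the same function address every time, which is exactly the offset a worm bakes in; the PIE build prints a different one on every launch, and the link-time address the attacker knows is useless without the bias that only this process has.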
Replacing older computers with NX-enabled systems may reduce the need for virus-related repairs and may lower the urgency of patching buffer overflow holes, though not remove it: the bug is still there, a failed exploit still crashes the service, and mitigations of this kind are worked around over time, so the patch remains the fix. IT managers would welcome the breathing space, especially as there seems to be no serious downside to these techniques. Cox warns of minor performance degradation with NX-enabled hardware, but the promise of worm-resistant computers seems sound.
Perhaps that is why Gartner is so enthusiastic about the NX concept. "Short of installing host-based intrusion prevention at every desktop (at a potentially non-trivial cost), NX support is one of the few opportunities to make a significant difference in disrupting worms' DNA." Gartner is 90% certain that by 2009, NX-enabled Microsoft XP SP2 systems will not propagate buffer overflow worms at all.
But while the Internet worm may become an historical curiosity, it seems certain hackers are working on a fitter replacement. "The worm is dead; long live the worm," they cry. But let us hope the worm turns on them instead.
BLUETOOTH

Bluetooth attacks start to bite

Bruce Potter

The Bluetooth short-range network technology continues to enjoy rapid adoption in a variety of information devices. But proven exploitable vulnerabilities mean that the window of opportunity for attacks is opening.

As developers become more comfortable creating Bluetooth-enabled applications and the price of Bluetooth radio transceivers continues to fall, Bluetooth is becoming the de facto standard for short-range networking. Some may complain that there are faults in the existing Bluetooth protocol, but with millions of radios in the hands of consumers, it is nevertheless a force to be reckoned with.

From a security standpoint the IT industry is still getting to grips with Bluetooth. Few security researchers venture into the Bluetooth arena, and the market has given many Bluetooth-specific security products a lukewarm reception.

That said, a number of recent events may help drive Bluetooth security to the forefront of IT security in the coming year.

Long distance interception

Bluetooth was designed to enable personal area networking (PAN). PANs are typically made up of devices on or near a person such as a cell phone, headphones, laptop, or even a snowboarding jacket. Because the devices sit so close together, Bluetooth is generally considered a short-distance protocol.

However, this is not necessarily true. The specification defines three power classes: Class 3 radios transmit at 1 milliwatt for a nominal range of about a metre, Class 2 at 2.5 milliwatts for about 10 metres, and Class 1 at up to 100 milliwatts for 100 metres or more. While many Bluetooth devices operate at only one milliwatt, some, such as the Linksys BT100 Bluetooth dongle, operate at 30 milliwatts. This is the same power output as most WiFi devices, and it makes such devices easily accessible at 100 meters or more.

Further, with relatively inexpensive equipment, an attacker can access a Bluetooth device at a much greater range. Range depends on the antenna gain at both ends of the link, not on the target's transmitter alone, so a directional antenna on the attacker's side extends the reach even against a low-power target.
Worms and buffer overflows
Robert Morris, at the time a Cornell University graduate student, released the first Internet worm, sometimes called the Great Worm, on 2 November 1988. It was written in C; one of its propagation routes exploited a buffer overflow in the fingerd daemon (an unchecked gets() call), and it replicated itself across the nascent Internet, infecting an estimated 6,000 computers.
The idea was reportedly suggested by his father, a US National Security Agency analyst, who was worried about the (then-theoretical) security threat posed by unchecked buffers.
A running program's memory holds both instructions and data, and on the stack the two sit side by side. Each function call records a return address (where to resume when the function finishes) and then reserves space for the function's local variables, including any buffer that will hold user input, at addresses just below that return address. This is akin to a preprinted banking form: boxes for the entries, and printed right after them the instruction for where the form goes next.

Sometimes the space for user input is too small, and if nothing checks the length, just as when writing past the edge of a box on the form, the input keeps going, upward through the end of the buffer, until the saved return address has been written over.

A worm exploits this by filling the buffer with its own code and writing, into the slot that held the return address, the address of that buffer. When the function finishes, the computer "returns" into the worm's code instead of to the original caller; the worm then takes control of the system and copies itself to infect other computers. That final jump into a buffer is exactly the one NX forbids, because the buffer lives in a page marked as data.
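As an added example (mine, not from the article), here is the mechanism in the box written out in C, the language whose unchecked copies the article blames, and it also serves the earlier paragraph on unchecked buffers being the default in C. Rather than smash a real stack, which a modern compiler's stack protector would abort, it models one frame as a struct: a 16-byte input buffer directly below a saved return address, which is how the compiler lays them out. The worm's input is constructed inline: 16 bytes of filler standing in for the payload, then the address where the attacker expects that payload to sit, written in the machine's byte order so that it lands byte-for-byte in the return slot. The addresses and names are made up for the demo.

```c
/* Added example, not from the article: a model of the overflow in the box.
 * The struct stands in for a real stack frame so the demo stays inside memory
 * it owns; on a real stack the unchecked copy would keep going into the
 * caller's frame. All addresses below are invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Compiler-style layout: the local buffer sits at lower addresses than the
 * saved return address, so writing past the buffer runs up into the slot. */
struct frame {
    char     buf[BUF_SIZE];
    uint64_t saved_return;
};

#define LEGIT_RETURN    0x0000000000401234ULL  /* the caller's address (made up) */
#define INJECTED_TARGET 0x00007ffc1000a000ULL  /* where the attacker guesses buf
                                                  sits on the stack (made up)   */

/* Construct the worm's input: filler up to the end of buf, then the address
 * the attacker wants execution to jump to, in host byte order. */
static size_t build_attack_input(unsigned char *out, size_t cap)
{
    uint64_t target = INJECTED_TARGET;
    size_t n = BUF_SIZE + sizeof target;
    if (cap < n) return 0;
    memset(out, 'A', BUF_SIZE);               /* stands in for payload code */
    memcpy(out + BUF_SIZE, &target, sizeof target);
    return n;
}

/* The bug: copy as many bytes as the input has and never ask how big the
 * destination is, which is what strcpy() and gets() do. Bounded to the frame
 * here only so the demo cannot damage anything real. */
static void copy_unchecked(struct frame *f, const unsigned char *in, size_t len)
{
    memcpy((unsigned char *)f, in, len);
}

/* The fix: refuse anything that does not fit, leaving room for a terminator. */
static int copy_checked(struct frame *f, const unsigned char *in, size_t len)
{
    if (len >= BUF_SIZE) return -1;
    memcpy(f->buf, in, len);
    f->buf[len] = '\0';
    return 0;
}

/* Value left in the return slot after the unchecked copy of the worm input. */
uint64_t return_after_unchecked_copy(void)
{
    struct frame f = { {0}, LEGIT_RETURN };
    unsigned char input[sizeof(struct frame)];
    size_t n = build_attack_input(input, sizeof input);
    copy_unchecked(&f, input, n);
    return f.saved_return;
}

/* Value left in the return slot after the checked copy (input refused). */
uint64_t return_after_checked_copy(void)
{
    struct frame f = { {0}, LEGIT_RETURN };
    unsigned char input[sizeof(struct frame)];
    size_t n = build_attack_input(input, sizeof input);
    (void)copy_checked(&f, input, n);
    return f.saved_return;
}

int main(void)
{
    printf("unchecked copy: function would return to 0x%llx\n",
           (unsigned long long)return_after_unchecked_copy());
    printf("checked copy:   function still returns to 0x%llx\n",
           (unsigned long long)return_after_checked_copy());
    return 0;
}
```

The unchecked copy leaves 0x7ffc1000a000 in the return slot, so when the function "returns" the processor would jump into the buffer, and that is the jump NX refuses because the buffer lives in a data page; it is also the jump randomization spoils, since the attacker had to guess that address in advance. The checked version rejects the input and the slot still holds the caller's address. In real code the same discipline is any copy that takes the destination size, such as snprintf() or fgets() in place of gets().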