Wednesday, March 29, 2006

Cat and Mouse

Anonymous (a frequent commenter on my blog) asked a good question regarding my blog post on patching a critical security flaw in Microsoft IE. I thought I'd answer it in a new post...

This game of cat and mouse in security can't go on forever. (Or can it?) What do you see as the future of software security? Do you see a point where a single elegant solution will address most, if not all, exploits?

No, the game won't go on forever--at some point the Sun will explode.

To think that the current state of insecurity is anomalous, and that the prior period of relative quiet was more normal, is backward. During the initial 6 years of internet growth the criminals hadn't yet organized, studied, and employed state of the art technology for developing and sharing exploits. That honeymoon is over. Exposure to cyber fraud, looting and mayhem is the normal state of affairs for a world in which the internet plays such a pervasive role.

Things that could happen before the sun explodes to curb innovative and dangerous computer attacks:

(i) single world government that effectively tracks and prosecutes computer crimes everywhere

(ii) technical stagnation, in which new technologies are NOT regularly deployed

(iii) destruction or obsolescence of the internet.

I'm not holding my breath.

Sure, we will eventually tame any given vector of attack (e.g. email virus, spam, port scan, SQL injection, etc.) at least down to a nuisance level through a combination of technology, legislation/prosecution, profiling (which barely exists today), education and behavioral change.

(For a nice analogy to this phenomenon, read Earth Abides, in which humanity mostly dies off, and the earth offers up a fresh playground in which species compete for dominance. One by one new species explode to the point of over-population, and just as quickly die off in the face of predators and competitors.)

But criminals, imbued with human ingenuity, will always plot new vectors, as I demonstrated to my wife here. You can wish it will stop, but you might as well also wish for world peace, an afterlife, or 18 consecutive birdies.


  1. The computer just doesn't contract viruses like we humans do. Most often they contract all kinds of bad stuff because the owner is not paying attention.

    If the puppet is acting weird, the handler is to blame more often than not.

  2. Anonymous 2:12 PM

    When I read comment yesterday, I was struck not by the first part of the question, but the second. Why haven't security solutions to this "cat and mouse" game become more streamlined? Why is there such a conglomeration of imperfect solutions--which only encourages more exploits? I will grant you that many of the companies, yours included apparently, are effective against certain kinds of attacks. But where is the omnibus solution? Is this the holy grail of security?


  3. Anonymous 2:27 PM

    Why are there just so many doggone solutions that deal with parts of the security problem? As someone who has to manage them all, this is a real pain in the neck. Believe me, I have no doubt that the exploits are gonna continue and get much worse. I just wish someone would make my life easier. JS

  4. I'd like to make a comment on (i)... Does it really need to be an Orwellian world government? What if some really, really, smart people could figure out how to remove anonymity from the internet?

    If I am a major US financial institution, I could simply block everyone outside the US, and then track each individual person. It would be like robbing a bank with your passport glued to your forehead. Some crazies will still do it, but we can catch them, and this is now an expected and manageable threat.

    It's a great way to solve many problems, everything from online child porn to click fraud.

    How's that for an elevator pitch? ;)


  5. Removing anonymity would help but:

    -- when you do that, you are removing an interesting facet of the internet (i.e. anonymity) that, absent criminal activity, offers value to people. It's always easy to secure an asset by limiting its use. Eliminating email, for example, would go a long way toward curbing email viruses!

    -- Even so, it's just another defense that will ultimately be counter-attacked. The bank robber will forge a fake passport to paste to his forehead. Or he will cover up the real passport, or shut off the lights so no one can see it, or destroy the video archive of the robbery so there's no record of the passport, or.... you get the idea.

    -- The world government (not necessarily Orwellian) is necessary to regulate money flow and to prosecute criminals. As long as the bad guys and their money enjoy safe havens, they will continue to hack away at our savings.

    I'm not dismissing the security value of an anonymity-buster. I'm just saying that it is not the *comprehensive* answer to internet fraud. (In more ways than one) I don't believe in a Holy Grail.

  6. David:
    First, a silly point: you do not need world government but rather world governance to track down cyber criminals. International governance clearly does exist in many forms, but obviously its reaches are not (yet?) widespread enough to be global and catch/deter cyber criminals.

    Second, the reason why cyber crime is so rampant is because it is so easy. According to MSFT, 70% of computers don't even have anti-virus software installed... and of the 30% that do, how many have current anti-virus signature dbs... or worse, don't even have a software firewall installed (XP SP2)... or worse yet are using an unsupported operating system like Windows 98v1. I saw a pitch from Intel last year that suggested something like 40% of computers used in corporate America are running EOL operating systems.

    If everyone ran fully patched versions of their operating system and applications with hardware firewalls and current anti-virus software, security would be much harder to breach and likely a much smaller problem.

  7. Anonymous 5:55 PM

    I know you used the sun's explosion as a metaphor meaning "will continue as long as we are around". However, it is interesting to me that this is what would jump to your mind -- having read your viewpoints on your religion (with which I mostly agree) -- I would have thought that the doomsday scenario that would come first to your mind is self-annihilation through religious fanaticism. That is, instead of saying "until the sun explodes", you could have said "until humanity destroys itself over their flavor of mythology". Or, is it that you hope that Thomas Jefferson is right, and that "The day will come when the mystical generation of Jesus, by the Supreme Being as his father, in the womb of a virgin, will be classed with the fable of the generation of Minerva in the brain of Jupiter" will apply to all religious mythologies?

  8. Andrew,

    What do you think the bad guys will do once everyone has properly configured his XP-SP2 firewall and AV client--go back to medical school and volunteer their services in the African bush? They will simply migrate to other vulnerabilities, like the ones recently (and routinely) announced by Microsoft.

    Besides, many security problems, like phishing, have no technical solutions (other than massively overhauling our operating systems and network protocols).

  9. Agree with David... in fact diversity of hardware and software is better security collectively. Just imagine if Unix servers where most critical data is stored were as easily vulnerable. I am a little worried that the industry seems to be standardizing on Intel hardware. Of course on an individual level the best bet is to use protection against viruses (software and otherwise).

  10. Anonymous 9:21 PM

    > like phishing, have no technical solutions

    That is not true! For example, there are products that allow you to implement Web logins based on a whitelist. That means no more phishing.

    There are other technologies coming up that will reduce, if not eliminate, phishing even without the use of a whitelist.

  11. Anonymous,

    You're still my most loyal reader!

    Whitelists are way too hard to keep up to date, given the volatility in URLs and IP addresses. Without 100% coverage, the user learns to bypass the white list.

    More importantly, your view of phishing is too narrow. Use your imagination, as the criminals do. For example, I saw one phishing attack that would baffle your white list login tool...

    A phisher copied a discount camera site, changing only the name and the prices (he reduced them by 15%). His new online camera store (without the cameras) bid high for Google keywords like Camera. Lots of Google users clicked on the ad, shopped the store, and loved the low prices. On the checkout page, they freely offered up their names, addresses, telephone numbers, email addresses and credit card numbers.

    (The users also established login accounts, and you can bet that half of them used the same password as their online bank accounts, which are easy enough to find when 70% of the online US population keeps cash or stock at the same dozen institutions.)

    Then the phisher set up a newly named camera store the next day, and used the bogus credentials to pay for more keywords!

  12. David:
    To clarify, I did not write that security problems would go away completely, rather that it would be a smaller problem. If everyone used up to date software, then naturally hacking/worm attacks would be limited to zero day threats. Currently zero day threats represent a very small (less than 1%?) number of attacks. Zero day attacks would probably increase under these circumstances but their shelf life would be greatly reduced. Thus, script kiddies would be much less effective. What percentage of attackers are really elite hackers that can write their own zero day exploits?

    Certainly problems related to users downloading attachments with viruses and phishing will continue to be problems as long as cyber criminals can profit from them.

  13. Anonymous 9:39 AM

    Great post and great comments. Nice to hear a voice that does not propagate the dual myths that the security industry is consolidating and Microsoft Vista is going to fix security once and for all.

    The problem with those two ideas, that journalists have latched on to, is that when believed by executives and investors it hurts the fight against the criminals.

    The reason the security space is different than airlines, autos, and ERP, is that the threats evolve. The firewall of today cannot stop the hacker of tomorrow.



  14. Anonymous 9:02 PM

    > You're still my most loyal reader!

    Thanks to your content.

    > Sure, we will eventually tame any given vector of attack

    I agree and it will happen sooner than most of us expect.

    > But criminals, embued with human ingenuity, will always plot new vectors

    While what you are saying is correct, there are not really that many attack vectors. Web accounts for >80% of the attacks. E-mail, IM etc. combine for the remaining 20%. Like it or not, web access is the beast to tame.

    Andy> There seems to be two broad areas of problems. User security issues and System related issues.

    Very well said. God knows how many people I have met that get lost in buzz words and are unable to break down any given security problem into these two categories.

  15. As long as there's access to information... it will be eventually abused.

    A conceptual issue, like "who will keep an eye on the keepers?".

    I wonder how new means of transfer would change the issue. Especially when sci fi options are around the corner... *cough* RedTacton *cough*

  16. Anonymous 1:20 AM

    It is impossible to stop crime, so why should it be possible to stop crime on the Internet? No world government will do that because of human nature. As long as people use money there will be thieves. If people switch to a cashless system, fraudsters will concentrate on stealing your SSN and credit card numbers.