The recent Anna Kournikova email-borne worm proved New Zealand companies are still vulnerable to viruses, despite all the warnings. Are companies not learning from their security mistakes? What should they be doing to protect against viruses, hacking and other dangers? Darren Greenwood investigates.
A pretty face once again proved too strong a lure for many email users — and in turn their sometime online guardians in the IT department.
Yet when the Anna K virus hit in February, promising a picture of the Russian tennis player Anna Kournikova, it seemed to cause less widespread damage than previous IT plagues. IS administrators at many New Zealand sites appeared to have learned from the Love Bug worm and had either applied Microsoft’s patch for Outlook Express, which changes the mail client’s default so that it no longer runs Visual Basic Script attachments automatically, or simply disabled VBS on PCs where it was not considered necessary.
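The gateway-side counterpart to the Outlook Express patch is an attachment policy that quarantines script files before they reach the desktop. The example below is added here and is not code from the article or from any vendor it mentions; the extension list, the function names and the sample message (a placeholder attachment named in the worm’s double-extension style) are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the Windows Script Host or shell of the era would execute directly.
# This list is an assumption for the example, not a vendor's published policy.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "shs", "scr", "pif"}


def classify_attachment(filename):
    """Return a quarantine reason for a script attachment, or None if it is allowed."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in SCRIPT_EXTENSIONS:
        return None
    if len(parts) >= 3:
        # Double extension such as picture.jpg.vbs: an innocuous-looking
        # extension placed before the one that actually decides execution.
        return f"script attachment disguised as .{parts[-2]}: {filename}"
    return f"script attachment: {filename}"


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and return quarantine reasons for its attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        reason = classify_attachment(part.get_filename() or "")
        if reason:
            findings.append(reason)
    return findings


def build_sample():
    """Constructed sample message: one disguised script, one genuine image."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Photo attached"
    msg.set_content("Have a look at this picture.")
    msg.add_attachment(b"' constructed placeholder, not a real script\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="AnnaKournikova.jpg.vbs")
    msg.add_attachment(b"\x89PNG placeholder bytes",
                       maintype="image", subtype="png", filename="holiday.png")
    return msg.as_bytes()
```

Disabling VBS on the desktop, as the article describes, remains the second layer: a gateway check of this kind catches only what arrives by email.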
Certainly, local organisations were again infected — this time these included the Medical Association, the Human Rights Commission, communications firm Brave New World, recruitment agency Lacey Lee, online job advertising company Adcorp and IT distributor Asnet — but the worm’s lack of a destructive payload meant the main penalty for firms infected was time lost in cleaning up and contacting those who had been automatically emailed as a result of the infection.
Many companies know, to their annoyance, embarrassment and cost, that the results can be much more serious.
Last year the Love Bug caused an estimated $6.7 billion of damage worldwide in just two weeks and penetrated various organisations, including two New Zealand government departments (Education and Fisheries), media company INL and IT distributor Axon Computertime. Computerworld publisher IDG Communications was also affected — losing image files on infected PCs. (Due to some foresight, these files were backed up.)
Earlier this month, UK-based content filtering company MessageLabs warned that government departments and companies would collapse this year under the weight of malicious email attachments. Its research indicates that virus incidents are increasing by more than 200% a year, while general email increases by just 62%.
MessageLabs bases its figures on scanning 50 million of its customers’ emails between January 2000 and February 2001. The firm says the results are “disturbing.” Firms are not increasing their antivirus (AV) protection as well as they should and there are already too many viruses for traditional AV software to cope with.
AV vendors could do more
Arjen de Landgraaf of Co-Logic believes AV software vendors are too reactive — mainly offering remedies after viruses have struck and damage is done. He likens this to your house already having burnt down and the fire brigade arriving with a fire extinguisher.
Undiscovered viruses cause the most damage and AV suppliers may serve their customers first before informing others, allowing millions of dollars of damage to users of other AV software.
The Dutch-born former KPMG consultant and programming lecturer says the fight against viruses still consists mainly of looking for ways to improve the scanning for known signatures.
“Preparing for future virus wars means taking another look at the less popular virus control approaches, such as behaviour blocking, access controls and sandboxes. New technologies must also be developed to scan encrypted and compressed email attachments for malicious code.
“Relying too much on weapons that served us well in the past has resulted in tremendous damage. It’s time for users to demand that AV vendors provide more comprehensive solutions, using innovative, well-rounded and complete, easily-implemented, low-cost methods.” There is far more to IT security than just protecting from new generation viruses, he says.
IT managers need to assess security
In regard to overall IT security, De Landgraaf believes IT managers have an attitude of “utter arrogance” in claiming their systems are safe.
He even believes if security systems are shown to be poorly protected, bosses should be able to sue IT managers “just as you can sue your finance manager for fraud”.
If IT chiefs really want to find out how vulnerable their systems are they could call on someone like Tony Kryzyzewski, who terms himself a “white” hacker.
“My favourite pastime is scaring the socks off IT managers. Most people are totally unaware of how insecure their networks are, and assume with the basics done, they cannot be attacked. But I once took out Microsoft NT in under a minute. It drives home how easy it is to do,” he says.
Kryzyzewski has worked in IT for 22 years and previously ran BICC Communications. For eight years, he has headed Kaon Technologies in Auckland, which designs and builds specialist networks, corporate firewalls and virtual private network solutions.
Robert Oldham, an information systems chief at a small South Island local council, is a Kaon convert after seeing Kryzyzewski in action. His place of work has 50 desktops and an IT department of three. It had no problems with e-security, but did have concerns over the right patches being used.
Last winter, Kaon spent three days at the council’s offices, first giving an overview of the systems, then “embarrassingly pulling it apart” with “different layered searches” on the second day, before finally recommending fixes.
“We did everything Microsoft told us to do, but he came in and it was bloody embarrassing and belittling because he does it with complete ease,” says Oldham.
Pip Scrivener, IS manager of Manukau City-based Genesis Power, says his firm had no security problems, but called in Kaon to benchmark its systems.
“He did a good job and we made changes, improvements and updates,” Scrivener says.
Kryzyzewski says IT managers need to understand their technology, assess associated risks and evaluate their security response. Then they need to work out costs relevant to the risk; if the risk of attack is low with little potential damage, e-security measures like his may not be necessary. But if a firm is at great risk from costly attacks, e-security is essential, he says.
Kryzyzewski says even firewalls aren’t sufficient, as people often put “holes” in them to make them more convenient to run services.
And few firms have security policies. Kryzyzewski uses a range of software tools that are in the public domain to explore the environment of an organisation. Hacking, the deliberate unauthorised access into information systems, often uses port scanning to see what services are on a machine. For each port that is open, Kryzyzewski then explores for weaknesses using automated tools.
“If NT hasn’t been configured correctly, it will happily surrender the password. Once you have the password file, you use a crack program that de-encrypts the password file and presents them in plain text. Most IT managers’ jaws drop when they see that.”
DDOS attack danger
De Landgraaf warns of increasing numbers of distributed denial of service attacks, calling them “software bombs”.
“Denial of service or distributed denial of service [DoS or DDoS] attacks exploit vulnerabilities that allow the planting of small programs in multiple systems located around the internet. These programs, when triggered either by a time setting or a command sent from another system, will direct all their traffic at a single target system. Even if this system has no vulnerabilities, the sheer amount of traffic, sometimes malformed, can cause this system to slow to a halt, therefore ‘denying’ any regular traffic access,” he says.
The US is considering laws making companies liable for the damage done if they have insufficient security installed to prevent them being compromised and used as part of a DDOS attack.
De Landgraaf also sees software as part of the problem, highlighting the book The Software Conspiracy: Why Companies Put Out Faulty Software, by Mark Minasi, which advises on fighting back against “bugs”.
“Software companies sell whizz-bang features, while skimping on quality control,” de Landgraaf says.
“Marketing departments want dazzling features and a short design process, while programmers want time to create superior products. Mostly marketing wins out. Moreover, the computer industry press rarely criticise software companies, who provide essential advertising revenue,” he says.
Minasi claims 15% of code released for commercial use is still faulty. Windows NT has 1.5 million lines of code and many vulnerabilities. By comparison, Windows 2000 has around 3 million lines of code, so the problem is amplified. Already many IT security vulnerabilities for it have been published, says de Landgraaf.
He brands software vendors “the actual real root cause of IT security vulnerabilities”, saying patches can open up new or even older holes, emphasising that testing is insufficient.
“For a software publisher, releasing a patch that fixes a security hole means negative publicity, as it does not instil confidence in the quality of the product. Therefore, many vendors try to keep it quiet and embed the patches within scheduled releases. However, the hacker community is often the first to find security vulnerabilities,” he says.
Patching it over
Unsurprisingly, Microsoft argues it is one vendor which can and does patch things up successfully. Earlier this month, the company released a patch for a discovered security flaw on Internet Explorer 5.01 and 5.5 that allows hackers to run programs on another user’s computer.
However, de Landgraaf says even after the patch is applied a hole still exists “that allows the name of a downloaded file to be easily ‘spoofed’ in the download dialogue box. Users can be persuaded into opening an ‘innocent’ file type [such as a text file] that is really malicious active content,” he says.
De Landgraaf says Microsoft should “get real” and release another patch. He says the only solution is to turn off Internet Explorer, then “reinstall IE from scratch, install the latest patch [q290108] and turn off Windows Script handling using the normal Windows Explorer. However, don’t use the internet, as Microsoft’s website is not safe. Further, uninstall Windows Media Player 6.x and/or Macromedia’s Shockwave Flash plug-in.”
“And by the way, from now on send all your email using only text format. Ban HTML, don’t ban Microsoft,” de Landgraaf advises.
However, Microsoft New Zealand technical marketing manager Terry Allen says the patch was quickly supplied after Microsoft was alerted to the flaw. Nobody had yet exploited the security hole, says Allen, and the patch issued would close it. Those with different forms of Explorer should install a new version of Explorer and use the patch.
Allen says security is a process, not a product, as people are always trying to hack software systems. “It is very naive to say you can write software and it will be perfect for eternity,” he says. Security is about having a responsive policy in place and Microsoft produces patches quickly.
“Windows 2000 has enjoyed more significant reliability than previous versions. That’s the view of Forrester and Gartner. Software is getting more robust and we expect this to continue, including with Windows XP and Office XP,” says Allen.
Allen advises people to install good antivirus software on their systems. “We always recommend end-users check Windows Update. There are other benefits of Windows Update, for example, new versions of Media Player.”
Companies also need to regularly check for updates and patches, since the Melissa virus infected some even after the patch was available, showing their “poor processes”.