Subject: IP: Stratfor: "I Love You" and the Problem of Cyberwarfare
>From: GLIGOR1@aol.com
>Date: Mon, 15 May 2000 16:09:06 EDT
>
>An interesting article to share....
>
>From: "Bill" <wdimitroff@idirect.com>
>To: <wdimitr@aol.com>
>Subject: Stratfor: "I Love You" and the Problem of Cyberwarfare
>Date: Mon, 15 May 2000 15:15:29 -040
>
>Stratfor.com's Global Intelligence Update - 15 May 2000
>
>"I Love You" and the Problem of Cyberwarfare
>
>Summary
>
>Last week, officials from the government and the computer industry
>gathered in the wake of the massive denial of service attacks
>against commercial web sites and the outbreak of the "I Love You"
>virus. The real problem the United States and much of the world
>faces is that people are overwhelmingly dependent upon a single
>computer operating system that is exceedingly vulnerable to even
>simple attacks. The PC and the Internet have become indispensable -
>while remaining indefensible.
>
>Analysis
>
>Last week, U.S. government and computer industry officials gathered
>in California for a summit on computer security. The meeting took
>place in the wake of a recent spate of computer viruses and
>attacks, including the massive denial of service attack,
>apparently launched by a Canadian teenager, and the "I Love You"
>virus, seemingly launched by someone in the Philippines.
>
>It is important to realize that neither of these attacks was
>developed by computer geniuses. The Canadian teenager's ability to
>shut down Amazon.com was perhaps one notch more sophisticated than
>setting an autodialer on a telephone to repeatedly call someone's
>phone, making it impossible for real callers to get through. The "I
>Love You" virus was a simple macro written in a fairly simple
>language, Visual Basic, that took advantage of the lack of security
>on Microsoft's e-mail package. No one is going to be offering
>either of these software creators jobs at the National Security
>Agency.
>
>Some people are taking comfort in this. John Dvorak, a usually
>astute observer of the computing world, wrote in PC Week, "The Love
>Bug Virus is the type of thing that's great for keeping journalists
>busy on a slow news day. I've never seen anything get so much ink.
>The question of the day: Will writing two-bit destructive viruses
>become the way that loners and goofballs get their 15 minutes of
>fame? I suspect this is the case. It certainly beats setting
>oneself up on the school clock tower and picking off fellow
>classmates with a rifle."
>
>Dvorak is of course right - but he's missing his own point. Vitally
>important news is being made. The news is this: It is now possible
>for a comparatively unsophisticated computer programmer to create
>absolute havoc. It is not the hacker's psychological profile that
>is interesting; it is the intellectual profile that is stunning. It
>used to be possible for a brilliant but unstable person to wreak
>havoc. Today, a not particularly bright crackpot can achieve the
>same outcome. And that is the point. There are few brilliant people
>in the world. There are lots of dullards. Based on the ratio of
>fools to geniuses, the likelihood of future attacks increases.
>
>The problem is this: the personal computer and the Internet are
>both revolutionary - and yet, terrifically vulnerable. Both are
>less than a generation old and comparatively primitive, like the
>telephone or automobile early on in their evolution. Yet the
>revolutionary nature of computing today allows all kinds of people
>to do important things in ways once impossible. Everyday people in
>all walks of life and work have become dependent on these systems.
>
>The vulnerability of these systems stems from the simple fact that
>they were never intended to be the center of such dependency. The
>personal computer was developed as a stand-alone system. Unlike
>mainframes with multiple users using multiple accounts, the PC was
>deliberately designed to serve the needs of an individual. The
>entire purpose of the PC was to be a functioning system that
>provided the user unfettered access to his data, programs and even
>operating system. Hence its name. It followed from this that the
>individual was unlikely to seek to harm his own computer or the
>data on it. Security was hardly a priority.
>
>Connectivity between PCs has crept in slowly. Not so long ago,
>people couldn't conceive of a mass market for PCs. As word
>processors and spreadsheets emerged, the usefulness of the PC
>became more apparent. Still, few people in the 1980s imagined that
>one of the PC's primary roles would be that of a communications
>device. At first limited to a handful of military and academic
>users, e-mail usage began to explode in the late 1980s.
>
>Early e-mail had been built around a few academic mainframes. A PC
>user would get a campus account - either on a mainframe or
>minicomputer - in terminal mode, not as a true computer. He would
>dial up to that account via a modem, at 300 or 1200 baud. That
>computer would link to other computers in a crazy quilt pattern
>called Bitnet, which had spun off from ARPAnet (a Defense
>Department initiative). Over time, data files were stored on
>various university mainframes. One of the biggest was at the
>University of Minnesota, with tons of non-graphical information.
>Using this network of computers, the user could hop around the
>world. Out of this primitive connectivity, came the explosion of
>the World Wide Web.
>
>But the PC was never intended for this purpose - it was created for
>a single user. Efficient usage meant that much of the function of
>the operating system was hidden from the user, who really didn't
>need to know what was going on within the system. Also, in the
>interest of ease of use, the different applications became more
>tightly integrated with each other and within the file system. The
>outcome, of course, was the Microsoft-driven computer of today
>where the word processor, spreadsheet, e-mail package, web browser
>and file system are intimately connected.
>
>As a result, it is difficult today to figure out exactly what is
>going on inside your own computer. The integration of processes
>obfuscates the operating system. A good example can be found in the
>famous "blue screen of death" that functions like a "service
>engine" light. It tells you that you are in trouble, but doesn't
>tell you why. The inability of the Microsoft Operating System (OS)
>to tell the user what is wrong is a feature, not a bug, as they
>say. The OS frequently doesn't have any idea what has failed. The
>complexity of the system itself makes transparency impossible.
>
>Microsoft triumphed because it provided for the easy exchange of
>files within the PC and between PCs. But that very ease of exchange
>created the current potential crisis. The Microsoft operating
>system took advantage of connectivity opportunities. Once the
>computer became connected, it was no longer under the sole control
>of the owner, whose interest was in protecting his computer and his
>data; instead the owner is now exchanging information with others
>who might have more malicious interests. The structure of the
>Microsoft OS made it extremely difficult to deal with maliciousness
>for two reasons:
>
>1. The increasingly tight integration of the OS with applications
>and links between applications means that malicious imported code
>can migrate rapidly from one part of the system to another. The "I
>Love You" virus, for example, attacked the address book of the
>email system, as well as attacking music and graphics files.
>
>2. The lack of transparency of the operating system makes it
>extremely difficult to create programs that can see what is
>happening inside of the computer in real time, creating shut-offs
>or fail-safes. Current anti-virus software is forced to identify
>known viruses by scanning incoming files. This means that new,
>unknown viruses can't be stopped.
>
>During the denial of service attacks on web sites, no one could
>figure out where attacks came from because a single attacker can
>route attacks through thousands of computers. It is possible to
>plant malicious code on a computer whose mission is not to attack
>the host computer - but to propagate itself to other computers and
>then to begin simply linking to Internet sites, shutting them down
>by sheer overload. Finding these tiny bits of malicious code on a
>server is mind-numbingly difficult. It can be anywhere in the file
>system and called virtually anything. There is some software
>designed to detect this code. But it needs to be installed by
>people who are concerned with damage to other servers - altruism
>that is fairly rare.
>
>A teenage kid can knock out hundreds of corporate systems because
>the foundation of modern computing, the operating system, has been
>in rapid, forced development since the success of MS-DOS. It was
>designed for one user who would treat it right. The
>hyper-connectivity of the Internet exposes it to code delivered by
>others. The Windows operating system was simply not built with this
>in mind. It has served brilliantly as a tool for exchanging
>information.
>
>But its very success has created the menace. The neat macros
>created in a spreadsheet can be made malicious by a teenage kid.
>Interoperability and interconnectivity were created without regard
>to security. And there can be none without transparency. You can't
>be secure if there is no method for knowing what is happening in
>your operating system. It is the perfect environment in which
>viruses can flourish. That is true on the client and the server.
>
>The problem is that we are dependent on these systems for our daily
>work and our daily work can be used to spread harmful programs. If
>a teenager can wreak this havoc, imagine what a concerted effort by
>a well-funded government intelligence agency can do. That, of
>course, is the point. Dependency on the computer and the Internet
>at this primitive stage of development opens us to attack,
>particularly from societies that are not dependent on PCs and the
>internet, but that do possess the intellectual skills needed to
>mount the attack.
>
>One executive of an anti-virus company has suggested that you
>should never open a file from someone you don't know. That is a
>measure of how shallow our defenses are. How can you be sure that
>the person you know hasn't become infected? In fact, how can you be
>sure that the person you know doesn't want to zap you? Some
>companies have solved the problem by prohibiting attachments and
>removing floppy drives. In other words, they have solved the
>problem by losing the capability. The solution is not in policies,
>but in technology. The problem's center of gravity is the operating
>system.
>
>Security requires a complete re-engineering of the operating system
>to permit rapid diagnosis through complete transparency. It will
>not be easy to evolve Windows or NT in this direction. It seems
>that officials may want to deal with this problem. After all, the
>real threat from rogue states won't be nuclear attack, but cyber
>attack. Rogue states won't launch nuclear attack for fear of the
>counterattack. But how do we retaliate against a virus attack? We
>depend on computers. They don't.
>
>(c) 2000 WNI, Inc.