[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [interesting-people Home]
Subject: IP: A MUST READ -- a comment on viruses etc from Gene Spafford - a real security expert
>Date: Sat, 20 May 2000 12:11:05 -0500
>To: farber@cis.upenn.edu
>From: Gene Spafford <spaf@cerias.purdue.edu>
>Subject: For IP
>
>Jim Warren's post prompts me to send this out. I wrote this last week
>for our campus security mailing list (I am the campus ISSO, among other
>things).
>
> (This has been edited somewhat from the original.)
>
>>Several of you have taken me to task for my comments about Microsoft
>>software quality. I don't say these things to bash MS -- I say them
>>based on over a dozen years of experience and research in infosec
>>issues. Quite simply, Microsoft is the vendor that is putting arbitrary
>>scripting commands into their email clients and servers, Microsoft
>>products are ones that continue to exhibit security flaws and problems
>>known to researchers for decades, and it is Microsoft's design decisions
>>and products that result in problems such as Melissa, the "love bug," and
>>a myriad of computer viruses. Couple this with the nearly total Windows
>>population in some environments, and we have an extremely volatile situation.
>>
>>Ask any biologist, doctor, historian, or agricultural specialist: what
>>happens when you introduce a severe contagion into a monoculture
>>population with little natural resistance? You get pandemic -- widespread
>>infection and damage. Whether it is measles and smallpox killing
>>something like 90% of the Aztecs, Dutch Elm disease destroying a mainstay
>>of the American forest, or ILOVEYOU in Outlook damaging files on machines
>>worldwide, the result is a massive and quick-spreading epidemic.
>>
>>Analyze statistics from anti-virus researchers, companies, and on-line
>>documents. You will find that there are currently about 60,000
>>recognized computer viruses (not worms, such as Melissa or ILOVEYOU, but
>>traditional viruses). Of these (as of this week):
>>  * slightly less than 52,000 are viruses for DOS/Windows/NT platforms
>>     - about 6000 of these are Word macro viruses
>>     - about 150-200 of these are known to be widespread "in the wild"
>>     - in 1999, approximately 650 new viruses were reported each month
>>       (more than 20 a day)
>>  * 680 are for the Amiga
>>  * A few hundred are for Javascript, Hypercard, Perl, and other
>>    scripting languages. Few of these can spread beyond a few machines
>>    without active support of the users
>>  * 150 are for the Atari
>>  * 31 are native to the Macintosh, and only two of them are known to
>>    exist anymore
>>  * 2 or 3 are viruses native to OS/2
>>  * About 5 are for Linux/Unix/etc, but none have been found in quantity
>>    "in the wild", nor would they be likely to spread very far if they were "loose"
>>  * None are for BeOS, ErOS, or other small-population systems.
>>
>>So, over 85% of all the known viruses are for Microsoft platforms (nearly
>>all the self-propagating worms are as well). The rate of new reports --
>>especially for macro viruses -- means that pattern-based virus detectors
>>can never be up-to-date and provide 100% protection. (Note: I'm not
>>trying to draw grand conclusions here about the reasons for this skew,
>>but simply point out where the overwhelming threat is.) Fast-spreading,
>>self-propagating worms using Outlook move so quickly that they are likely
>>to be upon us before an anti-virus vendor can even get a copy to analyze.
>>
>>The situation is made worse by Microsoft trying to minimize the scope of
>>the problem and claim that they aren't responsible in any way. The MS
>>spin doctors are even attempting to blame the users! (One MS executive
>>even claimed that we should beat our users to prevent problems such as
>>the "love bug": <http://www.digitalmass.com/columns/software/0508.html>).
>>Microsoft employees and apologists are attempting to claim that these are
>>problems that every software platform has, as if this somehow makes the
>>gaping vulnerabilities less of a problem. This is simply not true -- you
>>can't construct a "Melissa" or "love bug" worm without Outlook and MS
>>Windows scripting host.
>>
>>So, we need to do what we can ourselves to help our situation. What
>>should you, as Purdue system and security administrators, consider doing?
>>
>>#1 is to make sure your anti-malware software is up-to-date to detect
>>older, known viruses. We have site licenses for various NAI products if
>>you don't have something installed yet. Also, install Tripwire if you are
>>using NT or Unix boxes (we have this site-licensed, too). The use of
>>Tripwire will help detect new, as-yet undetected viruses (after the fact,
>>unfortunately) and also help in clean-up of damage by giving a snapshot
>>of altered files and registry settings. (It also provides intrusion
>>detection in addition to the change detection involved in detecting viruses.)
>>
>>#2 is to ensure that your users understand good anti-malware practices.
>>This can't stop all future problems, but it may help limit their spread.
>>In particular, get users to cut and paste text in email rather than
>>attach Word documents. If they need to send a file of some kind, then
>>have them use ftp rather than embed the files in email. On the receiving
>>side, users should simply reject any executable content rather than
>>depend on virus screening.
>>
>>#3, perform regular, comprehensive backups of all systems. If you do not
>>perform regular, full backups of any systems, notify those users and
>>ensure that they understand the procedures (and importance) to do it
>>themselves. Files deleted by buggy software, viruses, worms, crashes or
>>simple mistakes cannot always be recreated. Backups are critical for
>>recovery. (Be sure to test your backups periodically to ensure they work!)
>>
>>#4, be certain your systems are up-to-date on patches and security fixes,
>>no matter what kind of platform you may be using.
>>
>>#5 If you use Outlook, disable the Windows scripting host feature (see
>>article at the URL given above). Alternatively, think about switching
>>your users from Outlook to some other email client (e.g., Eudora). For
>>this to work, however, you need to de-install Outlook rather than simply
>>install something alongside it. (There was at least one case on campus
>>where someone using Eudora on Windows saved the ILOVEYOU code to disk and
>>started it, and it then activated Outlook to use the global address book
>>to mail copies to other users.)
>>
>>#6, if your users are using Internet Explorer, be certain they have their
>>security settings on the highest level for all zones unless you *know* it
>>is safe to use a lower setting. Also, in the security settings, disable
>>ActiveX if at all possible -- ActiveX supports threats that cannot be
>>defended against. In all WWW browsers users should be careful about
>>enabling Javascript and Java, with Java being safer than Javascript in
>>up-to-date browsers.
>>
>>#7, When acquiring new systems, think carefully if you really need
>>Windows/Word, or whether an alternative is available that is more
>>resistant to attack. This is especially a concern if you don't have staff
>>or expertise to be constantly dealing with security concerns. For
>>instance, if you are only seeking a machine to run a WWW server, then a
>>Mac makes a robust server with an almost non-existent history of security
>>problems. In fact, last year the US Army replaced their NT-based WWW
>>servers after repeated security problems and they have not had a single
>>security incident since! Similarly, you can run Excel and Word on a Mac,
>>and using StarOffice on a Unix box you can deal with the same files.
>>There are also other word processing programs (e.g., Framemaker,
>>AppleWorks, others) and spreadsheet systems. Windows and Office are not
>>the only choices.
>>
>>The key here is to think about total cost of operation and the needed
>>core functionality. When you put a machine in service there may be the
>>up-front cost of the box and the software, and in this regard a Wintel
>>box seems the best choice. But add in the time spent applying security
>>patches, strengthening the default installation, responding to (and
>>cleaning up after) break-ins and malware incidents, and the time spent
>>staring at blue screens -- time for you and your staff is valuable, as is
>>the loss of productive work time by your users. Yes, Windows runs
>>thousands more programs than does Unix or a Mac -- but do you ever need
>>those in a work or lab environment? Most are games, or are versions of
>>software you don't need or already have in another form. Consider
>>carefully what you want: buying a system because it runs programs you
>>will never use and that may cost more over its lifetime to operate is not
>>a bargain.
>>
>>This is not intended to suggest that Microsoft is the source of all evil,
>>or that you should run out and replace all your Windows boxes with
>>something else. There are good people working for MS -- and several of
>>them are former students and colleagues. The university (and the world
>>around us) would come to a very abrupt halt if we didn't have MS products
>>for everyday use. Furthermore, other vendor products are hardly bug-free
>>-- we continue to see security advisories for Solaris, HP-UX, Linux, and
>>others. But the number of security problems for MS products and the near
>>ubiquity of MS platforms in many environments means that we need to be
>>especially concerned about this as a potential problem area. (See
>><http://www.securityfocus.com/frames/?content=/vdb/stats.html> for some
>>interesting numbers supporting this.)
>>
>>Several security experts, myself included, are convinced that we have
>>seen only the tip of the iceberg as far as new worm/virus code is
>>concerned. Being aware of alternatives and threats is the first step in
>>protecting ourselves. Trying to reduce the "monoculture" environment and
>>replace the most vulnerable members of the population is simply one step
>>towards protecting our environment against future threats.
>>
>>You *do* have choices, and if only enough people exercised their choices
>>we might find *all* the vendors paying a little more attention to security.
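Item #2 of Spafford's list tells the receiving side to reject executable content outright rather than trust virus screening. The block below is an added example written for this page, not code from Spafford, Purdue or any product he names: a small Python filter that parses a raw RFC 822 message and flags every attachment whose real (last) extension is a Windows executable or script type. Judging only the last suffix is what catches the double-extension lure used by ILOVEYOU (LOVE-LETTER-FOR-YOU.TXT.vbs), where a user sees ".TXT" and the Windows Script Host sees ".vbs". The extension sets and the sample message are constructed for illustration and the lists are not exhaustive.

```python
"""Reject mail carrying executable attachments (added example)."""
import email
import email.policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Suffixes Windows or the Windows Script Host will run on double-click.
# Assumption: illustrative list, not a complete inventory.
EXECUTABLE_EXTS = {
    ".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
}
# Office formats that can carry auto-running macros.
MACRO_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt"}


def classify_filename(name):
    """Return "executable", "macro" or "ok" for an attachment filename.

    Only the *last* suffix decides: "LOVE-LETTER-FOR-YOU.TXT.vbs" is a
    .vbs file however it is displayed.  Trailing dots and spaces are
    stripped first because Windows ignores them when opening the file.
    """
    lowered = name.strip().rstrip(". ").lower()
    suffixes = PurePosixPath(lowered).suffixes
    if not suffixes:
        return "ok"
    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        return "executable"
    if last in MACRO_EXTS:
        return "macro"
    return "ok"


def scan_message(raw_bytes):
    """Parse a raw message and return [(filename, verdict), ...] for every
    MIME part that carries a filename (Content-Disposition or the legacy
    Content-Type name= parameter; get_filename() checks both)."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            findings.append((name, classify_filename(name)))
    return findings


def should_reject(raw_bytes):
    """Policy from the post: any executable or macro-capable attachment
    means the whole message is refused, no scanning involved."""
    return any(verdict != "ok" for _, verdict in scan_message(raw_bytes))


def build_sample():
    """Constructed sample mimicking the ILOVEYOU lure: a script attachment
    with a misleading double extension plus one harmless text file."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    msg.add_attachment(b'MsgBox "hello"\r\n', maintype="application",
                       subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    msg.add_attachment("plain notes\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample()
    for filename, verdict in scan_message(raw):
        print(f"{verdict:11} {filename}")
    print("reject" if should_reject(raw) else "accept")
```

The check is deliberately blind to the declared Content-Type: a .vbs labelled application/octet-stream, text/plain or anything else is still a .vbs once saved to disk, which is the path the Eudora incident in item #5 describes.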
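Item #1 recommends Tripwire so that a virus the pattern scanners have not seen yet still shows up afterwards as a set of altered files. The block below is an added example for this page and is not Tripwire's code or database format: it takes a SHA-256 baseline of a directory tree, stores it as JSON outside the tree, and later reports files that were added, removed or modified. The scenario in demo() is constructed; it simulates a mailer worm overwriting a program with a same-size trojaned copy, dropping its own script and deleting a document. It covers files only; the registry snapshot Spafford mentions for NT is not reproduced here.

```python
"""File-integrity baseline and change report (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def _sha256(path):
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_posix_path: {"size": int, "sha256": hex}} for every
    regular file below root.  Symlinks are skipped so a planted link cannot
    make the scanner hash (or report on) something outside the tree."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        baseline[path.relative_to(root).as_posix()] = {
            "size": path.stat().st_size,
            "sha256": _sha256(path),
        }
    return baseline


def compare(old, new):
    """Diff two snapshots.  A file is 'modified' if its size or hash differs;
    comparing the hash is what catches a same-size overwrite that mtime and
    size checks alone would miss."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(p for p in old_keys & new_keys if old[p] != new[p]),
    }


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario in a temporary directory; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "bin").mkdir(parents=True)
        (site / "docs").mkdir()
        (site / "bin" / "notepad.exe").write_bytes(b"MZ original program")
        (site / "docs" / "memo.txt").write_text("quarterly memo\n")
        (site / "docs" / "readme.txt").write_text("untouched\n")

        # Keep the baseline outside the monitored tree (in practice on
        # read-only or off-host storage) so the intruder cannot rewrite it.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(site), baseline_file)

        # Simulated infection: same-length overwrite, dropped script, deletion.
        (site / "bin" / "notepad.exe").write_bytes(b"MZ trojaned copy   ")
        (site / "docs" / "LOVE-LETTER-FOR-YOU.TXT.vbs").write_text("MsgBox 1\n")
        (site / "docs" / "memo.txt").unlink()

        return compare(load_baseline(baseline_file), snapshot(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report is only as trustworthy as the baseline: a snapshot stored writable on the same host can be regenerated by whatever altered the files, so the baseline belongs on media the compromised machine cannot rewrite, and the scanner itself should be run from a known-good copy.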