Saturday, October 23, 2010

Of Satellites and Zombies and Recurring Security Themes

I recently came across some archival security wordage while writing a whitepaper about satellite Internet service. Because it still seems relevant, I thought I would reprint it. But first, some background on satellite Internet. America's telecom companies are fending off demands for universal broadband service requirements by telling politicians that satellite Internet is broadband. It most certainly is not.

Satellite Internet does provide an “always on” connection that is faster than dialup, but one problem with this service is that you have to turn off those automatic software updates that sometimes patch security holes in applications and operating systems (this is because of tight bandwidth caps, as low as 300 megabytes a day, with penalties for going over your limit). So you have these “always on” connections that are not getting patched promptly.

A few years back in the history of computer security it emerged that "always on computing" in the form of consumer computing devices connected to high speed Internet connections created the potential for large-scale attacks on corporate and government systems through compromised hosts (zombies) organized into malicious networks (botnets) by criminal hackers or cyber-terrorists. A prime strategy for turning personal computing devices into zombies is to exploit software vulnerabilities before they are fixed or “patched” by users downloading and installing updates.

Software companies responded to this threat by developing automated distribution systems for security updates. Turning off these automated patching systems increases the risk that consumer Internet devices will be compromised and used in botnet attacks. This threat appears in government reports as early as 2004 (National Infrastructure Advisory Council, Hardening the Internet: Final report and Recommendations by the Council, October, 2004).

I know that it was openly discussed during FTC hearings on computer security in 2002 because I was part of the discussion. The Consumer Information Security Workshop, held May 21-22, 2002, in Washington was addressed by Dick Clarke, then the President's special advisor on cyber security issues and chair of the President's commission on critical infrastructure protection. At that time he was formulating the national strategy for cyber security, a multi-pronged strategy to improve the security of government agencies, businesses and consumers.

(Before his appointment as special advisor to the President, Clarke served as national coordinator for security infrastructure protection and counter-terrorism on the National Security Council. As national coordinator, he led the U.S. government's efforts on counter-terrorism, cyber security, continuity of government operations, domestic preparedness for weapons of mass destruction and international organized crimes. In the George H. W. Bush Administration, Clarke was the assistant secretary of state for political military affairs. In that capacity, he coordinated State Department support for Desert Storm and led efforts to create post war security architecture. In 1992, General Scowcroft appointed Mr. Clarke to the National Security Council staff.)

So here's what Clarke said about the 2002 FTC Consumer Information Security Workshop:

"We see this two-day workshop as part of the national outreach effort that we are making as we develop the national strategy to secure cyberspace. How can the home user, without knowing it, hurt other people? Tim mentioned distributed denial of service attacks, and we've seen that happen already. This is not a theoretical possibility where the home user, without knowing it, has their computer attacked. A part of their computer is then covertly taken over by an automated program, and it sits waiting for instructions or it sits waiting for a time, and then when that time comes, it launches what's called a distributed denial of service attack, firing messages out many times a second, and it does it in concert with hundreds or thousands of other computers, and those messages from all of those computers are aimed at one site on the Internet. The effect can be that the site closes down under the volume, that the routers and the servers crash under the wave.

"...In point of fact, denial of service attacks occur every day. There are hundreds a month aimed at all sorts of different sites all over the Internet and all over the world, and many of them are happening because the home consumer hasn't been told how to prevent his or her computer from becoming a zombie. Many people don't even know when their computer has become a zombie."

Later, the same FTC workshop heard from Tatiana Gau, Vice President of Integrity Assurance at America Online about "one of the approaches that we took earlier this year with the National Cyber Security Alliance."

This was a Call to Action that went like this:

"As a citizen of the United States it is your duty to do your part in trying to protect the nation's infrastructure. Yes, there's other elements that need to play a role in protecting our nation's infrastructure, but you as a consumer need to make sure that you don't unwittingly become the mechanism through which an organized group or a disorganized group could, in fact, attack a government web site or some other system in our country by having your computer become a robot simply because you had a password that was too easy to guess."

So, here we are, eight years later. The average consumer is probably a little better informed about cyber security than they were back then, but not much. And America's telecomm companies are trying to avoid serving rural areas by touting an "always on" consumer Internet service that arguably has a higher risk profile than cable, DSL, or fiber optic. Good job we're less reliant on computers these wait, we're a lot more reliant, pity we're not a lot more aware of the risks.