BlackHat 2002: The White House and Free Software Will Guide the Industry
For the first time since the September 11th attacks, one of the foremost computer security conventions took place: BlackHat 2002 in Las Vegas, Nevada. The American government embraced the occasion as an opportunity to show the new direction they want to take for dealing with security in cyberspace. Their new approach involves cooperation with the industry, because the next major strike of terrorism very well could be through cyberspace. And any attack on our society could be severe. Fortunately, a lot of progress is being made in the field of security, and a lot of that innovation is coming from the Open Source and Free Software communities. When it comes to issues of security, however, many governments have yet to find a good way to deal with free and open-source software.
Richard Clarke, Special Advisor to the President for Cyberspace Security, keynoted on behalf of the White House. He began by expressing the idea that with all of the luxury around us, people tend to forget that America is a country at war. War is being fought, even if the battlefield happens to be far away or in cyberspace. In terms of this war, according to Clarke, the main question is "Why do we always start working on an issue after something has happened?" As an example, he stated that it was only after the bombing of Pearl Harbor that America entered WWII, yet they won. Another example he offered is the race in the 1950s and 1960s to be the first country to put a man on the moon. America's interest and work in the area started after Yuri Gagarin's trip to space. Clarke said that these battles were won by the US because "afterwards, we're the best".
Then the events of September 11th happened, and security suddenly became a widely used term. Clarke said that on September 18, 2002, a strategic plan will be presented. The 2,800-page document has been contributed to by every industry except healthcare. Because the participating industries are subject to change continuously, the document will be updated periodically. Perhaps the most important section of the document is the one about cyberspace, because "everybody depends on it".
Clarke added that the Nimda virus alone created over $3 billion worth of damage. The virus managed to hit Wall Street, because many administrators never made an effort to upgrade systems, afraid of the unforeseen consequences of such an upgrade. When talking about these kinds of attacks, Clarke said he prefers to speak about cyber-security, because the security necessary goes beyond the Internet. This type of security now falls to the new Department of Homeland Security because "someone has to be responsible".
Clarke also said that a lot of work has to be done by the IT industry. The White House is concerned about the ever increasing number of bugs in software products, and they want to see this resolved. The government's involvement will be in the form of "walk and talk". Regulating the industry is not the aim, not specifically because the government doesn't want to regulate the IT industry, but simply because "it takes a year to get regulation passed by the FCC".
As for self-regulation by the IT industry, that often takes the form of not disclosing vulnerabilities, which Clarke believes is irresponsible. His belief clearly overlooks the fact that often the same bug is discovered in multiple places; in addition, some IIS bugs have been open for three or four months without a patch coming out. In the meantime, millions of web servers are vulnerable.
In the same speech, Clarke also highlighted that the Federal Government couldn't prevent a judge from ordering the Department of Interior to close all of its external datalinks, because they were so insecure that it was simply unacceptable.
Clarke then stated that the Office of Homeland Security is working with the National Institute for Standards to deliver software tests. The tests will cost between $100,000 and $1,000,000 US, however, making them available only to larger companies. Clarke suggested that smaller companies and open-source projects should find some type of sponsorship to facilitate the testing. When I asked about this during a later press conference, Clarke reluctantly admitted that this sponsorship might be hard or even impossible to arrange. Once the test is taken, though, it should ensure a certain level of security. Clarke further said he expects that if something is found to be significantly more secure than the current solution, the US will switch to that other technology.
In addition to product manufacturers, many ISPs also don't deliver security to their users. Out of all the cable companies, phone companies and ISPs in the US, only one ISP delivers a firewall to customers; the others think it is too expensive. In the Netherlands, only XS4All delivers a firewall, antivirus software and PGP, and they have done so for years. They also can notify users if they seem to be infected with viruses or if there is evidence that a user's account has been compromised.
But relying on third parties may not always be the best solution. Linux-loving people, in particular, tend to do a lot of security work for themselves. When setting up their network, they might install an Intrusion Detection System (IDS) to detect attacks, but with some added intelligence one can install a Gateway IDS. This technology goes beyond detection and will disarm well-known attacks by stopping suspected packets, which can be recognized by a fingerprint. Setting up a Gateway IDS reduces the number of successful intrusions on a system, and it also reduces the number of alerts sent to a security administrator.
For an example of a Gateway IDS, look at Hogwash, which is based on Snort. The coolest feature of Hogwash is that it can rewrite attacks--not to make them happen, but to fool the attacker, because no drop or reject of the IP packet takes place. For instance, an attack calling /usr/bin/exploit would be changed to call /usr/bni/exploit, making it fail. Any good script kiddie thinks that the exploit got through (no dropped or bounced packets), but the exploit doesn't do its job.
Hogwash obviously increases security, but it also has the side effect of allowing you to run older software if there is a reason for it. Say, for instance, you want to stick with PHP 2 because you don't want to rewrite your application in PHP 3. One of the developers, Jed Haile, tried such a move at Def Con 9 on an unpatched Red Hat 6.2 box, and he promised that a successful attacker would get to keep the box. Nobody managed to crack the machine. Currently Hogwash seems to be pretty mature and will be integrated into Snort.
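The rewrite behaviour described above, as an added example that is not Hogwash's or Snort's own code: a small inline inspector that matches a payload against a signature list and substitutes same-length bytes, because an inline rewrite that changed segment lengths would desynchronise the TCP stream. The signature ids and the second (traversal) signature are constructed for illustration.

```python
# Added example, not Hogwash/Snort code: a minimal inline "gateway IDS" that
# inspects a TCP payload against a signature list and, rather than dropping the
# packet (which the attacker would notice), scrambles the matched bytes in place.
# A real inline device recomputes the TCP checksum afterwards; the length
# invariant below is what keeps the rewrite invisible to the stream.
from dataclasses import dataclass, field
from typing import List


@dataclass
class Rule:
    sid: int            # signature id (constructed, not a real Snort SID)
    pattern: bytes      # content to look for in the payload
    replacement: bytes  # same-length bytes to substitute for it

    def __post_init__(self) -> None:
        if len(self.pattern) != len(self.replacement):
            raise ValueError(f"rule {self.sid}: replacement must match pattern length")


@dataclass
class Verdict:
    action: str         # "pass" (untouched) or "rewrite" (payload modified)
    payload: bytes
    alerts: List[str] = field(default_factory=list)


def inspect(payload: bytes, rules: List[Rule]) -> Verdict:
    """Apply every matching rule and return the (possibly rewritten) payload plus alerts."""
    out = payload
    alerts = []
    for rule in rules:
        if rule.pattern in out:
            out = out.replace(rule.pattern, rule.replacement)
            alerts.append(f"sid={rule.sid} rewrote {rule.pattern!r} -> {rule.replacement!r}")
    # Invariant for inline rewriting: the segment length never changes.
    assert len(out) == len(payload)
    return Verdict("rewrite" if alerts else "pass", out, alerts)


# Constructed rules: the first mirrors the /usr/bin -> /usr/bni example above,
# the second neutralises a directory-traversal sequence with same-length bytes.
RULES = [
    Rule(1000001, b"/usr/bin/exploit", b"/usr/bni/exploit"),
    Rule(1000002, b"../../", b"./././"),
]

if __name__ == "__main__":
    for pkt in (b"GET /index.html HTTP/1.0\r\n",
                b"GET /cgi-bin/x?/usr/bin/exploit HTTP/1.0\r\n"):
        v = inspect(pkt, RULES)
        print(v.action, v.payload, v.alerts)
```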
One other security option is the famous HoneyNet Project. This project aims to obtain information on the way hacking works through an open-source intelligence organization. The project builds a network environment where systems are monitored (as invisibly as possible), waiting for an attack. The network is built mostly with systems that are not hardened. With ping-sweeps going on all the time, the first attack will take place within a few days and the learning process begins. As the system serves no other purpose than waiting for attacks, anyone connecting to it is clearly looking to do something illegal.
According to Richard Salgado, DA for the Department of Justice, however, this way of working might have legal consequences. For example, what if an attacker damages other machines on the Internet using a HoneyNet? A civil suit might have success, because the machine was waiting to be hacked--deliberate neglect. But it's also criminally disputable: who's responsible if child pornography turns up on a HoneyNet?
Furthermore, watching network traffic might be illegal according to the US Wiretap Act. HoneyNets are meant to be broken into, and watching the traffic is not meant to protect your system. It doesn't constitute consent of two parties (required in certain states in the US). In that sense then, logging might be illegal.
Fortunately, there is a clause that might help out: the computer trespasser exception. This rule states that the protection of the Wiretap Act no longer applies if you're acting illegally. The HoneyNet Project doesn't ask people to break in, it simply lets it happen; this may be valid.
One other remarkable part of BlackHat was Ofir Arkin's presentation about VoIP. This industry is currently pushing the open SIP protocol. However, by spoofing with a simple IP packet, Ofir showed how easily connections could be dropped and control of IP-based switches taken over. So the protocol will need some redesigning before any product based on that standard will pass the security tests of the US government. During his research, Arkin also discovered 19 vulnerabilities in the Pingtel IP phone. Most issues have been resolved since their discovery, and some were discarded as not a problem. That some of the issues were so apparent suggests that a security review was not done properly, if at all. Ofir fears that Pingtel might not be the only IP telephony provider that doesn't make security a top priority.
He may be right. During a security session at the Voice-on-the-Net conference, I heard nothing else beyond how to tunnel voice past firewalls that turn out to be inconvenient and disallow VoIP traffic. I never received an answer to my question about how an IT manager who recently invested several thousand dollars to get the security right in the first place would feel about the tunneling. Jeff Pulver also has identified security issues as the main danger to IP telephony.
Given the technologies currently on the market, it clearly seems that open source is leading the industry when it comes to security. If that's the case, it's remarkable that the Department of Homeland Security hasn't solved the issue with extreme efforts to classify open-source software as secure. The Department of Homeland Security has to reconsider their position if they want to avoid frustrating cybersecurity instead of helping it out. Considering that California is planning to push free software in a way similar to Peru, this issue deserves even more attention.
Overall, BlackHat 2002 offered some new tools and some good talks. Several returning visitors thought there should be fewer 101-level talks in order to keep the conference level up. Personally I felt there was a good mix of both 101 and new, advanced material.
These days, the security industry should be the only one growing. The unconfirmed word that @Stake Security has been laying off people due to the lack of work, however, doesn't comfort at all. One thing is clear: free software is currently leading the industry with innovation, whereas many commercial companies are leading the industry with marketing.
Brenno J.S.A.A.F. de Winter is president of De Winter Information Solutions in the Netherlands.