
Sunday, April 6, 2008

The Trojan Horse.

1999 is a pivotal year for malicious software (malware) such as viruses, worms, and Trojan horses. Although the problem is not new, Internet growth and weak system security have evidently increased the risks.

Viruses and worms survive by moving from computer to computer. Prior to the Internet, computers (and viruses!) communicated relatively slowly, mostly through floppy disks and bulletin boards. Antivirus programs were initially fairly effective at blocking known types of malware entering personal computers, especially when there were only a handful of viruses. But now there are over 10,000 virus types; with e-mail and Internet connectivity, the opportunities and speed of propagation have increased dramatically.

Things have changed, as in the Melissa virus, the Worm.ExploreZip worm, and their inevitable variants, which arrive via e-mail and use e-mail software features to replicate themselves across the network. They mail themselves to people known to the infected host, enticing the recipients to open or run them. They propagate almost instantaneously. Antiviral software cannot possibly keep up. And e-mail is everywhere. It runs over Internet connections that block everything else. It tunnels through firewalls. Everyone uses it.

Melissa uses features in Microsoft Word (with variants using Excel) to automatically e-mail itself to others, and Melissa and Worm.ExploreZip make use of the automatic mail features of Microsoft Outlook. Microsoft is certainly to blame for creating the powerful macro capabilities of Word and Excel, blurring the distinction between executable files (which can be dangerous) and data files (which hitherto seemed safe). They will be to blame when Outlook 2000, which supports HTML, makes it possible for users to be attacked by HTML-based malware simply by opening e-mail. DOS set the security state-of-the-art back 25 years, and MS has continued that legacy to this day. They certainly have a lot to answer for, but the real cause is more subtle.

It's easy to point fingers, including at virus creators or at the media for publicity begetting further malware. But a basic problem is the permissive nature of the Internet and the computers attached to it. As long as a program has the ability to do anything on the computer it is running on, malware will be incredibly dangerous. Just as firewalls protect different computers on the same network, we're going to need something to protect different processes running on the same computer.

This malware cannot be stopped at the firewall, because e-mail tunnels it through a firewall, and then pops up on the inside and does damage. Thus far, the examples have been mild, but they represent a proof of concept. The effectiveness of firewalls will diminish as we open up more services (e-mail, Web, etc.), as we add increasingly complex applications on the internal net, and as misusers catch on. This "tunnel-inside-and-play" technique will only get worse.

Another problem is rich content. We know we have to make Internet applications (sendmail, rlogin) more secure. Melissa exploits security problems in Microsoft Word; others exploit Excel. Suddenly, these are network applications. Has anyone bothered to check for buffer overflow bugs in PDF viewers? Now, we must.

Antivirus software can't help much. If Melissa can infect 1.2 million computers in the hours before a fix is released, that's a lot of damage. What if the code took pains to hide itself, so that a virus remained hidden? What if a worm targeted just one individual, deleting itself from any computer whose user ID didn't match a certain reference value? How long would it take before that one was discovered? What if it e-mailed a copy of the user's login script (most contain passwords) to an anonymous e-mail box before self-erasing? What if it automatically encrypted outgoing copies of itself with PGP or S/MIME? Or signed itself? (Signing keys are often left lying around.) What about Back Orifice for NT? Even a few minutes' thought yields some pretty scary possibilities.

It's impossible to push the problem off onto users with "do you trust this message/macro/application?" confirmations. Sure, it's unwise to run executables from strangers, but both Melissa and Worm.ExploreZip arrive pretending to be friends and associates of the recipient. Worm.ExploreZip even replied to real subject lines. Users can't make good security decisions under ideal conditions; they don't stand a chance against malware capable of social engineering.
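The post's point is that the "do you trust this macro?" prompt puts the decision on the one party least able to make it. The alternative is to make the decision once, at the mail gateway, before the user sees the message. The following is an added example, not code from the post: a small policy check that parses a raw message with Python's standard email library, classifies each attachment from both its filename and its leading bytes (the sender controls the filename and the Content-Type header, so neither is trusted alone), and returns a delivery verdict. The extension list, the "hold" policy for Word's compound-document container, and the sample messages are all constructed for the example.

```python
"""Gateway-side attachment policy, the alternative to asking the recipient
"do you trust this macro?".  Added example, not from the post; the messages,
the extension list and the policy thresholds below are all constructed here."""
import email
from email import policy
from email.message import EmailMessage

# Hypothetical policy lists.  PE_MAGIC is the 'MZ' header of Windows
# executables; OLE2_MAGIC is the header of the compound-document container
# used by Word 97-2003 .doc files (the format Melissa travelled in).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".pif", ".vbs"}
PE_MAGIC = b"MZ"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(filename, data):
    """Return 'executable', 'office-container' or 'ok' for one attachment,
    judged from both the filename and the first bytes of the content."""
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in EXECUTABLE_EXTENSIONS or data.startswith(PE_MAGIC):
        return "executable"
    if data.startswith(OLE2_MAGIC):
        return "office-container"
    return "ok"


def gateway_verdict(raw_message):
    """Parse a raw RFC 822 message; return (verdict, [(filename, kind)]).

    'quarantine' for executables, 'hold' for macro-capable containers (to be
    scanned, or delivered with macros stripped), otherwise 'deliver'.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""   # decoded bytes, any encoding
        findings.append((part.get_filename(), classify_attachment(part.get_filename(), data)))
    kinds = {kind for _, kind in findings}
    if "executable" in kinds:
        return "quarantine", findings
    if "office-container" in kinds:
        return "hold", findings
    return "deliver", findings


def build_sample(filename, data, subtype="octet-stream"):
    """Construct a message that, like the worms in the text, looks like a
    reply from a colleague carrying one attachment."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Re: the report"
    m.set_content("Hi, here is the file you asked for.")
    m.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    # An executable disguised with a .pdf name and a PDF content type is still
    # caught, because the leading bytes are checked as well.
    for name, data, subtype in (("report.pdf", b"MZ\x90\x00\x03", "pdf"),
                                ("list.doc", OLE2_MAGIC + b"\x00" * 8, "msword"),
                                ("notes.pdf", b"%PDF-1.4\n", "pdf")):
        verdict, findings = gateway_verdict(build_sample(name, data, subtype))
        print(f"{name}: {verdict} {findings}")
```

The container check only says that the attachment is a Word 97-2003 document, not whether it carries a macro; deciding that requires parsing the OLE2 streams, which is why the policy holds such messages for a scanner rather than rejecting them outright.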

What we're seeing is the convergence of several problems: the inadequate security in personal-computer operating systems, the permissiveness of networks, interconnections between applications on modern operating systems, e-mail as a vector to tunnel through network defenses and as a means to spread extremely rapidly, and the traditional naivete of users. Simple patches are inadequate. A large distributed system communicating at the speed of light is going to have to accept the reality of infections at the speed of light. Unless security is designed into the system from the bottom up, we're constantly going to be swimming against a strong tide.

Thursday, April 3, 2008

Types And Sources Of Network Threats

Denial-of-Service

DoS (Denial-of-Service) attacks are probably the nastiest, and the most difficult to address. They are the nastiest because they're very easy to launch, difficult (sometimes impossible) to track, and it isn't easy to refuse the requests of the attacker without also refusing legitimate requests for service. The premise of a DoS attack is simple: send more requests to the machine than it can handle. There are toolkits available in the underground community that make this a simple matter of running a program and telling it which host to blast with requests. The attacker's program simply makes a connection on some service port, perhaps forging the packet's header information that says where the packet came from, and then drops the connection. If the host is able to answer 20 requests per second, and the attacker is sending 50 per second, obviously the host will be unable to service all of the attacker's requests, much less any legitimate requests.
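The 20-versus-50 arithmetic above is easy to state and worth seeing played out, together with the one thing a server can do on its own: refuse a source before its requests cost capacity. The following simulation is an added example, not part of the original text. The request stream (ten legitimate sources at one request per second each, one flooding source at 50 per second), the fixed-capacity server model and the per-source limiter are all constructed here; the limit of five requests per source per second is an arbitrary choice for the example.

```python
"""Request-flood arithmetic from the text (20 answered/s vs 50 sent/s) as a
simulation.  Added example, not from the page; the request stream, the server
model and the per-source limiter are all constructed here."""
from collections import defaultdict

CAPACITY_PER_SECOND = 20          # what the server can answer, as in the text
FLOOD_SRC = "203.0.113.9"         # constructed attacker address


def make_requests(seconds, legit_sources=10, flood_rate=50, flood_src=FLOOD_SRC):
    """Construct (arrival_ms, source_ip) tuples for `seconds` of traffic.

    Each legitimate source sends one request per second, spread over the
    second; the flooding source sends `flood_rate` evenly spaced requests.
    """
    reqs = []
    for t in range(seconds):
        base = t * 1000
        for i in range(legit_sources):
            reqs.append((base + 50 + 100 * i, f"192.0.2.{i + 1}"))
        for j in range(flood_rate):
            reqs.append((base + (1000 // flood_rate) * j, flood_src))
    return sorted(reqs)


class PerSourceLimiter:
    """Fixed-window limiter: at most `limit` requests per source per second.
    (Production systems use token buckets; a fixed window keeps the example
    deterministic.)"""

    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, src, arrival_ms):
        key = (src, arrival_ms // 1000)
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True


def serve(requests, capacity=CAPACITY_PER_SECOND, limiter=None):
    """Serve at most `capacity` requests per second in arrival order.
    Returns {source: {"served": n, "dropped": n}}."""
    stats = defaultdict(lambda: {"served": 0, "dropped": 0})
    budget_second, budget = None, 0
    for arrival_ms, src in requests:
        second = arrival_ms // 1000
        if second != budget_second:               # new second: refill capacity
            budget_second, budget = second, capacity
        if limiter is not None and not limiter.allow(src, arrival_ms):
            stats[src]["dropped"] += 1            # refused cheaply, costs no capacity
            continue
        if budget > 0:
            budget -= 1
            stats[src]["served"] += 1
        else:
            stats[src]["dropped"] += 1            # server saturated
    return stats


def legit_served(stats, flood_src=FLOOD_SRC):
    """Number of legitimate requests the server actually answered."""
    return sum(v["served"] for s, v in stats.items() if s != flood_src)


if __name__ == "__main__":
    reqs = make_requests(5)
    for label, lim in (("no limiter", None), ("5 req/s per source", PerSourceLimiter(5))):
        stats = serve(reqs, limiter=lim)
        print(f"{label}: legitimate requests served {legit_served(stats)} of 50, "
              f"flood served {stats[FLOOD_SRC]['served']}")
```

Without the limiter the server answers 17 flood requests and only 3 legitimate ones in each second; with it, the flood is capped at 5 per second and every legitimate request gets through. The caveat is in the text itself: if the attacker forges the source address on each packet, every request looks like a new source and a per-source limit never trips, which is why such limits are only one layer alongside upstream filtering.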

Monday, March 10, 2008

What is a network?

NETWORK SECURITY

Network security is a complicated subject, historically only tackled by well-trained and experienced experts. However, as more and more people become ``wired'', an increasing number of people need to understand the basics of security in a networked world. This document is written with the basic computer user and information systems manager in mind, explaining the concepts needed to read through the hype in the marketplace and understand risks and how to deal with them.

Some history of networking is included, as well as an introduction to TCP/IP and internetworking. We go on to consider risk management, network threats, firewalls, and more special-purpose secure networking devices.

This is not intended to be a ``frequently asked questions'' reference, nor is it a ``hands-on'' document describing how to accomplish specific functionality.

It is hoped that the reader will have a wider perspective on security in general, and better understand how to reduce and manage risk personally, at home, and in the workplace.

Some of the Basics of Network Security


  • A ``network'' has been defined as ``any set of interlinking lines resembling a net, a network of roads; an interconnected system, a network of alliances.'' This definition suits our purpose well: a computer network is simply a system of interconnected computers. How they're connected is irrelevant, and as we'll soon see, there are a number of ways to do this.

  • TCP/IP (Transport Control Protocol/Internet Protocol) is the language of the Internet. Anything that can learn to ``speak TCP/IP'' can play on the Internet. This is functionality that occurs at the Network (IP) and Transport (TCP) layers in the ISO/OSI Reference Model. Consequently, a host that has TCP/IP functionality (such as Unix, OS/2, MacOS, or Windows NT) can easily support applications (such as Netscape's Navigator) that use the network.
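The two layers named above are easiest to see in the bytes themselves: the IP header carries the addresses that get a packet from host to host, and the TCP header inside it carries the ports that get the data to a particular application. The following is an added example, not part of the original document: it builds one constructed IPv4/TCP packet with Python's struct module, parses it back into its network-layer and transport-layer fields, and verifies the IPv4 header checksum (which is how a receiver notices a damaged header). The addresses, ports and field values are constructed; the TCP checksum is deliberately left at zero because it needs a pseudo-header and is outside the point being shown.

```python
"""IPv4 + TCP header layering, parsed from raw bytes.  Added example, not from
the document; the packet contents are constructed here."""
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
TCP_FMT = "!HHLLBBHHH"       # 20-byte TCP header without options
PROTO_TCP = 6


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over the header bytes.
    Over a header whose checksum field is filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src_ip, dst_ip, src_port, dst_port, seq=0, flags=0x02, payload=b""):
    """Construct an IPv4 packet carrying a TCP segment (default: a SYN).
    The TCP checksum is left as 0 in this example."""
    tcp = struct.pack(TCP_FMT, src_port, dst_port, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip = struct.pack(IPV4_FMT, 0x45, 0, total_len, 0x1234, 0x4000, 64, PROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill checksum
    return ip + tcp


def parse_packet(pkt):
    """Split a packet into its network-layer (IP) and transport-layer (TCP) fields."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _cksum, src, dst = \
        struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4             # header length in bytes
    network = {
        "version": ver_ihl >> 4,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "protocol": proto,
        "total_length": total_len,
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
    }
    transport = None
    if proto == PROTO_TCP:
        sp, dp, seq, ack, off, fl, win, _tc, _urg = struct.unpack(TCP_FMT, pkt[ihl:ihl + 20])
        data_start = ihl + (off >> 4) * 4
        transport = {"src_port": sp, "dst_port": dp, "seq": seq, "ack": ack,
                     "syn": bool(fl & 0x02), "ack_flag": bool(fl & 0x10),
                     "window": win, "payload": pkt[data_start:]}
    return {"network": network, "transport": transport}


if __name__ == "__main__":
    pkt = build_packet("192.0.2.10", "198.51.100.5", 40000, 80)
    parsed = parse_packet(pkt)
    print("IP layer :", parsed["network"])
    print("TCP layer:", parsed["transport"])
```

A receiver that sees checksum_ok come back False discards the packet; the test below flips one bit of the TTL field to show that the one's-complement sum catches it.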