Cyberwarfare

Unsophisticated Computer Programmers Can Create Absolute Havoc

"I Love You" and the Problem of Cyberwarfare

Source: Stratfors Global Intelligence Update
http://www.stratfor.com

May 15, 2000

Summary

Last week, officials from the government and the computer industry gathered in the wake of the massive denial of service attacks against commercial web sites and the outbreak of the "I Love You" virus. The real problem the United States and much of the world faces is that people are overwhelmingly dependent upon a single computer operating system that is exceedingly vulnerable to even simple attacks. The PC and the Internet have become indispensable - while remaining indefensible.

Analysis

Last week, U.S. government and computer industry officials gathered in California for a summit on computer security. The meeting took place in the wake of a recent spate of computer viruses and attacks, including the massive denial of a service attack, apparently launched by a Canadian teenager, and the "I Love You" virus, seemingly launched by someone in the Philippines.

It is important to realize that neither of these attacks were developed by computer geniuses. The Canadian teenager’s ability to shut down Amazon.com was perhaps one notch more sophisticated than setting an autodialier on a telephone to repeatedly call someone’s phone, making it impossible for real callers to get through. The "I Love You" virus was a simple macro written in a fairly simple language, Visual Basic, that took advantage of the lack of security on Microsoft’s e-mail package. No one is going to be offering either of these software creators jobs at the National Security Agency.

Some people are taking comfort in this. John Dvorak, a usually astute observer of the computing world, wrote in PC Week, "The Love Bug Virus is the type of thing that’s great for keeping journalists busy on a slow news day. I’ve never seen anything get so much ink. The question of the day: Will writing two-bit destructive viruses become the way that loners and goofballs get their 15 minutes of fame? I suspect this is the case. It certainly beats setting oneself up on the school clock tower and picking off fellow classmates with a rifle."

Dvorak is of course right - but he’s missing his own point. Vitally important news is being made. The news is this: It is now possible for a comparatively unsophisticated computer programmer to create absolute havoc. It is not the hacker’s psychological profile that is interesting; it is the intellectual profile that is stunning. It used to be possible for a brilliant but unstable person to wreak havoc. Today, a not particularly bright crackpot can achieve the same outcome. And that is the point. There are few brilliant people in the world. There are lots of dullards. Based on the ratio of fools to geniuses, the likelihood of future attacks increases.

The problem is this: the personal computer and the Internet are both revolutionary - and yet, terrifically vulnerable. Both are less than a generation old and comparatively primitive, like the telephone or automobile early on in their evolution. Yet the revolutionary nature of computing today allows all kinds of people to do important things in ways once impossible. Everyday people in all walks of life and work have become dependent on these systems.

The vulnerability of these systems stems from the simple fact that they were never intended to be the center of such dependency. The personal computer was developed as a stand-alone system. Unlike mainframes with multiple users using multiple accounts, the PC was deliberately designed to serve the needs of an individual. The entire purpose of the PC was to be a functioning system that provided the user unfettered access to his data, programs and even operating system. Hence its name. It followed from this that the individual was unlikely to seek to harm his own computer or the data on it. Security was hardly a priority.

Connectivity between PCs has crept in slowly. Not so long ago, people couldn’t conceive of a mass market for PCs. As word processors and spreadsheets emerged, the usefulness of the PC became more apparent. Still, few people in the 1980s imagined that one of the PC’s primary roles would be that of a communications device. At first limited to a handful of military and academic users, e-mail usage began to explode in the late 1980s.

Early e-mail had been built around a few academic mainframes. A PC user would get a campus account - either on a mainframe or minicomputer - in terminal mode, not as a true computer. He would dial up to that account via a modem, at 300 or 1200 baud. That computer would link to other computers in a crazy quilt pattern called Bitnet, which had spun off from ARPAnet (a Defense Department initiative). Over time, data files were stored on various university mainframes. One of the biggest was at the University of Minnesota, with tons of non-graphical information. Using this network of computers, the user could hop around the world. Out of this primitive connectivity, came the explosion of the World Wide Web.

But the PC was never intended for this purpose - it was created for a single user. Efficient usage meant that much of the function of the operating system was hidden from the user, who really didn’t need to know what was going on within the system. Also, in the interest of ease of use, the different applications became more tightly integrated with each other and within the file system. The outcome, of course, was the Microsoft-driven computer of today where the word processor, spread sheet, e-mail package, web browser and file system are intimately connected.

As a result, it is difficult today to figure out exactly what is going on inside your own computer. The integration of processes obfuscates the operating system. A good example can be found in the famous "blue screen of death" that functions like a "service engine" light. It tells you that you are in trouble, but doesn’t tell you why. The inability of the Microsoft Operating System (OS) to tell the user what is wrong is a feature, not a bug, as they say. The OS frequently doesn’t have any idea what has failed. The complexity of the system itself makes transparency impossible.

Microsoft triumphed because it provided for the easy exchange of files within the PC and between PCs. But that very ease of exchange created the current potential crisis. The Microsoft operating system took advantage of connectivity opportunities. Once the computer became connected, it was no longer under the sole control of the owner, whose interest was in protecting his computer and his data; instead the owner is now exchanging information with others who might have more malicious interests. The structure of the Microsoft OS made it extremely difficult to deal with maliciousness for two reasons:

1. The increasingly tight integration of the OS with applications and links between applications means that malicious imported code can migrate rapidly from one part of the system to another. The "I Love You" virus, for example, attacked the address book of the email system, as well as attacking music and graphics files.

2. The lack of transparency of the operating system makes it extremely difficult to create programs that can see what is happening inside of the computer in real time, creating shut-offs or fail-safes. Current anti-virus software is forced to identify known viruses by scanning incoming files. This means that new, unknown viruses can’t be stopped.

During the denial of service attacks on web sites, no one could figure out where attacks came from because a single attacker can route attacks through thousands of computers. It is possible to plant malicious code on a computer whose mission is not to attack the host computer - but to propagate itself to other computers and then to begin simply linking to Internet sites, shutting them down by sheer overload. Finding these tiny bits of malicious code on a server is mind-numbingly difficult. It can be anywhere in the file system and called virtually anything. There is some software designed to detect this code. But it needs to be installed by people who are concerned with damage to other servers - altruism that is fairly rare.

A teenage kid can knock out hundreds of corporate systems because the foundation of modern computing, the operating system, has been in rapid, forced development since the success of MS-DOS. It was designed for one user who would treat it right. The hyper-connectivity of the Internet exposes it to code delivered by others. The Windows operating system was simply not built with this in mind. It has served brilliantly as a tool for exchanging information.

But its very success has created the menace. The neat macros created in a spreadsheet can be made malicious by a teenage kid. Interoperability and interconnectivity were created without regard to security. And there can be none without transparency. You can’t be secure if there is no method for knowing what is happening in your operating system. It is the perfect environment in which viruses can flourish. That is true on the client and the server.

The problem is that we are dependent on these systems for our daily work and our daily work can be used to spread harmful programs. If a teenager can wreak this havoc, imagine what a concerted effort by a well-funded government intelligence agency can do. That, of course, is the point. Dependency on the computer and the Internet at this primitive stage of development opens us to attack, particularly from societies that are not dependent on PCs and the internet, but that do possess the intellectual skills needed to mount the attack.

One executive of an anti-virus company has suggested that you should never open a file from someone you don’t know. That is a measure of how shallow our defenses are. How can you be sure that the person you know hasn’t become infected? In fact, how can you be sure that the person you know doesn’t want to zap you? Some companies have solved the problem by prohibiting attachments and removing floppy drives. In other words, they have solved the problem by losing the capability. The solution is not in policies, but in technology. The problem’s center of gravity is the operating system.

Security requires a complete re-engineering of the operating system to permit rapid diagnosis through complete transparency. It will not be easy to evolve Windows or NT in this direction. It seems that officials may want to deal with this problem. After all, the real threat from rogue states won’t be nuclear attack, but cyber attack. Rogue states won’t launch nuclear attack for fear of the counterattack. But how do we retaliate against a virus attack? We depend on computers. They don’t.

(c) 2000 WNI, Inc.

Back To Contents