October 05, 2007

Storm Worm signals major new shift: a Sophisticated Enemy

I didn't spot it when Peter Gutmann called it the world's biggest supercomputer (I thought he was talking about a game or something ...). Now John Robb pointed to Bruce Schneier who has just published a summary. Here's my paraphrasing:

  • Patience ...
  • Separation of Roles ...
  • Redundant Roles ...
  • No damage to host ...
  • p2p communications to control nodes ...
  • morphing of standard signatures (DNS, code) ...
  • probing (in military recon terms) past standard defences ...
  • knowledge of the victim's weaknesses ...
  • suppression of the enemy's recon ...

Bruce Schneier reports that the anti-virus companies are pretty much powerless, and runs through a series of possible defences. I can think of a few too, and I'm sure you can as well. No doubt the world's security experts (cough) will spend a lot of time on this question.

But, step back. Look at the big picture. We've seen all these things before. Those serious architects in our world (you know who you are) have even built these systems before.

But: we've never seen the combination of these tactics in an attack .

This speaks to a new level of sophistication in the enemy. In the past, all the elements were basic. Better than script kiddie, but in that area. What we had was industrialisation of the phishing industry, a few years back, which spoke to an increasing level of capital and management involved.

Now we have some serious architects involved. This is in line with the great successes of computer science: Unix, the Internet, Skype all achieved this level of sophistication in engineering, with real results. I tried with Ricardo, Lynn&Anne tried with x9.59. Others as well, like James and the Digicash crew. Mojo, Bittorrent and the p2p crowd tried it too.

So we have a new result: the enemy now has architects as good as our best.

As a side-issue, well predicted, we can also see the efforts of the less-well architected groups shown for what they are. Takedown is the best strategy that the security-shy banks have against phishing, and that's pretty much a dead duck against the above enemy. (Banks with security goals have moved to SMS authentication of transactions, sometimes known as two channel, and that will still work.)

But that's a mere throwaway for the users. Back to the atomic discussion of architecture. This is an awesome result. In warfare, one of the dictums is, "know yourself and win half your battles. Know your enemy and win 99 of 100 battles."

For the first time in Internet history, we now have a situation where the enemy knows us, and is equal to our best. Plus, he's got the capital and infrastructure to build the best tools against us.

Where are we? If the takedown philosophy is any good data point, we might know ourselves but we know little about the enemy. But, even if we know ourselves, we don't know our weaknesses, and our strengths are useless.

What's to be done? Bruce Schneier said:

Redesigning the Microsoft Windows operating system would work, but that's ridiculous to even suggest.

As I suggested in last year's roundup, we were approaching this decision. Start re-writing, Microsoft. For sake of fairness, I'd expect that Linux and Apple will have a smaller version of the same problem, as the 1970s design of Unix is also a bit out-dated for this job.

Posted by iang at October 5, 2007 07:07 AM | TrackBack

It's not just the system architecture that is at fault, but program architecture: how any program can potentially be turned into "anyprogram" by using memory management bugs to overwrite return addresses or function pointers. Anything that uses the C program architecture is vulnerable (OpenBSD's CVE-2007-1365).

And all of this has been known for a long time. When I started studying computer science, two of the recurring themes were the running joke that all the COBOL programs would stop working in the year 2000 (modern programmers, such as those then being educated, would not create such bugs) and that Pascal and Ada were the programming languages of the future, because C was notoriously messy and unsafe.

Posted by: Felix at October 5, 2007 10:00 AM


Blanu called it! Notice the Wayback Machine timestamp:




Posted by: Curious Yellow at October 5, 2007 01:54 PM


One of the *dicta* of war, courtsey Sun Zi's Art of War is actually more like

"He who knows the other side and knows himself will not be defeated in a hundred battles"

Note the absence of the 'enemy' and a 'win'... Seems a lot more appropriate this way doesn't it?

Courtesy, translation by Chow-Hou Wee, ISBN 0-13-100137-X

Posted by: Anonymous Coward at October 13, 2007 07:14 AM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.