[ISN] Are PDAs Next for Viruses?

From: William Knowles <wk_at_C4I.ORG>
Date: Tue 09 May 2000 - 08:59:46 CDT
http://www.wired.com/news/technology/0,1282,36200,00.html

by Michelle Finley
3:00 a.m. May. 9, 2000 PDT

Computer viruses seem to be an incurable fact of life. But so far,
like the common cold, they appear suddenly, cause a few days of work
stoppage, and fade into the annals of Internet history.

But the little boogers are becoming nastier. While Melissa only
clogged up email networks, the Love Bug destroyed data.

And as we move toward a future of smart devices, cars with on-board
PCs, and net-connected household appliances, perhaps the next virus
will strike closer to home.

Security experts believe the day is coming when standard computers
won't be the only targets of viral attacks.

Any device that takes its operating configuration from a piece of
software is susceptible to the malicious tinkering of its base code,
says Scott Shreve, director of NSOC Development Network Security
Technologies.

"When high-level applications are granted low-level security controls,
then anything is possible," adds Christian Smith, a network
penetration engineer at Network Security Technologies.

Hackers agree.

"Virus writers are attracted to challenges, but they also want their
work to have an impact," said RadwOrk, who defines himself as a
"neutral" hacker, and points out that "hacker" and "virus writer" are
"a totally different species of beast."

RadwOrk believes that as smart devices come into general use, they
will definitely be hit with various plagues.

"I know there are some people who would certainly respond to the
challenge of wreaking havoc on these new machines just to see what
would happen," he said.

Obviously, if every wired household will need to hire a network
security consultant to keep their smart TV and intelligent toasters
safe from viruses, implementing the "always connected" future will
present some practical problems.

Randy Antler, senior software engineer at Discover Music, offers a
cynical example.

"Imagine if you just drove off the lot of the 'Microsoft Car
Dealership' in your brand-new electric vehicle with integrated GPS,
DVD player, Windows 2001, etc.," Antler said. "If all of these devices
are tied together by Windows 2001, using something like VBScript, one
can only imagine the mayhem that could ensue if you opened a malicious
email while driving."

The good news is that a "universal virus" -- one that could take down
Palm devices, pocket PCs, your car, and your toaster all in one fell
swoop -- is unlikely.

Realistically, said Antler, the only way such a "universal virus"
could be constructed is if all of the devices in question implement a
common interpreted language to support "extensions" to the device.

Most computer languages must be translated -- compiled -- from human
readable source code into machine-readable instructions. This limits
how many computers are vulnerable to virus programs because the virus
must be compiled for the particular computer that is being targeted.

But Antler points out that with so-called "interpreted" programming
languages such as PERL, VBScript, JavaScript, and others, no
compilation step is required. The computer, in a sense, directly
understands the scripting language and either executes the
instructions directly or compiles the program on the fly in order to
execute the instructions.

"It is only when the same interpreted language is made available to
programmers (both evil and otherwise) on multiple different computer
platforms that such 'universal' viruses can be created," Antler said.
"In addition, as these interpreted languages are used to tie different
programs together, the danger can be greatly exacerbated."

Tanya Candia, vice president of worldwide marketing at F-Secure, says
she fully expects that handheld devices will soon become targets for
malicious code in the near future. And she sees a particular danger
looming for wireless devices.

"The new wireless devices represent, in some cases, a marriage of two
technologies: the computer world and the phone world," Candia said.
"Whereas the phone world understands such security issues as
identification and authentication, it is not savvy when it comes to
content security -- the expertise of the computer world.

"When these devices are enhanced to have capability to be upgraded by
the user or if the users can add additional software to the system
over the network or via another mechanism, these devices will become
vulnerable for (viral) types of attacks."

Candia believes that the worst thing to do is to take the attitude
that it can't happen here. "We would be proven wrong," she said.

"Any system that involves memory and intelligence can be a target for
a hacker," she said. "As we become more wired, and depend more on
computer systems, however small, to manage aspects of our life, we
must expect that we must increase our vigilance and, in a sense, our
paranoia."

The experts all agree that the problem centers on software developers
who continue to concentrate on building easy-use features into these
devices instead of making sure that they are secure. Typically,
systems that are harder to use, like UNIX, also are safer from outside
attack.

Sendmail CTO Eric Allman says that end-users have to start demanding
built-in security. He believes that as long as consumers favor
easy-use and highly integrated features to the detriment of security,
the vendors will continue to deliver risky features.

"Many companies won't put groupware directly on the Internet because
of security and performance concerns. Instead, they use something like
Sendmail, which was designed for Internet use, as the gateway between
the groupware and the network," Allman said. "This may be the right
model: Let each program do what it does well."

But Allman thinks that vendors also have to start taking
responsibility for the security of their products. Java, for example,
has a clearly defined security model, he said.

"Sun thought about security in advance, rather than adding it on as an
afterthought," Allman said. "They should be applauded for this
foresight."

Java's security is based on isolating any data that could be dangerous
in a "sandbox" partition. This sets limits on the areas of the
computer that the possible virus could attack.

In contrast, Microsoft uses a "trust" model, relying on individual
users to set their own limits. But many users are not informed about
security issues and leave their MS programs set to the very trusting
default.

So raise those shields, keep the home firewalls burning, and make sure
your intelligent devices are smart enough not to trust incoming
external data.

Because as Mike Chisina, a hardware engineer at Network Security
Technologies, says: "Science fiction is now. How long will it be
before someone can turn our computers against us?"


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".
Received on Tue May 9 12:03 CDT 2000