The Future of Malicious Code

May 2002

The Future of Malicious Code

Predictions on blended threats, e-mail exploits, social engineering and more.

BY David Harley

I may seem to be ignoring Daniel Delbert McCracken's advice not to make predictions about computing that can be checked in my lifetime. I'm not as crazy as all that: I haven't completely migrated from Moore's Law to Old Moore's Almanac. However, based on today's trends, I'll venture some educated (if somewhat reluctant) guesses about the immediate future of malicious code.

Authors of malware generally aren't the moody, inscrutable genies or geniuses of popular imagination, and they have to work with the same application, OS and hardware limitations that we do. Technical details change. Epidemiological patterns change. But the broad issues remain constant.

Recently, AV vendors have made a big deal out of "blended" or "convergent" threats. In the wake of Code Red and Nimda, blended threats remain everybody's pick as the most likely malware threat for the coming year. However, as bad as these were, it should be noted that the author of Code Red didn't invent the IIS exploit used in the attack. And for everyone's talk about Nimda being a "new" type of attack, it's actually a direct descendent of the 1988 Morris worm. Like Nimda, Morris exploited a number of vulnerabilities, arguably to even more dramatic effect. It's a shorter step than some would have us believe from the "file-and-boot" multipartite viruses to the multipolar worm. But I'm getting ahead of myself.

In general, the malware author has to exploit one of three broad classes of vulnerability: software, "liveware" or hybrid. Some threats--self-launching worms and embedded scripts, for instance--are software-only: they require no human activity beyond, perhaps, incautious configuration. Some threats--many Trojan horses, e-mail worms and so on--achieve their aims by psychologically manipulating the victim (liveware) into running unsafe code. Other threats employ a mixture of these techniques--for instance, when a user is tricked into turning off protective measures. I'll discuss examples of each of these types and hazard a guess or two about the future directions they may take.

Software-Only Exploits

Malware that exploits only software comprises a small, but significant group. Examples include Code Red (but not its successors), KaK and BubbleBoy. Other threats fully rely on bugs and weaknesses in legitimate software, such as overflows and arbitrary execution of code in an inappropriate context.

Susceptibility to input buffer overflows--such as those to which unpatched versions of IIS are vulnerable--has been big news in recent months. Indeed, vulnerabilities in Web services might have been the most bruited issue of 2001. Recent attacks on IIS included not only Code Red's single-point attack and Nimda's multivector mode of replication, but also attempts by Linux and Solaris worms to take advantage of vulnerabilities on remote machines.

The susceptibility of remote systems to exploitation by nonnative programs isn't new. A computer vandal may try to escalate his access privileges on a remote system using Telnet or FTP by methods that don't depend on the application's platform. Distributed denial-of-service (DDoS) attacks are by no means reliant upon the target and victim systems sharing a common operating system.

One thing that has changed, however, is that the distinction between servers and client machines has become more blurred as server and workstation OSes have converged to allow multiple processes and connections. Thus, when Code Red and its siblings cut swathes through corporate networks, it wasn't only heavyweight IIS servers that broadcast probes, but desktop and laptop machines, too.

Since the server and workstation versions of modern OSes often run the same versions of exactly the same applications and utilities, they tend to share the same vulnerabilities. It seems likely, then, that we'll see two continuing trends. First, desktops and laptops running the same services as heavyweight servers will in many instances be affected by malware in the same way. This risk is exacerbated by the fact that the user of a client machine may not be as scrupulous as sysadmins about access control. Second, servers running Windows OSes will be more vulnerable to malware currently associated with desktops. We've already seen the effects of this convergence: viruses that use poorly configured network shares as an entry point.

Other overflow problems--e.g., format string and heap overflows--continue to present problems with nonviral attacks. That said, there's no reason why they couldn't be one of the bases of a viral attack. A virus or worm is, after all, only a program with the particular quality of replication: its attack points and incidental functionality can be whatever its author chooses.

A related but different type of vulnerability is represented by allowing code to be executed arbitrarily and inappropriately. A dramatic (and still frequently seen) example is JS/Kak, which takes advantage of a bug in earlier/unpatched versions of IE/Outlook, allowing two ActiveX controls to run at a level of trust. The scriptlet.typelib and Eyedog vulnerabilities have been known and patchable for several years, but are by no means the only way of forcing the execution of untrusted code without the end user's knowledge.

Recent postings on NTBugtraq (www.ntbugtraq.com) and elsewhere have demonstrated how the Windows Media Player can be used to bypass Outlook 2002 security settings to execute JavaScript and ActiveX code embedded in HTML mail. Ideas and exploits published on such lists often lead directly to attempts to implement them in the "real" world. Attacks that bypass the need to trick victims into launching them are particularly attractive to black hats, as are any exploits that don't have to be carried in an identifiable (and therefore filterable) file. It's reasonable to expect that the bad guys will continue to try to exploit known (and hitherto unknown) vulnerabilities that bypass generic filtering methods.

Another trend we've seen in the last year involves viruses that (intentionally or otherwise) take advantage of poor handling of MIME boundaries or uuencode headers, allowing client software to execute code inappropriately when it masquerades as a "safe" data type.

Attachments, Social Engineering and IM

Malicious programs have one characteristic in common (apart from malicious intent): They're all programs, and there's no way a program can have its intended direct effect unless it's executed.

Note the use of the term "direct effect." It's certainly possible for software that isn't executed or even "real" to have an indirect effect. For instance, a dummy burglar alarm can be as effective a deterrent as the real thing, and a virus hoax can cause more of a nuisance than a real virus. There are a number of programs that live in the twilight zone between Trojans and joke programs: Web scripts that pop up a fake virus alert, or programs that pretend to be trashing a victim's system, for instance.

Hopefully, most people wouldn't execute a program that arrived with a message saying, "Virus enclosed. Please click here to infect." Probably not many more would click on an attachment that has no explanatory message. Worms with no significant message have been known to creep into the wild, but nowadays people are usually a little more suspicious of e-mail attachments--especially when they're from complete strangers. We should not, however, forget that some virus authors have made use of spam-like spoofing of e-mail headers, not only to direct leaked data to fixed e-mail addresses from which they may be harvested later, but in some cases to hide the identity of the victim in whose name it was dispatched, so that they can't be warned.

To persuade the victim to step into the trap, the malware author has to find a "hook" to catch the victim's interest. By far the most popular social engineering technique today is to "validate" infected mail by making it appear to originate from an infected system belonging to a previous victim. Secondary (potential) victims become exposed to the virus code in the form of e-mail addresses in the Outlook Address Book or in a cached Web page. In other words, the writer attempts to make the mail look genuine by making a very weak tie appear like a strong personal link, using a message general enough to catch the attention of a high proportion of potential victims.

Some virus writers have shown a surprising aptitude for psychological manipulation. LoveLetter's mechanism, by which the worm is passed off as a love letter, is a good example. Subsequent versions included a fake invoice (who wouldn't want to check a bill for unrecognized services?) and even an "antivirus program."

E-mail is not the only natural habitat for social engineers, however. In the immediate future, attachments will be less popular with virus writers as organizations block more and more attachments at the gateway. At the same time, malware authors are trying to circumvent such filtering by using increasingly obscure file types, or by packaging common executable types inside zip files.

Meanwhile, the number of attacks on users of Internet Relay Chat (IRC) and instant messaging (IM) continues to rise. These attacks consist of attempts to trick the unwary into downloading and executing automated agent software that allows remote systems to use target systems as attack platforms for DDoS attacks against other systems, or as a target for backdoors and Trojans (see "Combating Nonviral Malware").

We've also seen a rise in attacks coming through home users and small businesses. Such attacks are still predominantly viral, but it's likely that other threats, such as orchestrated DDoS attacks, will increasingly come via this route, especially as DSL and cable modem connections become more common, and entry-level operating environments become more sophisticated.

Hybrid Exploits

It's increasingly rare for a virus to rely purely on software exploits or on social engineering. It's far more common for them to be based on combinations of the two. However, the current catchphrase "blended threat" also applies to combination threats. We've already seen worms that drop parasitic viruses (file viruses), destructive Trojans, password stealers, backdoors, RATs (remote access Trojans) and even rootkits (Trojanized applications that replace legitimate system tools). We'll certainly see more variations on the convergence theme, and further blurring of the distinctions between worms, viruses and Trojans.

It's also likely that we'll see more attempts at multiplatform attacks, though probably not so much in terms of fat binaries that work on any number of incompatible platforms. More likely are single-platform threats (including threats that work on several Windows flavors) with payloads that impact other platforms: Windows-originated worms that use Apache exploits, for instance, or Linux worms that drop .exe Trojans. It's reasonable to assume that any platform in wide use will attract at least low-spread proof-of-concept malware.

It's also likely we'll see more worms and viruses that use spam techniques--not only the exploitation of unprotected mail relays to maximize spread, but the sort of verbal hook that is intended to persuade the recipient to explore further. Indeed, one clear trend is the continued use of social engineering to trick victims into opening malicious files. As filtering by file type and policy-based solutions are adopted by the rest of the corporate world--and perhaps at the ISP level--exploits based on e-mail-embedded scripts, fileless network probes and other attachment-free techniques will be sought and used where possible.

But these are easy guesses, based on constantly recurring patterns and the assumption that malware authors will continue to combine known attacks with new exploits. Somewhere down the line lurks the "Next Big Thing," the next WM/Concept, the next Code Red, the next Nimda, the hitherto unexploited technical vulnerability that we haven't thought of yet. In fact, AV researchers quite often spend time on closed mailing lists discussing "nightmare scenarios," and it's quite possible that the Next Big Thing has already been identified, but not discussed publicly. Whether this will be enough to attenuate its impact is beyond the scope of my crystal ball. However, past experience suggests that it can take quite a while for AV vendors to make major changes to their methodology to counter new, left-field threats.

DAVID HARLEY (macvirus@dircon.co.uk) manages the U.K.'s NHS Information Authority's Threat Assessment Centre, and is the national virus management technical lead within the NHS. He also is coauthor of Viruses Revealed (Osborne/ McGraw-Hill, 2001).

The Digital Threat: United States National Security and Computers
Matthew G. Devost

The Digital Revolution

"The medium, or process, of our time - electronic technology - is reshaping and restructuring patterns of social interdependence and every aspect of our personal life. It is forcing us to reconsider and re-evaluate practically every thought, every action, and every institution formerly taken for granted."[1]

When researchers at the U.S. Defense Department Advanced Research Projects Agency (ARPA) began linking computers together in the hopes of establishing a network to share data that would survive a nuclear attack, they never imagined that their labor would result in the worldwide network known as the Internet. The Internet, commonly referred to as the Information Superhighway, now connects millions of computers and is growing at exponential rates. Access to the Internet was originally limited to large universities and military bases, but new technology enables millions of people using personal home computers to access the Internet through telephone lines.

One of the most well known aspects of the Internet is Electronic Mail or e-mail. E-mail allows a user at one site to send electronic messages to any other site in the world. The message usually arrives at its destination in less than an hour. The ability to log onto a machine thousands of miles away in order to run programs is another basic capability of the Internet. This is accomplished using the Telnet command which connects the user with the remote machine. However, a valid account or permission to use the remote machine is required otherwise access is denied.

Another Internet utility, the File Transfer Protocol (ftp) allows users to log onto remote machines and obtain files at very fast speeds, allowing the retrieval of large files like the entire Encyclopedia Britannica from across the country in just one or two seconds[2]

Access to networking capabilities has already created a new industry. There are companies that have created points of access to the Internet and market this service to the general public for a fee.

The Digital Threat

These networked computer systems share one common interface: information. There are three categories of information on the Internet: (1) military information, which deals with actual military developments, top secret operations, intelligence, systems control, correspondence between high ranking officials, troop files, credit ratings, general troop activities and lower level correspondence; (2) business information which consists of business records, bank transactions, individual credit records, business systems, and Wall Street transactions; (3) personal information which includes personal systems, files and correspondence between individuals. An attack or threat on lower levels of information is more of an inconvenience than a national security threat. Replacement costs may be high for this type of information, but the costs are not nearly as high as military or business information. A successful attack on just a few business information systems could cause a severe lag in the American economy. Robert Steele notes that "It costs a billion dollars and takes six weeks to recover from a one day bank failure and we have them all the time."[3] If Wall Street suddenly closed down, or if bank transactions suddenly disappeared the United States would lose hundreds of billions of dollars. A potential attack on military information, especially that which is classified, poses a national threat from a strategic standpoint. What if, during a war, the enemy was able to get information on troop movements or discover flaws in one of our weapons systems? Or if the Soviet's had been able to access information on the Strategic Defense Initiative during the Cold War? What if one fourth of all the computer systems in America stopped working one day?

The Hacker Threat

Who has the capability to attack such systems and how do they keep from getting caught? The computer hacker was originally someone who spent years creating and exploring the new technology of computer networks. Today the term hacker has come to mean two different things. Once they were computer enthusiasts with an urge to learn more about the inner workings of the technology. When their predictions about where the industry was headed came true, some of them eventually became rich. As these original hackers created a community on the electronic frontier they realized the value of their creations and decided that access to information should cost money. Eventually they saw the need to secure the product of their labor.[4] Security became a concept applicable to computer systems and the information they contain. Walls went up, password protection became a standard and certain areas were placed off limits to a large portion of the computer community. Thus, the second generation of hackers were greeted with locked doors and forced to explore the inner workings of computer systems covertly, like underground explorers of a resource-rich cave. They became skilled manipulators of information systems, but they never abused them, nor did they use their skills for illegal means. However, along with this second generation of hackers arose a new breed who chose to use technology for their own benefit. The media does not distinguish between curious second generation hackers and this new breed. These new hackers see information as a power force all its own that longs to be free. They often liberate it by illegal means, copying information files they are not supposed to have then using these files as a commodity to trade for more information. This is the digital underground and "forbidden knowledge is their basic currency."[5] In the digital world where the digital underground exists, the distinction between crime and curiosity becomes blurred, and only society can decide where to draw the line between the two.

The members of the digital underground are good at what they do, and their skills are available to outside parties for a price. They assume aliases and congregate on underground systems around the world, bragging about their hacker prowess and sharing information with each other. Often they are motivated by personal greed or pride. Sometimes they are motivated by anger or ideology, striking at the system, the big corporations, or each other. They form groups and gangs like the Legion of Doom and the German Chaos Computer Club. Most of them are alienated individuals, intelligent kids labeled as underachievers. Their only friends are this new found technology and the people who are as interested in it as they are. A hacker named Mentor describes his experience in the world of the digital underground:

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me....And then it happened...a door opened to a world...rushing through the phone line like heroin through an addicts veins, and electronic pulse is sent out, a refuge from day-to-day incompetencies is sought...a board is found. This is it...this is where I belong...I know everyone here...even if I've never met them, may never hear from them again...I know you all...This is our world now...the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore...and you call us criminals. We seek after knowledge...and you call us criminals. We exist without skin color, without nationality, without religious bias...and you call us criminals. You build atomic weapons, you wage wars, you murder, cheat and lie to us and try to make believe that it's for our own good, yet we're the criminals. Yes I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something you will never forgive me for.[6]

This digital underground exists with an inclination against the system, mostly because the system categorizes them as criminals for doing something they love. Those in the digital underground like to demonstrate the position of power from which they operate. They do in fact outsmart the system every day, by gaining access to the systems they want, often for free. They are not inclined to do damage unless provoked or offered something in exchange like recognition or money. Mostly, they are just curious, rebellious teenagers caught in the digital age. They use the system to show their power; they demand respect. If you don't give it to them, they will scare it out of you by demonstrating their capabilities. A few years ago, Harpers magazine hosted an electronic forum to discuss the legality of computer hacking. It attracted a diversified array of individuals including privacy advocates, hackers and computer security professionals. Two of the participants in the forum, John Perry Barlow (ex lyricist for the Grateful Dead) and Phiber Optik (a young hacker) became engaged in debate during which Barlow referred to hackers as an offbreed of skateboarders. An inferiorated Phiber Optik left the forum and ten minutes later responded to Barlow's accusation by uploading a complete listing of Barlow's credit history. Barlow said of the incident: "I've been in redneck bars wearing shoulder length curls, police custody while on acid, and Harlem after midnight, but no one has ever put the spook in me quite as that Phiber Optik did at that moment. To a middle-class American, one's credit rating has become nearly identical to his freedom."[7] It is essential that we recognize the motives of the hackers in order to offer a better understanding of their intentions. They are looking for a place to play and learn. That place exists on the wires, off limits. So they take without asking. While their curiosity does not pose an immediate threat to our society, it has potential. The KGB found someone with that potential in Germany just a few years back.

The Hacker Spy

Perhaps the best publicized account of a hacker breaking into U.S. military computer systems took place in 1986 when Cliff Stoll at the Lawrence Berkeley Laboratory (LBL) discovered a German hacker using the university's computer to access sensitive databases. Stoll's adventure began when he found a seventy-five cent error in the LBL accounting system that tracks system usage and then bills the correct party. By exploring the accounting software, Stoll found that a user named Hunter had used seventy-five cents worth of computing time in the last month. Stoll also discovered that Hunter did not have a valid billing address, so he had not been properly charged. Through much work, Stoll discovered that Hunter was in fact a computer intruder, a hacker using LBL's system to access other systems. In most cases the user would have been shut out, but Stoll an astronomer by trade, not a computer security expert, decided to try and track the activity of the hacker.[8]

When Stoll first discovered that the hacker was accessing military computers, no one believed him. The people in charge of maintaining these sensitive systems did not know, nor did they believe that a hacker had entered their system. Stoll had a even harder time trying to convince law enforcement agencies that this was indeed a crime worthy of having the hacker's call traced. This one hacker attempted to break into many military computer installations including the Redstone Missile Command in Alabama, the Jet Propulsion Laboratory in Pasadena, and the Anniston Army Depot. In many of the cases the hacker successfully gained full access of the system and searched for keywords like stealth, nuclear, White Sands and SDI.[9] When he found the files he copied them to his home computer.

The search for the hacker continued for almost a year, and the activity was eventually traced to a West German citizen named Markus Hess. Hess, a member of the hacker group called the German Chaos Computer Club, used the pseudonym Pengo among his colleagues and was known as one of the best hackers in the Hannover area. On February 15, 1990, Hess and two colleagues were convicted of espionage for selling secrets to the KGB.[10]

Surely one must look at this case as a threat to U.S. national security, especially in the context of the Cold War. Gone are the days of searching for Ivans in elite factions of the U.S. military. Now any twenty year old German drug addict can accomplish the same thing from an apartment in West Germany. The networking of computers gives him the means, and the lax security of the United States in protecting their computer systems allows him to compromise U.S. national security. The United States learned a lesson from this experience and responded to this possible threat with legislation.

The Computer Security Act

The United States Congress passed a law titled the Computer Security Act of 1987 which required federal agencies to identify systems that contain sensitive information and to develop plans to safeguard them. Agencies were required to (1) identify all developmental and operational systems with sensitive information, (2) develop and submit to NIST and NSA for advice and comment a security and privacy plan for each system identified, and (3) establish computer security training programs.

Finally, the United States was taking the threat of national security posed by computer access seriously. The Computer Security Act was a step in the right direction, but holes still exist. In 1990, the General Accounting Office examined the response and implementation of the act. The GAO reports that as of January 1990, only 38 percent of the 145 planned controls had been implemented.[11] The GAO report makes the following conclusion:

The government faces new levels of risk in information security because of increased use of networks and computer literacy and a greater dependence on information technology overall. As a result, effective computer security programs are more critical than ever in safeguarding the systems that provide essential government services.[12]

With only a 38 percent compliance more needs to be done if the United States is to seriously protect its valuable informational assets. Instead of concentrating on making the systems more secure, the government chose to focus on the intruders of these systems. Time, energy and money that should have been spent discovering and fixing security bugs was instead used to design and implement an attack on the hackers themselves. This was an attack that focused only on domestic hackers and did little to thwart the threat to United States national security. The result: Operation Sundevil.

Operation Sundevil

Law enforcement agencies had already begun to focus their attack on the digital underground when Operation Sundevil was initiated, but it was by far the largest clamp down on computer crime in the United States. The focus of Operation Sundevil was the hackers' system of information distribution which consisted of hundreds of underground computer systems that housed information on how to break into computer systems, files stolen from major U.S. corporations, and files that contained credit card access numbers used to commit credit fraud. Around forty-two computers were seized along with 23,000 floppy disks of information during the May 7, 8, and 9, 1990 raids.[13]

Across the United States teenagers and their parents awoke to Secret Service revolvers pointed at their heads, followed shortly by a search of their house and the confiscation of anything that looked remotely electronic. Misinformation led to a few mistakes as well. Perhaps the most publicized of these was the raid on Steve Jackson Games. Jackson owned a small company that ran a bulletin board system that allowed his game players to call in and ask questions, arrange meetings, etc. Jackson also unknowingly employed a computer hacker. The Secret Service tied the two together and as a result Steve Jackson Games was raided and all their computer equipment was seized and never returned. This greatly effected Jackson's business and he nearly went bankrupt. Jackson recently won a law suit against the Secret Service in the amount of $52,000 plus legal fees.[14]

The United States has a vested interest in preventing computer crime and fraud, and Operation Sundevil was surely a huge attack on such crimes, but it was greatly misdirected. While teenage hackers were arrested and tried, U.S. military systems and business systems remained open to attack. Hackers will always exist and the only true way to stop them is to plug the holes they use to gain access to systems. The solution lies not in ignoring domestic computer crime, but in giving a higher priority to increasing computer security. During the Gulf War, that lesson would prove true again.

Hacker Attacks During the Gulf War

The United States inability to protect its computer systems was reinforced by attacks on Department of Defense computer systems during the war with Iraq. Testimony before a Senate committee confirmed that between April and May of 1991, computer hackers from the Netherlands penetrated 34 Department of Defense computer sites. Here are few highlights from the report.

At many of the sites, the hackers had access to unclassified, sensitive information on such topics as (1) military personnel--personnel performance reports, travel information, and personal reductions; (2) logistics - descriptions of the type and quantity of equipment being moved; and (3) weapons system development data. Although the information is unclassified, it can be highly sensitive, particularly during times of international conflict. For example, information from at least one system, which was successfully penetrated at several sites, directly supported Operation Desert Storm/Shield. In addition, according to one DOD official, personnel information can be used to target employees who may be willing to sell classified information.[15]

It is highly disturbing that U.S. soldiers put their lives on the line to fight a war for a country that cannot even protect the sensitive information related to their activities, let alone personal data that could be used against their families. What is most distressing about the reports is its conclusion that the hackers exploited known security holes to gain access to a majority of these systems. The United States government knew that these security holes were there, yet it did nothing to fix them. The report also indicates that the hackers "modified and copied military information"[16] ,and concluded that many of the sites were warned of their vulnerability but failed to realize the implications. The report ended with a warning of things to come: "Without the proper resources and attention, these weaknesses will continue to exist and be exploited, thus undermining the integrity and confidentiality of government information."[17]

Limited research in the media coverage of this event did lead to one source who reported what had happened, Geraldo Rivera. The national security of our nation is at stake and it takes Geraldo to inform the public. It would appear that the United States would prefer that the public not know about such weaknesses. Big businesses, too, have a vested interest in keeping such attacks on their systems secret. After all, who wants to put their money in a bank, when they know that one day it may disappear due to computer vulnerability? It is like asking people to put their money in a bank that doesn't lock its door at night.

So far, this essay has only touched upon one aspect of computer vulnerability: computer intrusion. The second form of computer vulnerability to be examined here deals with programmed attacks on computer systems with the intent to do as much damage as possible. This is the world of the computer virus, trojan horse and worm.

Virii, Trojan Horses and Worms

Virii, trojan horses and worms have huge destructive potential. Perhaps the greatest threat of the three is the computer virus, a program which has the ability to attach itself to legitimate files and then propagate, spreading much like an infectious disease from computer to computer as files are exchanged between them. The more interactivity your computer has with other computers the higher the chance of it contracting a virus. The virus continues to hide itself until a certain criteria is met. These criteria change from virus to virus, but some of the most deadly are virii that wait a certain length of time before initiating their destructive capabilities. This insures that the virus has had enough time to copy itself to many systems, thus increasing its damage potential. Once the criteria are met, the virus attacks your system in one of many ways: by erasing files, destroying hard disk drives, or corrupting databases.

Imagine a virus that spreads to a bank computer and then randomly modifies numbers within the database, or simply causes the bank's computers to shut down. The potential for damage is enormous, but it is mostly monetary damage. Now imagine that same virus attacks a hospital computer system. Human lives are at stake, making that virus a tool of murder no less dangerous than a loaded weapon. Virii are very difficult to protect against because a copy of the virus is often needed to create a vaccine or program to detect it. We do not usually find copies of the virus until they have caused damage. It has been estimated the cost of removing the virii infections over the next five years will be over $1.5 billion - not taking into account the value of the data that will be destroyed.[18] There are already many documented cases of companies losing millions of dollars in business and thousands of hours of computing time due to virii attacks.[19] That number will only increase in the future.

By 1992 there were over 1,500 catalogued viruses in the West, with that number expected to have doubled by the end of 1993.[20] One of the most popular was the Michaelangelo virus that received news coverage on all the major networks. What many Americans don't understand is that Michaelangelo is just one of many potential attackers of their computer systems. In Bulgaria, companies have set up virus factories producing more virii than the anti-virus industry can combat. How should the U.S. deal with such companies whose only concern is to produce destructive software? This is one of the many questions we must ask ourselves when creating policies to ensure safe computing in future years.

The trojan horse derives its name from the famous attack on the city of Troy, and operates much like the trojan horse of ancient times. A trojan horse is a program that pretends to be something else but is really a program of destruction. The program tricks the user into running it by proclaiming to perform some useful function, however, once initiated it can be as destructive as a virus. Trojan horses are less of a danger because they are easily destroyed, you simply delete the program, and they contain no means of copying themselves independently.

The worm operates much like a virus, but is capable of travel along a network on its own. Perhaps the best known worm was the one created by Robert Morris, the son of an NSA official. Morris created a worm to seek out sites on the Internet by traveling along its many connections and copying itself onto remote computers. Morris's worm was not created to damage any systems and was relatively harmless, but he made an error in creating the program. This error caused the worm to begin propagating itself at exponential rates, slowing down Internet sites and causing communications to come to a standstill. The reaction among Internet users and system administrators was mass hysteria. The following are some highlights of the events as they unfolded over the course of twelve hours.

5:00 p.m. - Morris launches his worm onto the Internet.
8:00 p.m. - System operators at a computer system across the nation begin noticing that something is slowing their computer system down.
2:38 a.m. - The virus has spread onto many systems including the Lawrence Livermore National Laboratory, NASA Ames Laboratory, Los Alamos National Laboratory, and the Department of Defense's Milnet network.
- A worried system operator releases the following message onto the Internet. "We are currently under attack by a computer virus."
5:00 a.m. - An estimated 6,200 computers have been infected in the course of 12 hours. System operators begin breaking network connections to protect their systems. Later calculations revealed that only around 2000 computers had been attacked.

Days later, system operators were still cleaning and containing the Internet worm which had caused over one million dollars in damage.[21] More importantly the vulnerability of the networking system was exposed, and it took a major incident to bring this about. Morris was convicted for the damage initiated by his worm and sentenced to three year's probation, a $10,000 fine and four hundred hours of community service.[22] Though Morris's actions were indeed illegal, he did manage to bring into the spotlight the issue of computer security. If one college student could do so much damage by accident, what could a nation or terrorist group do on purpose?

Creating a Computer Security Agency

The above anecdotes illustrate just a few of the many issues in computer crime that demonstrate a weakness in our national security. Computer crime is an issue that has been avoided for the most part by the government of the United States. What little action taken has been either wrongly focused or stagnated by political bureaucracies. What else would explain a 38 percent compliance with a national act that is supposed to improve our national security? This issue must be put into perspective. Would the United States accept such limited compliance on other issues of national security? During times of war would the U.S. military establish a communications channel that was 38 percent secure? What if a report from the Department of Defense cited that our nuclear missiles would reach their targets 38 percent of the time? Would you invest your money in a bank that complied with only 38% of the minimum security standards suggested by the government? Under any other circumstances these numbers would be unacceptable, why are they accepted for computer security?

There are several key problems in the U.S. approach to computer crime. First, efforts for the most part are uncoordinated and ineffective, with too many law enforcement agencies claiming jurisdiction over computer crime issues. The Secret Service deals with computer crime cases that entail some aspect of fraud. The Federal Bureau of Investigation handles domestic aspects of computer crime like theft of services, the creation of virii, and illegal intrusion. The National Security Agency deals with national security issues like encryption and communications that originate from other countries.[23] While these agencies should continue with these objectives, consideration should be given to a new agency for the digital age.

This agency should focus on aspects of computer security in the military, business and private sectors. For simplicity, this proposed agency will be referred to as the Computer Security Agency (CSA). The prime objective of the CSA would be to oversee the operation of all sensitive computer systems and to insure that all known security bugs are fixed shortly after they are discovered. Secondary objectives would be to promote and establish security objectives for businesses and private citizens.

The CSA would collect data on security holes in several ways. First, it would monitor the publications of the digital underground. Hackers produce several electronic and paper publications that discuss issues concerning their movement, as well as ways to enter into secure systems. Many federal agencies are using these publications as sources of information already, but it is not in a coordinated effort, and often holes discussed in these journals go unchanged for months, allowing more hackers to enter into the systems. Unfortunately the United States government has chosen to initiate an attack on these publications, instead of addressing the security holes they describe. For example, a few years ago, the editor of the popular digital publication entitled Phrack, had his computer system seized and was brought up on charges for publishing an edited version of an AT& T file. The U.S. later dropped the charges when evidence was discovered that the file which AT& T claimed was worth $70,00, was available to the public for $10.00.

Recently the United States Congress has conducted an attack on one of the hacker print journals, arguing that it should be banned as a threat to national security. The threat to national security comes not from the publication or the people who read it, but from the government that fails to correct security holes. First Amendment rights cannot be abandoned in an effort to improve national security. By focusing on this issue instead of others the United States only reinforces the fact that it has been incapable of, or unwilling to show direction and initiative towards digital issues. The world of cyberspace[24] is a new playing field, and those inherent ideals used to regulate activity in the physical world must be abandoned for new broader set of ideals that promise to expand, not hinder, our electronic capabilities, that do not tread on the rights of the citizens who chose to dwell in these electronic communities.

Another objective of the proposed CSA would be to establish a central site for the collection and distribution of information that addresses the security concerns of businesses and universities. For relatively little cost the CSA could connect a host computer to the Internet that would provide a forum for computer security issues. In accordance with this forum the CSA could work closely with those businesses that are interested in securing the integrity of their computer systems. The CSA should also turn to another group for assistance: the digital underground.

Hackers as a National Resource

The digital underground should be viewed as an asset. They use illegal means to fulfill their curiosity about the workings of computer technology because the system has denied them other means of accessing the digital realm they love. Harvard Law professor Laurence H. Tribe even advocates that access to technology may be a required goal of democratic society. He states:

It's true that certain technologies may become socially indispensable -- so that equal or at least minimal access to basic computer power, for example, might be as significant a constitutional goal as equal or minimal access to the franchise, or to dispute resolution through the judicial system, or to elementary and secondary education. But all this means (or should mean) is that the Constitution's constraints on government must at times take the form of imposing "affirmative duties": to assure access rather than merely enforcing "negative prohibitions" against designated sorts of invasion or intrusion.[25]

There is such a thing as the patriotic hacker who is loyal to the ideals of the nation. For example, when news of Stoll's German hacker selling U.S. secrets to the KGB hit the underground many hackers responded with hatred towards the guy who had associated their movement with national espionage and threats to national security. They were willing to use their abilities to combat this problem, and were even willing to target Soviet computers for the Central Intelligence Agency. An interesting story about hacker contributions to society is the story of Michael Synergy and his quest for presidential credit information. Synergy decided one day that it would be interesting to look at the credit history of then President Ronald Reagan. He easily found the information he was looking for and noticed that 63 other people had requested the same information that day. In his explorations he also noticed that a group of about 700 Americans all appeared to hold one credit card, even though they had no personal credit history. Synergy soon realized that he had stumbled upon the names and addresses of people in the U.S. government's Witness Protection Program. A good citizen, he informed the FBI of his discoveries and the breach of security in the Witness Protection Program.[26]

One of the basic benefits to United States national security is the lack of a coherent movement among the members of the digital underground. Hackers are by nature individualistic. They lack a common bond that allows them to focus their energies on one target. If there is a target of the hacker movement it is corporate America, especially the telephone companies. These corporations have arisen as a target because hackers rely on their service to access cyberspace, which can be a very expensive proposition for an unemployed teenager. The United States government has a vested interest in not providing them with another target, especially if that target is the government itself. The United States should accept the hackers and give them recognition for the service they provide in finding security holes in computer systems.

The United States should not discontinue efforts to stop credit fraud and other computer activities that are surely criminal. Instead the United States should allow the hackers to conditionally roam the realm of cyberspace. These conditions would include the following: (1) If computer access is gained, the security hole should be immediately reported to the CSA and should not be given to anyone else, and (2) information files should not be examined, modified or stolen from the site. In return the United States simply offers to give the hackers recognition for their accomplishments, feeding their competitive egos. Why should the United States government trust hackers? No trust is necessary, we are not offering the hackers anything that they don't already have, except recognition for their ability to discover security flaws. The hackers will remain on the networks regardless of what policy the United States follows concerning their activity, we are simply giving them the forum they need to meet people with similar interests on a legitimate basis, rather than a secret one. Robert Steele argues, "If someone gets into a system, that is not a violation of law, it is poor engineering. When we catch a hacker, rather than learn from him, we kick him in the teeth. When the Israelis catch a hacker, they give him a job working for the Mosad."[27]

Many U.S. corporations already trust the hackers to identify security weaknesses in their computer systems. The Legion of Doom, the most notorious group of hackers in the U.S., briefly entered the computer security business with the formation of their company called Comsec Security. Bruce Sterling reports, "The Legion boys are now digital guns for hire. If you're a well-heeled company, and you can cough up enough per diem and air-fare, the most notorious computer hackers in America will show up right on your doorstep and put your digital house in order - guaranteed."[28] Some argue that this is simply extortion, but individuals are not saying "pay up or else we will enter your system", they are offering to use their skills to protect you from other electronic intruders.

Hackers can be used as an asset to secure the United States' digital house, and every effort should be made not to alienate them from the newly emerging digital world. In the same Congressional hearing where his publication was branded as manual for computer crime, Emmanuel Goldstein made the following remarks about access to technology and computer crime:

This represents a fundamental change in our society's outlook. Technology as a way of life, not just another way to make money. After all, we encourage people to read books even if they can't pay for them because to our society literacy is a very important goal. I believe technological literacy is becoming increasingly important. But you cannot have literacy of any kind without having access.... If we continue to make access to technology difficult, bureaucratic, and illogical, then there will also be more computer crime. The reason being that if you treat someone like a criminal they will begin to act like one.[29]

However, this represents only one threat to national security, the computer intruder. The CSA would also deal with problems such as virii, trojan horses and worms. Another function of the CSA would be to act as central site for information about new virii as well as providing, for free, programs to combat them. This would anger many software companies because it would hurt their business, but again protection from virii should not be made a purchasable commodity, at least not at the base level. Charging for a service that some people cannot afford ensures that some people will be unable to protect their system from computer virii which only helps spread their destruction to other computers.

The CSA would also be responsible for training government agencies on proper security techniques and ensuring that such preventions are being taken. The largest security hole in computer systems is the human factor. A whole book has been written devoted to this aspect of computer crime.[30] If you place a computer in a locked room with no outside connections you have a secure computer, give one person access and security is reduced. Give another person access and security is reduced even further. Now the two people can be used against each other with methods of social engineering. Consider the following true anecdote where a hacker named Susan demonstrates her social engineering skills:

As Susan later told the story, a team of military brass...from three services sat at a long conference table with a computer terminal, a modem, and a telephone. When Susan entered the room, they handed her a sealed envelope containing the name of computer system and told her to use any abilities or resources that she had to get into that system. Without missing a beat, she logged on to an easily accessible military computer directory to find out where the system was. Once she found the system in the directory, she could see what operating system it ran and the name of the officer in charge of that machine. Next, she called the base and put her knowledge of military terminology to work to find out who the commanding officer was at the SCIF, a secret compartmentalized information facility. Oh yes, Major Hastings. She was chatty, even kittenish. Casually, she told the person she was talking to that she couldn't think of Major Hasting's secretary's name. "Oh" came the reply. "You mean Specialist Buchanan." With that, she called the data center and switching from nonchalant to authoritative, said, "This is Specialist Buchanan calling on behalf of Major Hastings. He's been trying to access his account on the system and hasn't been able to get through and he'd like to know why" ...Within twenty minutes she had what she later claimed was classified information up on the screen. Susan argued "I don't care how many millions of dollars you spend on hardware, if you don't have people trained properly I'm going to get in if I want to get in."[31]

There are fundamental security measures that can be taught to system users to ensure that the security of the system is not compromised. The CSA would work toward ensuring that scenarios like the one illustrated above are not regular occurrences.

The Schwartau Scenario

Are the nation's computers really in as much danger as this paper suggests? In 1991, writer Winn Schwartau released a fictional novel that addresses the threat to our national security that is inherent with our laxidasical computer security. Schwartau argues that the reason he chose to tell the tale in the fictional format was "necessitated by a need to reach the largest possible audience."[32] That is because the fictional events in Schwartau's novel could easily become reality. Schwartau outlines a perfect attack on the infrastructure of the United States based on the weakness of our computer systems.[33] In Schwartau's novel the attacker is a Japanese businessman seeking revenge for the United States attack on Hiroshima. In reality this attack could be undertaken by any coalition with the proper resources. The United States could be brought to its knees by an attack on its computers and telecommunications systems.

Computers and the International Community

Another difficult question that must be answered: what to do with nations that abide by different laws concerning computer crimes? The hackers that attacked the Department of Defense computers during the Gulf War were Dutch, because at the time hacking was legal there. How should the United States deal with such attacks? If the arguments made here were policy, there would be no need to address this issue. The Dutch hackers used known security holes to enter the computer systems, and one of the main objectives of the CSA is to ensure that such holes are fixed to prevent further attacks. It takes a lot more skill and ingenuity to break into a computer system if all known security holes have been effectively patched. You must actually hack the system to find new security holes which requires a great deal of time and the more time you spend on a secure computer system the more likely the chance of someone noticing your unauthorized presence. If an attack on the U.S. information infrastructure is initiated by another country's government it should be considered an act of war.

On the virus front there is little the United States can do to prevent the proliferation of virii in other countries. Attempts could be made to regulate all software coming from countries like Bulgaria into the United States, but that would be very difficult since files can be transferred over phone lines. This represents a severe threat to computer operations, but the fact is that all aspects of computer crime cannot be controlled, just as the drug problem within the United States cannot be controlled. The best means available to combat these problems includes educating people about virus threats, and providing some forms of protection for free.

Conclusion: The Challenge of the Digital Age

The digital age promises to change many aspects of our society. Mitchell Kapor writes:

Life in cyberspace is more egalitarian than elitist, more decentralized than hierarchical...it serves individuals and communities, not mass audiences. We might think of cyberspace as shaping up exactly like Thomas Jefferson would have wanted: founded on the primacy of individual liberty and commitment to pluralism, diversity, and community.[34]

As a society we have much to learn about ourselves through this new medium of communication. A recently released book deals with aspects of electronic communities, and the virtual world of cyberspace.[35] As a nation the United States must make sure that the structure it is building has a strong foundation and that weaknesses in that structure are not used to destroy it. It is a difficult task, because the constitutionally guaranteed rights of citizens cannot be infringed upon in the process. However, it is a task we must undertake. These are issues we must address. By not addressing these issues now the future of our country is being jeopardized. A handful of concerned citizens attempt to bring issues surrounding cyberspace to our attention everyday. Some of these issues concern national security, others concern individual privacy. Cyberspace has empowered the average person to explore and question the structure of our society and those that benefit from the way it is operated. Fundamental issues arise from hacker explorations. We must chose as a nation how to deal with these issues. Recent efforts in cloning produced a human fetus. The scientists that achieved this remarkable feat, immediately halted research arguing that a public debate must arise to deal with the ethical and moral issues surrounding this technology. They argued that before experimentation in cloning continued, we must decide as a society which direction that the new technology will go, what ends we hope to achieve, and what the limits on its use should be. A similar debate on the issues of cyberspace must take place. There is no need to stop the technology, but we must decide which direction we want the technology to go, what rules will govern its use. We must do this now, before the technology starts dictating the rules to us, before it is too late to make changes in the basic structure of cyberspace without destroying the whole concept.

Notes

1 Wired Magazine (1993). Introduction. Volume One, Issue One.
2 Big Dummies Guide to the Internet [Online]. Available FTP: ftp.eff.org Directory: pub File: bigdummy.txt
3 Steele, Robert D. (1994). Hackers and Crackers: Using and Abusing the Networks. Presentation at the Fourth Annual Conference on Computers, Freedom and Privacy, Chicago, IL.
4 For a more detailed introduction to the hacker movement read Steven Levy's Hackers: Heroes of the Computer Revolution. New York: Dell Publishing. 1984
5 Sterling, Bruce (1992). The Hacker Crackdown: Law and Disorder on the Electronic Frontier. New York: Bantam Books. Pg 59
6 Phrack, Volume One, Issue 7, Phile 3.
7 Phrack Volume Four, Issue 40
8 Stoll, Clifford (1989). The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage. New York: Doubleday.
9 Hafner, Katie, & Markoff, John (1991). Cyberpunk: Outlaws & Hackers on the Computer Frontier. New York: Simon & Schuster. Pg 172
10 Denning, Peter J. (1991). Computers Under Attack: Intruders, Worms & Viruses. New York: A.C.M. Press. Pg 183
11 United States General Accounting Office. (1990). Report on Implementation of Computer Security Act. Washington, D.C. : U.S. Government Printing Office.
12 United States General Accounting Office. (1990). Report on Implementation of Computer Security Act. Washington, D.C. : U.S. Government Printing Office.
13 Sterling, pg 158
14 Nathan, Paco Xander. (1993, May/June). Jackson Wins, Feds Lose. Wired Magazine, pg 20.
15 Brock, Jack L. (1991). Testimony in Hackers Penetrate D.O.D. Computer Systems: Hearings before the Subcommittee on Government Information & Regulation, Committee on Governmental Affairs, United States Senate, November 20 , 1991.
16 Hearing Testimony before Subcommittee on Government Information and Regulation, pg 25
17 Hearing Testimony before Subcommittee on Government Information and Regulation, pg 29
18 Mungo and Clough, pg 107
19 Mungo, Paul, & Clough, Bryan (1992). Approaching Zero: The Extra-ordinary Underworld of Hackers, Phreakers, Virus Writers & Keyboard Criminals. New York: Random House.
20 Mungo and Clough, pg 108
21 Mungo and Clough, pg 98
22 Hafner and Markoff, pg 345
23 Most recently the NSA has been dealing with issues of encryption based around the RSA algorithm that provides better standards of encryption that the government approved Data Encryption Standard. Recently a movement has originated in the digital world to ensure encryption capabilities fall in the hands of private citizens to protect their right to privacy. The government has proposed a system were citizens must register the keys to their encryption system with the government so that they may be used where federal warrants call for monitoring of communications. This conflict promises to be one of the hot issues of the next year, and the future of electronic communications rests heavily on its outcome.
24 The term cyberspace has varying definitions. It was original coined by William Gibson in his novel Neuromancer to define that place inside the computer where electronic communications/activities take place. Gibson describes it as "A conceptual hallucination experienced daily by billions of legitimate operators, in every nation...A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in nonspace of the mind, clusters and constellations of data. Like city lights, receding." Though we have yet to achieve this graphical representation of data that Gibson envisioned, data and its electronic place of residence are still referred to as cyberspace. More recently, John Barlow stated that "Cyberspace is where you are when you are talking on the telephone." For more information about the concepts and terms of the digital age, read Mondo 2000: A User's Guide to the New Edge, published by HarperPerennial.
25 Tribe, Laurence H. (1991) The Constitution in Cyberspace Paper presented at the First Annual Conference on Computers, Freedom and Privacy Conference, Burlingame, CA.
26 Mungo and Clough pg 57
27 Steele, Robert D. (1994). Hackers and Crackers Using and Abusing the Networks. Presentation at the Fourth Annual Conference on Computers, Freedom and Privacy, Chicago, IL.
28 Phrack Volume Three, Issue 33, Phile 10
29 Goldstein, Emmanuel. (1993) Testimony before House Subcommittee on Telecommunications and Finance. Washington, D.C.
30 Van Duyn, J. (1985). The Human Factor in Computer Crime. Princeton, NJ.: Petrocelli Books
31 Hafner and Markoff, pg 60-61
32 Schwartau, Winn (1991). Terminal Compromise. U.S.A.: Inter.Pact Press. Pg 0.
33 Schwartau is currently working on a non-fictional computer security book entitled "Information Warfare: How to Wage and Win War in Cyberspace."
34 Kapor, Mitchell. (1993, July/August) Where is the Digital Highway Really Heading? The Case for a Jeffersonian Information Policy. Wired Magazine , pg 53-59.
35 The book is entitled Virtual Communities by Howard Rheingold. Though I have yet to read this book, I have read his book Virtual Reality, and it was very well written and informative.