Jayant Gandhi

Defense in a Virtual WorldProtecting Ourselves in the Age of Cyber Threats

Cyber-attacks pose a very real threat to everyone who uses the Internet; not only

individuals, but corporations and governments as well. Accountability is not as easily

determined as it is in the physical world as it is nearly impossible to trace back an attack to its

source. The Internet’s ability to transcend borders turns this security issue into an international

one. So how can the international community effectively deal with the threat of cyber-attacks?

International cooperation to strengthen current security software is the best option in the

short-run. Internet security was designed as an afterthought. The Internet was not designed

with security in mind and this apparent in the tools used to protect it. Firewalls and anti-virus

software are incomplete because of their reliance on quickly out of date malware libraries. The

only solution to this is to take a more active role. The private sector began to hire hackers to

attack their software with the goal of using the data collected from the attacks to strengthen

the vulnerabilities they exploited. This method eventually spread of individual companies to

industry-wide events. The only true solution is to rebuild the Internet with security in mind; a

task being undertaken by the National Science Foundation. The best solution for the short-

term, however, is to increase international cooperation in a fashion similar to how private

corporations have been cooperating to continually test the Internet for security vulnerabilities

and repairing them before hackers exploit them.

0

Security in the Virtual World

Since the introduction of the Internet, cyber-attacks have been a constant threat to

those who wish to use the Internet. Unlike attacks in the physical world, these virtual attacks

are nearly impossible to trace back to their sources so normal methods of deterrence are not

effective. An attacker has little or nothing to lose by initiating an attack. In the virtual world,

there is always an incentive to be the first to attack.

This poses a dilemma for states. States cannot threaten retaliation because of the

difficulty in tracking where an attack came from; therefore any form of deterrence akin to the

strategy of Mutual Assured Destruction would not work. Similarly, a state cannot always be on

the offensive because this would most likely cause more trouble for the state than good and

increase the likelihood that they could be detected. Building an effective defense is the only

way to protect oneself.

This problem becomes magnified by the international nature of the Internet. By

transcending borders, the security threats posed by cyber-attacks have developed into an

international issue. The cyber-attacks on Estonia in 2007 and the Stuxnet worm in Iran

demonstrate that these attacks in the virtual world can have very real effects (whether that is

by consuming the resources of an entire government for a time, or sabotaging equipment used

in nuclear facilities). So how can the international community effectively deal with the threat of

cyber-attacks?

The Internet was not designed with safety in mind and its own evolution has led to

several features that can be exploited by hackers. They benefit from nearly perfect anonymity

1

and can turn the very thing that makes the Internet so beneficial (increased interconnectivity)

against their target. This has led us to a very precarious position in internet security.

All the security systems that we have in place now have been retrofitted. This leads to a

plethora of internal flaws that can only be fixed by constant updating. Firewalls and anti-

malware software (the two leading security measures) rely on extensive libraries of known

malware and are not good at dealing with evolving attacks. The problem is most hackers are

constantly evolving their malware in order to circumvent the security software. Security experts

are perpetually left one step behind as they rush to identify and protect against the latest virus.

In all this commotion, private companies have been left to fend for themselves. Where

as a physical attack causing massive damage would be (hopefully) stop by the protection of the

state in which that company resides, there exists no such protection in the virtual realm. A few

companies responded to this absence by banding together and holding annual security

conferences whose goal is to hack these companies’ software in an attempt to locate all holes

in security. This has gone a long way to improving internet security because this level of

cooperation has given security experts the edge they needed to catch up with hackers.

There have also been talks of a complete overhaul of the Internet itself. The National

Science Foundation (NSF) has proposed building a new internet from scratch with their Future

Internet Design (FIND) program. Eliminating the security problems inherent to the Internet

would be a great victory for cyber-safety, but there are still concerns. Will this new internet

work as efficiently as the current one does? Will it open the door for new bigger problems?

These are questions that need to be addressed before this idea can be effectively implemented.

2

In the short term, however, the best hope for internet security lies in the cooperation of

the international community. If the international community can mimic what private

corporations have already begun doing, it would go a long way to ameliorating the state of

internet security. By increasing the amount of information and resources shared by security

experts they stand a better chance at identifying and disarming threats before they get out of

hand.

Malware 101

So how do hackers threaten the security of the Internet? They use malware. Short for

malicious software, malware is the principle tool for anyone wishing to execute an effective

cyber-attack. This ‘bad’ software finds its way onto a victim’s computer and then executes its

programmed directive. The results can be as benign as causing unwanted advertisements to

open up in one’s web browser, or they can cause a complete system failure, forcing the user to

wipe their hard drive.

These pieces of coding are readily available online for a price and recent advancements

in programming are making them more and more user friendly, so the world of malware is no

longer restricted to veteran programmers. Malware also comes in many varieties, enabling

hackers to pick and choose the specific characteristics of the malware they need to meet their

needs.i

Of these types, the most common are viruses, worms, and Trojan horses. Each of these

has its own strengths and weaknesses and has the potential to inflict considerable damage. All

three are designed to make their way onto a victim’s computer undetected and then complete

their mission.

3

Viruses are perhaps the most well known of the different types of malware; this is

because they are usually the most obvious. Viruses are not standalone programs. They require

a complete piece of software to ‘piggy-back’ on and user interaction to allow them access to

the computer (usually inadvertently). A user can download viruses from fake emails sent by the

virus that trick the user into opening them or from websites that are hosting them. In a 2008

analysis of 4.5 million URLs, Google found that 700,000 of them were possible hosts for

malware. Another study added that only about 20% of these websites were intentional hosts. ii

Once infected, the original software now becomes a tool for the virus; every time it is

activated the virus runs as well. When the virus runs it not only causes whatever damage it was

intended to do, but also attaches itself to other programs in order to replicate, making it that

much harder to find and stop. It will then seek to spread to other computers. Normally this is

achieved by hijacking a user’s email account or any other program that uses network access.

The other most common form of malware is the worm. The Stuxnet worm is a famous

recent example of a worm and a good example of the nature of worms. Unlike viruses, worms

are independent pieces of software. They do not attach themselves to programs within the

victim’s computer, but rather locate specific security holes in a network and copy itself from

computer to computer. For this reason worms are considered self-replicating rather than self-

propagating.

Worms can spread incredibly fast once they have gained access to a network. In 2001, a

worm called Code Red infected over 250,000 systems in just 9 hours.iii Once dispersed, a worm

then unleashes its payload. In the 2010 Stuxnet attack, this meant executing a program

overrode the previous program that monitored the frequency of the Iranian centrifuges and

4

caused them to rotate at modulating frequencies. Because of their fast rate of diffusion and

efficiency at executing their directive, worms are often used to create large botnets1 that are

then used in Distributed Denial of Service attacks (DDoS). However, it is this fast expansion that

reveals one of a worm’s weaknesses. In the process of replication, it uses a large portion of the

computer’s processing power and the networks bandwidth, briefly exposing itself to a vigilant

network administrator. iv

While viruses and worms sneak onto a computer by exploiting security holes in software

and networks, Trojans horses take the more direct approach. This type of malware claims to be

a useful piece of software. An unsuspecting user would then download or install the Trojan

horse thinking it is a desired piece of software. Unfortunately, once activated the Trojan horse

reveals itself as malware and causes the intended damage (e.g. wiping the victim’s hard drive).

The major drawback of Trojan horses (from the hacker’s perspective) is that they rely

completely on user interaction and have no way to replicate themselves. This limits their

applications tremendously and requires greater creativity to entice users to download the

Trojan horse. Conversely, they are harder to detect until they have already cause significant

damage over a number of systems making them more visible.

No matter how a computer becomes infected by malware the intended goals usually fall

into three categories. (1) They can damage the computer by erasing information or inserting

faulty code. This can lead to a fatal error, forcing the victim to erase their hard drive. (2) They

can gather information from the computer and send it to another location. This is normally

done in preparation for a larger attack to check for the weakest spots in the computer’s

1 Botnets are hidden networks of computers that can be controlled by the hacker that creates them. Once a computer becomes part of a botnet it will follow any commands issued by the master computer.

5

security. (3) They can give commands directly to the computer, which could lead to physical

and/or economic damage or turn the computer into a zombie2. All three have the potential to

inflict great harm not only to individual users, as was formerly the case, but also to large

companies and even government networks.

How the Internet Has Helped Hackers

The Internet has been an incredible boon to hackers. When the internet was being

designed, very little thought was given to security; the idea of malware as a major problem

seemed farfetched. At the time, most viruses were used in harmless pranks between computer

scientists and worms were a legitimate tool for performing system maintenance.v Any actual

malware that existed was more of a nuisance than a threat. However, as the Internet spread

and the number of users increased, the opportunity to profit by turning these formerly benign

forms of software into tools of aggression became a big enough incentive for hackers to invest

in developing and evolving more malware.

The first and most important flaw of the Internet is its support for anonymity. This has

allowed hackers to operate with virtually no repercussions. IP addresses3 were not meant to be

used to locate specific people, they were only meant to facilitate communication between two

computers by giving them a way to identify each other in networks with multiple computers.

Since the introduction of malware into widespread use, security firms have been working with

Internet Service Providers (ISPs) to trace attacks back to an individual by way of IP address.

2 A zombie is the term used for a computer that is a part of a botnet.3 An IP address (short for Internet Protocol Address) is the numerical label assigned to any device connecting to the internet used to identify that device and enable online applications to interact with it by giving it a virtual location (address).

6

At first this seemed like a promising method for bringing cyber-criminals to justice,

however, hackers were one step ahead and learned how to spoof IP addresses. There are many

websites that allow for CGI proxies (or Common Gateway Interface proxies) that allow users to

access websites from a server other than the one provided by their ISP. Hackers can also now

use programs that hide their IP address by creating an encrypted network of relays between

the user and the target computer.vi Darknets4 are another way to avoid IP address tracing. A

hacker using a darknet will display an IP address that does not appear in the ISP’s lists making it

impossible to trace using regular IP address tracing.

Peer-to-Peer (P2P) networks have also proven useful to hackers. These networks were

originally developed to facilitate file-sharing between peers. There is no need to connect with a

server as each member equally sends and receives data. Unlike in a server-client system, a P2P

network will not fail if one member does. It increases in capacity as more devices join and is

much cheaper to run as it does not require a system administrator like a server-client network.

The problem with this feature of the Internet arises when extra overlay networks are added. A

P2P network functions as an overlay network on top of the regular IP network, but, when more

of these networks are created and information is routed through them in such a way as to

obscure the identities of the members, a darknet is created.

Another flaw in the design of the Internet is the lack of authentication. Vinton Cerf, co-

inventor of the TCP/IP protocol5, said in an interview with FORA.TV that one of the things he

would change about the Internet would be the inclusion of authentication at various levels that

4 Darknets are private networks formed by using the peer to peer (P2P) communication system between computers effectively circumnavigating the need for IP address sharing.5 Transmission Control Protocol/Internet Protocol – The TCP sets up the connection of data transfer between host and receiver while the IP is responsible for actually delivering the data to the desired address.

7

would help a user tell who they are communicating with.vii Currently the only forms of

authentication available have been developed separate from the Internet (the most prevalent

being firewalls) and therefore have their limitations.

This lack of authentication leaves security completely in the hands of software

developers who often overlook minute details that could be exploited by a clever hacker.

Viruses are expressly designed to attach themselves to software through these weaknesses. In

this vacuum of security, developers have had to create retrofitted systems for protecting

computers from malware attacks. These methods are forced to work from outside the structure

of the Internet and this puts them at a disadvantage to the malware the exploits that very

structure.

Current Internet Security

One of the salient features of the internet security industry is that it is constantly

changing; it has to be in order to keep up with the ever evolving malware. The major aspect

that has not changed, however, are the two main methods for dealing with and defending

against malware: firewalls and anti-virus software. The reason for this constancy is partly due to

the fact that these methods have been effective, but their effectiveness is only relative to the

alternatives and not an absolute measurement.

Both firewalls and anti-virus software are not perfect solutions. Most internet users

have some form of anti-virus software installed on their computers now and it is nearly

impossible to find an internet connection that does not have even the most primitive firewall

set up. The fact that malware attacks still occur frequently shows how this is an incomplete

solution.

8

Firewalls are the strongest form of protection available. A firewall can be set up in an

office environment where there is a large internal network which is then connected to the

Internet or in a home environment where computers are usually have more direct internet

access. They work by controlling the flow of traffic to and from the Internet. This is done in one

of three ways. A firewall uses either (1) packet6 filtering which analyzes packets against a library

of filters; (2) proxy service which sends the information to a requesting system that

authenticates the data; or (3) stateful inspection, a method that only looks for key parts of the

packet to compare against a database of unwanted information.viii

In theory, a firewall can be 100% effective and block all malware and unwanted content,

but this would also bring internet use to a halt by blocking all content. The only way to use a

firewall then is to balance between allowing and stopping traffic. This can be done to varying

degrees of security, but even the most well balanced firewalls often fall short. A November

2011 study conducted by Larry Suto (a security industry expert) found that a properly set up

firewall can block about 79% of attacks.ix

Anti-virus software is not designed to prevent malware for entering a computer, but

rather provides a method of dealing with it once infected. It achieves this by monitoring all the

files on the computer in order to detect any signs of malware. This type of software relies

heavily on virus dictionaries in order to compare the files to a list of known viruses. When a

virus is detected it can delete, quarantine, or attempt to repair the file.x

There is also a suspicious behavior approach that more recent anti-virus software uses

as it does not require a virus dictionary. This helps protect against unknown and new viruses.

6 Packets are small bits of information and are how data is sent over the Internet.

9

This method monitors the behavior of all programs and looks for any program doing something

unusual, such as writing an executable program. It will then alert the user and ask for

permission to run the program. The problem is that this happens with great frequency so users

get desensitized to the warnings and often just click allow without thinking. Malware also

evolved to outsmart this system and often hides its processes from plain site (especially in the

case of worms, which operate within the holes in network security).xi

Anti-virus software is also very costly and often viewed as causing more problems than

they solve. The virus dictionary requires constant updating not only on the part of the security

firm, but also on the part of the user (a task that more often than not goes neglected). The

suspicious behavior detection has caused much complaint as it slows down overall computer

speed by forcing these checks even on perfectly good software. A recent survey of different

anti-virus programs found that seventeen were unable to detect over 48% of the malware on

the computer.xii

With a clear dependence on up to date information on malware, firewalls and anti-virus

software are will always lag behind the latest malware. It is true that these security measures

can never fully fortify a network from malware attacks because of this lag, but detection rates

of malware have been steadily increasing. This is due in large part to new strategies being

implemented by security firms. The goal is to preempt the hackers by finding vulnerabilities

before they can.

Cooperation in the Private Sector

In contrast to physical crimes where someone can be held accountable for the damage

they cause, cyber-crimes cannot be effectively prosecuted. This fact has left the private sector

10

with little to no protection from world governments. If a bomb were to go off causing millions

of dollars worth of damage there would be a full criminal investigation and hopefully an arrest.

In all likelihood the attack would be stopped by the police or some other security firm. If,

similarly, a cyber-attack were to cause millions of dollars worth of damage and investigation

would ensue, but with little hope for a resolution. There are no cyber-police to turn to and

states are currently not equipped to deal with cyber-threats on a large scale.

In this vacuum of security, the private sector came up with its own innovative solution:

employ the hackers that have been creating malware to help defend against it. At first it may

seem counterintuitive to hire your enemy, but, for the most part, hackers do what they do for

fun or to make money rather than inflict wanton damage. Most hackers would jump at the

opportunity to be paid legally for their services.

The logic behind this move was to employ these hackers, now called ‘security

researchers’, in what is called ‘penetration testing’ in order to expose vulnerabilities of new

software before it can be exploited by other hackers. This strategy was originally adopted by

individual companies, but once its success was understood it grew into larger events spanning

multiple software companies. The largest of which is the annual PWN2OWN contest held at the

CanSecWest security conference where a cash prize is offered for each program successfully

hacked.

The information gathered at these events has proven to be incredibly valuable. After the

most recent PWN2OWN contest in March 2011 Google quickly released a patch7 for their

Chrome web browser that fixed a vulnerability that was rated, by Google, as a high severity

7 Patches are pieces of code added to software to fix a problem.

11

weakness.xiii Many other companies have benefitted from these contests as well, such as Apple,

Microsoft, and Blackberry. These events also led towards the creation of applications that can

achieve similar ends.

Dynamic Application Security Testing (DAST) mimics the effects of the PWN2OWN

contest by intentionally attacking web applications and then by patching the discovered

vulnerabilities. DAST systems are divided between two applications: the attacker and the

patcher. If used in conjunction with properly balanced firewalls it can increase effectiveness by

up to 19%.xiv These applications are no substitute for living people who can discover clever ways

to circumvent software security in a way that the applications’ programming cannot.

Hiring hackers to work as ‘security researchers’ has definitely proven to be a wise

decision, but what was even more beneficial was the cooperation between corporations that

allowed for the large scale vulnerability testing that occurs at these security conferences. An

individual company can only do so much, but by pooling resources they can gather much more

information and share it to reduce the overall vulnerability of our software.

Lessons for the International Community

The success of these conferences at leveling the playing field between hackers and

security experts can be shared by the international community if they implement their own

similar initiative. Contrary to most things in the tech industry, in this case, bigger is better.

The more sharing of information that can be achieved between security experts, the

better the chance of preempting the next cyber-attack. The Organization for Economic

Cooperation and Development (OECD) has called for an “Anti-Malware Partnership” between

nations in order to discover more vulnerabilities quicker.xv Recently, NATO has revised its policy

12

on cyber defense, stressing the need for “a coordinated approach to cyber defense across the

Alliance with a focus on preventing cyber attacks and building resilience.”xvi NATO’s

development of a policy on cyber defense shows how this is no longer an issue that can be

addressed by individual companies or even individual states.

A key component of the creation of this international regime is the campaign to increase

awareness of cyber-threats that must follow. NATO has noted the importance of educating and

training specialists in cyber defense as evidenced by the creation of the Cooperative Cyber

Defense Centre of Excellence (CCDCoE) in Tallinn, Estonia (created shortly after the attacks on

Estonia in 2007).xvii But it is just as important, if not more so, to raise awareness of the dangers

of cyber attacks amongst the general populace.

Many types of attacks are executed using botnets or involve, in some way, the

computers of innocent people who have no idea that their computers are infected. If people

are educated in ways to protect themselves from becoming the tool of a cyber criminal or

terrorist, it would greatly diminish the capabilities of hackers.

An international regime is the best way to get this information to as many internet users

as possible as quickly as possible. No company is going to be willing to pay for expensive

awareness campaigns. Governments that are not under the threat of attack will not expend

much effort educating their populace so other countries might be safer. However, an

international institution devoted to cyber security would definitely be able to affect meaningful

change.

13

Internet 2.0?

All the solutions mentioned thus far have been nothing more than bandages applied to

a broken piece of infrastructure. None of them address the core problem: the Internet itself.

But is it possible to overhaul the Internet entirely? This is a question that the National Science

Foundation (NSF) is presently addressing.

The NSF Future Internet Design (FIND) program is tasked with researching how a more

perfect internet can be built from scratch. One of the specific problems FIND is aiming to

resolve is how to design a more fundamentally secure internet.xviii After a recent evaluation of

the programmer by five external researchers, FIND has placed security at the top of the list. The

program is determined not to let security be an add-on as it is now. To ensure this the

evaluating panel suggested the use of Red team tactics8.xix

Any potential successor to the Internet is still a ways off. The NSF places their new

version, now dubbed the Global Environment for Network Innovations (Geni), appearing

somewhere between 10-15 years from now. The problem is that the Internet has grown so

large and complex that it makes it incredibly difficult to start from scratch. There is also the

worry that the new Internet, while possibly improving security, may be worse than the current

Internet at certain important tasks (a security heavy internet runs the risk of complicating all

communication of data).xx

No matter what the future form of the Internet looks like, an overhaul of the Internet is

not going to fix the immediate threat of cyber-attacks that the world faces. It is the ultimate

8 Red team tactics refers to use of cyber attacks in order to expose vulnerabilities (as seen in PWN2OWN or DAST)

14

solution to deficiencies in internet security, but, for now, emphasis must be placed on

mitigating the damage from these cyber-attacks.

So Where Does that Leave Us?

The only true solution to the problem of cyber-attacks is to rebuild the Internet from the

ground up and include security processes within its architecture. No matter how advanced

methods for checking for vulnerabilities and detecting threats become, any device on the

Internet will be at risk of falling victim to a cyber-attack. Hackers are nothing if not persistent

and that determination can lead them to overcome the expanding security community.

The innovation of using red team tactics by employing hackers to attempt to exploit

vulnerabilities in software was a momentous advancement. In this case, offense proved to be

the best defense. Increasing the magnitude of these tactics from an industry based level to an

international based level would close the gap between the attacking hackers and defending

security experts.

Anti-virus software and firewalls are not enough to stop malware from causing havoc

and infecting many machines. These tools must be augmented by the enhanced information

gathering abilities of these security conferences. Involving the international community would

only increase the amount of information available to these applications, thus making them that

much more efficient.

There is great potential for success in the creation of a new internet, but there is also

great potential for disaster. Much more research needs to be done regarding how the new built

in security will actually work, if it will cause any inadvertent problems, and it should be clarified

15

how a transition would take place and what it would look like. In the meantime, it is time for

the international community to step up and help defend all internet users from cyber threats.

16

i “Malicious Software (Malware): A Security Threat to the Internet Economy”; Organization for Economic Cooperation and Development (OECD); 17-18 June 2008; Seoul, Korea; p. 11 http://www.oecd.org/dataoecd/53/34/40724457.pdfii Ibid p. 12iii “Code Red, Code Red II, and SirCam Attacks Highlight Need for Proactive Measure”; Keith A. Rhodes; United States General Accounting Office; August 29 2009; p. 4 http://www.gao.gov/new.items/d011073t.pdfiv “How Computer Viruses Work”; Michael Brian; http://computer.howstuffworks.com/virus5.htmv “Malicious Software (Malware): A Security Threat to the Internet Economy”; Organization for Economic Cooperation and Development; 17-18 June 2008; Seoul, Korea; p. 10vi “TOR: Overview”; https://www.torproject.org/about/overviewvii http://www.dailymotion.com/video/xhvn2j_vinton-cerf-lists-the-flaws-in-the-internet-s-original-design_techviii “How Firewalls Work”; Jeff Tyson; http://computer.howstuffworks.com/firewall1.htmix“ How Companies Can Defend Against Database Cyberattacks”; Joshua Phillips; http://english.ntdtv.com/ntdtv_en/science_technology/2011-11-22/How-Companies-Can-Defend-Against-Database-Cyberattacks-.htmlx “How Does Anti-Virus Software Work?”; http://www.antivirusworld.com/articles/antivirus.php xi ibidxii “Security and the Internet: Fighting malware”; Lyndon Thompson; The OECD Observer; Paris, France; July 2008; Issue 268; p. 10xiii “Google Patches Security Flaw Exploited by Security Researchers in Pwn2Own Contest”; M2 Presswire; March 15, 2011xiv “ How Companies Can Defend Against Database Cyberattacks”; Joshua Phillips; http://english.ntdtv.com/ntdtv_en/science_technology/2011-11-22/How-Companies-Can-Defend-Against-Database-Cyberattacks-.htmlxv “Security and the Internet: Fighting malware”; Lyndon Thompson; The OECD Observer; Paris, France; July 2008; Issue 268; p. 10xvi “NATO and Cyber Defense”; http://www.nato.int/cps/en/SID-18E557C3-C34AEA79/natolive/topics_78170.htm?xvii ibidxviii “NSF NeTS FIND Initiative”; http://www.nets-find.net/xix “FIND Observer Panel Repot”; Vint Cerf, Bruce Davie, Albert Greenberg, Susan Landau, David Sincoski; April 9, 2009; pp. 1, 6 xx “How do you build a new internet?”; Bobbie Johnson; The Guardian; August 1 2007; http://www.guardian.co.uk/technology/2007/aug/01/news.internet