Category Archives: Web/Tech

Web Panopticons: China and U.S.

Fergie points out a university project investigating censorship:

The "Great Firewall of China," used by the government of the People’s Republic of China to block users from reaching content it finds objectionable, is actually a "panopticon" that encourages self-censorship through the perception that users are being watched, rather than a true firewall, according to researchers at UC Davis and the University of New Mexico.

The researchers are developing an automated tool, called ConceptDoppler, to act as a weather report on changes in Internet censorship in China. ConceptDoppler uses mathematical techniques to cluster words by meaning and identify keywords that are likely to be blacklisted.

University Researchers Analyze China’s Internet Censorship System, News Report, Government Technology News, Sep 11, 2007

So the Great Firewall of China watches what users are doing by actively intercepting their traffic, and it is the perception of being watched, as much as the blocking itself, that does the censoring. Meanwhile, back in the U.S. of A., how about a passive web panopticon?


Worst-Case Aggregation: $100 billion

In the previous post we saw that the idea of aggregated damages is probably at least 2300 years old. These days we have means of aggregation that Kautilya never dreamed of, from ships to planes to telephones to satellites to the Internet. So what’s the most aggregation we can expect to see for damages on the Internet?

At a conference in May, two researchers attempted to answer that question with a paper:

“Worms represent a substantial economic threat to the U.S. computing infrastructure. An important question is how much damage might be caused, as this figure can serve as a guide to evaluating how much to spend on defenses. We construct a parameterized worst-case analysis based on a simple damage model, combined with our understanding of what an attack could accomplish. Although our estimates are at best approximations, we speculate that a plausible worst-case worm could cause $50 billion or more in direct economic damage by attacking widely-used services in Microsoft Windows and carrying a highly destructive payload.”

“A Worst-Case Worm,” Nicholas Weaver, Vern Paxson

This $50 billion estimate is actually conservative. The paper was supposed to have three authors, not two; the third author thought a higher estimate should be included.

Also, the estimate given is only for the United States. About half of the Internet is outside the U.S., so it is safe to assume that total worldwide damages would be higher still. A simple linear multiple of 2 may not be accurate, since the rest of the world isn't as closely connected topologically as the U.S. is. On the other hand, most of the Internet in the rest of the world is in Europe, Japan, East Asia, Canada, Australia, and New Zealand, all of which are tightly connected within themselves and closely connected to the U.S. The Slammer worm, for example, did not respect national boundaries.

So there is good research to indicate that the fears some Fortune 500 CEOs have of a $100 billion risk are very well founded.


What does scob mean?

Scob was the attack that chained a bug in Internet Explorer with a configuration option in Microsoft's IIS web server: compromised servers appended a JavaScript trojan loader to the files they served, image files included, and the loader retrieved a keystroke monitor which mailed its results to the attacker.
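One thing a practitioner would want from the description above is a check for the symptom: an image response that carries HTML or JavaScript after the image data. The following is an added example written for this page, not code from the original post or from any of the forensic reports it mentions. It assumes the injected footer shows up as an HTML script, iframe or object tag appended after the real image bytes; the sample responses and the loader URL are constructed for the example and are not the real scob payload.

```python
"""
Added example (not from the original post): flag served files whose declared
content type is an image but whose bytes end with injected HTML/JavaScript,
the footer-appended-to-images symptom described for scob.
"""
import re

# Magic bytes of common image formats; an honest image body starts with one of these.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

# Assumption for this example: an injected footer is an HTML fragment that
# loads code, i.e. a script, iframe or object tag. Matched case-insensitively.
INJECTED_HTML = re.compile(rb"<\s*(script|iframe|object)\b", re.IGNORECASE)


def image_format(body: bytes):
    """Return the image format implied by the magic number, or None."""
    for magic, name in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return name
    return None


def check_response(content_type: str, body: bytes) -> dict:
    """Verdict for one HTTP response (declared content type plus raw body).

    Two findings are possible: a declared image with no image magic number,
    and an image whose trailing bytes contain code-loading HTML markup.
    Plain HTML responses are not examined, since script tags belong there.
    """
    declared_image = content_type.split(";")[0].strip().lower().startswith("image/")
    fmt = image_format(body)
    findings = []
    if declared_image and fmt is None:
        findings.append("declared image but body has no image magic number")
    if declared_image or fmt is not None:
        # The appended footer sits after the real image data, so inspect the tail.
        tail = body[-512:]
        m = INJECTED_HTML.search(tail)
        if m:
            tag = m.group(1).decode("ascii").lower()
            findings.append(f"html <{tag}> tag {len(tail) - m.start()} bytes from end of image")
    return {"format": fmt, "suspicious": bool(findings), "findings": findings}


def scan(responses):
    """Scan (url, content_type, body) triples and return the URLs flagged."""
    return [url for url, ct, body in responses if check_response(ct, body)["suspicious"]]


# Constructed sample bodies, not captured traffic: a minimal GIF, and the same
# GIF with a stand-in loader tag appended the way the post describes.
CLEAN_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 32 + b";"
INJECTED_GIF = CLEAN_GIF + b'\r\n<SCRIPT src="http://example.invalid/loader.js"></SCRIPT>'

if __name__ == "__main__":
    sample = [
        ("/images/logo.gif", "image/gif", CLEAN_GIF),
        ("/images/banner.gif", "image/gif", INJECTED_GIF),
        ("/index.html", "text/html", b"<html><script>ok()</script></html>"),
    ]
    for url, ct, body in sample:
        print(url, check_response(ct, body))
    print("flagged:", scan(sample))
```

The check is deliberately narrow: it looks only at the tail of bodies that are, or claim to be, images, so ordinary HTML pages with their own scripts are not reported. It would not catch a loader hidden inside the image data itself; it catches the specific appended-footer shape the post describes.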

There have been reams of reports from security companies about how scob worked, more about who was behind it, how connections to the addresses it reported to were blocked, etc. It's good to see so many people and companies on the ball, busily producing forensics.

But what does scob mean?

Well, for one thing, even image files are no longer safe from exploits. I suppose it’s good that people realize that anything can be broken.

For another, because there was no patch for IE at the time, a few more people will take software diversity seriously and use other browsers. This could even lead to competition among browsers on security; for example, it seems that Mozilla is offering $500 per critical bug. Both diversity and any resulting security competition would be good.

However, even patching bugs in individual facilities won't solve the class of attacks that scob represents, because scob exploited a combination of bugs or features in several different facilities. Some of them weren't even bugs for that facility; it was only when they were used in combination that they turned into bugs. Checking for such combinations is far more complex than debugging a single facility. Software diversity will help somewhat with this, because for example a browser and a web server from different vendors are less likely to have the same types of design flaws and coding styles. But diversity, like traditional security solutions such as patches, firewalls, intrusion detection etc., none of which stopped scob, has its limits.

And attacks like scob will happen again. Phishing in general is on the rise, and scob is a kind of phishing that doesn’t even require the user to consciously interact. So such an attack can be an automated money-making machine.

What to do? Certainly we need to do all the usual things: apply patches, run firewalls, install intrusion detection, educate users, system administrators, and software vendors. Plus some new things, such as software diversity, and competition on security. This is all due diligence and best practices.

But many users and companies won’t do these things, because people tend to pay attention to security only when they suffer direct damage, and most people didn’t this time. So no matter how diligent you and your company are, the next attacks may still affect you because someone else was not so diligent.

You can have all the non-flammable insulation and sprinkler systems you like, and your office can still burn down in a wildfire, or your telephone or power can go out due to a tornado or a system overload, all of which are beyond your control.

The time to buy insurance is before the building burns down.