Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/10/2013
03:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Spaf' On Security

Internet security pioneer Eugene Spafford talks about why security has struggled even after its first big wake-up call 25 years ago, the Morris worm

He was one of the first computer scientists to dissect the game-changing worm that hit the Internet 25 years ago and took down thousands of computers. He's also credited for defining software forensics and shaping other security technologies. But Eugene "Spaf" Spafford says security still isn't taken seriously enough today.

Eugene Spafford, executive director of CERIAS and computer sciences professor at Purdue University
Eugene Spafford, executive director of CERIAS and computer sciences professor at Purdue University

Spafford -- who goes by Spaf -- is the executive director of Purdue University's Center for Education and Research in Information Assurance and Security, as well a professor of computer sciences at Purdue. He spoke with Dark Reading senior editor Kelly Jackson Higgins just prior to his keynote address this week at the ISSA International Conference.

Here is an excerpt from that interview:

DR: Next month marks the 25th anniversary of the Morris worm. What lessons did we learn about security from that incident and what did we miss?
Spafford: I'm not sure we learned any more lessons ... most of the things didn't get fixed.

We went from 20 pieces of malware in 1988 to [around] 180 million today ... that certainly is not a situation where anything has gotten better. We have had a number of opportunities where we could have learned lessons and changed the way we do business.

Back then, there really wasn't a security industry. The difficulty there was that vendors didn't really pick up on this as a problem and change the way their software was developed or the way they packaged things.

We had several years of catch-up where we could have made some changes, but it didn't happen ... I remember going to a couple of meetings that had slots from government, academia, and think tanks where we were talking about defenses of firewalls and so on, but nobody was there from the [vendor community]. They didn't show up at AV conferences in the early '90s, either. They were resistant to any discussion with those in the industry trying to contact them about security issues because they didn't think that was their problem.

The point I would make was that by investing in and putting all the attention on firewalls, we were giving up on host security, basically. My point [then] was if we depend on firewalls, once something gets in, the hosts are still vulnerable, but everyone said, "No, firewalls were a stopgap measure until the hosts were fixed."

Fast forward: We still depend on firewalls. The [security] situation really isn't any better, and now we have mobile and BYOD.

DR: Worms today are obviously more malicious and destructive than the Morris worm, but that one was a turning point in Internet security. How would you characterize the evolution of worms?
Spafford: There are hundreds of [worms] active out there now, but we don't hear about them. No one bothers to mention them.

Back in 1988, the worm would have made news no matter what [Robert T. Morris] had done because we had never seen anything like that. Not many people had thought about the potential for anything like that, and we didn't have the tools to analyze [it]. I don't think it was as much what it did as [it was] its timing. There were a few that followed and got named -- Iloveyou, Nimda, CodeRed.

They became more stealthy because after you've shown it can be done, why would you write one? The answer is for criminal intent. Therefore, you won't want to draw attention to it. You want it to be stealthy, to hide, penetrate, and steal information.

A decade or so ago, I was talking with some people, and we concluded that what Morris had done compared with current day was very minor. And, in fact, I joined a group that was trying to get a presidential pardon for him [at that time] because he has a felony on his record [for the worm conviction], and that's probably too severe. But the people we contacted at the White House told us, "No way."

DR: How has security regressed or evolved since then?
Spafford: A lot of it has been on the wrong path.

Security hasn't been taken seriously [enough] at any level or given the amount of resources and attention it should. Instead, the focus [is] on ... patching.

If everything was in balance, we would have people who are trained across the areas and products they are looking at that are designed to be solid and secure. Any breaking of a system would be a largely futile exercise they would nonetheless indulge in as confirmation or assurance.

Instead, we have a marketplace where that is rewarded: Microsoft just gave $100,000 [to a researcher in its bug bounty program]. This is treated as a first line in security defense. The fact that people are able to make that much money and find that many flaws is indication that something is very wrong with the way we're building systems.

DR: What about secure development programs like Microsoft's?
Spafford: It's the basic underpinnings of architecture. Microsoft's product isn't so much poor quality -- they do a very good job. The Windows kernel has far less flaws than Linux does, which surprises some of the hackers when they hear that. The problem [Microsoft has] is that they maintain software compatibility with old, broken stuff. They have to have a lot of things in place, otherwise third parties and software and hardware might break with their systems. This is one of the reasons they are really pushing hard to discontinue XP support, so they can fix things in newer versions.

We don't run all legacy software out there. You can build a much more secure system, but it would be slower.

That fact is that this decision is being made by everybody that speed is more important than security. That's implicit. That's part of the problem -- we're in the mind-set of fast and cheap is more important than making it secure.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
10/11/2013 | 12:25:02 AM
re: 'Spaf' On Security
I agree that there are problems with the way software and essential network protocols are developed, but I get the sense that some security folks think there's some kind of security Eden that could be reached with the right OS or the right app dev methodology or whatever. I think any human-designed system will have exploitable flaws, and even if we someday get unbreakable software, there's always social engineering. Security is hard, and always will be as long as people need access to information and resources to do stuff.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5595
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a buffer overflow vulnerability, which may allow a remote attacker to stop the network functions of the products or execute...
CVE-2020-5596
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) does not properly manage sessions, which may allow a remote attacker to stop the network functions of the products or execute a mali...
CVE-2020-5597
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a null pointer dereference vulnerability, which may allow a remote attacker to stop the network functions of the products o...
CVE-2020-5598
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper access control vulnerability, which may which may allow a remote attacker tobypass access restriction and stop ...
CVE-2020-5599
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability, which may allow a remo...