A Failure to Learn from the Past Presented by Chad Frommeyer CSC 493/593 Professors Charles E. Frank/James Walden

A Failure to Learn from the Past

Presented by

Chad Frommeyer

CSC 493/593

Professors

Charles E. Frank/James Walden

Introduction

• Internet Worm and its Behavior

• Consequences to the Creator/Originator

• Resulting actions taken

• What have we learned?

Internet Worm

• October 1988: Internet contained 60,000 hosts

• Worm attack affected 3000-6000 (5%-10%)

• Infection lasted 3-4 days

• Only Unix based systems affected

Internet Worms -- Terms

• Worm – Independent program that can replicate itself

• Virus – Code that requires a host, and cannot run independently

• Malware – Malicious Software

Internet Worm -- Operation

• Fingerd – Buffer Overflow (C-Language gets()) – altering fingerd functionality

• Sendmail – DEBUG options exploit allowed execution of commands

• Password discovery

• Identify Trusted Machines

• Cleanup after Execution

• Chronology

Consequences

• Author Robert T Morris

• No Prison, 400 Hours Community Service

• Fine of $13,776

• Suspended from graduate studies at Cornell

• Malicious Intent not proven

• Ultimately received Ph.D from Harvard, and is currently an associate professor at MIT.

• Adequate?

Resulting Actions

• CERT (Computer Emergency Response Team)

• Central switchboard for computer emergencies on ARPAnet and MILnet

• Not enough?

What have we learned?

• Software Flaws

• Incident Response

• Laws and Ethics

Learned? (Software Flaws)

• 95% of reported malware is against Microsoft

• Trust Relationships

  – Software

  – Hardware

  – Personal

• Buffer Overflows

• Default Configurations

Learned? (Incident Response)

• CERT/CC

• Delayed Communications

• Not Comprehensive

• What communication is good enough?

Laws and Ethics

• Fewer than a dozen people convicted

• Expensive/Difficult to Investigate

• Lack of Tools/Expertise

• Lack of Foreign Laws

• Lack of international cooperation

Conclusion

• Punishment not adequate – Needed precedent

• Awareness needs to be heightened

• Software processes need to recognize lack of expertise

• Security should be a priority to product management