The Velocity of Pwn3d

Tuesday, February 01, 2011

Rafal Los


Getting pwn3d (or "hacked", compromised, exploited... whatever) has evolved since I first flipped on my orange and black screen and started programming Turbo Pascal... that was a long time ago.

Over time, how the average user goes from happily computing to being completely compromised has changed, along with a lot of other things including the number of 'connected' devices. 

My colleague George Hulme has a good piece on the topic here [CSO Magazine, "Researchers: Attacks Getting Faster, Wider"], stemming from a conversation we had as I was bemoaning the Chicago Bears' loss on a Sunday night... so I thought I would expand my thoughts on the topic and write up a slightly extended version of my quote which ended up being used for George's story.

The Early Days

As people discovered personal computers, the way that most people were 'compromised' was by taking a floppy disk from one machine to another... and thus passing along the infection. 

Arguably a few viruses soon snuck into binaries and started to infect boot sectors and corrupt hard disks and operating systems such as DOS and the early Microsoft Windows platforms, but the primary infection vector was physically passing media from one machine to another.

This infection velocity was slow, and often made it quite obvious where the infection came from.  Soon we all started to purchase anti-virus software that operated as a TSR (remember TSRs?) and you could scan a disk when you put it into the drive to make sure it didn't have anything nasty hiding in the shadowy bits.

The velocity of infection depended on how fast you could swap disks into your floppy drive.  These types of infections, while having the capacity to bring down entire networks, were painfully slow and had predictable entry points which we, the system operators and administrators, had a hope of controlling.  Keep that last thought in mind as you keep reading.

Things Get Faster

As we discovered the Internet, our 300 baud modems went to 14.4k, then 28.8k and 56k... some of us even got 128k ISDN lines... and then DSL and cable modems.  The infection vectors became the things we downloaded and the links we clicked in our shiny new NCSA Mosaic or Netscape browsers.

Graduating to infecting ourselves without the help of a floppy disk being passed about sped up the infection velocity significantly, and if you can imagine a hockey-stick type curve going upwards, we were moving to be about 1/3 of the way up the curve.

Getting compromised was getting easier, and the growing number of entry points which administrators were quickly losing control over meant that we needed personal firewalls, better and more anti-virus, and a better understanding of how our computers worked... and many nights re-installing our operating systems after we got pwn3d once or twice.

Today's Connected Web

Enter today's super-connected world where I can get the 'web' on my television, my refrigerator, my computer, printer and smart-phone or my tablet... or on the back-seat headrest of my airplane seat. 

We've fortified our perimeter to a reasonable degree, which for many of us meant upgrading to a modern version of Windows beyond Windows 98, so the bad guys have moved from 'infecting us' to shut down our ability to compute to owning our computing devices for nefarious purposes.

Applications, legitimate web sites and services, and real companies have become the attack vectors now.

The social media explosion, including media like Facebook, Twitter and the like, has become our own undoing in many cases.

Whereas in the olden days you would have to take the time to pass a floppy disk to your friend to get them infected with some boot-sector virus, today you're part of a mass-email on Facebook that comes (at least it appears to come) from a trusted friend telling you to go click a link you'll love.

Bam! You're pwn3d.  Well, you and 1,000,000 of your closest friends.

We, my dear friends, have moved up significantly on the hockey-stick curve where it takes seconds for a million people (or devices) to become 'infected' or owned. 

The velocity of infection thanks to the inter-connectivity of millions of devices and the social-interaction click-compulsion is ten or more orders of magnitude faster than it was 10 years ago.

Why is it like this?  Well, the answer lies in how fast 'anti-malware' services and software can spread versus how fast the infection can spread.  Think about it: in order for a piece of malware to be detected by your computer's anti-malware software it must go through this process:

   1. [0:00 hr] Malware authored and released (assuming non-targeted attack)
   2. [1:00 hr] Initial population gets infected
   3. [6:00-10:00 hrs] Malware sample submitted to anti-malware researcher, analyzed
   4. [10:00 hrs] Anti-malware 'patterns' released for malware, released to endpoints
   5. [~12:00 hrs] ~25% of endpoints receive update
   6. [24:00 hrs] ~75% of endpoints receive update (and it tapers off after that)

That's a long, drawn-out process which probably takes at least 10 hours to get you 'protected'... this assumes you haven't clicked a link, or gotten auto-pwn3d by a script/bot at 0:01 hr... right?
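To put numbers on the race the timeline above describes, here is an added example (mine, not from the original post) that models it: the signature rollout uses the post's own data points (nothing before 10h, ~25% at 12h, ~75% at 24h) with linear interpolation assumed between them, while the infection is assumed to spread exponentially from a constructed seed with a given doubling time. The functions report the share of endpoints that are compromised and still unprotected at each hour, and the hour at which that exposure peaks.

```python
"""Race between malware spread and signature rollout, using the post's timeline."""

# Rollout schedule from the post: (hour, fraction of endpoints that have the signature).
# Nothing is protected before patterns ship at hour 10; ~25% at 12h, ~75% at 24h.
ROLLOUT_SCHEDULE = [(0.0, 0.0), (10.0, 0.0), (12.0, 0.25), (24.0, 0.75)]


def protected_fraction(t_hours, schedule=ROLLOUT_SCHEDULE):
    """Fraction of endpoints holding the signature at time t (linear interpolation
    between the post's points is an assumption; flat after 24h as rollout tapers)."""
    if t_hours <= schedule[0][0]:
        return schedule[0][1]
    for (t0, f0), (t1, f1) in zip(schedule, schedule[1:]):
        if t0 <= t_hours <= t1:
            return f0 + (f1 - f0) * (t_hours - t0) / (t1 - t0)
    return schedule[-1][1]


def infected_fraction(t_hours, doubling_hours, seed_fraction):
    """Assumed exponential spread from an initial seed, capped at 100% of endpoints."""
    return min(1.0, seed_fraction * 2 ** (t_hours / doubling_hours))


def unprotected_infected(t_hours, doubling_hours, seed_fraction):
    """Share of all endpoints that are compromised AND still lack the signature.
    Assumption: receiving the signature cleans and protects an endpoint."""
    return infected_fraction(t_hours, doubling_hours, seed_fraction) * (
        1.0 - protected_fraction(t_hours)
    )


def peak_exposure_hour(doubling_hours, seed_fraction, horizon_hours=48):
    """Integer hour at which the unprotected-infected share is largest."""
    return max(
        range(horizon_hours + 1),
        key=lambda h: unprotected_infected(h, doubling_hours, seed_fraction),
    )


if __name__ == "__main__":
    # Constructed scenario: one endpoint in a million seeds the outbreak and the
    # infected population doubles every hour.
    for h in (0, 6, 10, 12, 18, 24, 36):
        print(f"{h:>3}h  infected={infected_fraction(h, 1.0, 1e-6):.4f}  "
              f"protected={protected_fraction(h):.3f}  "
              f"exposed={unprotected_infected(h, 1.0, 1e-6):.4f}")
    print("peak exposure at hour", peak_exposure_hour(1.0, 1e-6))
```

In the constructed scenario the exposed share keeps rising until hour 20, long after the patterns ship at hour 10, because the rollout has only reached a quarter of endpoints by hour 12.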

So the attack surface of today's connected Internet has exploded like a fractal, which means that the velocity is many orders of magnitude faster than it "used to be" and as applications and then people become the targeted entities our defensive strategies need to change. 

Since I see thousands of applications across many, many customers I naturally think that the platforms (applications/sites) are the most logical place to perform active defense - but the strategies vary by site, method of delivery, and purpose so it's not simple.

I guess the lesson here is that the way we're getting pwn3d out there on the Internet is continually evolving but for at least the foreseeable future I think the epicenter of attack/defense is the application. 

So, logically, I think it realistically all funnels down to writing better, higher-quality, more secure code... and like it or not that leads us back to Software Security Assurance as the focus for enterprises big and small.

Cross-posted from Following the White Rabbit

Lee Mangold: When you say "writing better, higher-quality, more secure code", I think the biggest target is OS development. If the primary OS-of-choice would implement a compartmentalization or object-capabilities model of some sort, we could eliminate quite a bit of the attack surface. Easier said than done, I know...

I was watching a Google talk a while back about object-capabilities and the author put up a great graphic: It was a picture of Solitaire running on a Windows machine with red letters across the table that said "This program can access any file on your computer".

Makes you think... Well, it makes security researchers think, anyways...
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
