We Will Never Be Secure While Secrecy Rules

The virulent Nimda worm shocked the world in 2001, but we are only just starting to learn the lessons of the past, says Eric Doyle

In the week that marks the tenth anniversary of the Nimda worm, it is time to reflect on how the malware world has changed since 18 September 2001, a week after Al Qaeda toppled the twin towers and changed our awareness of the importance of security in the 21st century.

For the first time, a computer worm became so prevalent it hit the top of the list of reported infections, and newspaper headlines, just 22 minutes after hitting the Internet. Here was a worm that used multiple vectors to spread: email, network shares, poisoned web sites, vulnerabilities in Microsoft IIS, and backdoors left by Code Red II and sadmind/IIS infections.

The start of a new era

When analysing Nimda code, F-Secure found the text “Concept Virus(CV) V.5, Copyright(C)2001 R.P.China”, a positive link to China and possibly evidence, but only in hindsight, of government-sponsored malware.

Since Nimda, things have changed. Today’s malware still uses the same entry ports as Nimda but in a more subtle, targeted way. And hackers, though they still brag about their exploits, rarely reveal their subtle methods.

The publicity at the beginning of the decade brought about a blossoming of security firms offering protection and stifling exploits, but the world has moved on. Today it is hard to protect systems from exploits that are finely-tuned to hit specific companies.

Rather than malware, the biggest threat today is the one posed by hackers.

This is evident from the number of security and defence companies that have been hit recently: RSA Security, various SSL certification authorities, and organisations like Lockheed Martin and Mitsubishi. Just last week, the Intelligence and National Security Alliance (INSA) was hacked, ironically, only 48 hours after releasing a policy paper on cyber-security.

The best defence against these attacks is openness. RSA Security set the mood by being totally frank about the exploit that threatened its credibility – though maybe less so about what was actually stolen.

Carefree talk saves lives

It’s time for security organisations to open up and really talk to one another, swap tales and be honest. For too long the culture has been to close ranks and try to hide the truth. As soon as a hack occurs, it should be admitted to – there is no longer any shame. In fact, the world has turned and companies can lose more respect by having a tight-lipped approach to security.

The Sony PlayStation hack, for example, caused a big stir earlier this year because the company withheld the news of compromised accounts, not because the hack was the result of systems maintenance incompetence – that criticism was reserved for the copycat hacks that followed against some of Sony’s other sites.

And don’t try to exempt yourself from responsibility for hacks, as Sony is trying to do by adding clauses to its new registration policy (whether the clauses will withstand international laws is questionable). Shut down the site and let the innocent customers know immediately so they can protect themselves. Following that, analyse the problem and share it with others.

Last week, over 100 senior executives met behind closed doors in the US to talk freely about Advanced Persistent Threats, how to avoid them and regulatory changes that would help by deterring hackers. A laudable initiative sponsored by RSA Security.

But there is a danger that, left to themselves, big business’ and governments’ answers will open the door to invasions of privacy. If conferences such as this shut out the privacy and human rights lobbyists, the result could be governments introducing draconian measures. We need to talk, but the emphasis is on “we”.

The RSA summit was a good start which brought together the open confessors and, according to RSA’s report, a few organisations that, for various reasons, have been hacked and still chose to keep it to themselves. The next stage should be the development of regulatory and legal changes hammered out with the involvement of human rights groups.

Then we may be able to say that we have made progress in the last decade.