INTERVIEW: Peter Mell, virus hunter

I've been involved in security for five years'two years in graduate school doing computer security research and then three years at NIST.I started working on the ICAT vulnerability index, and before that I did pure theoretical research on mobile agents detecting intrusions. For a security person, I don't think I'm paranoid. I feel rather comfortable with the security we have today, but I do have some worries about the vulnerabilities constantly being published. Sometimes they are complicated enough that it legitimately takes the vendor several weeks to fix them.In that time, people can do nasty things, specifically to Web servers. People write programs that scan for Web servers, just as the Code Red worm did, but they break in and corrupt data and destroy things. You can easily make a virus that can wait a period of time before it affects other machines.A friend of mine owns a small company, and his main system got corrupted so he couldn't use it. He called me in a panic and asked, 'What happened?' We determined he had a virus. And he said, 'But I had a virus checker.' I said, 'Did you update it?' He said, 'Huh?' He just didn't know.We need to remind people to patch their systems. The newer versions of Microsoft Windows will pop up a little box saying 'Critical update needed.' Another way to get updated is Windows Update in Internet Explorer, under the Tools menu. I think patches come out too late. There always is a window between when a vulnerability is publicly announced and when a fix is available. Typically a vulnerability will be announced at the same time as an attack script'hand in hand with it. The hacking community and the virus writer community have been separate. Hackers break in for money or for political reasons.Virus writers might not have a target in mind, they just write things that are hurtful. The percentage of people that just want to hurt other people is relatively small. It's hard to know if somebody breaks in and doesn't do anything obvious. We have intrusion detection systems, but they don't cover all the methods. They are certainly effective enough to deploy, but they're not effective enough to rely on to be sure when you've been attacked. If you're going to have e-government, a public-key infrastructure offers valuable security, much greater than passwords. But it is pushing the envelope. I advocate a stance where we feel out the risk as we move in. Don't put all the eggs in the PKI basket at once. At a broad technical level, if you have a PKI, I feel you need smart cards. Our magnetic-stripe credit card system has worked so incredibly well that we haven't had a push to smart cards.Say you've got your private key on a card. If somebody tries to torture you, you can't even tell them your password because you don't know it. It's buried in the card. The weakness with smart cards is that a computer could send anything to that card to be signed. If somebody broke into your computer, they could sign anything they wanted.We need a separate interface: one to your computer and one to a separate monitor so you could see what was being signed and could type in your personal identification number separately from the computer that could be vulnerable.That is just a researcher's dream. We need to do pilot projects. We need to move slowly. People are paranoid about giving out personal information, but what they should worry about is when they sign a document digitally using PKI. How would any dispute be resolved in court? How can you prove whether you've had a key stolen or not? You can't, really. You can argue, somebody was watching. Somebody stole it. I would like to see everything be electronic. It would save money. But when you think it's a perfect world because you're not doing paper anymore, there are still going to be issues of dealing with all the electronic documents, organizing them, finding them. So it's not a perfect solution.Security of every computer is going to become much more critical. Nowadays, if somebody broke into my computer at work, they couldn't do much. Everything I do is public domain. I don't care if they read it. If they corrupt it, I'll probably figure it out. But when we move into a paperless society, then by breaking into my computer they can control aspects of my life. I had just started grad school and had never worked on a Unix system. My boss told me, 'For a job for the Defense Department, I want you to go break into that computer across the room.' So, I went off to happy hackers' highway and found one little program that would shut down the other machine.I noticed the attack had a feature that could pretend to come from somebody else's computer. There was a guy who was out for the day, so I made it come from his computer. I went home and left it running.An administrator noticed the computer science network had gone down. He's a smart guy, and he checked and saw all these network packets going past, obviously from the attacking machine. He ripped out the cord. The network was still down, because my machine was still sending out packets.I forgot to turn the screen saver off, and he got lucky because that program put out little dots every time it sent a packet, and he knew I'd been playing. It's kind of scary that that kind of power is available. Certainly hacking is a phenomenon of the younger generation. The big [DefCon] hacker convention in Las Vegas used to have stereotypical white males, 15 to 30 years old, with dyed hair. Now tons of FBI agents and government employees go.External people know more about breaking into computers, so they're more dangerous. Most security measures are put up to block external people. The internal people have fewer controls, but a typical insider who wants to do something malicious isn't well-versed in computer attacks. So there's a tradeoff. I would be equally concerned about both.When I was in graduate school, a company called and said, 'The head of our company just fired our main network administrator. How do we keep him out? He could do anything to us now.'They were scared. I recommend people do not fire their head network administrator.