INTERVIEW: Peter Mell, virus hunter

Peter Mell, a computer scientist and security expert at the National Institute of Standards and Technology in Gaithersburg, Md., researches computer penetration, intrusion detection and vulnerability databases.

I've been involved in security for five years'two years in graduate school doing computer security research and then three years at NIST.I started working on the ICAT vulnerability index, and before that I did pure theoretical research on mobile agents detecting intrusions. For a security person, I don't think I'm paranoid. I feel rather comfortable with the security we have today, but I do have some worries about the vulnerabilities constantly being published. Sometimes they are complicated enough that it legitimately takes the vendor several weeks to fix them.In that time, people can do nasty things, specifically to Web servers. People write programs that scan for Web servers, just as the Code Red worm did, but they break in and corrupt data and destroy things. You can easily make a virus that can wait a period of time before it affects other machines.A friend of mine owns a small company, and his main system got corrupted so he couldn't use it. He called me in a panic and asked, 'What happened?' We determined he had a virus. And he said, 'But I had a virus checker.' I said, 'Did you update it?' He said, 'Huh?' He just didn't know.We need to remind people to patch their systems. The newer versions of Microsoft Windows will pop up a little box saying 'Critical update needed.' Another way to get updated is Windows Update in Internet Explorer, under the Tools menu. I think patches come out too late. There always is a window between when a vulnerability is publicly announced and when a fix is available. Typically a vulnerability will be announced at the same time as an attack script'hand in hand with it. The hacking community and the virus writer community have been separate. Hackers break in for money or for political reasons.Virus writers might not have a target in mind, they just write things that are hurtful. The percentage of people that just want to hurt other people is relatively small. It's hard to know if somebody breaks in and doesn't do anything obvious. We have intrusion detection systems, but they don't cover all the methods. They are certainly effective enough to deploy, but they're not effective enough to rely on to be sure when you've been attacked. If you're going to have e-government, a public-key infrastructure offers valuable security, much greater than passwords. But it is pushing the envelope. I advocate a stance where we feel out the risk as we move in. Don't put all the eggs in the PKI basket at once. At a broad technical level, if you have a PKI, I feel you need smart cards. Our magnetic-stripe credit card system has worked so incredibly well that we haven't had a push to smart cards.Say you've got your private key on a card. If somebody tries to torture you, you can't even tell them your password because you don't know it. It's buried in the card. The weakness with smart cards is that a computer could send anything to that card to be signed. If somebody broke into your computer, they could sign anything they wanted.We need a separate interface: one to your computer and one to a separate monitor so you could see what was being signed and could type in your personal identification number separately from the computer that could be vulnerable.That is just a researcher's dream. We need to do pilot projects. We need to move slowly. People are paranoid about giving out personal information, but what they should worry about is when they sign a document digitally using PKI. How would any dispute be resolved in court? How can you prove whether you've had a key stolen or not? You can't, really. You can argue, somebody was watching. Somebody stole it. I would like to see everything be electronic. It would save money. But when you think it's a perfect world because you're not doing paper anymore, there are still going to be issues of dealing with all the electronic documents, organizing them, finding them. So it's not a perfect solution.Security of every computer is going to become much more critical. Nowadays, if somebody broke into my computer at work, they couldn't do much. Everything I do is public domain. I don't care if they read it. If they corrupt it, I'll probably figure it out. But when we move into a paperless society, then by breaking into my computer they can control aspects of my life. I had just started grad school and had never worked on a Unix system. My boss told me, 'For a job for the Defense Department, I want you to go break into that computer across the room.' So, I went off to happy hackers' highway and found one little program that would shut down the other machine.I noticed the attack had a feature that could pretend to come from somebody else's computer. There was a guy who was out for the day, so I made it come from his computer. I went home and left it running.An administrator noticed the computer science network had gone down. He's a smart guy, and he checked and saw all these network packets going past, obviously from the attacking machine. He ripped out the cord. The network was still down, because my machine was still sending out packets.I forgot to turn the screen saver off, and he got lucky because that program put out little dots every time it sent a packet, and he knew I'd been playing. It's kind of scary that that kind of power is available. Certainly hacking is a phenomenon of the younger generation. The big [DefCon] hacker convention in Las Vegas used to have stereotypical white males, 15 to 30 years old, with dyed hair. Now tons of FBI agents and government employees go.External people know more about breaking into computers, so they're more dangerous. Most security measures are put up to block external people. The internal people have fewer controls, but a typical insider who wants to do something malicious isn't well-versed in computer attacks. So there's a tradeoff. I would be equally concerned about both.When I was in graduate school, a company called and said, 'The head of our company just fired our main network administrator. How do we keep him out? He could do anything to us now.'They were scared. I recommend people do not fire their head network administrator.

WHAT'S MORE

  • Age: 29

  • Family: Wife, Anna; baby on the way

  • Last book read: Michael Crichton's Timeline, a medieval fantasy based on quantum computing theories

  • Last movie seen: 'Shrek'

  • Leisure activities: Studying Spanish and theology

  • Dream job: Designing the security system for the International Space Station
  • Peter Mell

    Peter Mell, a computer scientist and security expert at the National Institute of Standards and Technology in Gaithersburg, Md., researches computer penetration, intrusion detection and vulnerability databases.

    He is an editorial board member of the Common Vulnerabilities and Exposures project, which standardizes the naming of known vulnerabilities.

    Recently Mell has managed the ICAT vulnerability indexing service, at icat.nist.gov, and he has worked on the transition to industry of intrusion detection testing technology funded by the Defense Advanced Research Projects Agency.

    Mell received a master's degree in computer science from the University of California at Davis in 1998.

    GCN associate editor Dipka Bhambhani interviewed Mell at GCN's offices in Silver Spring, Md.


    GCN:What kinds of security projects have you worked on?

    MELL:



    GCN:What are you most paranoid about?

    MELL:







    GCN:Do you think patches offer sufficient protection?

    MELL:

    GCN:What's the difference between hackers and dedicated writers of viruses?

    MELL:



    GCN:How easy is it to know if a system has been invaded?

    MELL:

    GCN:What security measures would you recommend for e-government systems?

    MELL:

    GCN:What's your concern about PKI?

    MELL:







    GCN:Are people too concerned about giving out personal information electronically?

    MELL:

    GCN:Should some government processes remain on paper?

    MELL:



    GCN:What is the worst breach of security you've been involved in?

    MELL:









    GCN:Which group is more dangerous'young outsiders or internal intruders?

    MELL:





    NEXT STORY: Calendar

    X
    This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
    Accept Cookies
    X
    Cookie Preferences Cookie List

    Do Not Sell My Personal Information

    When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

    Allow All Cookies

    Manage Consent Preferences

    Strictly Necessary Cookies - Always Active

    We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

    Sale of Personal Data, Targeting & Social Media Cookies

    Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

    If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

    Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

    Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

    If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

    Save Settings
    Cookie Preferences Cookie List

    Cookie List

    A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

    Strictly Necessary Cookies

    We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

    Functional Cookies

    We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

    Performance Cookies

    We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

    Sale of Personal Data

    We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

    Social Media Cookies

    We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

    Targeting Cookies

    We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.