Re: A new level of sophistication in cyber security

From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Sat May 20 2000 - 00:32:46 MDT


"Spike Jones" <spike66@ibm.net> wrote:
> There's a seriously interesting little article,
>
> Could have stopped the I-Love-You virus: Intelligent agents challenge
> computer intruders
>
> http://www.eurekalert.org/releases/snl-chs051800.html
>
> This level of sophistication is like nothing I've ever heard of before,
> though certainly it's understandable that someone or some many would
> inevitably address the cyber-security issue more seriously than
> heretofore.
>
> Extropian wizards of digitalia check it out and let me know whether it
> has promise, or is just the usual overconfidence.
>
> Yours for safety and security in cyberia. spike 8^}.

This may be a good security program, but it is not apparent from the
article. The article claims that there is something new in this software,
but it doesn't describe what it is. Everything described in the article is
old hat to security experts. Some of the comments indicate that the author
of the article thought things were new and unique that are actually
commonplace in the security industry. I would need more information before I
could consider this to be anything more than hype over existing technology.

The ability to block "live" programs like the I-Love-You virus is trivially
easy. This means blocking V-Basic attachments, Active-X, Java, Javascript,
or anything else that tries to download and run on your PC. Most
organizations don't do this because they like all the special effects that
these live programs can produce over the web. The fact that this is the
headline claim for this product announcement shows a lack of technical
understanding in the area of security. (The I-Love-You virus was really a
Microsoft-specific backdoor that did not affect any non-Microsoft operating
system or any non-Microsoft product.)

The concept of detecting port scans and patterns has been around for years.
Any basic Intrusion Detection System does this.

The concept of integrating security into each common service, such as ftp or
http, has been around for years. Any basic set of "wrappers" does this for
various services.

The article says it replaces agents periodically to make sure they have not
been compromised. This sounds like it doesn't know if it has been
compromised or not. Most Intrusion Detection Systems try to detect the
intrusion beforehand. Most systems also have mechanisms (like matrix
checksums and encryption) to mathematically prove that software is
unchanged. There is no need to keep updating it if it hasn't changed. This
system apparently can't detect whether software has been changed or not. (A
better method is to publish read-only media, such as CD-ROMS, to really
prove that it hasn't been changed.)

The article also says it can choose alternate communications and tighten
firewalls. If the alternate communications are available and more secure,
why aren't they used in the first place? If they are not more secure, why
switch to them? If the firewall could be tightened without compromising
service, why not do it first? The usual answer to these questions is that
services are disrupted or degraded in such a way that these actions are
actually undesirable and won't be taken until absolutely necessary.

The comment was made that existing systems scan for known attacks like virus
scanners. This sounds like the software authors are unaware of the
heuristics in most Intrusion Detection Systems, Firewalls and even common PC
virus scanners that detect new suspicious activity. This is not a new
concept.

The comment was made that humans aren't fast enough to protect against
hackers, and that this new software would do it. I know of no security
systems that use humans in preference to automation. Most systems fail over
to humans only after the system fails. This implies that the software will
finally solve a historical problem that never really existed.

The comment was made that no central authority operates the agent. This is
either a misstatement or else there is no way to configure security without
getting into every service on every server at every site individually.
Centralized authority is good for security.

Also note that the software is not slated for release for another three
years. It will take three years to train it for home use. If it is so good
at dynamically detecting and adapting to real-time hacker attacks, how can
it take three years to train for home use?

That's an eternity in Internet time. The whole Internet might migrate to
IPv6 or the Internet II backbone by then. I'm not sure how any new software
"trained" today could be useful in 2003, especially in the area of security.

--
Harvey Newstrom <http://HarveyNewstrom.com>
IBM Certified Senior Security Consultant,  Legal Hacker, Engineer, Research
Scientist, Author.
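The reply above says that detecting port scans is what "any basic Intrusion Detection System does." The following is an added example, written for this archive page and not part of Harvey Newstrom's post or of the product described in the article, showing the core of that detection: a sliding-window count of distinct destination ports one source has been denied on at one host. The log format and every address and port in it are constructed for the demonstration; the threshold and window are assumed tuning values.

```python
"""Sliding-window port-scan detector over firewall deny logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real device): one source probing
# several ports in a few seconds, and one ordinary client with two stray denies.
SAMPLE_LOG = """\
2000-05-20T00:32:01 DENY src=10.0.0.5 dst=192.168.1.10 dport=21
2000-05-20T00:32:02 DENY src=10.0.0.5 dst=192.168.1.10 dport=22
2000-05-20T00:32:02 DENY src=10.0.0.5 dst=192.168.1.10 dport=23
2000-05-20T00:32:03 DENY src=10.0.0.5 dst=192.168.1.10 dport=25
2000-05-20T00:32:03 DENY src=10.0.0.5 dst=192.168.1.10 dport=80
2000-05-20T00:32:04 DENY src=10.0.0.5 dst=192.168.1.10 dport=110
2000-05-20T00:32:05 ALLOW src=10.0.0.7 dst=192.168.1.10 dport=80
2000-05-20T00:32:06 DENY src=10.0.0.7 dst=192.168.1.10 dport=443
2000-05-20T00:45:00 DENY src=10.0.0.7 dst=192.168.1.10 dport=22
"""

# Assumed (constructed) log line format: "<iso-timestamp> <ALLOW|DENY> src= dst= dport="
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)$"
)


def parse_line(line):
    """Parse one log line into (time, action, src, dst, port); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["action"], m["src"], m["dst"], int(m["port"]))


def detect_port_scans(log_text, threshold=5, window_seconds=60):
    """Return {(src, dst): first_alert_time} for every source that was denied on at
    least `threshold` distinct ports of one host within `window_seconds`.

    Only DENY events count: a client that legitimately talks to many open ports
    should not look like a scanner, and the sliding window keeps a slow trickle
    of unrelated denies (as from 10.0.0.7 above) from ever reaching the threshold.
    """
    recent = defaultdict(deque)  # (src, dst) -> deque of (time, port), oldest first
    alerts = {}
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    for ts, action, src, dst, port in sorted(events, key=lambda e: e[0]):
        if action != "DENY":
            continue
        key = (src, dst)
        q = recent[key]
        q.append((ts, port))
        cutoff = ts - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:  # drop events that fell out of the window
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) >= threshold and key not in alerts:
            alerts[key] = ts  # record the moment the threshold was first crossed
    return alerts


if __name__ == "__main__":
    for (src, dst), when in detect_port_scans(SAMPLE_LOG).items():
        print(f"{when.isoformat()} possible port scan from {src} against {dst}")
```

Run against the constructed log, the detector flags 10.0.0.5 at the moment it reaches its fifth distinct denied port (00:32:03) and never flags 10.0.0.7, whose two denies are thirteen minutes apart. Real deployments add the reverse case (one source, many hosts, one port) and tune the threshold per network, but the window-and-distinct-count idea is the same.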


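The reply also argues that checksums let a system "mathematically prove that software is unchanged" instead of blindly replacing agents on a schedule. Here is an added example of that idea, not from the post or from any product it discusses: a keyed integrity baseline of a directory tree, and a verification pass that reports modified, missing and added files. Using an HMAC rather than a bare hash is an added design choice (with the key kept off the monitored host, an intruder who alters a file cannot also recompute a matching baseline); the file names, contents and key are all constructed for the demonstration.

```python
"""Keyed file-integrity baseline and verification (added example)."""
import hashlib
import hmac
import os
import tempfile


def _file_digest(path, key):
    """HMAC-SHA256 over a file's contents, streamed so large binaries are not read at once."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root, key):
    """Map every file under `root` (path relative to root, '/'-separated) to its keyed digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = _file_digest(full, key)
    return baseline


def verify_baseline(root, baseline, key):
    """Recompute digests and classify each difference from the stored baseline."""
    current = build_baseline(root, key)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline three files, then alter the tree and re-check.

    Returns (clean_report, tampered_report) so the outcome can be inspected.
    """
    key = b"constructed-demo-key"  # in practice: generated, stored off-host
    files = {"bin/ftpd": b"ftpd v1", "bin/httpd": b"httpd v1", "etc/conf": b"x=1"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            path = os.path.join(root, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        baseline = build_baseline(root, key)
        clean = verify_baseline(root, baseline, key)

        # Simulated tampering: one binary altered, the config removed, a new file dropped in.
        with open(os.path.join(root, "bin/ftpd"), "wb") as f:
            f.write(b"ftpd v1 (altered)")
        os.remove(os.path.join(root, "etc/conf"))
        with open(os.path.join(root, "bin/unexpected"), "wb") as f:
            f.write(b"not in baseline")
        tampered = verify_baseline(root, baseline, key)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean tree:", clean)
    print("after tampering:", tampered)
```

The first verification reports nothing; the second names exactly the altered, removed and new files. This is the check the reply has in mind: an agent (or any binary) whose digest still matches its baseline does not need replacing, and one whose digest changed is the thing worth investigating. Keeping the baseline and key on read-only or off-host media serves the same purpose as the CD-ROM suggestion in the post.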
