Month: July 2012

Zero Day

Zero Day (or 0-day) is a term in computer security denoting a vulnerability in software that is being exploited “in the wild” before the authors of the software (vendors) and the rest of the computer security community are aware that there is one. Hence there are zero days to prepare for it. Zero Day is also a novel by Mark Russinovich published last year that revolves around that concept. In the novel, a group of Arab terrorists purchase a stealthy rootkit from a Russian hacker, combine it with various “off-the-shelf” virus components and succeed in infecting a large number of important computers in the West with the intention of crashing the internet and the computers that we now rely on so heavily. On the other side, battling the virus, are a former CIA computer analyst turned freelance computer security consultant and the head of US-CERT, the US government Computer Emergency Readiness Team. The novel starts with a computer malfunction on a Boeing 787 flight that nearly results in a crash and is followed by a number of similar faults on assembly lines and at a nuclear power plant. I will not go further into the plot, as my intention is only to comment on the feasibility of a virus bringing down the net. Get the book, it’s a nice read (preferably on the beach, not on the plane, as I did).

Mark Russinovich is well-known and respected for his work on the Sysinternals tools. These have been a must for anyone even mildly interested in Windows administration since the late 1990s. Microsoft bought Russinovich’s company and Sysinternals is now being developed under Microsoft’s umbrella. Definitely a wise move on the part of Microsoft. Russinovich’s background assured me from the start that this was not going to be just another “facepalm” hacker novel where you have to be very lenient and swallow pretty far-fetched technical simplifications. No way – Russinovich makes sure that every technical detail is correct, even to the point where I thought that a couple of explanations in the story were maybe too hard to understand if you were not knowledgeable in the field.

That being said, some things did strike me as unusual or odd. I’ll start with the one most familiar to me: CERT cooperation. Fighting a virus like that would get a big part of the CERT community world-wide heavily engaged. There are several forums where CERTs meet, both virtually and in person, and operational issues with new malware are routinely discussed there. Add a number of freelance and corporate computer security researchers to that and you get a mix that usually produces results in a matter of days. The recent cases of Stuxnet, Duqu and Flame are examples of that. Having two lone analysts fight the malware while US-CERT is not able to bring vendors and anti-virus companies on board is pretty strange.

The book describes several special cases which are of course used for dramatic effect: an assembly line where robots go crazy and kill the supervisor, an airplane system causing a near crash, medical equipment killing people by overdosing medication, a nuclear power plant getting close to core meltdown and a gigantic oil tanker smashing into the port. I think that in practice it would take a long time to design such viruses and every case would require a different virus altogether. One supervirus probably would not make sense. Is Boeing using a plain Windows system in the cockpit which can be subverted easily without a deep knowledge of how everything is “wired” together?

The virus (or viruses) in the book all seem to target one operating system: Windows. There is no mention (as far as I remember) of the malware being multi-platform. So when Jeff and Sue discussed whether the company backups were infected or not, I kept thinking: “Why don’t you inspect the backups on a different OS? Linux? Or Solaris, if you’re really afraid it will spread there too?”

And then the most important point: the internet is not (Windows) servers. The backbone consists of routers running specialised operating systems and exchanging routing information, a really big hierarchical DNS system and various services layered on top of that. All of these also have vulnerabilities that are exploited every now and then, but bringing them down with one blow would be really hard. And to keep banging my drum: there are emergency response teams in place, ready to kick in if such a thing happens. Expecting that such an attack would destroy the whole of western civilization is a bit of a stretch even for a terrorist blinded by faith.

Undoubtedly Russinovich made several decisions to simplify the tech in the book to make it digestible for non-geeks. And even after all that I said above, he does point out a serious problem. Not only have we become very reliant on computers and the network, we are deploying vulnerable consumer-grade systems to run critical systems. The military used to develop its own operating systems. Airplane and rocket control systems were developed using specialized programming environments designed to lower the risk of undefined behaviour in a program. Industrial control systems were not put on-line at all. This is all changing. The reason? It’s cheaper to use Windows/Linux and C++. Until it all goes horribly wrong, that is. And if you’re close by when that happens, you’ll bear some of the externalized cost.

I hope they make a decent movie out of Zero Day.