features and capabilities of the infor-mation security models or the funda-mental building blocks used to createthem. (A good example of this is“When Hashes Collide,” the first in-stallment of the magazine’s newestdepartment, Crypto Corner.1

Yet, we rarely read about securitytechnology’s strengths and weak-nesses in the specific hardware andsoftware products used in real-worldenvironments. Isn’t it curious that al-most no published security productreview or comparison explicitly as-sesses or provides any more than su-perficial details about products’security? How could this be—especially considering that so manycurrent technologies are deeplyrooted in cryptography, a field thatderives its evolution from an iterativeattack-and-defend, prove-and-refuteprocess and whose practitioners ac-cept and embrace the idea of break-ing and reinventing the very systems,algorithms, and tools that result fromlong hours of hard work?

We can assume that cryptogra-phers apply logic that’s not only fun-damental to modern scientificdevelopment but that’s also beenused for decades or, arguably, cen-turies. If that’s true, we could justify

the lack of scientific rigor in securityproducts by noting the informationsecurity industry’s immaturity or byincluding in the analysis other vari-ables that drive its evolution. Forsuch an analysis, we should at leastconsider the economic, cultural, po-litical, and ideological backgrounds,as well as goals and motivations, of

the organizations and individualsthat shape the information securitymicrocosm.

Bearing in mind that humansdrive the discipline’s evolution, andadding the weight of the author’sown subjectivity to the analysis,you’ll find this Attack Trends install-ment looks at the security vendorspace—of which I am part—insearch of new vulnerability types andattack trends.

Software security and security software I’ve been told repeatedly since I wasa boy that money doesn’t grow ontrees; although this idea originallyseemed absurd and alien, I eventu-

IVAN ARCE

Core SecurityTechnologiesA

quick review of the articles in IEEE Security &

Privacy since its launch in January 2003 reveals a

wide range of software security topics. Several

articles and departments delved deep into secu-

rity technologies and software examining the security-oriented

The Land of the BlindAnd a thousand thousand slimy things lived on; and so did I.

— Samuel Taylor Coleridge, The Rime of the Ancient Mariner

PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/05/$20.00 © 2005 IEEE ■ IEEE SECURITY & PRIVACY 63

We are in a tunnel. It’s been rather dark, and will stay that way for quite a while.— Hugh Hefner

Attack TrendsEditors: Elias Levy, aleph1@securityfocus.com

Iván Arce, ivan.arce@coresecurity.com

64 IEEE SECURITY & PRIVACY ■ JULY/AUGUST 2005

ally came to grips with the realitiesof the modern economy and thevalue of currency—often in hardways. A similarly outrageous theory

would indicate that new vulnera-bilities and attack trends don’t growon trees either; instead, they’re theoutcome of an evolving field drivenby scientists, technologists, businesspeople, and various other forms ofintelligent (yet error-prone) hu-mans with individual and collectivemotivations.

We can assess the status of theinformation security discipline byidentifying, quantifying, and ana-lyzing such relevant events as vul-nerability discovery and disclosure,security incident reports, researchand development advances in secu-rity technology, security serviceand product deployment, and therelevant regulatory and legal eventsthat affect the field. Substantialvariation in the quantity or qualityof these monitored events over aperiod of time indicates a newtrend. A notable qualitative excep-tion to the overall set of monitoredevents can signal a new type ofevent.

We can efficiently process thesecold, hard facts with a well-definedmethodology, but the trend analysis isheavily influenced by a single vari-able: humans. The people who col-lect and process the information anddraw conclusions throughout thatprocess often include their environ-ments, cultural backgrounds, exp-eriences, motivations, preferences,goals, and values. To paraphrase the20th century Spanish philosopherJosé Ortega y Gasset, “we are we, plusour circumstances.” Therefore, ob-

servers might find it difficult to iden-tify trends or new vulnerabilities inthe information security microcosmif they’re part of those phenomena:

observations and analysis are neces-sarily tinted with human subjectivity.

To avoid further epistemologicaldiatribes, let’s look at some interest-ing events observed in the informa-tion security vendor space thatexemplify the mechanics of an on-going search for new vulnerabilitiesand attack trends.

HookThe outbreak of the Witty wormand the subsequent analysis of its dis-tinguishing characteristics is a goodexample of a closely observed secu-rity event that indicates an excep-tional and qualitatively unique datapoint among the set of monitoredsecurity variables.

The Witty worm began spread-ing on 19 March 2004 at 8:45 p.m.and reached its propagation peak of12,000 infected hosts within 75minutes. Researchers Colleen Shan-non and David Moore at the Coop-erative Association for Internet DataAnalysis (CAIDA) provided an in-depth account and analysis ofWitty’s spread (www.caida.org/analysis/security/witty/) and out-lined some of its unique features:

• Witty exploited a vulnerability in awidely deployed information se-curity software product from awell-established and known secu-rity vendor.

• Witty started to propagate from atotal number of compromisedhosts that was an order of magni-tude (around 100 hosts) greater

than previous worms. This led an-alysts to conclude that Witty wasdeployed on those hosts prior tothe start of its propagation.

• The worm began propagatingwithin 48 hours of public disclo-sure of the vulnerability it ex-ploited. To date, this representsthe shortest interval between avulnerability’s public disclosureand its widespread automatedexploitation.

Several other interesting characteris-tics of Witty are present in Shannonand Moore’s report, but this list satis-fies our selection criteria for a quali-tative exception to our set of securityevents. Is this a new type of attack? Isit a new trend?

In the June 2004 issue of theUsenix magazine ;login:, NicholasWeaver and Dan Ellis provide theirhypothesis of the worm author’sgoals and motives based on theiranalysis of the worm’s code and themonitored events during its propa-gation (www.usenix.org/publications/login/200406/pdfs/weaver.pdf ). They characterize the worm asa dangerous new trend that com-bines both skill and malice on thepart of the attacker.

In a more recently publishedpaper (www.icir.org/vern/papers/witty-draft.pdf ), Abishek Kumar,Vern Paxson, and Nicholas Weavercombine a time-spatial correlation ofmonitored Witty worm events witha meticulous dissection of the code toreveal a seemingly extraordinarynumber of findings about the wormand the mechanics of its propagation.One of them is that a specific hostamong the entire IP address space(232 unique addresses) could be iden-tified as the worm’s initial spreadingpoint (patient zero). By analyzing thedisassembled code of the worm’s bi-nary, identifying design and imple-mentation flaws in the use of apseudorandom number generatorfor its target selection, and matchingthe expected behavior of the code tothe events observed during worm

Attack Trends

Observers might find it difficult to identify

trends or new vulnerabilities in the information

security microcosm if they’re part of those

phenomena.

Attack Trends

propagation, the authors singled outa specific IP address that couldn’tpossibly belong to the set of IP ad-dresses generated by the worm’s codebut nonetheless appeared to bespreading the worm with a trafficpattern distinctly different from thetraffic behavior observed during theincident.

Beyond the great technical de-tails and plausible motives attributedto the Witty worm attacker in theseresearch papers, another interestingmeta-analysis is worth noting: Thecharacterization of the attacker’stechniques, practices, and skills isquite similar to those of the re-searchers’ own. The worm’s authorseems to have learned from previousworm incidents and refined his orher skills. The author followed asomewhat sophisticated develop-ment process, tried to avoid designand implementation problems, andused (possibly independently dis-covered) information about an ex-ploitable vulnerability in a thirdparty’s security software package.

In turn, the researchers, armedwith their own arsenal of skills, ap-plied the same techniques and prac-tices—analyzing a third party’ssoftware package (the worm’s code),identifying an “exploitable” flaw inthe program’s code, and using it tofulfill their stated goal (enhancingour understanding of the securityevent, expanding our informationsecurity knowledgebase, and im-proving the chances of achieving amore robust security posture).

In this context, the extraordi-nary characteristics of the Wittyworm outbreak and its analysis,along with the qualitative differ-ences that singled it out amongmyriad monitored security events,are the natural but hardly surprisingoutcome of an evolving disciplinein which all participants—thegood, the bad, and the ugly—havedemonstrated growth in practice.

LineAn eagle’s eye view of certain moni-

tored information security eventswithin a certain time period canprovide the raw material to extrapo-late trends. Technology industry an-alyst firm, Yankee Group, recentlypresented such a report to the public(www.yankeegroup.com/public/products/decision_note.jsp?ID=13157). The report presents statisti-cal data about the vulnerabilities dis-closed to the public since 2001. Thereport then compared the resultingfigures to the number of disclosedvulnerabilities in Microsoft’s prod-ucts during the same time period.By correlating this data, the reportidentifies a relative increase in dis-closed vulnerabilities in securityvendor products over the past yearand the first quarter of 2005, thusextrapolating a new attack trend: anapparent shift in vulnerability re-search activity toward finding bugsin security vendor products.

The report also states that thirdparties, usually researchers affili-ated with other security vendors orindependent discoverers, foundmost of the disclosed flaws in secu-rity vendor products. Presumably,these attributions come from thefinder “credits” section in the ven-dor’s security advisories and patchnotifications. This data helps ex-plain the proposed trend as a resultof two key factors:

• The depletion of easily identifiablevulnerabilities in Microsoft prod-ucts due to the company’s ongoingsecurity push and the deploymentof Windows XP Service Pack 2(XP SP2). The easily identifiable

vulnerabilities (the low-hangingfruit) remain present in widely de-ployed security products.

• The prevalence of individual and

organizational self-interest as aguiding principle for vulnerabilityresearch. According to this pre-mise, security researchers areeager to find vulnerabilities in se-curity products due to an “adoles-cent enthusiasm” to one-up theirpeers. Similarly, security vendororganizations are economicallymotivated to find bugs from com-peting organizations, whichwould provide competitive ad-vantages and enable them to ob-tain increased market share at theexpense of vulnerable vendors.

Despite the possible inaccuracies, fal-lacies, and logical pitfalls of this sim-plified analysis, and in the absence ofmethodological details to supportthe research results, the final conclu-sions and recommendations seem alot more reasonable and well withinthe realm of common sense. Simplyput, vendors should adopt informa-tion security best practices in theirproduct development life cycle.

Security vendors are prone toerrors, yet their products are widelydeployed by security-conscious or-ganizations. In the presence ofbugs, the strength of the increas-ingly ubiquitous nature of infor-mation security technology couldbecome a serious weakness in or-ganizations’ security postures—areality that won’t go unnoticed bytoday’s security researchers andpractitioners, whatever their goalsand intentions. Accordingly, orga-nizations deploying security prod-ucts should exercise caution,require due diligence from their se-

curity providers, and mitigate riskby diversifying and mixing thesources of the security technolo-gies they deploy.

www.computer.org/security/ ■ IEEE SECURITY & PRIVACY 65

Security vendors are prone to errors, yet their

products are widely deployed by security-

conscious organizations.

Attack Trends

And sinker?So far, I’ve presented two interrelatedyet distinct information security

events that we can use to extrapolatean emerging attack trend:

• The Witty worm’s appearanceand its subsequent study signals asingular, qualitative exception toall previous intelligence on mal-ware dissemination (it’s beenviewed from multiple angles,such as the attacker’s sophistica-tion, payload semantics, elapsedtime from disclosure to massiveexploitation, and propagationtechniques).

• A cross-section of vulnerabilitiesdisclosed in the past few years haselicited a new real or perceivedtrend of targeting security prod-ucts for attack.

Does the combination of these twoevents provide sufficient evidence tosingle out a new attack trend? Or isthe perceived new trend the naturalconsequence of an ongoing processin the information security disci-pline that can be reasonably ex-plained with additional informationfrom a wider time span?

To delve a little deeper, let’s ex-amine a few more security eventsthat seem similarly relevant. Al-though their statistical value is negli-gible, their qualitative characteristicscould prove them to be more thanjust anecdotal evidence.

The revenge of the nerdsThe discovery and disclosure of vul-nerabilities in security vendor prod-ucts isn’t a new practice. In 1998,Thomas Ptacek and Timothy New-sham discovered and disclosed fun-damental design flaws in networkintrusion detection systems (“Inser-

tion, Evasion, and Denial of Service:Eluding Network Intrusion Detec-tion;” www.insecure.org/stf/secnet

_ids/secnet_ids.html). In 1996,Peiter “Mudge” Zatko, a researcherat BBN, reported similar flaws in Se-cureID, the industry-leading token-based secure authentication productfrom Security Dynamics (www.tux.org/pub/security/secnet/papers/secureid.pdf). Adam Shostack, an-other security researcher and entre-preneur, exposed these flaws furtherat the 1996 Network Threats work-shop at the Center for DiscreteMathematics and Theoretical Com-puter Science (DIMACS; http://dimacs.rutgers.edu/Workshops/Threats/Shostack.ps).

Simpler software implementa-tion bugs in security vendor prod-ucts aren’t news either, as Ptacek andhis fellow researchers demonstratedin 1998 (http://cert.uni-stuttgart.de/archive/bugtraq/1999/02/msg00315.html). Thanks to ThomasLopatic, Dug Song, and John Mac-Donald’s presentation at the LasVegas Black Hats Briefings Confer-ence in 2000, firewall vendorsquickly discovered that security vul-nerabilities weren’t necessarilyprevalent in single segments of thesecurity vendor space (http://blackhat.com/presentations/bh-usa-00/Song-McDonald-Lopatic/Song_McDonald_lopatic.ppt). The vul-nerabilities they found in one fire-wall’s stateful packet inspectiontechnology later proved to also applyto other security vendors (www.se-curityfocus.com/bid/979).

The SSH historyThe secure shell (SSH) program wasoriginally conceived as a replace-ment for a client-server applicationused to login remotely to Unix sys-tems. The standard Unix programs

used for this purpose, rlogin andtelnet, transmitted user authenti-cation credentials and all session datain the clear over the network. An at-tacker with access to the networkpath between the client and servercould capture and reuse the authen-tication credential to obtain unau-thorized access to the remotesystems or to eavesdrop on the ses-sion data and compromise the com-munication’s privacy.

SSH provided encrypted net-work communications and crypto-graphically strong authenticationmechanisms to replace insecureUnix programs and quickly becamethe de facto standard for secure re-mote login among system adminis-trators and security-conscious users.It’s debatable if SSH is a security ap-plication or simply an administrativeapplication with the necessary secu-rity technology built-in, but bothsoftware and security vendorsrapidly adopted it. Even giant soft-ware and networking vendors suchas Sun Microsystems and Ciscoadopted SSH as a default administra-tive interface.

Finnish developer Tatu Ylonen,founder of SSH CommunicationsSecurity, made the first SSH imple-mentation available for free in 1995(www.ssh.com/company/newsroom/article/650/). Security ven-dor firm F-Secure (known then asData Fellows) also sold the applica-tion as a commercial packagethrough a partnership with SSHCommunications. In 1999,OpenSSH—a new implementationof the program based on the originalssh version 1.21 release—appearedas an open-source project sponsoredby developers from the OpenBSDoperating system project (www.openssh.org/history.html).

In 1998, Ariel Futoransky andEmiliano Kargieman, security re-searchers and cofounders of CoreSecurity Technologies (a securityvendor firm), discovered a seriousdesign flaw known as the “CRC in-sertion attack” (www.coresecurity.

66 IEEE SECURITY & PRIVACY ■ JULY/AUGUST 2005

The discovery and disclosure of vulnerabilities

in security vendor products isn’t a new practice.

Attack Trends

com/files/files/11/CRC32.pdf) inthe SSH protocol and notified TatuYlonen, the program’s lead devel-oper at SSH Communications(www.coresecurity.com/common/showdoc.php? idx=131&idxseccion=10). Fortunately, Futoran-sky and Kargieman also produced apatch to prevent exploitation of theflaw and submitted it to Ylonen.The patch became part of the SSHpackage and continued to be used asan SSH version 1 protocol fix by allvendors in almost all existing sshimplementations. Two years later inFebruary 2001, the Polish securityexpert Michal Zalewski identifiedan exploitable integer-overflowvulnerability in Futoransky andKargieman’s original ssh patch(www.bindview.com/Services/RAZOR/Advisories/2001/adv_ssh1crc.cfm). Shortly afterwards, a patchto Futoransky and Kargieman’spatch was produced and included inthe SSH distribution to prevent ex-ploitation of the newly discoveredbug.

Almost seven months later,David Dittrich, senior security engi-neer at the University of Washing-ton, discovered an exploit (SSH x2,attributed to the TESO hackergroup) being used in the wild tocompromise systems running vul-nerable SSH implementations(http://staff .washington.edu/dittrich/misc/ssh-analysis.txt). Theinclusion of the exploit as a compo-nent of an automated compromisetool (a mass-rooter) seems to be acase of automated widespread ex-ploitation of a bug in security ven-dor code that predates the Wittyworm’s spread.

Scientists, technologists,and businesspeopleThe SSH story and other assortedanecdotes help describe the infor-mation security discipline’s develop-ment over the past 10 years, but theindividuals and organizations who

contributed to this evolution actedin varied roles and adhered to multi-ple guiding principles, as most hu-mans do. As scientists, technologists,and businesspeople, they’ve strivedto fulfill their goals using their skills,values, and inspiration. They mostlikely faced many technological, sci-entific, and business pitfalls, hope-fully learning from their ownmistakes and various historicallessons along the way. But even ifthey did, the results of their collec-tive effort are certainly far from per-fect, and it’s increasingly evident totechnology users.

Within the same basic 10-yeartime interval, the information secu-rity industry has exploded at a franticpace. Through mergers, acquisi-tions, spin-offs, and the cyclic emer-gence and disappearance of tenths orhundredths of information securitystart-up companies, close to 700 se-curity vendors have had and stillstruggle to get a grip on a movingtarget estimated to be worth US$16billion by 2008 according to Mor-gan Stanley Research analysts PeterKuper and Brian Essex.2

To complicate matters further,the importance of addressing in-formation security problems in atimely and effective manner is anincreasingly primary concern formany organizations. The adop-tion of information security tech-nologies and the deployment ofsecurity vendor products havealso increased significantly, thanksto several disastrous incidents, agrowing general concern for se-curity, and a complementing setof compliance requirements andregulations.

Perhaps the Witty worm inci-dent and the statistical analysis ofthe disclosure of security vendorvulnerabilities in the past threeyears are just symptoms of the exist-ing phenomena of an industry’srapid growth with foundations in adiscipline that is still far from matu-rity, rather than the hint of anemerging attack trend.

A ccording to Greek mythology,the Cyclopes were strong,

powerful, one-eyed beings whobuilt well-crafted weapons and in-dulged in other blacksmith arts.After their brother Kronos impris-oned them, they invented the thun-derbolt for Zeus so that he couldoverthrow Kronos and rule heavenand earth. In exchange, the Cy-clopes were freed. Their storyended sadly, though: Apollo killedthem after learning that Zeus hadused a Cyclopes-forged thunderboltto kill his son. Greek mythology isquite allegorical, seriously convo-luted, and certainly off-topic for adepartment in IEEE Security & Pri-vacy magazine, except for that dis-tinguishing Cyclopes characteristic:one eye.

As information security practi-tioners, we like to think we’ve beenimprisoned for years in a dark landpopulated with seemingly blindpeople. By using just one eye, we’vemanaged to build ingenious de-vices, but now we’ve found our wayinto the open, and this vast newland requires us to use both eyes,right now. If we are to avoid a tragicending, we (as well as our disciplineand industry) must step up and ma-ture very rapidly.

References1. P. Gutmann, D. Naccache, and

C.C. Palmer, “When Hashes Col-lide,” IEEE Security & Privacy, vol.3, no. 3, 2005, pp. 68–71.

2. P. Kuper and B. Essex, Data—TheNext Perimeter of Defense, MorganStanley Research, Jan. 2005;http://investext.com.

Iván Arce is chief technology officer andcofounder of Core Security Technolo-gies, an information security companybased in Boston. Previously, he workedas vice president of research and devel-opment for a computer telephony inte-gration company and as informationsecurity consultant and software devel-oper for various government agenciesand financial and telecommunicationscompanies. Contact him at ivan.arce@coresecurity.com.

www.computer.org/security/ ■ IEEE SECURITY & PRIVACY 67