Internet Security: an Interview with David Durham
Security concerns are pervasive and affect every aspect of computing. Internet security is a critical issue as threats have evolved from the level of "stupid programmer tricks" to sophisticated malware and even international cyber-warfare. The recent creation, by the U.S. Government, of an Office of Cyber Security, underscores the importance of security, and especially Web security.
A sampling of recent InfoQ content in this area includes news (Ruby Security, .Net authentication); presentations (George Reese); interviews (Josh Holmes); and articles (The Dark Cloud, Encrypting the Internet, and Stealth Malware).
Intel has been very active in sharing its security expertise with InfoQ readers through several articles on various aspects of security, and this offered us the opportunity to interview David Durham, the manager of Intel's Security and Cryptography Research group.
InfoQ - The Intel Technology Journal (Volume 13, Issue 2) investigates Internet threats and ways to thwart them. In a nutshell, are the "bad guys" winning? This question has two subparts: Are the malware creators more innovative and inventive, such that security efforts are always playing catch-up? And, are we engaged in a costly “arms race,” one that imposes enormous costs for defense, costs that might end up bankrupting (yet again) our economy?
An analogy can be seen in biological systems. The biological viruses aren't necessarily winning, but they remain a chronic problem because we have not been able to eliminate them. Drug companies and our own antibodies are in a constant arms race with relatively simple organisms. It doesn't take much intelligence or innovation to cause harm; random evolution is sufficient. However, it does require a great deal of intelligence and innovation to prevent and repair the harm these organisms can inflict.
InfoQ - In an Intel Technology Journal (ITJ) article on detecting malware, a significant change in motivation for malicious hackers is noted: making money. To what degree has the monetization of malware increased the level of risk for all of us?
Money has taken hacking out of the domain of fun and fame and moved it to an activity that demands serious attention and effort. The hackers' goals have changed from getting attention to hiding, amassing compute resources, and stealing information. Spam email is an excellent example. It hasn't gone away, and it still accounts for a vast amount of traffic on the Internet. Spam is a great advertising medium for scams and products that don't have to answer to any form of customer protection or review. The best way to send all of that spam is not to use one computer to send a million emails--such activity could easily be detected as unusual and stopped--but rather to compromise millions of computers around the world and send just one message from each of them--an activity that would look entirely normal.
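As an added example (not part of the interview), the detection asymmetry Durham describes: a per-host volume threshold catches one machine sending a million messages but misses many compromised machines each sending one, which only a population-level signal such as the share of hosts that never sent mail before reveals. The outbound-SMTP log entries below are constructed.

```python
from collections import Counter

# Constructed outbound-SMTP activity log: (day, source_host, messages_sent).
# Day 1 is the baseline; day 2 contains the two sending patterns from the interview.
LOG = [
    *[("day1", f"pc{i}", 1) for i in range(200)],       # normal: one message per host per day
    ("day2", "pc0", 1_000_000),                          # pattern A: one host, a huge burst
    *[("day2", f"bot{i}", 1) for i in range(5000)],     # pattern B: one message each from
                                                         # many hosts that never sent mail before
    *[("day2", f"pc{i}", 1) for i in range(1, 200)],    # the normal hosts carry on as usual
]


def per_host_threshold(log, day, limit=100):
    """Classic per-sender check: flag any host whose outbound count on `day` exceeds `limit`.

    Catches pattern A, but every pattern-B host stays far below the limit.
    """
    counts = Counter()
    for d, host, n in log:
        if d == day:
            counts[host] += n
    return sorted(host for host, n in counts.items() if n > limit)


def new_sender_fraction(log, day, baseline_day):
    """Population-level check: what share of today's senders had no mail activity on
    `baseline_day`? A sudden jump exposes pattern B even though each host sends only once.

    Returns (fraction_of_new_senders, sorted list of the new hosts).
    """
    baseline = {host for d, host, _ in log if d == baseline_day}
    today = {host for d, host, _ in log if d == day}
    new = today - baseline
    return (len(new) / len(today) if today else 0.0), sorted(new)


if __name__ == "__main__":
    print("per-host threshold flags:", per_host_threshold(LOG, "day2"))
    frac, new_hosts = new_sender_fraction(LOG, "day2", "day1")
    print(f"new-sender fraction on day2: {frac:.2%} ({len(new_hosts)} hosts)")
```

Real deployments would use a rolling baseline and an alert threshold on the fraction; the point here is only that the two detectors see different halves of the problem.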
InfoQ - A quick scan of the Intel Technology Journal security issue (13:2, 2009) suggests the need for a very deep technical and mathematical background just to read and understand some of the articles. Do most enterprises, all ISP vendors, hosting services, and cloud services (plus everyone else that might be involved) have people on staff capable of understanding and using the insights and technologies provided by Intel and your peers?
The articles on cryptography do contain a great deal of mathematical depth. The topic makes that unavoidable. However, we all use this technology every day, whenever we bank online, shop online, or connect to work over the Internet. The takeaway message is that Intel's researchers are working on ways to make the underlying algorithms run faster and work better, so more of our online activities can be secured to protect our identity, our personal information, and our online transactions.
InfoQ - If the world adopted the secure HTTP technology described in "HTTPS Everywhere! Encrypting the Internet," how much safer would we all be? Is it possible to quantify, even in dollar terms, what we would gain by universal HTTPS?
It is very difficult to put a dollar figure on safety, but HTTPS everywhere would help reduce phishing attacks, identity theft, eavesdropping, and other security breaches. Basically, every website can be strongly authenticated, and the information exchanged with that authenticated website can be kept private. Today HTTPS is widely used for online banking and online purchases. With virtually every web browser HTTPS-ready today, why aren’t we searching, emailing, and browsing in general given the same protections? Cost, performance, and complexity are the main reasons, and this is what we aim to address.
InfoQ - A question regarding the ITJ article on detecting malware using cloud-based technology to scale up response and reduce costs associated with malware detection: If companies that provide virus protection software established this kind of cloud-based anti-virus servers, would these companies eliminate the need for all PC users to install anti-virus software on their machines? Can a business model for this kind of solution be established?
Cloud-based scaling simply allows the anti-malware solutions to be the most up-to-date. Outbreaks can be quickly classified and fixes posted, keeping up with the rapid proliferation of new virus variants and their associated signatures. Users will still want local anti-virus software on their computers for those times when they are not online and to deal with legacy and known viruses.
InfoQ - Among the concerns I might have as a potential user of public cloud service providers is, of course, the security of the data I put into the cloud. I can encrypt the data and make it secure while it is idle, but if I am going to actually use that data with a cloud-based application, I must decrypt the data while it is being used and this opens a security hole. Do any of the techniques and technologies currently advanced by Intel provide a way to keep my data secure while it is in the cloud and being used within the cloud?
Aside from protecting the communication channel itself, as described before, even if user data is ultimately stored in the cloud, it can be stored and migrated while encrypted with only the owner having the key to unlock it. The Intel Technology Journal article about protecting critical applications on mobile platforms demonstrates how individual programs can be authenticated, protected, and safely seal their secrets to a particular platform using Intel(R) VT and Trusted Execution Technology (TXT). This kind of safety can be provided to applications even if their operating system is fundamentally compromised by malware. Such technologies are being developed to improve the safety of cloud-based computing.
InfoQ - A corollary question: IBM recently announced a way to manipulate (compute using) encrypted data while it is encrypted. From my limited understanding, this seems to be much more of a theoretical possibility than a pragmatic reality. What is your perspective?
Security mechanisms can be a double-edged sword. They can help solve one problem but may inadvertently create another. For example, end-to-end secure communications can be seen as a good thing because it keeps man-in-the-middle and eavesdropping attacks at bay. On the other hand, end-to-end secure communications may also mean that IT's network appliances looking for viruses and malware can't scan network traffic to do their job. Is the risk greater from potential eavesdropping or is the risk greater from an undetectable worm spreading out of control in an enterprise network? Techniques that allow encrypted data to be safely manipulated may allow multiple, sometimes contradictory goals to be achieved, for example, scanning encrypted payloads for virus signatures without having the capability to decrypt user-originated content.
InfoQ - How far are we from quantum computing solutions to some of the cryptographic issues raised in the Intel Technology Journal?
The Bell Paradox and other forms of quantum entanglements, while not capable of faster-than-light communications, do create interesting mechanisms for secure communications. Quantum entanglements mean that states observed in one correlated particle have consequences for the observed state of another correlated particle, making eavesdropping a physical impossibility. In the meantime, the mathematician's domain of cryptography based on difficult-to-compute mathematical problems continues to be the practical workhorse for security today. The industry will continue to evolve cryptographic algorithms as computational power improves over time and new attacks become known.
InfoQ - The descriptions of Botnets in the Dark Cloud article are particularly alarming. Intel scientists describe some strategies for dealing with this type of malware, but does any commercial vendor implement any of these? How would I, as a relatively naive end user, protect my desktop machine?
Currently these strategies are the domain of research and we are focused on what we must do next to stem the tide of attack. It is important to look at the techniques malware uses to infect, spread, and communicate so that we can understand if the solutions can utilize the same techniques to defeat malware. Meanwhile, defense-in-depth means that multiple strategies should be utilized at multiple levels in the system.
While the Dark Cloud article focuses on network-layer anomalies, there are also whitelisting solutions that scan memory and storage to assure that only verified programs and known correct configurations comprise a system, and existing signature-based methods will look for known malware instances as well. Good practices for end users today are to keep their software (OS and applications) always up to date, enable firewalls, and run legitimate anti-virus software.
InfoQ - Malware was once the province of silly, but malicious, boys-in-bedrooms. Monetization provides a motivation for adults and "evil small businesses" to play the game. Recent news with regard to North Korea's supposed cyber-attacks on the U.S. reminds us that even governments are motivated to produce malware. Is it possible to catalog and categorize all the potential threats? Perhaps rank them by degree of risk and of likelihood? Do we have any means to align our research appropriately with our understanding of those risks?
Categorizations of malware are usually driven by how it infects, how it spreads, or what it modifies to hide or persist. For example, one proposed method for classifying types of stealthy malware is categorizing rootkits as Types I-III, identifying the level of the software stack they invade and modify to hide.
Macro viruses modify macros in programmable or customizable applications, cavity viruses embed themselves in executable or system files, cross-site scripting attacks are spread across the cloud as scripts from multiple sites converge with content in a user's browser, buffer overflow attacks modify an executing program's behavior, and blended threats combine a multitude of these.
To understand risk and likelihood requires knowledge of the number of machines that are vulnerable to a particular active attack because they are unpatched, knowing where in the software stack a vulnerability exists, and knowing the number of malware variants targeting that vulnerability.
The hard part comes because of what we don't know. The adversary is adapting and always finding new methods of attack, so the list of categories itself is growing over time as well.
Thank you, David Durham, for your informative and interesting responses.
David Durham joined Intel in 1995 and is currently a principal engineer at Intel Labs. He has a passion for research into protecting computers from viruses and network-borne attacks. He manages the Security and Cryptography Research group responsible for developing new security capabilities for Intel's products. Since joining Intel, David developed policy-based network management standards, traffic engineering products and created security solutions for Intel® vPro™. He is the author of a book entitled “Inside the Internet's Resource Reservation Protocol: Foundations for Quality of Service” published by John Wiley and Sons Inc.; he is the editor of several Internet standards-track RFCs and represented Intel externally in various standards bodies at the working group chair level. David holds over two dozen issued patents and has B.S. and M.S. degrees in Computer Engineering from Rensselaer Polytechnic Institute. His e-mail is david.durham at intel.com.