Managing Network Security

The Millennium Article - Yet Again!

The Bots are Coming!!! The Bots are Coming!!!

by Fred Cohen



Series Introduction

Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


The Bots are Coming!!!

Like Chicken Little, many people think that the coming of the 'bots' is like the falling of the sky. Fear not. The bots are coming indeed, and it is a good thing, but not always so good for security.

Since this is the millennium article, I thought it would be a good time to look into the future and the past and to consider the big picture. In my view, the emerging 'bots' and the remainder of the automated intelligence function as it is developing represent the killer application of the Web that will transform society and information technology once again.

At the same time, the use and support of "bots" (automated information-based 'robots', some call some of them "intelligent agents", but I just call them programs) is already transforming the information landscape into one designed to allow programs designed by others to penetrate deeply into systems of all sorts and extract the data they are looking for. This function of search, 'data fusion', analysis, and presentation in usable form is at the heart of the intelligence function and at the heart of the use of information systems for enhancing human and non-human intelligence.


Non-human intelligence you say?

For me to say this, things need to be getting really significant. I often quote a friend of mine - Rob Armstrong - who says he has never seen a program with the intelligence of a piece of celery. And I agree with him. But both he and I will probably also agree that this is changing and that, in the distant future, some computer program somewhere will indeed achieve the intelligence level of a piece of celery, and that will really be something.

But it is not human-type intelligence that I expect from computers - nor is it human intelligence that I desire from computers. What I do desire from computers, and what I think I am likely to get from them sometime soon, is that they will get better and better at:

My goal, as you can see, is not so lofty as to make a computer that is able to replace human thought processes. Rather, I want to make a computer that can do things computers do well so that I don't have to do them at great time and expense in order to get at the real substance of what I want to use computers for - getting better understanding of the things that interest me. So the 'intelligence' I am talking about is the raw material I need to understand a subject, presented in a way that I can understand it and use it.


So what's the problem with that?

This is, of course, a wonderful opportunity... for me. And that's just what I want. I want to be able to do all of that, but I don't necessarily want you to be able to do all of that, especially with my data. And there lies the rub.

The rub is, of course, that for some reason, we are all pretty much stingy with our own data and rather less so with other people's data - especially when it comes to our getting it. It's even better when I can get it and nobody else can because, regardless of how good or bad it may actually be, it's mine and not yours, and that is good for me.

So just to reiterate, I want all of your data and the tools to do what I will with it, and I don't want you to get any of my data unless I publish it for your use - in which case I would like you to pay for it and not give it to anyone else, and by the way, I want all of this in an exclusive manner so that I have lots of market advantage over everyone else. Of course you can trust me, and it's not that I don't trust you, but rather that because you have trusted me with your data that I am not to provide to others, naturally, I cannot go letting just anyone get to your data, so my data is protected alongside yours as a sort of a side effect.


Are we all happy yet?

For some reason, I don't see a smile growing on your face. How could you possibly be unhappy with me and my bots getting all of your information so I can be better informed? Better still, I can then sell the combined information back to you with some analysis added in and you can benefit from my wisdom applied to your data! Could there be a better deal?

For some reason, this argument sells a lot of folks, and as a result, I have a rapidly growing intelligence business. It's a matter of trust - that I won't reveal your secrets - and a matter of economics - that you cannot do the job yourself as cost effectively as I can do it for you, and it is a job that needs to be done. So, if you want an intelligent analysis of all your data, send cash - lots of it - and trust me.

But there is one thing you might want to consider. Suppose you don't want me and everyone else in the world to have access to most of your information? What can you do then?


Life is good to me

There's not a whole lot you can really do to change this on a large scale for the immediate future. As long as money drives the web toward an advertising and intelligence based economic model, those who provide value will not allow you to obtain their value on a large scale without payment in the form of intellectual property of one form or another.

That may have seemed a bit obscure or hard to follow, so I will break it out again. Here is the economic model of the web from my point of view:

Question: Whose information is it anyway? Answer: Nobody really has this part figured out yet. If the information gathered from me is my intellectual property, then when you take it, you are taking my property and if you use it I should be able to get compensation for it. If the information you gather is your property, you should be able to do with it as you will. When information is mixed from different sources - like when I use my infobot and database and analysis capabilities to correlate your information, who owns the results? Is there a mixed ownership? How does it work? To quote an appeals court judge I know, it's not privacy rights that are at question, it's property rights.


The Emergence of a New Sport

Over this last weekend, I had the amazing experience of watching the 'battlebots' show on the comedy channel over cable television. This show is just the most amazingly wild thing you have ever seen if you are into robotics and engineering. It has pairs of quite powerful automated (usually teleoperated via radio controls - but that will change) robotic devices whose sole purpose is to rip each other to shreds. It features bots with circular saws on extension arms that come down on other bots to slice them up. It features a bot with a small rail gun that can penetrate bulletproof glass. And my favorite bot looks like a lady bug - it lifts up its top, covers its opponent, and uses an internal circular saw to rip the opponent to shreds while keeping it captured - it also looks very cute and innocent and is run by an 11-year-old girl.

This mild-mannered, polite, cute little innocent looking school girl and her cute little innocent looking lady bug robot are out there ripping the shreds out of nasty looking horrific devices created by engineers and mechanics. It sort of reminds me of the infobots we see spreading all over the Internet. They are cute little helpful pieces of automation that gently penetrate networks of all sorts and exfiltrate gobs and gobs of your internal information by using gentle and subtle covert channels and steganographic encoding so you won't have to worry about your nasty firewall getting in the way or your nasty security people getting upset by them.

I have written at least one article in this series in the last year about how hard it is to find and plug all of the bugging devices - sorry, the infobots - in just one piece of software. Consider the problem of doing this for all of the downloaded software at a major site. This has to include such things as Java applets that are used by your browser's interpreter and can cause information to be associated with the user's computer, cookies that make their way through your proxy by being encoded in interpreted Visual Basic content, and all those not-quite viruses that exfiltrate information more selectively and thus fall below the noise level of most of your current detection systems.


It Seems so Innocuous

It looks like such a warm and fuzzy thing. You can do stock trading over the Internet - at a significantly reduced cost - if only you enable all of the things on your system to allow the vendor to track you and collect the details of your usage. But in reality, it's the cold razor-sharp nails of the corporate infobot sucking your information for everything it is worth. (I sometimes sound really radical, don't I?)

It seems so impossible that by putting together these little pieces of information I could ever get anything of real value back out. It may seem impossible, but it is most certainly not only possible but commonly done. As an example, in one exercise a group of teenagers were able to piece together guard schedules, pay rates, shifts, their patrol schedule down to when they were at each checkpoint, and even detailed patrol car maintenance records. This was done by writing a small Perl script to analyze data collected through an intelligence effort. In another case, data was aggregated on an individual by combining a small amount of internal data with a great deal of data collected from open sources over the Internet. The result was a stunning portrait of somebody with a great deal of influence including enough information to begin an effective extortion effort.

The only real defenses against this sort of thing are (1) eternal vigilance (but who has the time and money for that?) and (2) a systematic deception effort to assure that much of the information gathered and analyzed is wrong so that the conclusions will be wrong. Unfortunately, eternal vigilance just never seems to work as well as we would like and it is very expensive. The alternative is often seen as unethical or immoral in some way and has its own set of serious problems - for example, suppose you have to reply to a subpoena and included in the company records is a whole bunch of deceptive information. Even your lies have to be done with great care.


Conclusions

One of the most enjoyable aspects of writing these articles is reviewing the titles of the sections...

If somebody were to quickly read this article - or most of my other articles - they would probably get the wrong idea about the contents. I don't know if that's a good thing or a bad thing, but it is part of my writing style. And that is really my point. Effective protection against the bots these days is not really something you can train people to do in any reasonable amount of time. My way of keeping the bots off of me is embedded in my whole way of looking at the world.

I have something called a security mindset. It means that my view of the world includes aggregation of information about security-related issues and that view provides me with an embedded security incident detection and response system. My detector isn't perfect and I certainly make my fair share of mistakes. My response system often overshoots the target. But at least I see things coming at me - both strategically and tactically.

This security mindset is something we need to foster in our people if we are to meet the future full of infobots while holding onto the value of information. The Star Trek vision of a universe without financial motives - wherein we all work for the advancement of knowledge - is an interesting one, but not one we are rapidly approaching here on Earth. For us, information has value - in its accuracy, in its timeliness, and in its confidentiality.

And - oh yeah... I almost forgot to advertise. If you have enough money, you can hire my ever-increasing and outrageously expensive but effective intelligence staff to tell you all about your business and yourself. To quote a CEO's response to what a good competitive intelligence firm could tell a competitor about their business: "Could I hire them to tell me about my business?". It seems that your competitors may know more about you than you do.


About The Author:

Fred Cohen is exploring the minimum raise as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates in Livermore, California, and educating defenders over-the-Internet on all aspects of information protection as a practitioner in residence in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at all.net or visiting /