Interview with Security Expert Avi Rubin
The tragic events of September 11 exacted an unimaginable toll. It has also created a new level of concern among network administrators. What new or different advice would you give to network administrators to help them protect their systems?
Answer: First of all, let me express my shock, horror and grief at what happened in NYC and Washington DC that day. I think that terrorist attacks in the physical world are on a whole different scale of the kinds of things we worry about today in computer security. Most of the kind of things I talk about in my book have to do with companies and consumers that use the Net for their data, communications, and business. The risks are loss of time, money, convience and privacy. While those things are important, they do not compare to the kinds of threats that terrorists pose of loss of life and limbs, and the threats that I cover in my book are not on par with the fear and uncertainty created by terrorist attacks. I do not think that the advice I would give to network administrators is any different.
The recent outbreak of the Nimda worm was particularly pernicious. You really can't ever predict what's around the corner, so what is the best way to preemptively defend yourself against future attacks?
Answer: Unlike the tragedy of September 11, the Nimda worm was totally predictable. It is a small evolutionary step from Code Red and Code Red II. The vulnerabilities it exploits are the same as previous worms, and it is not even that creative, compared to what had already been done. The difference is that Nimda is vicious, and that it tries to exploit many different vulnerabilities at once. It also has a nasty feature of making users' hard drives "shared", so that attackers can access files later. Given the lack of security in IIS and Windows in general, it was just a matter of time before something like Nimda came along.
To prevent against the next big worm, follow common sense practices.
- Keep up to date on patches and alerts.
- Do not open attachments, and educate users about the dangers.
- Set the Internet security options in outlook to High.
- Disable active scripting.
- Remember that diversity is a great defense in cyberspace, as in the biological world. Use a non-standard mailer or web browser and you will be less likely to be the victim of an ungainly worm.
And finally, be aware that there are some real worms, and there are many hoaxes. One recent hoax caused people to delete an imporant system file, for fear that it was placed on the system by a virus. Verify any potential threat, and seek professional help when in doubt. (That way, us security professionals will not starve.)
What makes your book unique compared to other security books?
Answer: This book is based on problems that people face in the real world. Other books attempt to cover different aspects of the discipline of security, but mine starts with the problem and the threat model, and the presents solutions.
How long did it take you to write this book?
Answer: The book took about two years from start to finish.
What made you want to write it?
Answer: I felt that a book that addressed the problems faced by users, system administrators, and IT professionals needed to be written. This book lets someone jump directly to the problem that is relevant to them and seek out solutions. It can also be used as an educational tool for someone who wants to understand security threats and solutions.
What is the most common problem network administrators have?
Answer: Network administrators have to balance user and business needs, which pull them in the direction of more and more functionality and features, with the needs of security, which dictate tighter controls and less freedom. Striking this balance, and keeping the user community satisfied enough that they do not try to circumvent the security, is the challenge faced by network administrators.
Why are viruses/worms are becoming more prevalent?
Answer: The lack of diversity in client platforms—that is, the fact that most people are running the same software on their computers—means that the same amount of effort that it takes to attack one computer with a virus is successful against millions of computers. Diversity helps protect biological organisms from viruses; it would do the same for computer platforms. Of course, diverse computer platforms means that software needs to be developed for each platform independently, and market forces converge on a common platform, or on a few common platforms. I predict that as Linux grows in popularity with respect to Windows (if that happens), we will see more viruses/worms designed for that platform. The same goes for mobile platforms such as Palm pilot and Windows CE.
Is it safe to shop on the Web? What are the e-commerce concerns with privacy?
Answer: I think that shopping on the Web is mostly safe. Credit cards face the same exposure when you shop in the physical world, and the credit card companies assume the liability in case of a problem anyway. The $50 fee is often waived. I believe that privacy concerns are more substantial that security concerns. When you shop online—or even browse, for that matter—information about you and your shopping habits can be collected, cross-referenced, tabulated, and sold. This happens in the physical world, too, but it is much easier to do and more effective in cyberspace.
What do you see as the biggest Internet security threat in the next 12 months?
Answer: It is impossible to ignore the increased number and potency of viruses and worms. I think the pending introduction of Windows XP, which promises to be a ubiquitous and homogeneous platform, along with the growing sophistication of malicious worms (which will exploit weaknesses in that platform), represents the biggest Internet security threat to date.
Most viruses/worms seem to be propagated by "ScriptKiddies," but is there any real possibility that this type of security threat could be undertaken by a more organized entity like a government?
Answer: Yes, the scripts run by the ScriptKiddies come from somewhere. The people who write these scripts are highly sophisticated programmers, and it is not unreasonable that a government would hire someone like this with malicious intent. I know of one case where this has already happened.
You have relevant academic degrees and industry experience. Can you give any advice to people who are interested in this field which value each kind of experience has added? And is one is more valuable than another?
Answer: For me, the academic and the industry experiences have complemented each other. My heart lies in the academic world. However, working in an industry lab has given me the opportunity to explore real-world problems. Many of my research papers are based on problems that I encountered while helping business units deal with security issues that they faced. One danger in academia is that the problems can become too theoretical and detached from anything that could really make a difference in the world. Thus, I think that I have found the balance that works for me.
You have a number of patents for your security work. The technology community is interested in the idea of patents and what should or shouldn't be patented. How did you decide or even know to patent your "inventions"?
Answer: Fundamentally, I think that the patent system is flawed. In its ideal form, the system is supposed to protect the little guy with the good idea. In practice, patents are a means for corporations to exert even more pressure on individuals and other corporations. That said, since I work for a large company, I am required to patent any idea of mine that has potential business benefits. I do not think that the patent system is doing anybody any good, and I would be happy to see software patents completely abolished, although I don't expect that to happen.
What are the most common questions you're asked about when talking to the media (as you've done with CNN, The New York Times, and others)?
Answer: The thing that most people ask me when they find out what I do is whether they should put their credit card into a Web form. As I mention in my book, most of the big-ticket items I have in my house were purchased online.
You've done some interesting analysis of e-voting. Do you think there is a real move to go this way, or has the brouhaha died now that the election has passed?
Answer: I think there are still powerful movement toward electronic voting. For public elections, this could spell trouble. I see no problem with e-voting in private elections.
What is your most interesting security anecdote?
Answer: When the Melissa virus hit, someone that I work with took his computer to David, a system administrator that we had contracted in my building to install virus-protection software. David was in the middle of installing software to protect against Melissa when he went home for the day. When he got home, he was arrested because he was David Smith, the author of the Melissa virus.