The Internet crime division of the FBI issued a vaguely-worded warning last week about an alarming new tool soon to be available to computer criminals.
But the tool's author has promised not to publish it for months, and is already working with security companies to help protect their systems against it. So why the FBI warning? Just a case of bureaucratic panic, some say, and a rare look at how security issues create confusion inside the US government.
The tool -- called "Stick" -- essentially disarms intrusion detection systems, a crucial line of defence in the largest military and corporate computer systems. Intrusion detection software sits "on top" of any computer connection to the Internet, watching packets come in and out. It's smart enough to recognise suspicious packets and then warn an administrator via e-mail or pager. For example, the anti-intrusion software might notice a scan of a computer for specific connection points, called ports, known to be launching pads for an attack.
Stick foils these systems by simulating nearly 450 such attacks within two seconds, thus overwhelming the software. Using Stick, an intruder could disguise an attack inside the stream of false alarms. Or the tool could simply be used in a denial-of-service attack, effectively shutting off the system by overwhelming it.
An attacker using Stick is akin to a burglar deactivating a home security system before breaking through the front door. All that certainly sounds serious enough to interest the National Infrastructure Protection Center, the cybercrime arm of the FBI. But there are several points that make NIPC's announcement curious.
For starters, according to Joel de la Garza, a consultant at Securify.com, the technique for overwhelming anti-intrusion software is not new. Also, Martin Roesch, author of the well-known Intrusion Detection software "Snort," described the threat as "minimal" because of some flaws in the tool.
Meanwhile, Stick author Coretez Giovanni has said he doesn't plan to release the tool until at least July. Even NIPC's announcement itself has the ring of being premature: "The NIPC is still reviewing this information both for accuracy and to determine the level of threat. Further information will be provided, as it becomes available," the agency said in its Wednesday press release.
Giovanni thinks several government agencies worked together to create an overreaction. "The story behind the panic on Stick is a long one," Giovanni wrote in an e-mail to MSNBC.com. He wrote the program sometime last summer to test intrusion detection software and later gave the code to the National Security Agency through an intermediary with the proviso that he might release it this year, perhaps as soon as March 15.
Next, the NSA ran some tests and decided Stick could be considered a threat, so it issued a "For Official Use Only" bulletin across the military, Giovanni said. "To shorten the story, I eventually end up on the phone with a friend from JTF-CND (Joint Task Force Computer Network Defense). The Government side was in panic over the tool," Giovanni wrote. "We had a long talk about the proper way to release things and I agreed to hold off until Black Hat (a conference in July) a general release of the code. I didn't expect this big a deal."
After that, officials at CERT, the Department of Defense's computer security organisation, started asking questions about Stick on popular computer security mailing list, escalating curiosity about the program even more. This eventually resulted in NIPC's press release. Apparently believing the initial report that Stick might be released last Thursday, NIPC issued its warning on Wednesday. "NIPC could have just sent me an e-mail...but they didn't," Giovanni said.
While he hasn't released his code to the general public, he is sharing it with security software makers so they can issue updates that deal with the flaws he's exploiting. One, Internet Security Systems, has already issued a press release saying its software has been updated to deal with one of two issues Stick raises. "We don't see this as a story," said Chris Rouland, director of the X-Force vulnerability research team for Internet Security Systems.
So why did NIPC issue its press release? A spokesperson for NIPC didn't immediately return phone calls, but the agency has come under fire recently both for reacting slowly in some crises and issuing over-reactive warnings in others.
Several security experts have wondered about last week's press conference about an investigation into a ring of Russian/Ukranian hackers that have extorted over 40 e-commerce sites.
MSNBC.com had been reporting on the ring since last December. The FBI said it was going public with the investigation to get the word out to executives that e-commerce companies weren't doing enough to protect themselves. "They are struggling at the moment with defending their existence," said Rob Rosenberger, known NIPC critic and operator of the "Truth About Computer Virus Myths and Hoaxes" home page. "It comes up in September when the new administration's budget comes out....The organisation needs publicity if it's going to survive. This is just one more way to generate beltway ink."
Take me to Hackers
One of the most interesting books Michael Miller has read lately is Crypto, he says it is a wonderful account of the evolution of cryptography over the past few decades. Go to AnchorDesk UK for the news comment.
Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.