Interview: Fred Cohen, inventor of computer virus defense techniques – David Geer recently spoke with Fred Cohen, an early and principal inventor of computer virus defense techniques, a widely sought information protection consultant, and author of the popular Chief Information Security Officer's Toolkit series of books. Following is an edited transcript of that conversation. You may also listen to the original interview here, or visit our Podcast Center for more audio interviews.


David Geer: We're going to start off with a basic question and see where we go. In your view, what are the primary information protection policies and practices?

Fred Cohen: That's a big, complicated area to cover. Information protection covers a very broad range of factors from HR, people-related issues through legal issues. It deals with risk management. It has to deal with testing and change control and technical safeguards, both physical and logical, has incident management aspects. It has auditing aspects. It has to do with awareness and such things and documentation. So it's really a very broad subject area. So typically, the number of policies involved for a large enterprise is on the order of 40.

Geer: And I assume then, that just protecting information is far from plugging the holes?

Cohen: Well, we do a lot of what some people call red teaming, or penetration testing, to look at companies to assess their protection posture. It involves a broad range of things, typically starting with external intelligence to try to find out information. People very often use telephone elicitation techniques. They might try to get a job. They might visit physical facilities. We have one thing that we've been doing lately with Apple-based wireless access points -- they have [something called] Wireless Extreme. It's about two inches in one direction, three inches in the other direction, and one inch in the other direction. It has a plug built into it and an Ethernet cable, so as part of our test, we've been walking into facilities, plugging one of these things into the network and into a wall plug and leaving. That takes about 30 seconds to 60 seconds end-to-end. You walk outside the building and you can have remote access to their network. So if you don't have physical security, you're not going to have effective protection.

Personnel is another major area. So your people are the key to your effective protection. If they can't follow the processes and the procedures you have, they can't do their jobs right. So a lot of companies, for example, make password requirements that say you have to have an eight-character password that has upper and lower case and special characters and isn't like anything you know and you have to change it every 30 days. That means people can't remember it, so they write it down, so you can find the next guy's password by looking at their desk where they wrote it down. So there's a lot of complexity in getting a large-scale system to work right and there's also globalization problems. The things that will work in the US, because our culture, if you want to call it that, is one way, just won't work in China or India.

Geer: What are some of the latest examples that some of our listeners may not have heard of, of really massive holes in some of the policies and practices at places where you've done some of this testing?

Cohen: Well, one of the biggest ones that we found was a way to steal $1.2 billion from a large corporation. And in this case, it was purely procedural. You had a series of things that people did to transfer money and a bank account with a lot of money. It had to have a lot of money because they do a lot of transactions on a daily basis. And we just figured out a problem in the process that allowed one individual to both submit and commit the transaction. Once it's gone, it's gone in the electronic fund world. So that's a pretty big hole. I mentioned the very common hole of being able to walk in and jack in. That's usually what we call it, walk in, jack in. So you walk into the facility, maybe a tailgate behind somebody who's walking in the back door, or you find an open door, or you just walk past the desk and nobody asks you. You jack in, you plug into some jack or access or if they have wireless, you just go into their wireless access capability, and you're on their network. Another very common point of attack is, of course, you send a Trojan horse or something like that so that you send an email or whatever it is that you send into the environment, and somebody on the inside uses it, or interprets it, or plugs an update into their computer, or something like that, and off you go. So that's the most common thing is to exploit the weaknesses and the behaviors.

Geer: Any other example that corporations seldom know about of strictly gross IT holes in practices?

Cohen: Some of the most common things are default passwords. Despite the fact that we've known for 15 years, probably, about default passwords, maybe 20, and how bad they are - people use default passwords all the time. I was just at a corporation a few weeks ago where they had default passwords to their routers and to their main file servers. So you could just go in and become administrator on those servers and take over. So in most cases, it's not rocket science to break in. It's that the people that are on the defensive haven't done an even reasonable job of defending themselves. And in defense of the defenders, if you're in a large enterprise, you might have 100,000 people and 120, 130,000 computers and managing 130,000 computers is not a simple thing. If you make one little mistake somewhere, with modern tools, I can scan your network and find it very quickly. So being able to use automation to find weaknesses is a very different situation than what was around, say, 15 years ago. So now that people are scanning for weaknesses, of course, the defenders are scanning for the same weaknesses.

The solution, of course, is to do a better job of defending from the start, use architectural methods, separation and filters and design things with something in mind. But that rarely happens and there are two basic reasons. One of them is a lot of people are tied into the Windows operating environment, which has inherent insecurities and that are very, very difficult to get around. And the other big problem is that nobody is willing to pay the up front time and expense to build a network that's secure and then maintain it on an operational basis for a large variety of users. For a production system, something where you're manufacturing something, people will take the time and effort. There are regulations that force it, it's a very difficult thing if you don't properly protect such a network because you can have products that are faulty because of it and so forth. So there are places where it's done, but the vast majority of places, it's just too expensive and time consuming and the IT people don't have a clue that this should be done.

Geer: In an article that I interviewed you for previously, we were talking about the nation's control systems -- things like control systems for dams, utilities, nuclear power plants. And one of the biggest issues was, I believe that we discussed, was that oftentimes where there isn't really enough of a driver to do it, people are connecting the internet and other computers that are on the internet to these control systems, when that's really a big security concern, and they really don't get enough practical benefit out of it to be doing that. Can you comment on that?

Cohen: Well, certainly people are connecting the internet up to almost everything and so anytime you connect one thing to another, then all the vulnerabilities of one, times all the vulnerabilities of the other, are the total vulnerabilities now available to be exploited. They pair up. So the old story, the chain is as strong as the weakest link. So when you add the internet, that's an awfully weak link. So unless you're very, very careful about how you hook it up and what you use it for, almost certainly somebody is going to find a way around it. And it's not only that an outsider will maliciously go and do something bad, there's also the problem that insiders want to use this new functionality for their purposes. So if you're an insider and you say, gee, I have an internet connection, I should be able to use a web browser to see what movie I'm going to go to tonight, then eventually you'll find a way to get a web browser to work through the firewall that they've put in place. And now once that browser is working, it can download something that has a Trojan horse in it, that gets loaded onto your local computer and it can attack from the inside, using the same communications method you used to download the thing to work back and forth between whoever is on the outside and whatever software you've placed on the inside on their behalf. So anytime you loosen controls just a little bit, things get far, far weaker. And so you need to not connect things that are critical, like for people's lives and so forth, to the rest of the world, unless you can do it with a proper protection. And it turns out there are very few people that know how to implement protection properly. So what we see is, a tradeoff between the risk and the benefits and people take more and more of the risks and they suffer more and more from the consequences.

Geer: One of the things I remember you mentioned also that's being done about a lot of the technically related security issues is going to trusted computing systems.

Cohen: There is a motion towards trusted computing environments for select applications, and there are several different classes of these. One of them is the sort of traditional -- I'll call it traditional because in computer security we've had a long tradition of it, but for most people they've never heard of it. It's the Bell-LaPadula based system. These are systems that are designed to protect secrecy. And secrecy systems are very useful in preventing leakage of information, so it's very useful, for example, if you're bringing in a lot of information about individuals, personally identifiable information or health-related information that's identifiable to the individual. Then these are good systems to bring that in, use it usefully, but keep it from getting back out. There's another class of these trusted systems that are based on the idea of assuring that things don't change without authorization. The so-called trusted computing group and trusted computing bases that they operate are designed to assure the integrity is, so that you can share with anybody, but it won't corrupt your system. Or if it does corrupt your system, it might be detected and then prevented from operating and perhaps even fixed automatically if it's implemented properly. So that's a different sort. And then there's another sort of a trusted system and that's a system that's not designed for a particular capability, such as preventing leakage or assuring integrity, but rather it's designed so you have a reliable starting point. So in this case, bootable CD-ROMs with customizable startup scripts are fairly interesting because they allow you - if somebody breaks into a server, you can, for example, push the reset button and it will be back to a known good state and then you can work forward from there, and similar effects. So the ability to get to a known situation and work from the known situation without assuring that you don't have any bad things in the environment, other than what you started with, is a very important element of trust in the system. So those are the three classes of systems we're typically looking at these days.

Geer: And finally, what are you doing today to help promote the best security for enterprise and other systems?

Cohen: Well, I'm not in the promotions game. I'm in the help-people-do-it game. I help people build policies and implement them within their corporations. As I mentioned earlier, I do protection assessments where we go in and identify the potential weaknesses and what should be done about it in what timeframe. Help do design of security architectures. So if somebody has a large network environment, for example, we can help them redesign the structure of it so that it will be inherently safer and operate more reliably. And then I do some digital forensic work, digital crime scene reconstruction and extraction of data from media when everybody else can't extract it.

Geer: Thank you for speaking with us today, Fred. If you would like to learn more about Fred Cohen and his security initiatives, visit Fred Cohen & Associates at  

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon