The Real Lesson of Code Red: Insecurity Is a Way of Life
By Bruce Schneier
September 3, 2001
Most people don't understand the real lessons of Code Red II.
Code Red II could have been much worse. As it had full control of every machine it took over, it could have been programmed to do anything, including dropping the entire Internet. It could have spread faster and been stealthier. It could have exploited several vulnerabilities, not just one. It could have been polymorphic.
Code Red II left a lot of questions unanswered. What will come in when Code Red II installs a back door and drops a Trojan program in vulnerable computers? Will there be a Code Red III? What will it do? What about Code Red XXVII?
I've long said that the Internet is too complex to secure. One reason is it's too complex to understand. The erroneous predictions about Code Red's effects illustrate this: We don't know how the Internet really works. We know how it should work, but we continue to be surprised. So it's no wonder we can't adequately secure the Internet.
The hundreds of thousands of infected networks could have had better security. I've argued that expecting users to keep their patches current is blaming the victim. Even so, I would have expected most people to at least install this patch. But as late as Aug. 1, even after Code Red had been in the headlines for weeks, the best estimates show that only half of all systems running Microsoft Internet Information Server had been patched. Even Microsoft's systems fell victim to Code Red.
The Internet moves too fast for static defenses. You can't install every possible patch, and you don't know which ones will be important. Likewise, viruses and worms appear all the time, and you don't know ahead of time which ones to worry about. If we're going to make Internet security work, we need to think differently. I've put my effort into detection and response, instead of protection, because detection and response are resilient. I've put my effort into people instead of software because people are resilient.
But even if you can secure your particular network, what about the millions of other networks out there that aren't secure? One of the great security lessons of the past few years is that we're all connected. The security of your network depends on the security of others-and you have no control over theirs.
We shouldn't lose sight of who is really to blame for this problem. It's not the system administrators who didn't install the patch in time, nor is it the firewall and IDS vendors whose products didn't catch the problem. It's the authors of the worm and its variants. And it's Microsoft, which sold a product with this problem. If software companies were held liable for systematic problems in their products, we'd see a whole lot less of this kind of thing. Vendors are in other industries-just ask Firestone.
Code Red's infection mechanism causes insecure computers to identify themselves to the Internet, and hackers can exploit this feature profitably. My network is regularly probed by Code Red- infected computers trying to infect me. It's easy to generate a list of those computers and their IP addresses. These computers are vulnerable to the particular IIS exploit that Code Red uses. If I wanted to, I could attack every computer on that list and install whatever Trojan or back door I wanted. I don't have to scan the network; vulnerable computers are continuously coming to me and identifying themselves. How many hackers are piggybacking on Code Red in this manner?
Hacking is a way of life. Remember a few years ago, when defacing a Web site made the newspaper? Remember two years ago, when distributed denial-of-service attacks and credit-card thefts made news? Or last year, when fast-spreading worms and viruses caused a stir? Now, all these go unreported because they've become so common. Code Red II ushers in a new form of attack: a preprogrammed worm that unleashes a distributed attack against a predetermined target. After a few dozen Code Red variants and similar worms, we'll think of them too as business as usual on the Internet.
And, oddly enough, the Internet will survive.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..