The Canary in the Network
By Richard Thieme

Like last week’s weather, the Melissa virus is old news, but its lessons have — once again — probably been forgotten already.

Melissa is a canary on its back, its little legs twitching in the air, but we tunnel on through the mountain as if we are safe and the square foot of dirt illuminated by our light is all we need to see.

Because of a rapid response to the virus, little serious damage was done by Melissa, a Word macro virus propagated by email on networks using Microsoft Outlook. Still, over a single weekend, Melissa had reached more than 100,000 computers and some sites had to take their email systems off-line. Had Melissa been designed to do serious damage, things would have been much worse. Still, thousands of hours of down time and interrupted communications reveal the real vulnerability of our networks.

Melissa may be a sign of things to come. It all depends on the choices we make.

The world of computer security constitutes an infrastructure on which global commerce and communication rest. It’s a multi-level world of thrust and parry, offense and defense designed and refined at every strategic level, from code to top-level domains where the message is the medium.

At the code level, Melissa is one of many viruses that take advantage of weaknesses in Microsoft software. When Microsoft decided to dispense with a security kernal, they ensured that every user of their software has the equivalent of "root" status, reserved in UNIX-based systems for a privileged few. For all practical purposes, there are no viruses in UNIX, MVS, VMS, MPE and other operating systems that run on workstations, minicomputers and mainframe computers, observes Mich Kabay, Director of Education, ICSA, in a letter to the Atlantic Monthly. Only Microsoft built systems that could be so easily compromised.

Many virus writers view Microsoft as an evil plague and resent what they believe to be false claims, that Microsoft provides operating systems with robust security. They write code designed to explode those claims.

It used to require a master programmer to write a good virus. Today, script kiddies can cobble together code from the Internet and make a lethal bomb.

That means confidential communication can be compromised, even by a virus as simple as Melissa. More destructive code can stop commerce in its tracks. Network users don’t usually care about technical details, they just want the telephones to work. But are they willing to pay a higher price in terms of inconvenience and heightened awareness as the threat increases?

To travel by air, we are willing to answer a few questions and show IDs at the ticket counter, then move slowly through metal detectors. Laptops are booted up or sniffed for chemicals. A short time ago, such restrictions would have seemed excessive, but awareness of a real threat made them tolerable. Still, those measures are minimal compared to airport security in Israel, for example, where I recently arrived for a flight four hours early and was interrogated twice at some length.

When we realize what’s at stake, we will do what we must to maintain safety. Unfortunately, there must often be serious losses before that moment arrives.

A free market economy relies on a handshake to get deals done. Despite all our laws, the basis of an efficient marketplace is trust. Trusted human networks work in relative freedom, as information networks do. Both were originally designed to facilitate the flow of information, not security.

The amount of downtime caused by Melissa, a relatively benign virus, is a twitching canary in the coal mine of the Net. Unless we become conscious of the price we would pay if a lethal virus was unleashed, we will stay asleep at the switch as innocuous packets enter our networks by stealth.

Melissa, or "The Canary in the Network," was originally published in Information Security magazine, a publication of ICSA, Inc.

1999

BACK