Counting from Zero (3 page)

Lars Elvström was a friend of the creator of a popular open source computer operating system, and an expert in kernel security among other things – the kernel being the core or central part of the operating system in a computer.
 
He hailed from Helsinki, Finland and traveled almost as much as Mick.

In the following minutes, there was very little discussion but lots of typing and occasional swearing.
 
The local techs gave everyone the passwords they needed to work on the computers and servers and answered any questions about the network.
 
Mick had already familiarized himself with the layout of the network and knew exactly where he wanted to spring the trap.

“What the hell is going on here?” The question came from a short man who walked into the room.
 
A tech jumped up and looked over to Mick.
 
Mick looked to Liz who sighed and went over to the man.
 
Liz sometimes helped them out of awkward social situations such as this.

“Hi there!
 
I'm Liz Clayton.
 
And you are?” she began, smiling at him as she brushed a lock of blonde hair out of her face.

“Ned Iverson, I'm in charge of this network, or at least I was...”

“Right, Ned,” Liz began, hoping to diffuse the situation quickly while Mick continued working.
 
“Let me explain what we're doing.
 
Your web servers haven’t been compromised
yet
in this zero day, so we are setting up monitors and message loggers so we can try to see the attack as it happens.
 
With the help of your techs, we are reconfiguring your routers and firewalls so we can learn how the attack works and how to protect against it.”

“Why can't you just look at the logs of the compromised servers?” he asked.

“We've already tried – the attack wipes the logs, very thoroughly, hiding its tracks.
 
No one has a dataset on this attack yet to analyze it,” Liz explained.
 
She could see him starting to relax, and knew the situation was diffusing.

“OK, but does my server have to be compromised?
 
I'd just as soon avoid that.”

“Hmm… we could replace your web server with a dummy one.
 
That way, your real site will be safe.
 
We'll just need to set it up quickly – everything else will be ready to go in a few minutes.”

“And will you put everything back together again when we're done?” he continued.

“Of course we will,” Liz replied, realizing she was going to be there most of the night.

“You owe me,” she growled at Mick as she walked back a moment later.
 
The only sign that Mick heard her was a slight curl in the corner of his mouth.

Less than fifteen minutes later, most people in the room were looking around and feeling pleased with
themselves
.
 
Mick saw the supervisor give him a nod.
 
Only two people were still working furiously.
 
Gunter was typing at light speed while a dark haired woman he hadn't noticed before stood over him giving him directions in an animated way.
 
From the look of the code scrolling across the screen, this was some complex configuration setting on the firewall.
 
Gunter gave him the thumbs up a moment later, and the woman sat down and smiled at Mick, making him nearly lose his train of thought.

Who is that?

Mick spoke with each of the groups and confirmed their settings and configurations.
 
They were finally ready.

“OK, let’s connect back up to the Internet,” Mick said, getting excited.

“Um, I can only get one link up as the other connector got busted,” one tech replied.
 
Mick would feel bad about it later, but now, he was still in fight-or-flight mode.
 
“We’re live!” the tech reported after plugging the Ethernet cable back in.

Everyone sat quietly waiting, watching the screens.
 
It only took a minute.

“I think we've got it!” shouted Gunter as he watched information scroll on his screen.
 
Everyone else looked to his or her screen – some showed activity, some didn't.
 
Mick refreshed his
browser which
was pointed at the conference web server; he was rewarded with the ‘Carbon is Poison’ page.
 
It amazed him how fast it happened.

Everyone was suddenly calling out pieces of information about what their logs showed.
 
Mick listened to all of it, sometimes asking for a repetition.
 
The answer started to become clear in his mind.
 
One fact would confirm it.

“Lars, did you see any activity on port 443?” he asked, leaning toward Lars.

“Yep, an HTTPS connection came in on port 443 which coincided with the attack,” he replied.
 
Mick slapped him on the back.

Gotcha!

Looking around at his ‘team’, Mick grinned and
said
“Thank you everyone – I'll need all these logs archived on the main directory for confirmation, but I think we have found the nature of the attack.
 
Thanks again for all your help...” he said, already starting to ignore them.

“What's next Mick?” Liz asked.

“Time to write a patch!” Mick replied, sitting down and pulling up the web server source code.
 
He began work on writing or ‘coding’ the change to the program to close the vulnerability, preventing the attack from succeeding.

The others drifted off or started looking at their mobiles, as the network was back up again.
 
Everyone was buzzing about the attack and who was hit and who wasn't.

A few hours later, Mick had the patch written.
 
He checked it in – uploaded it to the server where people download the software – ready for approval, release, and installation across the Internet.
 
The zero
day
was almost over.

“Wait a minute, you just did an anonymous check-in of that code!” someone shouted behind him.
 
He turned and saw the woman who was working with Gunter earlier.
 
She looked distinctively out of place among the fashion-challenged geeks around her, wearing a knit shirt, dark pencil skirt, and boots.

“That's right,” he replied evenly.

“But how will you get credit for writing the patch?” she asked.
 
Mick shrugged.

“I won't, but that's OK.
 
Checking it in anonymously will avoid bruising anyone’s ego or otherwise distracting
them
from stopping the spread of this thing.
 
We just need to get this patch released so we can end this zero day.”

“You don’t care that no one will know that you stopped the exploit?
 
You
are
crazy!” she responded, shaking her head.

“Thanks.
 
And you are...” he asked, enjoying her accent.
 
It was definitely Eastern European, maybe Serbian, but her English was excellent.

“I'm Kateryna Petrescu, with F.T.L. in San Francisco,” she replied, mentioning a well-known manufacturer of firewalls.
 
He made a mental note to not badmouth these overused security devices in front of her.

“Mick O'Malley – thanks for your help, by the way.
 
Nice work on the firewall,” he said, extending his hand.

“You are welcome,” she replied, shaking it.

A few stayed behind with Mick and Liz to help put the NOC back together.
 
When they were done, Mick spotted Kateryna across the room; she noticed him and approached.

“OK, so tell me how you did it,” she began.

“You mean uncover the attack?” he asked, and when she nodded, he continued.
 
“Well, I've seen quite a few attacks over the years, but this one was unusual.
 
Usually these days, it is the browser that gets infected, but in this case, it was the web server that provides the web pages.
 
The Wireshark trace we did confirmed it – it was a web browsing request from a site that had already been infected.”

“And port 443?”

“Again, the speed suggested the worm was using a common, unblocked transport.
 
Port 443 is commonly kept open for encrypted web traffic.
 
I was happy we didn't have to wait long.”

“That patch was a nice piece of code, by the way.
 
You must have worked as a software developer at one point in your career?”

“Yes, but it’s been a while," Mick replied.
 
“Anyway, once I knew how the attack worked, it was trivial to follow it through and find the bug.
 
Believe it or not, it was just a type of buffer overflow attack,” he concluded.
 
He changed the subject.
 
“Have you been to Nihon..
.
 
I mean Japan, before?”
 
A few days ago, Gunter had proposed that in honor of their visit to Japan, they should all exclusively use the word that Japanese use for their country – Nihon.
 
The usage had caught on in their social network, and was already second nature to Mick.
 
It was now an effort for him to say Japan or Japanese.

“Just once – I was in Tokyo and Yokohama a few years back,” she replied.

They discussed his previous four visits and her previous one, and which conferences they regularly attended.
 
Mick learned that Kateryna’s new role at her company meant she would be speaking at many of the same conferences he would be attending.

Liz waved to Mick as she left the room, having restored most of the NOC configurations.
 
Mick waved back and called out “Thank you!” to her back.
 
Kateryna looked over her shoulder at Liz.

“Liz Clayton, right?”

“Yep.
 
We've been friends forever,” Mick replied.
 
He thought he detected a slight reaction in her to his use of the word “friend”.

This could be quite a conference.

Chapter 1.

From the
Security and Other Lies
Blog:

What is the difference between a virus and a worm?
dieraptorzdie

This is a good question, dieraptorzdie.
 
Viruses and worms are different kinds of ‘malware’, short for malicious software.
 
Malware is usually installed on your computer without your knowledge, and might steal information, delete information, make your computer start sending spam emails or do other things you don’t want it to do.

Both a virus and a worm will try to spread to other computers or replicate – the difference is how they do this.
 
If the malware tries to replicate itself by attaching itself to another piece of software or data – the equivalent of a biological host - we then refer to it as a virus.
 
This could be an email message that you open, or a download from a web page you visit.

If the malware is designed to be self-propagating, using the Internet to spread on its own without the help of another application, it is known as a worm.
 
The word refers to the way the malware ‘worms’ its way through a network.
 
When your computer is connected to the Internet, it can receive all kinds of messages from other computers.
 
An attacker can send out a bunch of messages (sometimes this is called ‘port scanning’) to your computer, trying to cause it to unwittingly install malware.
 
This can happen anytime you are connected to the Internet, and you don’t even have to be checking mail or browsing the web for this kind of attack to happen.

Both worms and viruses can spread quickly and do a lot of damage in a short time.

There are a number of things you can do to protect your computer.
 
Virus scanning software you install on your computer can help protect against viruses: it monitors and checks everything that you download or install, and deletes it if it finds a virus.
 
A firewall can be used to protect against some types of worms.
 
A firewall’s purpose in a network is to block unwanted Internet traffic while allowing legitimate traffic.
 
The word ‘firewall’ comes from the construction industry, where it literally is a
fire-proof
wall between rooms or buildings.
 
If you have a firewall in your network, it can block port scans and only let traffic that you want flow from the Internet to your computer.