News

CERT: Watching the Internet

The nation's IT infrastructure remains safe, thanks in part to the efforts of Carnegie Mellon's Computer Emergency Response Team.

• By Keith Ward
• 09/10/2003

The fact is, CERT almost always knows about Internet-related attacks before the general public does. It's the organization's job to know. CERT serves as a sort of clearinghouse for security issues affecting the IT industry. "Our goal is to better the practices of security and push them out to others to implement," explains Marty Lindner, CERT's team leader for incident handling. It does that by analyzing potential threats, coordinating with vendors and other organizations involved in security, and disseminating information through its Web site, e-mailers, and other methods to thwart or minimize damage to the nation's IT infrastructure.

CERT, part of the Software Engineering Institute of Pittsburgh, Pennsylvania-based Carnegie Mellon University, got its start in 1988 during the infancy of the Internet, when the majority of traffic was college professors and soldiers. Since then, it's grown to become one of the best-known security sites on the Internet. It's a non-profit organization that receives the majority of its funding by the U.S. Department of Defense.

CERT performs three key functions: vulnerability handling, incident handling, and artifact analysis. The high-visibility area among those is incident handling, i.e. the after-the-virus-has-hit cleanup, but the other two are just as important.

Vulnerability handling occurs at the earliest stages, when CERT learns about potential security holes in a product. "The vast [majority of] work from the vulnerability handling team goes unnoticed by the public, and that's a good thing. It means we're finding vulnerabilities, talking to vendors and they're building fixes into products before they're exploited," Lindner said.

CERT gets a lot of its information from the public. As of early August, it had received more than 200,000 e-mails from people reporting problems. Based on outside information and investigation from its own 25-member team, CERT determines if there's a threat to the core Internet infrastructure, then notifies the appropriate organizations or entities to stop attacks or minimize damage.

The other less-celebrated but equally critical mission is artifact analysis. That involves reverse-engineering malware to "fingerprint" it and see how it works. The next time a virus or worm is released, CERT can use that information to see what the hackers are doing. Linder said that code is often reused by the black hats in different exploits. "The guts of Code Red have been seen in Nimda, Code Red 2 and bits and pieces in other malware over the years," he added.

Most of that code is aimed at Windows systems. But that might begin to change with Windows Server 2003, which Lindner thinks is a step forward in terms of security. "Microsoft takes a lot of bashing, but they have the biggest code base of almost anybody. It's safe to say there are clear indications that Microsoft is working much, much harder to try to produce more secure software. But they still miss things," Lindner said.

Overall, Lindner doesn't think the Internet is getting safer, even with organizations like his fighting the good fight against the bad guys. His opinion was backed up just days after the interview for this article, as first MSBlaster and then SoBig.F knocked Tsunami-like through the Internet.

What will help? Better software development, he said. "The Internet will get more secure as the quality of software improves. As we spend more time producing better-quality software, the level of security on the Internet will increase."

He lists one vulnerability in particular that is at the top of his list of vulnerabilities. "Buffer overflows is the biggie. If we eliminate buffer overflows, we eliminate [most] exploits. When we eliminate exploits, we have a more secure world."