Dailydave mailing list archives

Computers' Insecure Security - Business Week, 17Jun05


From: "Gage" <12gage () comcast net>
Date: Sun, 19 Jun 2005 21:28:20 -0400

Looks like we have a case of the blind leading the blind (respectfully
excluding any dailydaves). The security software products that we recommend
and use are now worse than the out-of-the-box OS from MS. The new Yankee
Group Report should be an interesting read for most. It doesn't take much
hacking talent to hold down the F8 key and select safe mode with networking
to turn off 95+% of all security products.

Gage

JUNE 17, 2005

Computers' Insecure Security

Software meant to protect PCs is now an attack target, revealing a rising
number of flaws -- even more than those of Microsoft products

Think you're safe because your computer has the latest antivirus program,
complete with daily updates via the Web? Or maybe you figure the firewall
you have installed will stop malicious software from reaching your machine.

Well, you may not be as secure as you think. Hackers are increasingly
finding flaws in the very programs designed to prevent attacks --
computer-security software.

A new Yankee Group report, to be released June 20, shows the number of
vulnerabilities found in security products increasing sharply for the third
straight year -- and for the first time surpassing those found in all
Microsoft (MSFT) products. The majority of these weaknesses are found by
researchers, academics, and security companies. Trouble is, hackers then
take those findings and use them for nefarious purposes.

SAME EXCUSE. Last year, researchers found 60 flaws in a variety of
computer-security programs, almost double the 31 vulnerabilities discovered
in 2003, according to Andrew Jaquith, a Yankee senior analyst who culled a
national database of reported software vulnerabilities. Through May, 2005,
23 software glitches have been counted -- already up 50% over last year. And
that figure doesn't include those yet to come this summer, when the biggest
attacks are usually launched. So far this year, researchers have only found
22 vulnerabilities in Microsoft's products.

The trend is an embarrassment for computer-security outfits who have made
billions protecting PCs from cybercrooks. And much of that work has come
from fixing, or protecting against, lapses in the security of Microsoft
products. Now, it seems, the tables may be turning. Indeed, security
concerns are offering the same reason for glitches as many software makers:
"Everyone knows there's no way to have perfect software," says Jimmy Kuo, a
research fellow with McAfee (MFE).

Symantec (SYMC) has had the most reported vulnerabilities, with 16
documented last year (see BW Online, 6/17/05, "A New Frontier for
Hackers?"). But so far this year, it has fared better: Through May, only two
vulnerabilities were reported.

BRAGGING RIGHTS. Still, Symantec is a target because it's the market
leader. Hackers generally want to crack programs with the largest installed
base -- thus offering the maximum impact for their exploits. That's one of
the rationales Microsoft has used to explain why its products seem to have
so many reported security glitches. But Jaquith points out that McAfee, the
second-largest security player, decreased its vulnerabilities over the last
year. "This is a leading indicator of the relative quality of the two
products," he argues.

Symantec executives declined to grant an interview. But the outfit did issue
a statement saying the report compares the products of a single company --
Microsoft -- to the entire security industry. "This is not an
apples-to-apples comparison," the statement said. Jaquith responds that the
comparison was made because Microsoft has been hackers' target of choice. He
notes that more broadly, security vulnerabilities grew at a pace greater
than the whole software industry last year.

What's driving the increasing discovery of flaws in the very products
supposed to prevent attack? Part of it comes down to professional bragging
rights. Computer-security consultants and researchers are always out to
prove they can find vulnerabilities in software. The idea is: Once those
holes have been discovered and made public, the businesses will move quickly
to patch their programs.

Having torn through Microsoft's operating system for years, researchers now
find new opportunity in security programs. Meanwhile, many hackers
have started finding flaws in security software out of necessity. The
software has become so prevalent, it was blocking most modes of attack.

WAKE-UP CALL. While more flaws are being found, only one has been exploited
to launch a massive attack over the Internet. The Witty Worm, which targeted
security concern Internet Security Systems' (ISSX) software, was sent 72
hours after the vulnerability was disclosed on Mar. 20, 2004.

A subset of ISS customers who get real-time patches over the Web were
protected, but others were not, says ISS Chief Executive Thomas Noonan. The
worm wrote over sections of infected hard drives, rendering the machines
unusable. In all, 12,000 servers were infected. But the malicious software
trashed more than hard drives: ISS's stock dropped about 5%, to $15.98,
after the worm was announced. It has since climbed back, to close at $21.60
on June 16.

ISS has only had three vulnerabilities in its history, but Noonan calls it a
wake-up call nonetheless. "Less than 1% of our customers were compromised,
but dealing with that 1% was enormous," he says. "It has affected a number
of things we do internally." Noonan wouldn't comment further about the
attack's repercussions, as it's under a company investigation.

DANGEROUS DAWNING. That should have been a wake-up call to other companies
as well. Jaquith advises vendors to ratchet up their internal testing. Both
Symantec and McAfee recently acquired consulting firms that are experts in
launching test attacks before the software is released. "They both have the
tools in-house, it's a question of putting them to use," he says.

Vendors say they're already taking the threats seriously. Indeed, a new
reality may be dawning for the antivirus world -- code just isn't safe
anymore, no matter how good. "Software is software," says Ken Silva, chief
security officer for VeriSign (VRSN). "I wouldn't classify it as a failure
on the part of the security industry. Hackers are just getting a little
smarter."

If the security industry is going to keep growing at double-digit rates,
it'll have to get smarter, too.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave