Information Security News mailing list archives

Raided Firm's Software Checks Out


From: InfoSec News <isn () c4i org>
Date: Wed, 11 Dec 2002 02:22:57 -0600 (CST)

http://www.wired.com/news/conflict/0,2100,56777,00.html

By Michelle Delio
Dec. 10, 2002

Software designed by Ptech, a Massachusetts technology firm U.S.  
federal agents suspect might be linked to terrorist groups, does not
appear to threaten national security.

Federal agents raided the company's Quincy offices early Friday
morning. Officials are investigating allegations that investors in the
company also finance terrorist organizations.

News of the raid sparked concerns that Ptech's software could have
been engineered to allow attackers access to classified
national-security data. The Army and Air Force, Congress, the White
House, the Federal Aviation Administration and the FBI use the
company's knowledge-management software.

Initial reports indicate that Ptech's software was not engineered to
allow attackers easy access to government databases.

But security experts warned that while Ptech products might be safe,
the raids highlight the need to secure systems from internal as well
as external threats.

"Internal security breaches are the number one problem. It's rare that
someone actually hacks a system without help from inside," networking
consultant Mike Sweeny said.

"Just look at the last news bite about ID theft," Sweeny said. "A
help-desk worker was handing over credit reports with all the info
needed to steal people's identities for 60 bucks a pop. No hacking
required there."

According to a representative from the Department of Justice,
officials had determined that Ptech software was "clean" before
Friday's raid.

"All of the products Ptech provided to the government were of a
non-classified nature," said U.S. Attorney Michael Sullivan in a
statement. "However, out of an abundance of caution, the affected
government agencies, including the FBI, conducted a review of their
computer systems.

"There is no reason to believe that the software has any secondary
purpose or malicious code, or that there has been a breach of any
kind. There have been no vulnerabilities identified in connection with
any of the products provided by Ptech. There is also no evidence to
suggest that the system is susceptible to compromise or poses any
security risk."

Many security experts also said they doubted Ptech's software was a
threat, but wondered how officials arrived at that conclusion so
quickly.

"Most commercial software is compiled in some manner," said Sweeny.  
"In other words, you do not see the source code so it's tough to look
for backdoors or Trojans. And even if it were not closed source, the
amount of code to go through is overwhelming unless you know exactly
where to look."

Some said the Ptech incident proves that government should rely on
open source software.

"This is exactly why open source software advocates promote open code,
to allow peer review and preclude such things from happening," said
security consultant Richard Forno. "It works for both a security and
operational stability benefit."

But Michael Wendy, of the Initiative for Software Choice, a lobbying
organization that's battling to block governments from passing
legislation encouraging or mandating the use of open source software,
cautioned against making any "sweeping security conclusions from this
event or anything similar that may occur."

"It's important to note that a development model is only a process,"  
Wendy said. "It does not guarantee, in and of itself, that a product
produced under one type of model will be any better than another
product produced under a different model. In other words, no single
development model inherently produces safer, more secure software."

Still others said it makes little difference whether the government
uses open source or closed software.

"Having more open source software in circulation with the government
would be nice, but open source software can be as insecure as closed
source software," said William Knowles, senior analyst at C4I.org, a
private computer security and intelligence group.

"But it's entirely possible that a backdoor could have been inserted
into software destined for U.S. government clients," Knowles added. "I
often wonder about all the Y2K programming done offshore in
less-than-friendly countries and if there are any backdoors in that
software."


