Information Security News mailing list archives

Got a Virus? Blame the Tightwads


From: InfoSec News <isn () C4I ORG>
Date: Wed, 28 Feb 2001 19:43:25 -0600

http://www.wired.com/news/technology/0,1282,42047,00.html

by Michelle Delio
2:00 a.m. Feb. 28, 2001 PST

Short attention spans and skimpy security budgets are leaving computer
systems wide open to attacks and viruses that should be easy to defend
against, security experts say.

All of the system cracks and viruses that have grabbed headlines
lately could have been easily prevented with user education or
software updates -- not to mention plain, common sense.

On Monday, a cracker called "Fluffy Bunny" took advantage of a
well-publicized hole in BIND, the software that translates word-based
Web addresses into a numerical form understandable to computers -- and
managed to transform McDonald's website in Great Britain into
"McDicks" for several hours.

The BIND bug was also used on Monday by "BL4F Crew" to hack into 10
Nintendo Europe websites.

BL4F left several messages on the Nintendo sites, including the
poignant "security is a complete myth on the Internet.... It's
frustrating. That's what it is."

Frustrating indeed, since the attack -- and all of the other system
cracks and viruses that have grabbed headlines lately -- could easily
have been prevented with user education or software updates.

Fixes for the BIND holes were released at the end of January.

Intel, Disney, Terra Lycos (which owns Wired News), Compaq Computer,
Hewlett-Packard, Gateway and The New York Times Online were
all attacked this month, with the cracker using a hole in Microsoft's
Internet Information Server (IIS 4.0) to break in. A patch for that
hole was released last Oct. 17.

And most of the viruses that clog networks have been active for the
better part of a year, according to Ken Dunham, a senior analyst at
Security Portal.

Warnings and antiviral patches have been released for all of them. Yet
infections like Anna, which was nothing more than an old worm in a new
wrapping, continue to spread.

Security experts have scant hope that the situation will soon change
for the better.

"People are creatures of habit so they continue to click-click. When
something like Anna comes around, awareness is up and memories are
sharp and strong," said Vincent Gullotto, senior director for McAfee
AVERT (Anti-Virus Emergency Response Team). "For a while they remember
the 'rule' and no one click-clicks. But as time passes they forget and
start click-clicking again."

Gullotto and many of his colleagues believe that viruses will continue
to spread as long as curiosity is strong enough to override common
sense.

"It is probably too much to expect that a few hundred million people
around the globe -- plus the millions of new computer users each year
-- will always remember the 'do-not-click' rule for e-mail
attachments," said Richard Smith, of the Privacy Foundation.

Smith thinks the only way to stop viruses is to "build top-notch
security and privacy protections" into all e-mail programs, rather
than expecting people not to click, or hoping that they or their
systems manager will download and install the latest patch to protect
them from the Crack Of The Day.

Many systems administrators say that recent budget and staffing
cutbacks make it impossible for them to keep up with security
procedures, and so patches aren't being applied to software as
conscientiously as they should be.

Security becomes a priority for some companies only when it adversely
affects business as usual, Dunham said.

"When the total expense for security goes up, the interest from
managers goes down," Dunham said. "Updating patches and antiviral
software is a low priority for some administrators and managers, and
some IT departments suffer in performance because they are
under-skilled and understaffed, or both."

Some systems managers also say that the companies they work for think
that it's less expensive to clean up viral messes than to implement
proactive security solutions.

"When IT people get together, a good percentage of them will bitch
about how they can't manage systems with a skeleton staff, and no
budget to speak of," said a systems manager at a Manhattan bank who
spoke on the condition that he be identified only as Joe Smith. "Most
of the people who make the spending decisions are either not
technically astute enough to grasp the importance of security, or just
hope against hope that no one is going to attack our servers."

Proactive expenditures are more difficult to justify because they are
not as obviously necessary as the reactive measures, such as removing
a virus from a corporate network, Smith said.

But this attitude can be costly. Gullotto believes that the majority
of attacks on websites and networks occur simply because security
people don't install the necessary patches.

"Security isn't convenient and it takes some work to stay on top of
what the latest updates are," Gullotto said. "We recommend that any
patch that has been developed be reviewed and implemented where
possible."

Another complicating factor is that patches can create problems of
their own, problems that many systems managers say they don't have the
time or resources to deal with.

"I'm really leery about adding anything to the system until I see how
it's working. I don't have the staff to troubleshoot a sick system,
and we've had problems with patches in the past. So I tend to sit back
and hold off on patching things, probably longer than I should," Smith
said.

Adding patches can be a major headache for administrators, said Dave
Kroll, director of security research at Finjan Software.

"There is no magic bullet here. Security is a process, constant
vigilance is required and unfortunately this takes up a lot of time
and funding," Kroll said.

Kroll believes that too many systems administrators and users rely too
heavily on anti-viral software instead of applying security patches, a
trend that worries him.

"The hole in anti-virus software is so big you can drive a truck
through it and the hackers and even the anti-virus vendors know it,"
Kroll said. "The reactive approach of anti-virus updates is no longer
sufficient by itself for security."

In many cases, it is easy to bypass anti-viral (AV) software. Every
hacker has a few good "compressors" or "packers" in his or her arsenal
which can get around anti-viral software by compressing a known virus,
thereby changing its appearance just enough so that the AV scanner
can't recognize it.

Some anti-viral and security companies have begun to look at more
proactive ways to protect systems and get news to systems
administrators quickly.

McAfee is working on a system that will identify threats as they enter
into a computing environment, and will recognize malicious code by
looking for specific behaviors and patterns, not particular chunks of
code. This technology, now under development, is called Outbreak
Manager.

And when time is too short to comb vendors' pages and security
discussion sites for alerts and patches, systems managers can use
direct news services, such as Security Focus' NetRadarEWS.

But many systems administrators say that, while news services and
intelligent detection programs will help, what they really need is
real support from upper management.

"If I could devote a full hour or two a day to dealing with security
issues, I could protect our network and educate our users about
viruses and safe computing," Smith said. "But in the current economic
climate, managers want to use the system to make money. They don't
want to spend money to secure it."
