The truth about security

By MARY KIRWAN

Wednesday, August 31, 2005 Updated at 10:56 AM EDT
http://www.globetechnology.com/servlet/story/RTGAM.20050826.gtkirwanaug26/BNStory/Technology/

Special to Globe and Mail Update

Mutton dressed as lamb? Are software products riddled with holes?

Truth is often stranger than fiction, and never more so than in the world of
IT security. The recent BlackHat security event in Las Vegas was a case in
point, becoming the stage for a bizarre series of events.

Bemused attendees watched as Cisco and Internet Security Systems Inc. (ISS)
tried to stop Michael Lynn, an ISS employee, from giving his scheduled talk
on critical vulnerabilities in Cisco routers. Routers move data around the
Internet, and Cisco owns the market for them. It has generally been assumed,
naively so, that they are impervious to attack, so news that they are not is
very bad news indeed.

These less than glad tidings, however dispiriting, would rarely qualify as
front page news. But Cisco and ISS demurred. They secured an injunction to
prevent Lynn from giving his talk, and his presentation was ripped from
conference binders. The newly martyred Lynn duly quit his job at ISS,
sallied forth and delivered his speech anyway, causing a veritable ruckus.

The entire affair was quickly dubbed 'Ciscogate', and made news around the
world.

It also drew attention to a disquieting global trend that is gathering
momentum. Software vendors are using copyright and trade secret laws to
prevent researchers from revealing critical flaws in software products.

For instance, in March 2005, Guillaume Tena, a French researcher in molecular
biology in the department of Genetics at Harvard University, received a
hefty fine from a French court and narrowly escaped jail time for revealing
flaws in a Tegam International anti-virus product that was advertised as
being capable of detecting and stopping "100 per cent of viruses." He was
prosecuted under the French Intellectual Property Code for counterfeiting.
Tegam also seeks damages of 900,000 euros in a civil lawsuit - it considers
Tena a software 'pirate' who defamed the company.

But does muzzling security researchers improve software quality and
security? Or, as software vendors have no liability to customers for flaws,
will such action simply serve to hide a festering problem under a rather
large bushel?

Politicians mandated with protecting us and the global economy in dangerous
times ought to take note. As more than 85 per cent of "critical
infrastructure" - a phrase used to refer to critical sectors, such as
telecommunication providers, utilities, and the financial services sector -
is in private industry's hands and hugely dependent on technology, more
needs to be done to ensure its survivability.

Vendors argue that researchers who expose software flaws are often less than
pure of heart; that they threaten and cajole them to get publicity and
lucrative contracts. Vendors also maintain that developing and testing
patches takes time, and that customers expect researchers to give vendors
time to address problems before releasing exploit code into the wild.

However, it can be months before patches are released, and they are
oftentimes only available to customers running the latest version of a piece
of software - a tactic that encourages upgrades. In addition, vendors derive
revenue from patch management services.

Meanwhile, many legitimate researchers are running scared, and opting to
co-operate with vendors in return for their largesse and approval.

So where does this leave us? Can we at least rely on security software to
keep us safe?

Alas, not as a matter of course.

In recent years, the US Federal Trade Commission (FTC) has reprimanded
companies, including Microsoft, Guess and Tower Records, for misrepresenting
the effectiveness of their security practices. Security product vendors have
received similar heat for making false or misleading claims about their
products to the public.

For example, the FTC recently got a temporary injunction and asset-freezing
order against Trustsoft, a Texas-based company, accusing it of misleading
and deceptive advertising, and of spamming consumers, pursuant to the US
CAN-SPAM Act. According to the FTC, Trustsoft falsely represented to
consumers that its software had scanned their PCs and located spyware. It
used "frightening pop-ups" to try to persuade people to purchase its
product to remove spyware - a task it was not in fact capable of performing.
The FTC alleged that the supposed scans completed on consumers' PCs were
'nothing more than computer graphics that have no computer scanning
capabilities'.

Even hardware vendors are not immune. Advanced Micro Devices (AMD), the
computer chip manufacturer, was recently called to task by Dutch regulators
for advertising a new chip as a way to prevent virus outbreaks in the
Netherlands.

A complaint was made to the Dutch consumer commission about an AMD radio
advertisement in Holland that apparently stated that the new AMD64 processor
would ensure people would "no longer have to worry about viruses". Reports
indicate that the regulator found that some of the radio ads were "too
absolute and as a result misleading."

In June 2005, Lorrie Cranor, Associate Research Professor at the Institute
for Software Research at Carnegie Mellon University, presented the
disquieting results of research carried out by her team. They examined the
performance of six commercial privacy tools, marketed as capable of
permanently wiping data from computers to protect data privacy. The
researchers were able in most cases to recover sensitive data; files were
not properly overwritten, and in one case the product tested 'completely
failed' to do anything useful. Users of such products were clearly left with
a false sense of security that their data had been successfully erased. The
vendors were contacted by the researchers, and the vast majority failed to
respond.

Unfortunately, flaws in security products are nothing new.

Indeed, The Yankee Group research company has recently indicated that the
security industry needs to pull up its socks in a big way, since the number
of vulnerabilities in products that are supposed to protect us continues to
escalate at an alarming rate.

All this is to say that as long as vendors are impervious to entreaty and
immune from legal liability, corporate customers should, where possible,
take matters into their own hands and employ a wide range of defensive
measures to make it harder for hackers to access vulnerable systems.

The speed at which the recent Zotob worm hit several Canadian banks and
media outlets in the U.S., such as CNN, ABC, and the New York Times, has
convinced many experts that "there is no more patch window." That worm
exploits a security hole in the plug-and-play feature of the Windows 2000
operating system. Microsoft had released a patch for the bug as part of its
monthly patching cycle shortly before the outbreak, but new exploits emerged
within three days of the patch release, before many machines had been
updated with the security fix. Johannes Ullrich, chief research officer at
the SANS Internet Storm Center, in one of the security group's daily alerts,
advised companies to rely on "defense in depth" strategies to "survive the
early release of malware."

In other words, the bad guys are outmanoeuvring the security vendors, and
it is every man for himself.

Government and big business may have the resources and political clout to
take matters into their own hands, and/or to make vendors sit up and take
note, but the consumer does not. What can he/she expect by way of
protection?

There are indications that the FTC in the U.S. is taking a hard look at
claims made by vendors who market consumer products - and that it is
determined to at least hold them to the truth of publicly made assertions
about those products.

Can we expect the Competition Bureau in Canada to follow suit? Vendors
surely cannot be expected to have their cake and eat it too.
You are a subscribed member of the infowarrior list. Visit
www.infowarrior.org for list information or to unsubscribe. This message
may be redistributed freely in its entirety. Any and all copyrights
appearing in list messages are maintained by their respective owners.