[ISN] The truth about security

InfoSec News isn at c4i.org
Thu Sep 1 05:16:37 EDT 2005


August 31, 2005
Special to Globe and Mail Update

Mutton dressed as lamb? Are software products riddled with holes?

Truth is often stranger than fiction, and never more so than in the
world of IT security. The recent BlackHat security event in Las Vegas
was a case in point, becoming the stage for a bizarre series of

Bemused attendees watched as Cisco and Internet Security Systems Inc.
(ISS) tried to stop Michael Lynn, an ISS employee, from giving his
scheduled talk on critical vulnerabilities in Cisco routers. Routers
move data around the Internet, and Cisco owns the market for them. It
has generally been assumed - naively so - that they are impervious to
attack, so news that they are not is very bad news indeed.

These less than glad tidings, however dispiriting, would rarely
qualify as front page news. But Cisco and ISS demurred. They secured
an injunction to prevent Lynn from giving his talk, and his
presentation was ripped from conference binders. The newly martyred
Lynn duly quit his job at ISS, sallied forth and delivered his speech
anyway, causing a veritable ruckus.

The entire affair was quickly dubbed 'Ciscogate', and made news around
the world.

It also drew attention to a disquieting global trend that is gathering
momentum. Software vendors are using copyright and trade secret laws
to prevent researchers from revealing critical flaws in software

For instance, in March 2005, Guillaume Tena, a French researcher in
molecular biology in the department of Genetics at Harvard University,
received a hefty fine from a French court and narrowly escaped jail
time for revealing flaws in a Tegam International anti-virus product
that was advertised as being capable of detecting and stopping "100
per cent of viruses." He was prosecuted under the French Intellectual
Property Code for counterfeiting. Tegam also seeks damages of 900,000
euros in a civil lawsuit - it considers Tena a software 'pirate' who
defamed the company.

But does muzzling security researchers improve software quality and
security? Or, as software vendors have no liability to customers for
flaws, will such action simply serve to hide a festering problem under
a rather large bushel?

Politicians mandated with protecting us and the global economy in
dangerous times ought to take note. As more than 85 per cent of "critical
infrastructure" - a phrase used to refer to critical sectors, such as
telecommunication providers, utilities, and the financial services
sector - is in private industry's hands and hugely dependent on
technology, more needs to be done to ensure its survivability.

Vendors argue that researchers who expose software flaws are often
less than pure of heart; that they threaten and cajole them to get
publicity and lucrative contracts. Vendors also maintain that
developing and testing patches takes time, and that customers expect
researchers to give vendors time to address problems before releasing
exploit code into the wild.

However, it can be months before patches are released, and they are
oftentimes only available to customers running the latest version of a
piece of software - a tactic that encourages upgrades. In addition,
vendors derive revenue from patch management services.

Meanwhile, many legitimate researchers are running scared, and opting
to co-operate with vendors in return for their largesse and approval.

So where does this leave us? Can we at least rely on security software
to keep us safe?

Alas, not as a matter of course.

In recent years, the US Federal Trade Commission (FTC) has reprimanded
companies, including Microsoft, Guess and Tower Records, for
misrepresenting the effectiveness of their security practices.
Security product vendors have received similar heat for making false
or misleading claims about their products to the public.

For example, the FTC recently got a temporary injunction and asset
freezing order against Trustsoft, a Texas-based company, accusing it
of misleading and deceptive advertising, and of spamming consumers,
pursuant to the US CAN-SPAM Act. According to the FTC, Trustsoft
misrepresented to consumers that its software had scanned
their PCs and located spyware. It used "frightening pop-ups" to try
to persuade people to purchase its product to remove spyware - a
task it was not in fact capable of performing. The FTC alleged that
the supposed scans completed on consumers' PCs were 'nothing more than
computer graphics that have no computer scanning capabilities'.

Even hardware vendors are not immune. Advanced Micro Devices (AMD),
the computer chip manufacturer, was recently called to task by Dutch
regulators for advertising a new chip as a way to prevent virus
outbreaks in the Netherlands.

A complaint was made to the Dutch consumer commission about an AMD
radio advertisement in Holland that apparently stated that the new
AMD64 processor would ensure people would "no longer have to worry
about viruses". Reports indicate that the regulator found that some of
the radio ads were "too absolute and as a result misleading."

In June 2005, Lorrie Cranor, Associate Research Professor at the
Institute for Software Research at Carnegie Mellon University,
presented the disquieting results of research carried out by her team.
They examined the performance of six commercial privacy tools,
marketed as capable of permanently wiping data from computers to
protect data privacy. The researchers were able in most cases to
recover sensitive data; files were not properly overwritten, and in
one case, the product tested 'completely failed' to do anything
useful. Users of such products were clearly left with a false sense of
security that their data had been successfully erased. The vendors
were contacted by the researchers, and the vast majority failed to

Unfortunately, flaws in security products are nothing new.

Indeed, The Yankee Group research company has recently indicated that
the security industry needs to pull up its socks in a big way, since
the number of vulnerabilities in products that are supposed to protect
us continues to escalate at an alarming rate.

All this is to say that as long as vendors are impervious to entreaty
and immune from legal liability, corporate customers should, where
possible, take matters into their own hands and employ a wide range of
defensive measures to make it harder for hackers to access vulnerable

The speed at which the recent Zotob worm hit several Canadian banks
and media outlets in the U.S., such as CNN, ABC, and the New York
Times, has convinced many experts that "there is no more patch
window." That worm exploits a security hole in the plug-and-play
feature of the Windows 2000 operating system. Microsoft had released a
patch for the bug as part of its monthly patching cycle shortly before
the outbreak, but new exploits emerged within three days of the patch
release, before many machines had been updated with the security fix.
Johannes Ullrich, chief research officer at the SANS Internet Storm
Center, in one of the security group's daily alerts, advised companies
to rely on "defense in depth" strategies to "survive the early release
of malware."

In other words, the bad guys are outmanoeuvring the security vendors,
and it is every man for himself.

Government and big business may have the resources and political clout
to take matters into their own hands, and/or to make vendors sit up
and take note, but the consumer does not. What can he/she expect by
way of protection?

There are indications that the FTC in the U.S. is taking a hard look
at claims made by vendors who market consumer products - and that they
are determined to at least hold them to the truth of publicly made
assertions about them.

Can we expect the Competition Bureau in Canada to follow suit? Vendors
surely cannot be expected to have their cake and eat it too.
