[ISN] Who Should Keep Out The Hackers?

InfoSec News isn at c4i.org
Thu Apr 22 03:11:04 EDT 2004


http://www.washingtonpost.com/wp-dyn/articles/A32480-2004Apr21.html

By Jonathan Krim
April 22, 2004

The calm of a few months without a major attack of a computer worm,
virus or other form of cyber-harassment was rattled hard this week.

So dangerous are the latest vulnerabilities that the Department of
Homeland Security took the rare step of briefing the media yesterday,
warning that quick action by users and network operators was crucial
to avoiding serious Internet disruption.

This time the problem is with routers, the appliances that push
traffic around the Internet. Routers made by Cisco Systems Inc., which
has a major share of the market, have two separate security holes that
could allow easy access for hackers to do their worst.

It's another reminder that security threats are not likely to go away
anytime soon, and of the fragility of a world whose technology is so
intertwined that a breach in one place can be exploited to bring down
thousands or millions of systems around the world.

All of which makes recent recommendations in a report by an industry
task force unusual and worthy of close attention. In effect, the group
is saying: Tech providers, heal thyselves and make safer products.

That's a significant change for a technology industry that has spent
considerable public-relations resources talking mostly about the need
for better educating users and going after the bad guys.

But the report, issued Monday, pulls few punches.

"The lack of 'out-of-the-box' security in many products is
staggering," the authors state. By not having software that is set to
be secure from the start, "vendors are placing the entire burden of
securing products on their users."

Participants on the task force, one of several formed in December as
part of an industry partnership with the Department of Homeland
Security, included representatives of Oracle Corp., Microsoft Corp.,
Cisco, International Business Machines Corp., academics, banks and the
military.

Although the report was issued before the Cisco problems were
revealed, the Cisco holes helped make the point. In one case, wireless
network devices were all pre-set with the same easily discovered
default user name and password.

In some cases, the report tackles head-on what has thus far been
industry mantra: That market forces, without government involvement,
will produce the quickest and best solutions. For example, the report
asks why there aren't more tools available for detecting malicious
computer code.

The fact that there are "not more code scanning tools readily
available is, in part, a market failure," the report says. "Many
venture capitalists would rather support bandage companies than
vaccine companies."

For some time, many security experts have scorned the public-private
partnership as having been co-opted by the software industry as a way
of insulating itself. Critics have argued for numerous steps to
enforce production of safer products, including mandatory disclosure
of security breaches and requiring corporate cyber-security audits.

One of these critics, Alan Paller, head of the SANS Institute in
Bethesda, a cyber-security think tank and training facility, was
delighted at the new admission of accountability.

"For the first time, the vendors have defined the most important
security errors they have made, and continue to make," Paller said.
"These are fundamental errors that are causing extreme pain and high
cost for users. The admission that the vendors are making such
mistakes, and that the mistakes must be corrected, are the essential
first steps in improving cyber-security in America."

Paller praised several of the report's recommendations, including
better quality control, new security standards and more collaboration
with customers.

Already, however, the bristling has begun among some industry players.
They say money is being directed at a wide range of security products,
and they insist that better-trained users, like safer drivers, are crucial.

For many security experts and an increasingly concerned Congress, the
question is, What happens now?

The celebrated public-private partnership was created expressly with
the hope of avoiding the need for regulation. As a result, none of the
task forces recommended government intervention. But there is no
single entity responsible for driving adoption of the numerous ideas.

Department of Homeland Security officials say they are not
responsible for riding herd on industry. The technology trade
associations leading the corporate side want the agency to use its
bully pulpit to improve education but have been careful not to urge
federal action directed at their own industries.

In the meantime, worms and viruses are becoming so commonplace that
they are losing their luster as news stories.

But they continue to cost companies and ordinary consumers millions of
dollars a year.

Jonathan Krim can be reached at krimj at washpost.com.
