[ISN] Planning for the Applet Threat

From: mea culpa (jerichot_private)
Date: Wed Jul 01 1998 - 15:33:04 PDT

    Forwarded From: blueskyt_private
    
    Planning for the Applet Threat
    by Chris Oakes 
    
    6:31pm  30.Jun.98.PDT
    
    The latest security threat to corporate networks and computers on the
    Internet has been identified and, on Tuesday, an industry consortium came
    into being to combat it.
    
    The threat? Small software programs, or applets -- distributed via the
    Internet mainly as Java and ActiveX programs -- that steal or damage
    electronic data.
    
    Over the next few months the new group, calling itself the Malicious
    Mobile Code Consortium, plans to set up a Web site detailing its findings
    and proposing policies and guidelines for defeating the threat. The
    consortium was formed by the International Computer Security Association
    (ICSA), and charter members include Advanced Computer Research, Computer
    Associates (CA), Dr. Solomon's Software, eSafe Technologies, Finjan,
    Quarterdeck Corp. (QDEK), and Symantec (SYMC). 
    
    The consortium's name is derived from the generic term it uses for hostile
    Java applets and other "malicious mobile code." The code is defined as any
    Internet-delivered auto-executable program, delivered in the form of
    ActiveX, Java, or other HTML-based plugins, that employ so-called helper
    programs on a user's hard disk to access unauthorized files and deliver
    them to the applet's author.
    
    "Numerous attacks have already been publicly reported," said consortium
    manager Dave Harper at a Tuesday press conference. He cited a computer
    club's demonstration of an ActiveX control that could electronically
    transfer funds without a user's knowledge and another program capable of
    working through America Online software to steal account information and
    delete local files.
    
    The functions that mobile code can perform are potent, added Bill Lyons,
    CEO of Finjan, a company offering detection software. "They're all
    legitimate functions. They can open network connections, read a file,
    write a file, destroy a file.  But typically this isn't destruction. It's
    more espionage and copying files." 
    
    Lyons says there is no doubt about the arrival of the "mobile code"
    threat. "It's not something you can prevent or stop. It's coming, so what
    you want to do is manage it. And you're not going to manage it by denial."
    
    Security expert Peter Neumann says the ICSA is probably performing a
    useful function in pulling together the consortium. However, he warns
    that, as with any risk, companies should beware of easy answers. "There
    are many weak links," he wrote in an email. "Efforts to close up just a
    few holes are not satisfactory."
    
    For now, the threat posed by these next-generation electronic demons is
    largely hypothetical. "You can't get around the fact that there are not
    any known threats today," said Ted Julian, analyst for Forrester Research.
    
    Still, Julian is convinced of the threat posed by applets, and the
    demonstration applets he's seen have shown impressive capabilities.
    
    "They're pretty scary demos," he said. "They'll shut down your system,
    erase your hard drive, take password files.... It's a big issue." He says
    Forrester is convinced that these kinds of attacks will definitely become
    more real than hypothetical.
    
    Forrester's research shows that over 90 percent of security managers in
    corporations are concerned about Java and ActiveX security, but 72 percent
    are allowing them in without a defense strategy.
    
    Truly effective defense, Julian said, will come from building
    code-monitoring detection utilities into currently installed antivirus
    software. Companies working on such technology include Finjan, eSafe, and
    Security Seven.
    
    "Given the absence of known threats, we don't think it makes sense to buy
    a separate product," he said. "Our advice is that [security managers]
    wait until antivirus providers include code monitoring protection."
    
    Vendors are currently showing inadequate interest in addressing the threat
    of malicious mobile code, Julian said. Yet he thinks that the smaller
    companies now offering stand-alone monitoring products are only likely to
    see great success through acquisition by antivirus software companies. 
    
    