[ISN] Latest scary virus draws skeptics

From: mea culpa (jerichoat_private)
Date: Wed Jan 06 1999 - 17:34:19 PST

  • Next message: mea culpa: "[ISN] New York Investigation Firm Plans to Buy Internet Consultant"

    http://chkpt.zdnet.com/chkpt/zdnn010699/www.zdnet.com/zdnn/stories/news/0,4586,383371,00.html
    Latest scary virus draws skeptics
    The Russian New Year Excel bug hasn't hurt anybody and perhaps never will.
    By Jim Kerstetter, PC Week
    
    An Israeli security company finds an ingenious hack that has impacted no
    one and has yet to be spotted on the Internet, and everyone gets upset. 
    
    But should they? 
    
    This time, the danger is in malicious mobile code hidden on Web sites.
    Finjan Inc., with U.S.  headquarters in San Jose, Calif., detailed the
    attack, called the Russian New Year, during a teleconference earlier
    today. 
    
    The genius of this attack, according to Finjan officials, is in taking two
    functions normally used separately -- HTML and the CALL function available
    in Microsoft Corp.'s Excel 95 and 97 -- and combining them to form an
    attack. With this combination, an attacker could steal or copy Internet
    users' documents and spreadsheet files. The Excel application does not
    have to be running to execute this exploit. It just has to be installed on
    a PC. 
    
    The victim would never know what happened, said Bill Lyons, Finjan's
    president and CEO. 
    
    Lyons said he is not aware of any companies that have been exposed to the
    attack, although another Finjan official said he has heard of a few but
    couldn't disclose their names. They also said no one had pinpointed a site
    that's conducting such attacks. 
    
    A Finjan customer notified the company about the security "hole" after
    being alerted by a colleague in Russia (hence the "Russian New Year" tag).
    Finjan, in turn, contacted Microsoft (which had already posted a security
    alert last month that said such a thing was possible with Excel), alerted
    the highly regarded CERT (Computer Emergency Response Team), added a patch
    to its own mobile code-scanning software, gave The Wall Street Journal a
    heads-up and called a press conference. 
    
    The problem appears to be preventable, although at the cost of losing some
    of the Web's interactive features, said Lyons. 
    
    Install or upgrade to Microsoft's Office 97 and install Service Release 1
    and then install Service Release 2 plus patch to eliminate the CALL
    function. 
    
    If using Microsoft's Internet Explorer version 4.x, adjust the security
    setting on the browser to the highest level. 
    
    If using Netscape Communications Corp.'s Navigator browser, install or
    upgrade to Navigator 4.5. 
    
    Finjan is also offering a free 30-day trial of its SurfinGate server
    software that deals with the problem. 
    
    Observers are wary
    
    To some industry observers, the Russian New Year is more water than vodka. 
    
    They say by all means pay attention to such alerts and take steps to
    protect against such attacks.  But a company -- or a consumer -- cannot be
    a fortress and still function in an Internet economy.  Fears of hackers,
    malicious Web sites and internal saboteurs can't derail a company from
    taking advantage of the Internet. 
    
    "I fear that the media focus on things like this is making people make
    unwise security investments,"  said Ted Julian, an analyst at Forrester
    Research Inc. 
    
    What Julian says is: Be prepared, be safe and expand your security plans
    to include issues like giving customers and business partners access to
    data via authentication mechanisms like digital certificates. Maintaining
    tough security policies is often more beneficial than buying expensive
    software. Whatever you do, he said, don't become so paranoid that your
    business becomes an island on the Internet. 
    
    "Application access control is far more important in the long run than a
    lot of these issues,"  Julian said. 
    
    So far, most highly publicized security breaches have been isolated to a
    single company or even the laboratory. 
    
    Last month, for example, Network Associates Inc. called a press conference
    to talk about a virus that had been set loose on the internal network of
    MCI/Worldcom. One Network Associates official dubbed the attack
    "cyberterrorism," although the company later played it down. MCI/Worldcom
    officials even called reporters to refute such characterizations. And last
    summer, researchers at Bell Laboratories exposed a hole in the Secure
    Sockets Layer security used in most browsers.  Netscape and Microsoft
    quickly released patches and the hole was never exploited outside of a
    lab. 
    
    Sprinkle in the dozens of Microsoft Office macro viruses and other
    nuisance attacks, and it would appear that the world is a very dangerous
    place. 
    
    And it can be, said analysts. But the more worrisome attacks, like one on
    Caterpillar Inc. last summer that lasted for two weeks, still rely more on
    guile than technical savvy. 
    
    As bad as the worm? 
    
    Forrester's Julian chaffed at an assertion by Finjan that the Russian New
    Year attack is the worst thing since the Morris Worm, which virtually
    brought down the Internet about 10 years ago. 
    
    Robert Morris, a student at Cornell University at the time, created a
    self-replicating virus -- more of an experiment than a malicious act --
    and set it loose on the university's network to see what would happen.
    Within days, it had spread across the Internet and even disabled part of
    AT&T's phone system, according to the book, "Cyberpunk: Outlaws and
    Hackers on the Computer Frontier" by Katie Hafner and John Markoff. 
    
    "Give me a break," said Julian. "There is no comparison between a
    malicious code incident with no fallout and what was one of the seminal
    hacks of all time." 
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:15:10 PDT