[ISN] Raided Firm's Software Checks Out

From: InfoSec News (isnat_private)
Date: Wed Dec 11 2002 - 00:22:57 PST

    By Michelle Delio
    Dec. 10, 2002

    Software designed by Ptech, a Massachusetts technology firm U.S.
    federal agents suspect might be linked to terrorist groups, does not
    appear to threaten national security.

    Federal agents raided the company's Quincy offices early Friday
    morning. Officials are investigating allegations that investors in the
    company also finance terrorist organizations.

    News of the raid sparked concerns that Ptech's software could have
    been engineered to allow attackers access to classified
    national-security data. The Army and Air Force, Congress, the White
    House, the Federal Aviation Administration and the FBI use the
    company's knowledge-management software.

    Initial reports indicate that Ptech's software was not engineered to
    allow attackers easy access to government databases.

    But security experts warned that while Ptech products might be safe,
    the raids highlight the need to secure systems from internal as well
    as external threats.

    "Internal security breaches are the number one problem. It's rare that
    someone actually hacks a system without help from inside," networking
    consultant Mike Sweeny said.

    "Just look at the last news bite about ID theft," Sweeny said. "A
    help-desk worker was handing over credit reports with all the info
    needed to steal peoples' identities for 60 bucks a pop. No hacking
    required there."

    According to a representative from the Department of Justice,
    officials had determined that Ptech software was "clean" before
    Friday's raid.

    "All of the products Ptech provided to the government were of a
    non-classified nature," said U.S. Attorney Michael Sullivan in a
    statement. "However, out of an abundance of caution, the affected
    government agencies, including the FBI, conducted a review of their
    computer systems.

    "There is no reason to believe that the software has any secondary
    purpose or malicious code, or that there has been a breach of any
    kind. There have been no vulnerabilities identified in connection with
    any of the products provided by Ptech. There is also no evidence to
    suggest that the system is susceptible to compromise or poses any
    security risk."

    Many security experts also said they doubted Ptech's software was a
    threat, but wondered how officials arrived at that conclusion so

    "Most commercial software is compiled in some manner," said Sweeny.
    "In other words, you do not see the source code so it's tough to look
    for backdoors or Trojans. And even if it were not closed source, the
    amount of code to go through is overwhelming unless you know exactly
    where to look."

    Some said the Ptech incident proves that government should rely on
    open source software.

    "This is exactly why open source software advocates promote open code,
    to allow peer review and preclude such things from happening," said
    security consultant Richard Forno. "It works for both a security and
    operational stability benefit."

    But Michael Wendy, of the Initiative for Software Choice, a lobbying
    organization that's battling to block governments from passing
    legislation encouraging or mandating the use of open source software,
    cautioned against making any "sweeping security conclusions from this
    event or anything similar that may occur."

    "It's important to note that a development model is only a process,"
    Wendy said. "It does not guarantee, in and of itself, that a product
    produced under one type of model will be any better than another
    product produced under a different model. In other words, no single
    development mode inherently produces safer, more secure software."

    Still others said it makes little difference whether the government
    uses open source or closed software.

    "Having more open source software in circulation with the government
    would be nice, but open source software can be as insecure as closed
    source software," said William Knowles, senior analyst at C4I.org, a
    private computer security and intelligence group.

    "But it's entirely possible that a backdoor could have been inserted
    into software destined for U.S. government clients," Knowles added. "I
    often wonder about all the Y2K programming done offshore in
    less-than-friendly countries and if there are any backdoors in that