[ISN] What's the Biggest Security Problem?

From: InfoSec News (isnat_private)
Date: Wed Apr 16 2003 - 01:01:44 PDT

    http://www.pcworld.com/news/article/0,aid,110281,00.asp
    
    Andrew Brandt
    PCWorld.com
    April 15, 2003
    
    Experts, hackers debate cyberterror, digital teens, and holey
    software.
    
    SAN FRANCISCO -- Cyberterrorism is a joke, organized crime syndicates
    grow their own hackers, and the greatest threat to e-commerce is a
    metaphorical "angry Bulgarian teenager," said security experts in a
    lively panel here.
    
    The sometimes serious, sometimes riotously funny debate covered many
    of the most pressing computer security threats of the day.
    Participants were reformed former hacker Kevin Mitnick; Maryann
    Davidson, Oracle's chief security officer; Gregor Freund, Zone Labs'
    chief executive; and Jeff Moss, organizer of the Black Hat security
    conference.
    
    
    Mixed Concerns
    
    "Generally, cyberterrorism is considered a joke. You're much more
    likely to piss off some teenagers in Bulgaria than Hezbollah," Moss
    said, referring to the Palestinian terrorist organization. "If you can
    defend [your networks] against teenagers, you can defend against
    terrorists."
    
    Oracle's Davidson decried how quickly today's malicious hackers can
    turn a just-announced software vulnerability into a usable hacking
    tool.
    
    "The gap between a theoretical exploit to a practical hack has gone
    from weeks, to days, to hours," she said.
    
    The telecommunications networks are a weak spot, noted Mitnick--and he
    should know. He spent years evading capture while manipulating
    telephone networks. "The possibility that an outsider can compromise a
    telecom provider is pretty likely," he said.
    
    But a cyberattack alone is unlikely to do much real damage. "If our
    enemies were going to attack, they would have to combine a physical
    and a cyberattack to increase the likelihood of casualties," Mitnick
    said.
    
    "What's the worst that could happen? They'd DOS my site and knock it
    off the Web for a couple of hours or a day," Moss said, referring to
    the common denial-of-service attack.
    
    
    Diverse Hackers
    
    But Zone Labs' Freund cautioned that hackers are organizing and
    hacking for a cause.
    
    "There's a major shift from kids with no motivation to go after
    particular companies, to targeted attacks against specific
    businesses," he said.
    
    Cybercrime by organized groups is on the rise, Moss agreed. "When you
    look at the attacks on the Web, the criminals are the innovators while
    the terrorists are playing catch-up. When you look at who is doing
    interesting attacks, it's all organized crime."
    
    Moss recounted receiving mysterious telephone calls late at night, a
    few years after he started hosting the annual DefCon hackers
    convention. The caller, whom Moss suspected of being involved in
    organized crime or an FBI agent, asked for his help with "theoretical"
    problems involving breaking into PC and phone networks.
    
    The calls stopped in 1998, which "either meant they decided to do
    something else, or they just got good enough that they didn't need
    hackers anymore," Moss said. "Their own guys were taking computer
    science classes."
    
    
    Holey Software
    
    Security problems with operating systems and applications create an
    ongoing challenge to keep database software secure, said Oracle's
    Davidson.
    
    "The state of security in the software industry is 'don't worry, be
    crappy,'" she said.
    
    Davidson says analysts estimate a business pays $900 to patch a
    server, and $700 to patch a client. Multiply those figures by the
    number of systems a company has, and then by the number of patches
    required each year, and it's evident how expensive fixing bugs can be,
    she said. Yet software holes continue to surface, the panelists noted.
    
    "We can't always count on customers to pick the most secure
    [product]," said Moss. "I think they'll always buy the blinky, shiny
    thing."
    
    And Mitnick quipped, "You can't go to Windows Update and get a patch
    for stupidity."
    
    Moss also cited weaknesses in the BIND domain name system and other
    low-level problems with common network protocols.
    
    "The fundamental structure of everything we depend on for the Internet
    is fundamentally broken," Moss said. "I'm jaded, but I still want to
    fix 'em."
    
    
    Security's Silver Lining
    
    In the end, the panelists named software vulnerabilities the key
    security challenge--far above hackers or terrorists.
    
    "Software products have to be designed like Cuisinarts," Davidson
    suggested. "With one of those food processors, you have to really try
    hard to be able to run it in a dangerous way and get your hand in
    there. Software needs to be more like that."
    
    What's more, buggy software and frequent security patches keep
    software companies from focusing on creating software that fixes more
    fundamental problems, they said.
    
    "The security industry isn't happy that all these bad things happen,"
    Freund said.
    
    Moss noted, "But we have job security for life."
    
    "You have a legion of people fixing the most basic security problems,
    getting burned out," Moss added. "I can't just look at the software
    itself anymore; I have to analyze the culture of software companies.
    It's almost a full-time job to purchase a product now."
    
    