http://www.washingtonpost.com/wp-dyn/articles/A32480-2004Apr21.html

By Jonathan Krim
April 22, 2004

The calm of a few months without a major attack of a computer worm, virus or other form of cyber-harassment was rattled hard this week. So dangerous are the latest vulnerabilities that the Department of Homeland Security took the rare step of briefing the media yesterday, warning that quick action by users and network operators was crucial to avoiding serious Internet disruption.

This time the problem is with routers, the appliances that push traffic around the Internet. Routers made by Cisco Systems Inc., which has a major share of the market, have two separate security holes that could allow easy access for hackers to do their worst.

It's another reminder that security threats are not likely to go away anytime soon and of the fragility of a world whose technology is so intertwined that a breach in one place can be exploited to bring down thousands or millions of systems around the world.

All of which makes recent recommendations in a report by an industry task force unusual and worthy of close attention. In effect, the group is saying: Tech providers, heal thyselves and make safer products.

That's a significant change for a technology industry that has spent considerable public-relations resources talking mostly about the need for better educating users and going after the bad guys.

But the report, issued Monday, pulls few punches. "The lack of 'out-of-the-box' security in many products is staggering," the authors state. By not having software that is set to be secure from the start, "vendors are placing the entire burden of securing products on their users."

Participants on the task force, one of several formed in December as part of an industry partnership with the Department of Homeland Security, included representatives of Oracle Corp., Microsoft Corp., Cisco, International Business Machines Corp., academics, banks and the military.
Although the report was issued before the Cisco problems were revealed, the Cisco holes helped make the point. In one case, wireless network devices were all pre-set with the same easily discovered default user name and password.

In some cases, the report tackles head-on what has thus far been industry mantra: That market forces, without government involvement, will produce the quickest and best solutions.

For example, the report asks why there aren't more tools available for detecting malicious computer code. The fact that there are "not more code scanning tools readily available is, in part, a market failure," the report says. "Many venture capitalists would rather support bandage companies than vaccine companies."

For some time, many security experts have scorned the public-private partnership as having been co-opted by the software industry as a way of insulating itself. Critics have argued for numerous steps to enforce production of safer products, including mandatory disclosure of security breaches and requiring corporate cyber-security audits.

One of these critics, Alan Paller, head of the SANS Institute in Bethesda, a cyber-security think tank and training facility, was delighted at the new admission of accountability.

"For the first time, the vendors have defined the most important security errors they have made, and continue to make," Paller said. "These are fundamental errors that are causing extreme pain and high cost for users. The admission that the vendors are making such mistakes, and that the mistakes must be corrected, are the essential first steps in improving cyber-security in America."

Paller praised several of the report's recommendations, including better quality control, new security standards and more collaboration with customers.

Already, however, the bristling has begun among some industry players. They say money is being directed at a wide range of security products, and they insist that better users, like safer drivers, are crucial.
For many security experts and an increasingly concerned Congress, the question is, What happens now?

The celebrated public-private partnership was created expressly with the hope of avoiding the need for regulation. As a result, none of the task forces recommended government intervention. But there is no single entity responsible for driving adoption of the numerous ideas.

Department of Homeland Security officials say they are not responsible for riding herd on industry. The technology trade associations leading the corporate side want the agency to use its bully pulpit to improve education but have been careful not to urge federal action directed at their own industries.

In the meantime, worms and viruses are becoming so commonplace that they are losing their luster as news stories. But they continue to cost companies and ordinary consumers millions of dollars a year.

Jonathan Krim can be reached at krimj@private

_________________________________________
ISN mailing list
Sponsored by: OSVDB.org
This archive was generated by hypermail 2b30 : Thu Apr 22 2004 - 02:47:38 PDT