[ISN] Who Should Keep Out The Hackers?

From: InfoSec News (isn@private)
Date: Thu Apr 22 2004 - 00:11:04 PDT

    http://www.washingtonpost.com/wp-dyn/articles/A32480-2004Apr21.html
    
    By Jonathan Krim
    April 22, 2004
    
    The calm of a few months without a major attack of a computer worm,
    virus or other form of cyber-harassment was rattled hard this week.
    
    So dangerous are the latest vulnerabilities that the Department of
    Homeland Security took the rare step of briefing the media yesterday,
    warning that quick action by users and network operators was crucial
    to avoiding serious Internet disruption.
    
    This time the problem is with routers, the appliances that push
    traffic around the Internet. Routers made by Cisco Systems Inc., which
    has a major share of the market, have two separate security holes that
    could allow easy access for hackers to do their worst.
    
    It's another reminder that security threats are not likely to go away
    anytime soon and of the fragility of a world whose technology is so
    intertwined that a breach in one place can be exploited to bring down
    thousands or millions of systems around the world.
    
    All of which makes recent recommendations in a report by an industry
    task force unusual and worthy of close attention. In effect, the group
    is saying: Tech providers, heal thyselves and make safer products.
    
    That's a significant change for a technology industry that has spent
    considerable public-relations resources talking mostly about the need
    for better educating users and going after the bad guys.
    
    But the report, issued Monday, pulls few punches.
    
    "The lack of 'out-of-the-box' security in many products is
    staggering," the authors state. By not having software that is set to
    be secure from the start, "vendors are placing the entire burden of
    securing products on their users."
    
    Participants on the task force, one of several formed in December as
    part of an industry partnership with the Department of Homeland
    Security, included representatives of Oracle Corp., Microsoft Corp.,
    Cisco, International Business Machines Corp., academics, banks and the
    military.
    
    Although the report was issued before the Cisco problems were
    revealed, the Cisco holes helped make the point. In one case, wireless
    network devices were all pre-set with the same easily discovered
    default user name and password.
    
    In some cases, the report tackles head-on what has thus far been
    industry mantra: That market forces, without government involvement,
    will produce the quickest and best solutions. For example, the report
    asks why there aren't more tools available for detecting malicious
    computer code.
    
    The fact that there are "not more code scanning tools readily
    available is, in part, a market failure," the report says. "Many
    venture capitalists would rather support bandage companies than
    vaccine companies."
    
    For some time, many security experts have scorned the public-private
    partnership as having been co-opted by the software industry as a way
    of insulating itself. Critics have argued for numerous steps to
    enforce production of safer products, including mandatory disclosure
    of security breaches and requiring corporate cyber-security audits.
    
    One of these critics, Alan Paller, head of the SANS Institute in
    Bethesda, a cyber-security think tank and training facility, was
    delighted at the new admission of accountability.
    
    "For the first time, the vendors have defined the most important
    security errors they have made, and continue to make," Paller said.  
    "These are fundamental errors that are causing extreme pain and high
    cost for users. The admission that the vendors are making such
    mistakes, and that the mistakes must be corrected, are the essential
    first steps in improving cyber-security in America."
    
    Paller praised several of the report's recommendations, including
    better quality control, new security standards and more collaboration
    with customers.
    
    Already, however, the bristling has begun among some industry players.  
    They say money is being directed at a wide range of security products,
    and they insist that better users, like safer drivers, are crucial.
    
    For many security experts and an increasingly concerned Congress, the
    question is, What happens now?
    
    The celebrated public-private partnership was created expressly with
    the hope of avoiding the need for regulation. As a result, none of the
    task forces recommended government intervention. But there is no
    single entity responsible for driving adoption of the numerous ideas.
    
    The Department of Homeland Security officials say they are not
    responsible for riding herd on industry. The technology trade
    associations leading the corporate side want the agency to use its
    bully pulpit to improve education but have been careful not to urge
    federal action directed at their own industries.
    
    In the meantime, worms and viruses are becoming so commonplace that
    they are losing their luster as news stories.
    
    But they continue to cost companies and ordinary consumers millions of
    dollars a year.
    
    Jonathan Krim can be reached at krimj@private
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    
    This archive was generated by hypermail 2b30 : Thu Apr 22 2004 - 02:47:38 PDT