http://www.smh.com.au/news/Next/Security-claims-asking-for-trouble/2005/06/06/1117910220376.html

By Patrick Gray
June 7, 2005
Next

Two words that should never pass the lips of a software vendor are "it's secure", says Symantec's Dave Ahmad. Such statements draw the undivided attention of the world's security researchers, eager to poke holes in vendor grandstanding by finding security glitches in software touted as unbreakable.

As the moderator of the Bugtraq security mailing list for the past four years, Mr Ahmad has seen his fair share of security vulnerability advisories. A free email subscription to Bugtraq has become a must-have for IT security consultants, managers, vendors, researchers and students alike. Software vendors use Bugtraq to disclose vulnerabilities - flaws that can be used by hackers to break into computers running the affected software - and security researchers share findings and collaborate on the list.

After four years on the job, Mr Ahmad, who is based in Calgary, Canada, has come to appreciate that marketing software as a safer substitute for products that have had a bad run of security flaws may not be the best way to grab market share.

"When systems are touted as a secure alternative to the mainstream, that attracts (security) researchers," he says. "It's that hacker instinct: to go against the norm, to attack assumptions."

Recent examples cited by Mr Ahmad are the open source Mozilla Firefox browser, described by some as a secure alternative to Internet Explorer, and Apple's flagship operating system, OS X, an alternative to Microsoft's Windows. The image of both Firefox and OS X as completely secure software has been eroded in recent months, with security researchers disclosing vulnerabilities in both the browser and the operating system.

Mr Ahmad, 25, first joined SecurityFocus, the company that maintains Bugtraq, at 18 to maintain the company's vulnerability database. He took over Bugtraq in September 2001 and has been running it ever since.
SecurityFocus, which operates an early-warning system and web portal as well as the Bugtraq mailing list and vulnerability database, was acquired in 2002 by security software maker Symantec.

He has seen a lot of change in his time running Bugtraq. For example, vendors are more responsive to security concerns.

"Microsoft has got better. The open source community has got better," Mr Ahmad says. "Even vendors like Oracle, who I don't think are the best right now, have been pressured by high-profile researchers . . . into reacting a little more quickly."

However, according to Mr Ahmad, the recent downturn in the number of serious security vulnerabilities disclosed to the wider community comes not from increased product security, but from an increasingly secretive research community.

"In the last year or so there just haven't been those high-profile vulnerabilities," he says. "A lot of the good vulnerability researchers have stopped disclosing their findings."

More and more, security companies are selling their vulnerability data, Mr Ahmad says. "They're keeping their vulnerabilities private and charging a subscription fee," he says. "Now that vulnerabilities have a value, they're worth something, people will pay for them, there's a motivation to keep them private."

Even the bugs themselves have changed with time, Mr Ahmad says. Sometimes a breakthrough in security research will lead to a flood of vulnerabilities being disclosed. Technical methods for manipulating the memory "heap" on several operating systems, for example, were widely published in hacker magazines such as Phrack, Mr Ahmad says. That led to an onslaught of disclosures of heap-related vulnerabilities that had previously been thought to be non-critical.

"The level of sophistication is incredible now," he says.

At the CanSecWest security conference held in May in Canada, Mr Ahmad was impressed by a presentation by US-based IT security outfit eEye Digital Security.
The company's consultants demonstrated the exploitation of a kernel vulnerability in Windows, a class of flaw traditionally thought too difficult to use in practice to compromise a computer system.

"A few years ago it was inconceivable that this could be done, but we're pushing the limits because a lot of the low hanging fruit has been picked," Mr Ahmad says.
This archive was generated by hypermail 2.1.3 : Wed Jun 08 2005 - 08:09:07 PDT