Personal Tech Pipeline | Hackers Attack Security Software


June 20, 2005

Hackers Attack Security Software

Courtesy of TechWeb News

Hackers are switching targets, a research firm said Monday, as they look for new vulnerabilities. Rather than focus on operating systems, Windows in particular, they're going after the very security software that's supposed to protect PCs.

"Am I just crazy, or have there been a lot of security vulnerabilities for security companies announced?" Andrew Jaquith, a senior analyst at the Yankee Group, said in describing what led him to analyze data from a public vulnerability database, ICAT.

From the beginning of 2004 to May 2005, 77 vulnerabilities affecting security products were posted to ICAT. That was a rate of increase greater than even that of Microsoft's Windows, which has actually shown improvement since the release last fall of Windows XP SP2.

"When considering the number of affected products rather than just the number of distinct vulnerabilities, the rate of increase was as fast as that of the industry as a whole," said Jaquith.

According to Jaquith, three factors played a part in the rise of security product problems. For one, vulnerability researchers -- who include both above-board "good guys" and underground hackers -- may have nearly depleted the supply of easily-exploited Windows vulnerabilities, and so are looking for virgin territory.

"An adolescent enthusiasm, and I think that's the right way to describe it, is what's driving a lot of this vulnerability research. They're always looking for the next thing and for recognition," said Jaquith.

Second, security products are an attractive target because nearly all enterprises have deployed them, especially anti-virus solutions. "There's low-hanging fruit in security products," said Jaquith, because the press hasn't forced security firms to acknowledge and fix problems in their code, as it has with operating system makers like Microsoft and Apple. "Flaws targeting security software stand a better chance of being successful," noted Jaquith.

That brings up what Jaquith calls the "tailgating effect," where hackers use the vulnerabilities in security software for their own purposes. "The real bad guys will put these vulnerabilities to work," said Jaquith, to, for instance, slip malicious code past the defenses companies count on to protect their networks.

A third driver of the trend, he added, is the economic self-interest of security assessment vendors. Although the practice isn't illegal -- and rarely gets slammed by security firms whose products are tagged as vulnerable -- some assessment firms specialize in spotting flaws in security providers' products. The assessment firms -- eEye Digital is an example, said Jaquith -- then sell their own security analysis software, which includes detection signatures for the other vendors' vulnerabilities.

One in four vulnerabilities in security products, in fact, was discovered this way during 2004 and the first half of 2005.

While Jaquith refused to label the practice as unscrupulous, he did say, "In the airliner manufacturing industry, you don't see companies saying 'our airplane falls out of the air less often than our competitors.'"

Of the major security vendors whose products have been tagged with vulnerabilities, Symantec's were "disproportionally affected," according to Jaquith's examination of the ICAT database. Check Point and F-Secure also saw their numbers jump in 2004, while others, such as McAfee, showed a significant decrease.

Disclosed vulnerabilities don't always lead to a worm or other exploit, but Jaquith noted that some researchers insist on publicly releasing proof-of-concept code, which makes a hacker's job all that much easier.

"These are like unprocessed uranium," he said. "Malicious parties can transform them easily into munitions."

So far, only one security product vulnerability -- in products from Internet Security Systems (ISS) -- has resulted in a major worm outbreak. In early 2004, the Witty worm snuck through ISS firewalls, and reportedly infected tens of thousands of PCs worldwide.

"Not coincidentally, ISS tightened up its security processes and decreased its share of vulnerabilities last year relative to 2003," said Jaquith. "The Witty worm should have been a wake-up call to the security vendors. It wasn't.

"We should be sounding the alarm," Jaquith urged. "We should be telling the security vendors, 'We know there's not a big problem at the moment, but we want to make you aware of it.'"

And working on it.

While all users should be pushing security vendors to put more emphasis on coding secure products -- so they use some of the same techniques that operating system makers now employ, such as regular security design reviews and reviews of the code base for security issues -- one of the best times to pressure them is when contracts come up for renewal.

Jaquith recommended that enterprises ask their preferred security vendors to detail how they develop in a secure fashion, and how they fix and patch problems.

Another way to mitigate possible exploits is to take a page out of operating system analysts' books. "One potential strategy is to diversify security vendors," he said.

"In the end, though, what we really need to do is push security vendors toward interoperability. They need to open up their APIs and their management consoles," he said, so that a heterogeneous security environment is actually practical.
