Information Security News mailing list archives
Got a Virus? Blame the Tightwads
From: InfoSec News <isn () C4I ORG>
Date: Wed, 28 Feb 2001 19:43:25 -0600
http://www.wired.com/news/technology/0,1282,42047,00.html

by Michelle Delio
2:00 a.m. Feb. 28, 2001 PST

Short attention spans and skimpy security budgets are leaving computer systems wide open to attacks and viruses that should be easy to defend against, security experts say.

All of the system cracks and viruses that have grabbed headlines lately could have been easily prevented with user education or software updates -- not to mention plain, common sense.

On Monday, a cracker called "Fluffy Bunny" took advantage of a well-publicized hole in BIND, the software that translates word-based Web addresses into a numerical form understandable to computers -- and managed to transform McDonalds' website in Great Britain into "McDicks" for several hours.

The BIND bug was also used on Monday by "BL4F Crew" to hack into 10 Nintendo Europe websites. BL4F left several messages on the Nintendo sites, including the poignant "security is a complete myth on the Internet.... It's frustrating. That's what it is."

Frustrating indeed, since the attack -- and all of the other system cracks and viruses that have grabbed headlines lately -- could easily have been prevented with user education or software updates.

Fixes for the BIND holes were released at the end of January.

Intel, Disney, Terra Lycos (which owns Wired News), Compaq Computer, Hewlett-Packard, Gateway, Disney and The New York Times Online were all attacked this month, the cracker using a hole in Microsoft's Internet Information Server (IIS 4.0) to break in. A patch for that hole was released last Oct. 17.

And most of the viruses that clog networks have been active for the better part of a year, according to Ken Dunham, a senior analyst at Security Portal. Warnings and antiviral patches have been released for all of them. Yet infections like Anna, which was nothing more than an old worm in a new wrapping, continue to spread.

Security experts have scant hope that the situation will soon change for the better.

"People are creatures of habit so they continue to click-click. When something like Anna comes around, awareness is up and memories are sharp and strong," said Vincent Gullotto, senior director for McAfee AVERT (Anti-Virus Emergency Response Team). "For a while they remember the 'rule' and no one click-clicks. But as time passes they forget and start click-clicking again."

Gullotto and many of his colleagues believe that viruses will continue to spread as long as curiosity is strong enough to override common sense.

"It is probably too much to expect that a few hundred million people around the globe -- plus the millions of new computer users each year -- will always remember the 'do-not-click' rule for e-mail attachments," said Richard Smith, of the Privacy Foundation.

Smith thinks the only way to stop viruses is to "build top-notch security and privacy protections" into all e-mail programs, rather than expecting people not to click, or hoping that they or their systems manager will download and install the latest patch to protect them from the Crack Of The Day.

Many systems administrators say that recent budget and staffing cutbacks make it impossible for them to keep up with security procedures, and so patches aren't being applied to software as conscientiously as they should be.

Security becomes a priority for some companies only when it adversely affects business as usual, Dunham said.

"When the total expense for security goes up, the interest from managers goes down," Dunham said. "Updating patches and antiviral software is a low priority for some administrators and managers, and some IT departments suffer in performance because they are under-skilled and understaffed, or both."

Some systems managers also say that the companies they work for think that it's less expensive to clean up viral messes than to implement proactive security solutions.

"When IT people get together, a good percentage of them will bitch about how they can't manage systems with a skeleton staff, and no budget to speak of," said a systems manager at a Manhattan bank who spoke on the condition that he be identified only as Joe Smith. "Most of the people who make the spending decisions are either not technically astute enough to grasp the importance of security, or just hope against hope that no one is going to attack our servers."

Proactive expenditures are more difficult to justify because they are not as obviously necessary as the reactive measures, such as removing a virus from a corporate network, Smith said.

But this attitude can be costly. Gullotto believes that the majority of attacks on websites and networks occur simply because security people don't install the necessary patches.

"Security isn't convenient and it takes some work to stay on top of what the latest updates are," Gullotto said. "We recommend that any patch that has been developed be reviewed and implemented where possible."

Another complicating factor is that patches can create problems of their own, problems that many systems managers say they don't have the time or resources to deal with.

"I'm really leery about adding anything to the system until I see how it's working. I don't have the staff to troubleshoot a sick system, and we've had problems with patches in the past. So I tend to sit back and hold off on patching things, probably longer than I should," Smith said.

Adding patches can be a major headache for administrators, said Dave Kroll, director of security research at Finjan Software.

"There is no magic bullet here. Security is a process, constant vigilance is required and unfortunately this takes up a lot of time and funding," Kroll said.

Kroll believes that too many systems administrators and users rely too heavily on anti-viral software instead of applying security patches, a trend that worries him.

"The hole in anti-virus software is so big you can drive a truck through it and the hackers and even the anti-virus vendors know it," Kroll said. "The reactive approach of anti-virus updates is no longer sufficient by itself for security."

In many cases, it is easy to bypass anti-viral (AV) software. Every hacker has a few good "compressors" or "packers" in his or her arsenal which can get around anti-viral software by compressing a known virus, thereby changing its appearance just enough so that the AV scanner can't recognize it.

Some anti-viral and security companies have begun to look at more proactive ways to protect systems and get news to systems administrators quickly.

McAfee is working on a system that will identify threats as they enter into a computing environment, and will recognize malicious code by looking for specific behaviors and patterns, not particular chunks of code. This technology, now under development, is called Outbreak Manager.

And when time is too short to comb vendors' pages and security discussion sites for alerts and patches, systems managers can use direct news services, such as Security Focus' NetRadarEWS.

But many systems administrators say that, while news services and intelligent detection programs will help, what they really need is real support from upper management.

"If I could devote a full hour or two a day to dealing with security issues, I could protect our network and educate our users about viruses and safe computing," Smith said. "But in the current economic climate, managers want to use the system to make money. They don't want to spend money to secure it."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".