Flaw law needed to tackle hackers
25 July 2005
California and a few other US states force firms to publicise security breaches involving personal information in their databases. Such disclosures affect firms’ share prices, but the consequences do not end there.
When people are told that their personal information has been exposed, many will ask what will happen if that information is used by crooks to obtain credit or for other illegal purposes.
The problems can be very expensive. Imagine the cost of providing counselling for a victim, monitoring their bank accounts for a year or so for signs of fraud, and indemnifying them against any such losses. Then multiply that cost by a few hundred thousand victims. It seems Americans have a law that gives board members an incentive to ensure that databases are not lost or stolen. What a pity we don’t have a similar law governing the quality of software, because the issues are closely related.
Security experts warn that trojans are often installed on vulnerable computers by organised criminal gangs. They take control of the machines and steal personal information about the owners.
Recently updated research on the Witty worm revealed some surprising information. Witty was released onto the net a few hours after security software specialist ISS released a patch to fix a remotely exploitable buffer overflow in its software.
One of the key findings of this research was the short time between the patch being released and the worm appearing, plus the fact that the worm was seeded to a handful of specific computers known to be vulnerable. These facts lead most experts to think that the person who made the worm had known about the flaw for quite some time. They believe the worm was released as a sort of “toys out of the pram” protest at the software vendor finally closing down the culprit’s private playground.
The worm was not the work of a script kiddie, and was not produced from information derived from the patch.
Another startling fact is that the total number of vulnerable computers was remarkably small – about 12,000 in the world – and that the worm infected all but a few of them within about 24 hours. This explodes the myth that Windows computers are only targeted by hackers because there are so many of them – which is a bit like saying hackers only attack Windows because it’s so good.
It might be more honest to say that most software contains vulnerabilities because currently there is little encouragement for anyone to design more secure systems.
Perhaps we need incentives for software vendors to make better products. Otherwise, given the persistently vulnerable nature of software, you might need to add the cost of counselling victims to the costs of anti-virus and anti-spam systems that you already have.