[iwar] [fc:As.Threat.of.Cyber.Attacks.Grows,.Security.Specialists.Blame.Faulty.Software]

From: Fred Cohen (fc@all.net)
Date: 2002-08-24 07:56:13


To: iwar@onelist.com (Information Warfare Mailing List)
Subject: [iwar] [fc:As.Threat.of.Cyber.Attacks.Grows,.Security.Specialists.Blame.Faulty.Software]

As Threat of Cyber Attacks Grows, Security Specialists Blame Faulty Software

http://www.newsfactor.com/perl/story/19104.html
Dallas Morning News
August 21, 2002
Almost a year after Sept. 11, the United States is growing more
vulnerable by the hour to cyber attacks.

"Between 7,000 and 10,000 computers are being installed to the Internet,
with known vulnerabilities, as we speak," said Allan Paller, director of
the SANS Institute for Internet security training.  "Between 2,000 and
3,000 programs are running 24 hours a day, seven days a week, seeking
out computers with vulnerabilities to install Trojan horses for future
attacks."

One reason for this rises over all others: bad software. 

Bad Software Costs

Watts Humphrey, former director of International Business Machines'
programming and software quality, says "90-plus percent of all
vulnerabilities are due to poor quality software."

"Software is a critical technology for mankind, but it's very badly done
– and doesn't need to be," he said. 

A study by the National Institute of Standards & Technology last May
found bad software costs the economy $59.5 billion a year.  Those costs
reflect breakdowns and repairs.  Security specialists say bad software
will plague computer users until they demand better quality. 

That could come from high standards set for software used by the federal
government, which buys $20 billion of software a year.  It could come
from competitors in developing countries such as India or China offering
bug-free software. 

Texas has tried to improve software with professional certifications for
programmers.  Change could also come from product liability lawsuits –
which software makers have tried to head off with hold-harmless laws
passed by some state legislatures. 

Demand for Improvement

Richard Clarke, the White House cyber security adviser, said at a Las
Vegas hacker conference that software loaded with errors "is no longer
acceptable."

Clarke has spent the year demanding that vendors such as Microsoft,
Oracle and Novell improve their products. 

"It is no longer acceptable that we can buy software ...  that is filled
with glitches," Mr. Clarke said this summer at a Las Vegas hacker
conference.  "It is no longer acceptable that the number of
vulnerabilities is going up."

Software firms say they've gotten the message.  Microsoft chairman Bill
Gates made security the company's "highest priority" in January.  He
halted work on the Windows operating system for two months while
programmers and engineers sought ways to eliminate software errors. 

"When we face a choice between adding features and resolving security
issues, we need to choose security," Mr. Gates wrote in an e-mail sent
to all Microsoft employees. 

Mary Ann Davidson, Oracle's chief security officer, said Microsoft faces
a major cultural transformation to put security at the top of its
priorities.  Oracle, meanwhile, advertises its software as "unbreakable"
because it is run through 15 independent security evaluations before
release. 

"The market dynamics now are, 'Throw it over the wall and hope the
security is pretty good,' " she said of the overall software market. 
"Vendors need to take the pledge.  They need to commit to a secure
product life cycle."

Clarke Urges Boycott

Mr. Clarke has welcomed these commitments, but meanwhile he comes close
to urging a government and consumer boycott of unsecured applications. 
Until handheld computers and other wireless products are more secure, he
said, "We should all shut them off."

Bad software on the market is not the product of absent-minded
programmers rocking out beneath headphones and surrounded by empty pizza
boxes and coffee cups, said Mr. Humphrey, who is a senior fellow at
Carnegie Mellon University's Software Engineering Institute. 

Software programming involves translating operating instructions into
millions of 1s and 0s.  Software is considered poor quality if it has
five errors per thousand lines of code.  That's like five spelling or
typographical errors in 20 to 40 pages of text, he said. 

"We're not talking sloppy stuff.  It takes very disciplined work just to
get poor quality software," he said. 

But security requirements for privacy, avoiding shutdowns and keeping
intruders from taking over a computer system – "what I consider
reasonably good software," Mr. Humphrey said – should have no more than
one defect per million lines of code. 

Hardly any of the software now running computers or available off the
shelf meets that quality standard.  Today's market defines "good
software" as one error per thousand lines.  "That's the kind of stuff
people break into all the time," Mr. Humphrey said.

Hacking Tools for All

Security specialists said there are hacking tools on the Internet that
anyone can use to launch attacks on systems with such "good software."

Charles Pfleeger, author of the college textbook Security in Computing,
said consumers could get nasty surprises from the poor security of
wireless devices. 

"The messages you may be sending to your stockbroker or accountant are
available not just for reading, but for manipulation," he said. 
"Someone truly malicious could get into your order where you ask a
broker to sell 100,000 shares of Enron and convert it into a hold for
100,000 shares of Enron."

Both software and computer makers complain this is often the fault of
the user who fails to turn on the encryption included in the product. 
But these sorts of security losses could easily balloon. 

"If you think the typical attack is from a 16-year-old with a
skateboard, we can live with that," said Tom Noonan, president and CEO
of Internet Security Systems Inc. in Atlanta.  "The threat we are
concerned about is far more insidious.  Foreign governments or
operatives, terrorists, represent types of threats that might cause
serious availability, integrity and operations problems."

Quality Assurance Tools

The National Institute of Standards and Technology has tried to help by
improving quality assurance testing tools, which it says are "still
fairly primitive."

The institute maintains a Web site logging more than 4,500 software
vulnerabilities (icat.nist.gov/icat.cfm).  NIST has partnerships with
the government of Canada and with the National Security Agency for
testing software encryption. 

In December, it announced a new encryption standard for federal
government software that uses an algorithm of staggering complexity. 
Someone trying to crack the new code standard to identify the user's key
would face a minimum of 340 undecillion possibilities (that's 340
followed by 36 zeros). 

'Brilliant Coders'

Jim Gerretson, director of information assurance with the defense
industry unit of Dallas-based Affiliated Computer Services Inc., doubts
the federal government is a customer large enough to change the software
industry's ways. 

"Americans are brilliant coders, but they treat it as an art form rather
than a science," he said. 

Software companies are rushed by market pressures to get their products
to a workable level rather than a fail-safe level, he said.  "They get
it to where it works, test to success, then release it, and the patches
come out soon after," he said.  New operating system software could have
200 million lines of code, and testing that thoroughly could take years. 

"If it's a choice of spending two years to get it to work, or five years
to get it bug-free, they're always going to come down on the side of the
shortest route to market," he said. 

Mr. Gerretson said it might require lawyers to get to a secure level of
quality. 

"Get a couple of big companies with their computers compromised who sue
for a billion dollars – maybe that's what it takes."


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:32 PDT