From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Sat, 24 Aug 2002 07:56:13 -0700 (PDT)
Subject: [iwar] [fc:As.Threat.of.Cyber.Attacks.Grows,.Security.Specialists.Blame.Faulty.Software]
Message-Id: <200208241456.g7OEuEn07070@red.all.net>
Reply-To: iwar@yahoogroups.com

As Threat of Cyber Attacks Grows, Security Specialists Blame Faulty Software
http://www.newsfactor.com/perl/story/19104.html
Dallas Morning News
August 21, 2002

Almost a year after Sept. 11, the United States is growing more vulnerable by the hour to cyber attacks.

"Between 7,000 and 10,000 computers are being installed to the Internet, with known vulnerabilities, as we speak," said Allan Paller, director of the SANS Institute for Internet security training. "Between 2,000 and 3,000 programs are running 24 hours a day, seven days a week, seeking out computers with vulnerabilities to install Trojan horses for future attacks."

One reason for this rises over all others: bad software.

Bad Software Costs

Watts Humphrey, former director of International Business Machines' programming and software quality, says "90-plus percent of all vulnerabilities are due to poor quality software."

"Software is a critical technology for mankind, but it's very badly done – and doesn't need to be," he said.

A study by the National Institute of Standards & Technology last May found bad software costs the economy $59.5 billion a year. Those costs reflect breakdowns and repairs.

Security specialists say bad software will plague computer users until they demand better quality. That could come from high standards set for software used by the federal government, which buys $20 billion of software a year. It could come from competitors in developing countries such as India or China offering bug-free software. Texas has tried to improve software with professional certifications for programmers. Change could also come from product liability lawsuits – which software makers have tried to head off with hold-harmless laws passed by some state legislatures.

Demand for Improvement

Richard Clarke, the White House cyber security adviser, said at a Las Vegas hacker conference that software loaded with errors "is no longer acceptable."

Clarke has spent the year demanding that vendors such as Microsoft, Oracle and Novell improve their products.

"It is no longer acceptable that we can buy software ... that is filled with glitches," Mr. Clarke said this summer at a Las Vegas hacker conference. "It is no longer acceptable that the number of vulnerabilities is going up."

Software firms say they've gotten the message. Microsoft chairman Bill Gates made security the company's "highest priority" in January. He halted work on the Windows operating system for two months while programmers and engineers sought ways to eliminate software errors.

"When we face a choice between adding features and resolving security issues, we need to choose security," Mr. Gates wrote in an e-mail sent to all Microsoft employees.

Mary Ann Davidson, Oracle's chief security officer, said Microsoft faces a major cultural transformation to put security at the top of its priorities. Oracle, meanwhile, advertises its software as "unbreakable" because it is run through 15 independent security evaluations before release.

"The market dynamics now are, 'Throw it over the wall and hope the security is pretty good,'" she said of the overall software market. "Vendors need to take the pledge. They need to commit to a secure product life cycle."

Clarke Urges Boycott

Mr. Clarke has welcomed these commitments, but meanwhile he comes close to urging a government and consumer boycott of unsecured applications. Until handheld computers and other wireless products are more secure, he said, "We should all shut them off."

Bad software on the market is not the product of absent-minded programmers rocking out beneath headphones and surrounded by empty pizza boxes and coffee cups, said Mr. Humphrey, who is a senior fellow at Carnegie Mellon University's Software Engineering Institute.

Software programming involves translating operating instructions into millions of 1s and 0s. Software is considered poor quality if it has five errors per thousand lines of code. That's like five spelling or typographical errors in 20 to 40 pages of text, he said.

"We're not talking sloppy stuff. It takes very disciplined work just to get poor quality software," he said.

But security requirements for privacy, avoiding shutdowns and keeping intruders from taking over a computer system – "what I consider reasonably good software," Mr. Humphrey said – should have no more than one defect per million lines of code. Hardly any of the software now running computers or available off the shelf meets that quality standard.

Today's market defines "good software" as one error per thousand lines. "That's the kind of stuff people break into all the time," Mr. Humphrey said.

Hacking Tools for All

Security specialists said there are hacking tools on the Internet that anyone can use to launch attacks on systems with such "good software."

Charles Pfleeger, author of the college textbook Security in Computing, said consumers could get nasty surprises from the poor security of wireless devices.

"The messages you may be sending to your stockbroker or accountant are available not just for reading, but for manipulation," he said. "Someone truly malicious could get into your order where you ask a broker to sell 100,000 shares of Enron and convert it into a hold for 100,000 shares of Enron."

Both software and computer makers complain this is often the fault of the user who fails to turn on the encryption included in the product. But these sorts of security losses could easily balloon.

"If you think the typical attack is from a 16-year-old with a skateboard, we can live with that," said Tom Noonan, president and CEO of Internet Security Systems Inc. in Atlanta. "The threat we are concerned about is far more insidious. Foreign governments or operatives, terrorists, represent types of threats that might cause serious availability, integrity and operations problems."

Quality Assurance Tools

The National Institute of Standards and Technology has tried to help by improving quality assurance testing tools, which it says are "still fairly primitive." The institute maintains a Web site logging more than 4,500 software vulnerabilities (icat.nist.gov/icat.cfm).

NIST has partnerships with the government of Canada and with the National Security Agency for testing software encryption. In December, it announced a new encryption standard for federal government software that uses an algorithm of staggering complexity. Someone trying to crack the new code standard to identify the user's key would face a minimum of 340 undecillion possibilities (that's 340 followed by 36 zeros).

'Brilliant Coders'

Jim Gerretson, director of information assurance with the defense industry unit of Dallas-based Affiliated Computer Services Inc., doubts the federal government is a customer large enough to change the software industry's ways.

"Americans are brilliant coders, but they treat it as an art form rather than a science," he said.

Software companies are rushed by market pressures to get their products to a workable level rather than a fail-safe level, he said. "They get it to where it works, test to success, then release it, and the patches come out soon after," he said.

New operating system software could have 200 million lines of code, and testing that thoroughly could take years. "If it's a choice of spending two years to get it to work, or five years to get it bug-free, they're always going to come down on the side of the shortest route to market," he said.

Mr. Gerretson said it might require lawyers to get to a secure level of quality. "Get a couple of big companies with their computers compromised who sue for a billion dollars – maybe that's what it takes."

------------------
http://all.net/
This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:32 PDT