The Fear Industry - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

02:30 PM

The Fear Industry

Shameless self-promoters? Fear mongerers? Sure, security researchers aren't always model citizens, but business technology pros want them on the job.

What you don't know about the security of your information systems can hurt you and probably already has. But how much information about security flaws is too much? Anything you're told about a software vulnerability, the villains surely will pick up, too.

Most people who manage information security say bring it on, subscribing to the belief that the more details they have about vulnerabilities, the better prepared they will be. They count on not only the software vendors' official security advisories, but also on researchers who specialize in analyzing products for flaws.

That's where the controversy heats up. Many researchers bring serious flaws to light, but others are all too willing to cash in on their cleverness by posting information about software vulnerabilities before vendors have a chance to patch their products. This shameless self-promotion of being the first to expose a key vulnerability can bring fame and consulting contracts. Other firms readily open up their checkbooks to pay hackers for dirt on flaws, doling out premiums for the worst flaws--ones that, say, Microsoft ends up rating critical. These disclosures are followed closely by malicious hackers looking for cracks to exploit. They also force IT staffs to drop more strategic projects in order to plug holes in their systems before the next big worm or Trojan strikes.

It's when these researchers also hold elite vendors--like Microsoft and Oracle--accountable that they earn their keep. Software is more secure today in part because the threat of public embarrassment hangs over the vendors, says George Roettger, Internet security specialist for ISP NetLink Services, in an E-mail interview. Researchers also wield a lot of power, he says, because their information can be used by "the bottom-feeder hackers who don't know much and learn from every piece of information available."

Metafile Smackdown

Sadler wants to know: What do security companies stand to gain?

Sadler wants to know: What do security companies stand to gain?
The experience around Windows Metafile earlier this year shows why these researchers are so controversial and powerful. WMF exploits represented a true zero-day attack, threatening several versions of Windows before Microsoft could issue a patch. In January, a vulnerability in WMF surfaced that let attackers use the Windows' graphics rendering engine that handles WMF images to launch malicious code on users' computers via these images. A number of security researchers posted information about the vulnerability to their mailing lists. Within a few hours, researcher H.D. Moore posted a working example of a WMF exploit--a piece of code written to take advantage of a software flaw--on his Metasploit Web site. Some defended the action, saying it offered insight into the rules security pros needed to put on intrusion-detection systems to avoid getting hit. Others argued that what Moore did enabled the average hacker to more easily exploit the flaw. "I guess both views are correct. The only practical difference between them is the intention of the 'security specialist,'" says Mati Aharoni, lead penetration tester with Israeli IT security education firm See Security Technologies, in an E-mail interview.

The hoopla about Windows Metafile led to some of the most frustrating days of Connie Sadler's career. "There were people predicting dire straits if we didn't do something," says the director of IT security at Brown University. "I had to put days aside from my regular job just to monitor different sites just in case something came up."

While the researchers kicked up dust, companies looking to defend themselves had few options. Microsoft's customers had to either wait for Microsoft's patch or install workaround code written by Ilfak Guilfanov, a senior developer at Belgian software maker DataRescue. Although Guilfanov's code got the approval of the SANS Institute's Internet Storm Center and security research firm F-Secure, it created a dilemma for people like Sadler. "If we ask our users to install that, it tells them it's OK to find and install a third-party patch, and it gave phishers an opportunity to exploit users," says Sadler, a former manager of global infrastructure security at Lockheed Martin.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 6
Comment  | 
Print  | 
More Insights
2021 State of ITOps and SecOps Report
2021 State of ITOps and SecOps Report
This new report from InformationWeek explores what we've learned over the past year, critical trends around ITOps and SecOps, and where leaders are focusing their time and efforts to support a growing digital economy. Download it today!
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Becoming a Self-Taught Cybersecurity Pro
Jessica Davis, Senior Editor, Enterprise Apps,  6/9/2021
Ancestry's DevOps Strategy to Control Its CI/CD Pipeline
Joao-Pierre S. Ruth, Senior Writer,  6/4/2021
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
Register for InformationWeek Newsletters
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll