The Fear Industry - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

02:30 PM

The Fear Industry

Shameless self-promoters? Fear mongerers? Sure, security researchers aren't always model citizens, but business technology pros want them on the job.

What you don't know about the security of your information systems can hurt you and probably already has. But how much information about security flaws is too much? Anything you're told about a software vulnerability, the villains surely will pick up, too.

Most people who manage information security say bring it on, subscribing to the belief that the more details they have about vulnerabilities, the better prepared they will be. They count on not only the software vendors' official security advisories, but also on researchers who specialize in analyzing products for flaws.

That's where the controversy heats up. Many researchers bring serious flaws to light, but others are all too willing to cash in on their cleverness by posting information about software vulnerabilities before vendors have a chance to patch their products. This shameless self-promotion of being the first to expose a key vulnerability can bring fame and consulting contracts. Other firms readily open up their checkbooks to pay hackers for dirt on flaws, doling out premiums for the worst flaws--ones that, say, Microsoft ends up rating critical. These disclosures are followed closely by malicious hackers looking for cracks to exploit. They also force IT staffs to drop more strategic projects in order to plug holes in their systems before the next big worm or Trojan strikes.

It's when these researchers also hold elite vendors--like Microsoft and Oracle--accountable that they earn their keep. Software is more secure today in part because the threat of public embarrassment hangs over the vendors, says George Roettger, Internet security specialist for ISP NetLink Services, in an E-mail interview. Researchers also wield a lot of power, he says, because their information can be used by "the bottom-feeder hackers who don't know much and learn from every piece of information available."

Metafile Smackdown

Sadler wants to know: What do security companies stand to gain?

Sadler wants to know: What do security companies stand to gain?
The experience around Windows Metafile earlier this year shows why these researchers are so controversial and powerful. WMF exploits represented a true zero-day attack, threatening several versions of Windows before Microsoft could issue a patch. In January, a vulnerability in WMF surfaced that let attackers use the Windows' graphics rendering engine that handles WMF images to launch malicious code on users' computers via these images. A number of security researchers posted information about the vulnerability to their mailing lists. Within a few hours, researcher H.D. Moore posted a working example of a WMF exploit--a piece of code written to take advantage of a software flaw--on his Metasploit Web site. Some defended the action, saying it offered insight into the rules security pros needed to put on intrusion-detection systems to avoid getting hit. Others argued that what Moore did enabled the average hacker to more easily exploit the flaw. "I guess both views are correct. The only practical difference between them is the intention of the 'security specialist,'" says Mati Aharoni, lead penetration tester with Israeli IT security education firm See Security Technologies, in an E-mail interview.

The hoopla about Windows Metafile led to some of the most frustrating days of Connie Sadler's career. "There were people predicting dire straits if we didn't do something," says the director of IT security at Brown University. "I had to put days aside from my regular job just to monitor different sites just in case something came up."

While the researchers kicked up dust, companies looking to defend themselves had few options. Microsoft's customers had to either wait for Microsoft's patch or install workaround code written by Ilfak Guilfanov, a senior developer at Belgian software maker DataRescue. Although Guilfanov's code got the approval of the SANS Institute's Internet Storm Center and security research firm F-Secure, it created a dilemma for people like Sadler. "If we ask our users to install that, it tells them it's OK to find and install a third-party patch, and it gave phishers an opportunity to exploit users," says Sadler, a former manager of global infrastructure security at Lockheed Martin.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 6
Comment  | 
Print  | 
More Insights
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
How GIS Data Can Help Fix Vaccine Distribution
Jessica Davis, Senior Editor, Enterprise Apps,  2/17/2021
Graph-Based AI Enters the Enterprise Mainstream
James Kobielus, Tech Analyst, Consultant and Author,  2/16/2021
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll