Tag Archives: security consultant

Windows’ Gaping, Seven Month Hole

Quite a big hooha over this latest Microsoft vulnerability, and I readily ‘fess up to the fact that I didn’t really take this seriously. Seems like I wasn’t the only one.

But folk like Shawna McAlearney of SearchSecurity.com points out that the delay of 200 days between Microsoft being notified and their coming out with a patch is appallingly long. “If Microsoft really considered this a serious or critical vulnerability for nearly all Windows users, it should have been a ‘drop-everything-and-fix’ thing resolved in a short period of time,” Shawna quotes Richard Forno, a security consultant, as saying. “Nearly 200 days to research and resolve a ‘critical’ vulnerability on such a far-reaching problem is nothing short of gross negligence by Microsoft, and is a direct affront to its much-hyped Trustworthy Computing projects and public statements about how security is playing much more important role in its products.” Strong stuff.

So what is all the fuss about? The vulnerability in question can, in theory, permit an unauthenticated, remote attacker to execute arbitrary code with system privileges: That means a ne’er do well could do anything they want in your computer. And while it hasn’t happened yet, to our knowledge, it’s only a question of time, according to Scott Blake, vice president of information security at Houston-based BindView Corp.: “We believe attacks will be conducted remotely over the Internet, via e-mail and by browsing Web pages. We expect to see rapid exploitation — it’s simply a case of when it materializes.”

Paul Thurrot, of WinNetMag, weighs in with his view, pointing out that the flaw is a very simple one: “attackers can compromise the flaw with a simple buffer-overrun attack, a common type of attack that Microsoft has wrestled with since its Trustworthy Computing code review 2 years ago.”

More On Damage Estimates And The Myth-Making Urge

It was bound to happen, and it always pays to be first: Who’s going to estimate how much damage MyDoom did?

Rob Rosenberger, editor of Vmyths, predicted it right: The winner is British security consultant mi2g, which reckons the damage will cost us all $38.5 billion. That’s a lot of cash. Vmyths is not impressed, dismissing it as ‘completely absurd’, and pointing to its previous reports on the company’s statements. Mi2g, it should be pointed out, has threatened to sue Vmyths in the past, so perhaps we’ll see a robust rebuttal.

I’m not able to explore how mi2g got their figure, since the full text of the report must be bought — for £29.38 including taxes — unless you’re a member of their Inner Sanctum (which costs £352.50 per quarter). Would buying that report be included in the estimated overall cost of MyDoom? (I did request a review copy, but my email to the form-based contact page bounced, ominously).

Reporters, Vmyths say, have already picked up the figure: It points to a report in The Web Host Industry Review, and adds it believes “major media outlets will fall like dominoes — mi2g’s declaration is simply too large for them to ignore”. Rob may be right, again: TechWeb have also picked it up, but so far nothing from the major agencies.

I have to agree with Rob that these kind of estimates are a bit too headline-grabbing to be useful. Anything with a figure in tends to be too much for a reporter to ignore. Mi2g, for its part, has been assiduously estimating the cost since it first appeared: $400 million on January 27, doubling later the same day, $3 billion the next day, before leaping to $19 billion the day after that.

Talking of which, I never got any further to establishing whether a figure of $55 billion attributed to a Trend Micro spokesman for the cost of viruses last year was real or an error (and if so, an error by the reporter or by Trend Micro). Funny how the PR people go to earth when they’re grappling with tricky questions.

Loose Wire: The State We

Loose Wire: The State We Could Be in

By Jeremy Wagstaff
from the 28 March 2002 edition of the Far Eastern Economic Review, (c) 2003, Dow Jones & Company, Inc.

Voting in your underwear? Sounds an appealing proposition: the chance to exercise your constitutionally protected right without actually having to leave your home. You could be watching Frasier while working out which candidate you want to mess things up for you for the next three/four/25 years, based on criteria such as which one most closely resembles a Teletubby/Frasier’s brother Niles/your Aunt Maudlin.

Yes, the lure of Internet voting is coming around again. In May, soccer enthusiasts will be able to vote for their favourite players in the World Cup via a joint South Korean and Japanese project (mvp.worldcup2002.or.kr; the site is not fully functioning yet). This is just an on-line poll, of course, and doesn’t add much to the mix except to try to introduce a new social group (soccer fans) to the concept of on-line voting. Elsewhere, however, on-line voting is already kicking in: Some towns in Britain are undertaking pilot projects allowing voters to choose their local councillors via the Internet, or even via SMS, in borough elections in May.

I don’t want to be a killjoy, but this kind of thing gives me the heebie-jeebies. The arguments in favour of on-line voting make sense — faster counting, less human error, attracting younger, hipper voters with handphones and Internet connections in their hatbands, higher turnouts, you can vote in your underpants, etc., etc. — until you actually think about it. Computers, we’ve learned since we plugged one PC into another, are notoriously insecure. Viruses are now so sophisticated and prevalent that many security consultants advise their clients to update their anti-virus software every day. What are the chances of a voting system not being a juicy target for people writing these nasty little vermin programs?

Another argument wheeled out in favour of Internet voting is this: The Web is now managing billions of dollars of transactions successfully, so why can’t it handle voting? There’s a simple answer to this, as security consultant Bruce Schneier of Counterpane Internet Security (www.counterpane.com) explains: The whole point of voting is that it’s supposed to be anonymous, whereas any financial transaction has attached to it details of payee, recipient and other important data. This makes it much, much harder to protect any voting system from fraud, much harder to detect any fraud and much harder to identify the guy conducting the fraud. What’s more, if there was evidence of fraud, what exactly do you do in an on-line vote? Revote? Reconduct part of the vote? Chances are that faith in the overall ballot has been seriously, if not fatally, undermined.

Some of these problems could be done away with via ATM-style machines that print out a record of the vote. That could then be used in any recount. But it’s still not enough: As on-line voting expert Rebecca Mercuri points out, there is no fully electronic system that can allow the voter to verify that the ballot cast exactly matches the vote he just made. Some nasty person could write code that makes the vote on the screen of a computer or ATM-machine printout different from that recorded. This may all sound slightly wacky to people living in fully functioning democracies. But (political point coming up, cover your eyes if you prefer) democracies can be bent to politicians’ wills, and one country’s voting system may be more robust than another’s.

Scary stuff. Florida may seem a long way away now, but the lesson from that particular episode must be that any kind of voting system that isn’t simple and confidence-inspiring gives everyone stomach ulcers. The charming notion that the more automation you allow into a system, the more error-free and tamper-proof it becomes, is deeply misguided. The more electronics and automation you allow into the system, the less of a role election monitors can play.

Internet voting, or something like it, may well be the future. I’d like to see it wheeled out for less mission-critical issues, like polling for whether to introduce traffic-calming measures in the town centre, or compulsory kneecapping for spitters, say. But so long as computers remain fragile, untamed beasts that we don’t quite understand, I’d counsel against subjecting democracy to their whim. Even if I am in my underpants.