Liability? What Liability?
Many industries and professions have strict liability and accountability regulations, which can significantly increase the costs of doing business, and which provides a place to assign responsibility should something go significantly wrong. Strangely, the software development industry tends to avoid liability for errors in generated software. The Therac-25 is one known example where software errors can be directly linked to human deaths. Likewise the flight control software in early Airbus fly by wire models could be argued to be responsible for human deaths (although it can be counter-argued that it was the human error of not knowing the software operating boundaries which caused the fatal crashes). In the End User Licence Agreements (EULAs) that are presented to the user before initial installation or use of software, software vendors will tend to claim that they have no liability or responsibility for the effects from their software on the end user's system.
Mentioned in columns in May and August, EULAs can introduce problems for end users / clients of the vendor. While end users can shoulder some personal responsibility for acquiring and installing the software, who is to be held responsible for vulnerabilities and exposure to risks from flaws in the software? As mentioned above, the software vendors sidestep this liability through the use of the EULA, at least for consumer level software. For the right amount of money, vendors will develop software to appropriate standards, and provide a level of accountability for flaws within it. It is essentially offering insurance for problems caused by flaws in the vendor's own software. Going further, and for even more money, it is possible to develop software which is near-perfect, and which the vendor supports completely.
The problem with the above argument is that the market has set its own baseline for what is an acceptable level of software performance and stability, which is unfortunately quite low. Better software takes time, and by the time that a polished application is ready, it is highly possible that the market has already been saturated by sub-standard offerings from other companies. While it is fashionable to complain and whine about the vulnerabilities in commercial software, the market only has itself to blame, forcing the current situation when it chose the lower priced vendors.
Discussion about where liability rests for software vendors has come at an opportune time, with Microsoft releasing their October Security patch updates last week. With nine patches released, it is strongly recommended that all people who use Microsoft Windows update their systems as a matter of extreme urgency. A number of the vulnerabilities can be remotely activated to completely compromise a vulnerable system.
Exploit code is already circulating for some of these recently patched vulnerabilities. Initially it had been reported that exploit code was already developed at the time of patch release, but it was contained to one or two online locations. Exploit code has escaped this boundary, and is starting to appear in numerous locations. It is not known at this stage whether the code has mutated into an active exploit for delivery, but it is feared that an automated attack based on MS05-051 will only be a matter of days away (at most).
The most critical security patch, MS05-051, has also caused issues for some users, with their systems effectively becoming unusable following application of the patch. Although Microsoft have now provided information on their site for correct application of the patch, and resolution of the issues which could arise, it is possible that many people will uninstall the patch, or delay application unnecessarily, due to the added administrative burden required to properly configure the systems.
A major spike in traffic on the affected network port appears to have been arrested over the last couple of days, but it is possible that the activity represented probing actions, with the proverbial calm before the storm as the US and Europe pass through the weekend, and a mass exploit due in the very near future.
It is considered probable that an automated worm will appear soon, and will begin mass infection of systems, with the peak of the attacks hitting at the start of the US working week. It has also been disclosed that there are some low threat malware applications which remain functional even in Windows Safe Mode, which is used to effectively remove embedded malware. It is predicted that this sort of capability will only become more common across the various malware vendors and applications.
The vulnerabilities currently being targeted as a result of Microsoft's patch releases are not the only major threat that is facing the Internet over the next couple of months.
The ongoing argument between the Tier 1 ISPs, as treated in last week's column, continues to simmer, public exploit code has been released for a month old Cisco router vulnerability, and a brewing argument between the European Union and ICANN (a US organisation which manages / assigns IP - DNS relationships) over control of DNS could threaten the future operational structure of the Internet.
Essentially, the EU is arguing that the US should not have sole control of the top level of the Internet, and that it should be passed to a more global organisation (such as them). The risk is that if a consensus is not agreed upon at talks in Tunisia, it could see competing top level records established by ICANN and the EU. If it is mandated that EU companies have to register with the EU servers, it could see situations where sites such as telekom.de point to two completely different addresses, depending on which set of address servers you use. While it is more likely that in this situation most companies will just register the same data with both authorities, the problems surface when there is a dispute, or companies are too slow to establish the duplicate records and a competitor or squatter get the records first. Given that there is no compulsion to use any of the existing services, it will be interesting to observe how this change is mandated, and enforced.
The news from last week's column about the English Security contractor who was convicted of 'hacking' a donations website has continued to inflame emotions within the Information Security industry. Daniel Cuthbert was charged under the UK Computer Misuse Act for 'hacking' a website which was accepting donations following the 2004 Tsunami. A number of people have stepped forward to provide character references in an effort to provide at least some balance to the situation and reporting. It has also come out that Daniel is involved with OWASP, an industry group concerned with improving web application security knowledge and implementations, leading the London branch of the organisation, and he will be presenting at the upcoming OWASP conference in the US.
Unfortunately, it appears that Daniel's Information Security career has come to a sudden end as a result of the court case. It also appears that the case has caused a schism between Information Security researchers and law enforcement agencies, quite the opposite result from what was probably desired from the case. Unfortunately it has also caused deep division within the industry as various groups align on the different sides of the argument (that he did / did not do anything wrong), and it is likely that the current arguments will leave at least some lingering effects.
Losing a skilled Information Security worker could be seen as a strange move, given a recent survey conducted by IDC, on behalf of Cisco, of various CIO's across the UK and Europe. The survey has found that the respondents are expecting a shortfall of skilled workers as soon as 2008. In the UK it is estimated that as many as 40,000 positions may be unfillable, and across Europe the figure may be as high as half a million. A Cisco spokesperson indicated that these positions will not be general IT positions, but rather they will be highly specialised positions, such as Wireless technology (802.11, Bluetooth), and security. It has been said for a while now that Australia faces a critical shortage of skilled Information Technology personnel, amongst a greater shortage overall of skilled workers in the workforce. This latest survey indicates that this problem appears to be facing other countries as well.
Perhaps some of these skilled positions will be in protecting mobile gaming devices. Following on from news that the Sony PSP has been affected by malware which makes infected units unbootable, it has been disclosed that the Nintendo DS (a competing hand held gaming system) now has its own malware which also makes the unit unbootable. Known as DSBrick, the malicious software poses as user developed code, and overwrites various sections of memory in order to make the DS unbootable.
Sometimes, the extra staff will not necessarily prevent bad things from happening. The most advanced online banking security model currently in use (the equivalent of a one time pad) has recently come under extra attention from phishers. A Swedish bank was recently targeted with an attack which requested users enter the next several codes from their appropriate pad, providing the phishers with a limited number of attack opportunities. While increased user knowledge would avoid such a blatant attempt, a well designed phish, which claims that the first code was improperly entered, will be more likely to successfully obtain details that can be used to access the accounts of their victims. This is the first attack of this type to be reported on, although it was predicted quite a while ago (by us). The S?nnet Beskerming online banking security products, and model, provide security that can not be defeated through tricks such as this, and which are immune to all known phishing attacks and predicted attack models.
Finally, a threat which is not related to any Information Security threats, but demonstrates well in a slower time frame how Information Technology systems tend to get infected. The current strain of bird influenza, H5N1, which is causing concern globally for its potential to be a repeat of the 1918 pandemic (actually, much, much worse than 1918 - which was also a bird flu variant), appears to have mutated to be immune to the most widespread pharmaceutical defence against it that exists, Tamiflu (oseltamivir). It has been reported that a Vietnamese girl who was infected with the virus showed no response to the drug when it was administered to her, instead her body developed a much stronger, drug resistant strain.
The current spread of the disease through wild and domesticated bird flocks, and the last effort attempts to control the spread, have a parallel in rapid spreading computer based worm / malware infestations. An initial host is infected intentionally by the malware author (natural virus mutation in the birds), which then seeks out other vulnerable hosts in the nearby environment (same for the birds). Once a certain critical point has been reached, the infection escapes the initial contained environment and starts attacking more remote hosts (same for the birds).
From here, the infection saturates local vulnerable hosts and continues to spread along network connections (migratory paths for birds). As defences are activated, such as network disconnection, firewalls, IPSs, active sysadmin actions, and non-vulnerable hosts, the infection rate slows and eventually subsides to background noise as all vulnerable hosts are exhausted. The same thing is being observed with the bird flu, with continued global spread into Europe despite slash and burn tactics against bird flocks. Countries not yet infected are starting to take action, such as the Netherlands dictating that all domesticated birds must be kept indoors, and others continue to be protected by geography (such as Australia and New Zealand), despite the geographical proximity of confirmed human cases (Indonesia).
If and when the virus mutates and blends with the existing human influenza, it is probable that an extremely virulent influenza that is transmissable from human to human will be formed, and the pandemic will have started.
17 October 2005
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.
Subscribe to our feed.