How security vendors use fear to sell protection software

Buying protection from Java applets, ActiveX controls, JavaScript

August 31, 1998
Web posted at: 11:10 AM EDT

by Matthew Nelson


(IDG) -- Mobile-code programs pose an increasing threat that security vendors are having a difficult time illustrating to potential customers.

Mobile-code applications, in the form of Java applets, ActiveX controls, JavaScript, and other autoexecutable applications, can be powerful tools for distributing information. But with their increasing power, the potential also increases for those applications to be used for unscrupulous ends. Companies that offer products to protect against such threats sometimes must prove to end-users that the problems even exist before they will listen to possible solutions.

To impress security users with the dangers of mobile code, companies such as eSafe, among others, have placed links on their Web sites to third-party demonstrations of hostile ActiveX controls. Some security companies even work with consulting groups to create demonstration applets -- a practice that some analysts believe may do more harm than good. (See "Breach raises questions over security ethics"). However, some security companies insist the practice is necessary.

"We have demonstrated to a very large bank in the Boston area, using an applet that we had downloaded from the Internet. The management were watching as we downloaded the applet, and the ActiveX applet executed on their PC," said Asher Jospe, CEO and president of Security7. "Before we did this, they said they were completely secure."

Malicious mobile code is still an unknown in some users' minds, because it is fundamentally different from the more common viruses that can infect a system or the straight hacking attempts that may plague a network.

"[Users] know that mobile code is an issue and that it can do bad things, but what they don't know is how far encompassing a problem it is," said Penny Leavy, vice president for worldwide marketing and business development at Finjan. "If you are looking at deploying security, you should have a firewall, you should have a VPN [virtual private network], you should have intrusion detection, anti-virus, and mobile-code security."

Rogue applets do not replicate themselves or simply corrupt data as viruses do, but instead they are most often specific attacks designed to steal data or disable systems.

"In days past, you almost had to open a document or install software in order for some malicious entity to get into your hard drive, and now you don't even know what is happening," said Fiona Swerdlow, a digital commerce analyst at Jupiter Communication, in New York. "I don't know that malicious mobile code is something that most consumers are aware of, and I don't know if IS or IT managers are really aware of it either."

"The easiest way for a hacker to get into a company now is to write a vandal and have it do the job for them on the inside rather than trying to hack into a system," said Jerry Huyghe, global product manager for enterprise products at eSafe, a mobile-code scanning company.

The two most prevalent forms of mobile code, Java applets and ActiveX controls, have security features built into the languages, according to their creators, JavaSoft and Microsoft, respectively.

Java includes a security model inherent to the language, called the Java Sandbox. The Sandbox is designed to limit what an untrusted applet may touch on the local system, and with the forthcoming release of Java Development Kit 1.2, that access will be monitored more closely through finer-grained permissions. Sun executives insist that Java is a secure language that does not require special scanning, but they do admit that nothing is totally secure.

"In theory, the Sandbox is secure and everything is fine, but we cannot guarantee that to you," said Li Gong, Java security architect at Sun. "Any large and complex piece of software may have bugs and those may translate to be security holes."

Sun's addition of a security model with Java is generally applauded by the security industry, but analysts point out that nothing is totally secure.

Many analysts agree that ActiveX controls perhaps pose the bigger security threat, because the ActiveX security model is coarse: a control either runs with full access to the machine or is not allowed to run at all.

"ActiveX is fairly scary, because it pretty much runs or it doesn't run," said Ted Julian, an analyst at Forrester Research, in Cambridge, Mass. "ActiveX has a far less granular security architecture than Java, but neither are secure."
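The contrast Gong and Julian draw (a sandbox that grants specific permissions versus a control that either runs in full or not at all) can be seen directly with the policy-based model that JDK 1.2 introduced. The program below is an added example written for this page, not code from Sun, JavaSoft or any vendor quoted in the article; the file names, the policy file contents and the commands are assumptions. Under a SecurityManager the same code is allowed to read the one file the policy names and is refused the other; without a SecurityManager it simply runs, which is the ActiveX-style outcome.

```java
// SandboxDemo.java -- added illustration of the JDK 1.2-style policy sandbox.
//
// Policy file (constructed for this example), saved as sandbox.policy in the
// working directory. Only the listed permission is granted to all code:
//
//   grant {
//       permission java.io.FilePermission "allowed.txt", "read,write";
//   };
//
// Build and run inside the sandbox (JDK 8 through 23; the SecurityManager is
// deprecated since JDK 17 and permanently disabled from JDK 24, where the
// -Djava.security.manager flag is rejected):
//
//   javac SandboxDemo.java
//   java -Djava.security.manager -Djava.security.policy=sandbox.policy SandboxDemo
//
// Run without the two -D flags to see the unsandboxed, all-or-nothing behaviour.

import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;

public class SandboxDemo {

    // Attempts to create/write a file and reports whether the sandbox allowed it.
    // The SecurityManager's checkWrite runs before the file is opened, so a
    // SecurityException here means the policy refused the access.
    static boolean tryWrite(String path, String text) {
        try (FileWriter w = new FileWriter(path)) {
            w.write(text);
            System.out.println("write allowed: " + path);
            return true;
        } catch (SecurityException e) {
            System.out.println("write refused: " + path + " (" + e.getMessage() + ")");
            return false;
        } catch (IOException e) {
            System.out.println("write allowed by policy but failed on disk: " + path);
            return true;
        }
    }

    // Attempts to open a file for reading. checkRead runs before the open, so
    // reaching the IOException branch means the sandbox permitted the read and
    // only the file itself was missing.
    static boolean tryRead(String path) {
        try (FileReader r = new FileReader(path)) {
            System.out.println("read allowed:  " + path);
            return true;
        } catch (SecurityException e) {
            System.out.println("read refused:  " + path + " (" + e.getMessage() + ")");
            return false;
        } catch (IOException e) {
            System.out.println("read allowed by policy, file missing: " + path);
            return true;
        }
    }

    public static void main(String[] args) {
        if (System.getSecurityManager() == null) {
            System.out.println("No SecurityManager installed: all accesses below will succeed,"
                    + " the run-or-don't-run model the article attributes to ActiveX.");
        } else {
            System.out.println("SecurityManager installed: only permissions in the policy apply.");
        }

        tryWrite("allowed.txt", "inside the sandbox\n"); // granted by sandbox.policy
        tryRead("allowed.txt");                           // granted by sandbox.policy
        tryRead("secret.txt");                            // not granted: refused, same code
    }
}
```

The point to take from the run is that the decision is made per permission, not per program: the identical class is allowed one file operation and refused another because the policy, not the code, decides. That is the granularity Julian says ActiveX lacks, and it is also why Gong's caveat stands: the policy is only as good as the checks the platform actually enforces.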

The bottom line, of course, is that as more and more mobile code is put in use by businesses, malicious mobile-code attacks will gain more attention.

"If somebody is in security, this is not a hard sell -- they know this is an issue. The mass market, it usually takes a watershed event to sell to these people," Leavy said.

Matthew Nelson is a reporter for InfoWorld.

© 2000 Cable News Network. All Rights Reserved.