How security vendors use fear to sell protection software
(IDG) -- Mobile-code programs pose an increasing threat that security vendors are having a difficult time illustrating to potential customers.
To impress security users with the dangers of mobile code, companies such as eSafe, among others, have placed links on their Web sites to third-party demonstrations of hostile ActiveX controls. Some security companies even work with consulting groups to create demonstration applets -- a practice that some analysts believe may do more harm than good. (See "Breach raises questions over security ethics"). However, some security companies insist the practice is necessary.
"We have demonstrated to a very large bank in the Boston area, using an applet that we had downloaded from the Internet. The management were watching as we downloaded the applet, and the ActiveX applet executed on their PC," said Asher Jospe, CEO and president of Security7. "Before we did this, they said they were completely secure."
Malicious mobile code is still an unknown in some users' minds, because it is fundamentally different from the more common viruses that can infect a system or the straight hacking attempts that may plague a network.
"[Users] know that mobile code is an issue and that it can do bad things, but what they don't know is how far encompassing a problem it is," said Penny Leavy, vice president for worldwide marketing and business development at Finjan. "If you are looking at deploying security, you should have a firewall, you should have a VPN [virtual private network], you should have intrusion detection, anti-virus, and mobile-code security."
Rogue applets do not replicate themselves or simply corrupt data as viruses do, but instead they are most often specific attacks designed to steal data or disable systems.
"In days past, you almost had to open a document or install software in order for some malicious entity to get into your hard drive, and now you don't even know what is happening," said Fiona Swerdlow, a digital commerce analyst at Jupiter Communication, in New York. "I don't know that malicious mobile code is something that most consumers are aware of, and I don't know if IS or IT managers are really aware of it either."
"The easiest way for a hacker to get into a company now is to write a vandal and have it do the job for them on the inside rather than trying to hack into a system," said Jerry Huyghe, global product manager for enterprise products at eSafe, a mobile-code scanning company.
The two most prevalent forms of mobile code, Java applets and ActiveX controls, have security features built into the languages, according to their creators, JavaSoft and Microsoft, respectively.
Java includes a security model inherent to the language called the Java Sandbox. The Sandbox is designed to limit an application's access to resources on the computer that it has not been authorized to use, and with the forthcoming release of Java Development Kit 1.2, that access will be more closely monitored. Sun executives insist that Java is a secure language that does not require special scanning, but they do admit that nothing is totally secure.
"In theory, the Sandbox is secure and everything is fine, but we cannot guarantee that to you," said Li Gong, Java security architect at Sun. "Any large and complex piece of software may have bugs and those may translate to be security holes."
Sun's addition of a security model with Java is generally applauded by the security industry, but analysts point out that nothing is totally secure.
Many analysts agree that ActiveX controls perhaps pose the bigger security threat, because their security model is less comprehensive and all-or-nothing: a control either runs with full access or does not run at all.
"ActiveX is fairly scary, because it pretty much runs or it doesn't run," said Ted Julian, an analyst at Forrester Research, in Cambridge, Mass. "ActiveX has a far less granular security architecture than Java, but neither are secure."
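The permission-by-permission checking the analysts contrast with ActiveX, as an added example that is not from the article, from Sun, or from any vendor quoted here. It installs the JDK 1.2 SecurityManager and submits three accesses to it; each is judged on its own, so one property read is granted, another refused, and a file read refused. It assumes a JDK with its default policy file, JDK 8 to 17 (18 to 23 need `-Djava.security.manager=allow`, and later releases have dropped the manager), and `/etc/hostname` stands in for any existing file.

```java
import java.io.FileReader;
import java.util.concurrent.Callable;

/** Constructed demo of the Java 2 sandbox: once a SecurityManager is
 *  installed, every sensitive operation is checked against the granted
 *  permissions individually rather than run-everything-or-nothing. */
public class SandboxDemo {

    /** Runs an action and reports whether the sandbox let it through. */
    static String attempt(String label, Callable<?> action) {
        try {
            action.call();
            return label + ": allowed";
        } catch (SecurityException denied) {
            return label + ": denied by sandbox (" + denied.getMessage() + ")";
        } catch (Exception other) {
            // e.g. the placeholder file does not exist; not a sandbox decision.
            return label + ": failed for a non-security reason (" + other + ")";
        }
    }

    /** Three accesses an untrusted applet might make; same code both phases. */
    static String[] probe() {
        return new String[] {
            // The default policy grants reads of a few harmless properties ...
            attempt("read java.version", () -> System.getProperty("java.version")),
            // ... but not user.home, which reveals where the user's data lives ...
            attempt("read user.home", () -> System.getProperty("user.home")),
            // ... and no read access to files on disk (placeholder path).
            attempt("open /etc/hostname", () -> new FileReader("/etc/hostname")),
        };
    }

    public static void main(String[] args) {
        System.out.println("-- no SecurityManager: nothing is checked --");
        for (String line : probe()) System.out.println(line);

        // The default manager consults the granted permissions (normally a
        // policy file) for each access instead of trusting the code wholesale.
        System.setSecurityManager(new SecurityManager());
        System.out.println("-- SecurityManager installed: checked per permission --");
        for (String line : probe()) System.out.println(line);
    }
}
```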
The bottom line, of course, is that as more and more mobile code is put in use by businesses, malicious mobile-code attacks will gain more attention.
"If somebody is in security, this is not a hard sell -- they know this is an issue. The mass market, it usually takes a watershed event to sell to these people," Leavy said.
Matthew Nelson is a reporter for InfoWorld.
© 2000 Cable News Network. All Rights Reserved.