Persistent viruses sound industry alarm
By Brian Fonseca and Tom Sullivan
(IDG) -- The almost daily onslaught of computer viruses and attacks is prompting calls in the industry to bolt in better security at the application development stage. Experts say that if these escalating concerns among users are not addressed, application providers may become legally accountable.
During the past two months, serious threats posed by two versions of the "Code Red" Microsoft Windows worm, which infects Microsoft Internet Information Servers (IIS), have run companies ragged fending off potential damage. The worm connects to IIS implementations via the Internet and launches a coordinated DoS (denial-of-service) attack on a targeted host at a predetermined time. A patch for the IIS hole has been available from Microsoft since June.
Equally damaging is the "Sircam" worm, which surfaced late last month. Sent via e-mail as a disguised random file attachment, Sircam copies itself into a user's Windows directory and sends private documents from the infected system to all addresses found in the user's address book.
The worldwide loss in labor costs and systems repair caused by Code Red and its variants has been estimated at $2 billion by Carlsbad, Calif.-based research firm Computer Economics. But the lack of accountability for security holes in applications is frustrating users.
"What [app vendors] have been trying to do is push the liability back to the consumer and accepting none for themselves," said Charles Dulin, formerly of Internet Privacy Solutions, a consultancy based in Hawthorne, N.Y. In terms of providing security with their applications, "the vendors have been selling snake oil," said Dulin, now an independent consultant.
Users as well as vendors have to reconsider their role in girding their applications with adequate security, said Graham Cluley, senior technology consultant at Wakefield, Mass.-based Sophos Anti-Virus. The Internet plays a dual role in this problem -- it is the mechanism for the delivery of viruses as well as for the cure, which has lulled some into apathy.
"I wonder if the Internet in some ways has made people a little bit more lackadaisical in quality control and testing," Cluley said. "It's so much easier now to get [security] updates. To cut corners, the temptation [to vendors] may be to say, 'Well the software seems to work; maybe we don't need the extra time [to add security measures].' "
As a result of being the prime target of hackers' wrath, Microsoft is one of the companies motivated to take action. The Redmond, Wash.-based software giant is trying to shore up its product vulnerabilities by adding patches and fixes via its Windows Update program and the Outlook E-mail Security Update, available since June 2000.
According to Steve Lipner, manager of Microsoft's security response center, the Outlook update is a systematic counterattack on viruses that slip into a network via e-mail. It features technology that stops executables from running. Lipner added that Microsoft also uses smart cards and the Kerberos security model for stronger security.
Other vendors also have been compelled by circumstances to take a proactive stance against hacking.
Cambridge, Mass.-based security company @stake was reviewing a client's application when it unearthed an implementation flaw within iPlanet Web Server Enterprise Edition, versions 4.0 and 4.1, said Andy Schmidt, @stake's New England regional director.
The flaw would allow any remote user to retrieve data from the memory allocation pools on the running server. The data consists of fragments from previous HTTP requests and responses, including session identifiers, cookies, form submissions, user names, and passwords. The security company worked with iPlanet to create a fix.
Schmidt said this example illustrates how important it is for commercial application developers to envision possible harmful uses of their product.
"It's always been thought of from the standpoint of, 'What do I want [an application] to do,' not, 'What do I not want it to do,' " Schmidt said.
@stake features a class within its education security center on its Web site to arm developers with a "best practices" toolkit to help them create more secure applications.
For its part, iPlanet rectified the problem three months ago. Sanjay Sarathy, director of product marketing at iPlanet, in Santa Clara, Calif., said that "we take design issues of our products very seriously."
Beyond design, Schmidt said that there's a correlation between the level of business-critical use for an application and the level of security it needs.
Hoping to achieve this balance, Pacific Sunwear, a $600 million clothing retailer, has shied away from using Microsoft products in mission-critical capacities because of the constant security threats, said Ron Ehlers, vice president of information systems at Pacific Sunwear in Anaheim, Calif.
Instead, Pacific Sunwear runs its business on IBM's AS/400 mid-range servers and uses Windows NT and Windows 2000 servers for file sharing, Ehlers said. The company does allow Windows PCs to access AS/400 data. "By intent we don't use Microsoft Outlook for e-mail because of the vulnerabilities to virus spreading," Ehlers said.
Ehlers said Pacific Sunwear standardized on IBM Lotus Notes and has not been severely infected with any of the recent worms.
"The industry, so far, has taken the approach that everyone is kind of on their own and has to fix problems themselves whenever they arise. We need to see more attention paid to this by the vendors," he said.
Vendors may also need to call in third-party security experts.
Sybase, based in Emeryville, Calif., concentrates on security within its application server by using encrypted data and enabling users to define network access and what each user can access, as well as embedding firewall integration.
Fairfax, Va.-based webMethods, for one, works with security professionals who hack away at webMethods' b-to-b middleware and related systems in search of holes. The company, as many others do, also offers best-practice guidelines for its customers.
Jeremy Epstein, director of product security at webMethods, said he foresees accountability shifting toward a scenario in which not only vendors will be liable. Customers who fail to protect and maintain their networks will be held responsible by their partners and customers for spreading security problems, Epstein predicted.
Users may have to consider liability insurance to protect themselves, said Al Varrachio, assistant vice president of Kaye Tech Risk Solutions, a technology liability division of New York-based insurance brokerage Kaye Group.
Security coders will bear the brunt of criticism in the short term for security attacks, but negligence charges will implicate companies that fail to assume responsibility for their own security, he said.
One cyberliability underwriter, Okemos, Mich.-based J.S. Wurzler Underwriting Managers, will increase premiums by 5 percent to 15 percent if a user's Microsoft Windows NT administrators are insufficiently trained, Wurzler officials said. If administrators are up-to-speed, Wurzler rewards clients with a 20 percent discount.
Users who are "not doing due diligence or not doing enough to protect their network and recognize a potential virus can be held liable," Varrachio said. But the demand for such insurance will not grow "until people get really burned," he said.