CurzTech News Network
A visiting US security expert believes not all businesses should be alerted to computer security flaws and the hacking community should ease off and give vendors time to fix up the mess.
Data from Internet Security Systems shows that computer exploits (taking advantage of flaws in systems and software), not viruses, are the bigger security threat these days. The number of exploits has increased rapidly to about 300 a month, whereas the number of viruses is declining equally fast.
Rules of disclosure give vendors about 30 days to find a fix for a vulnerability before the wider public is alerted to the flaw. Alternatively, hackers sometimes expose the flaw first and cause mass panic.
On a recent visit to Sydney, Oracle's chief security officer, Mary Ann Davidson, expounded the theory of "responsible disclosure" and said hackers should give vendors time to fix flaws before revealing them to the world.
"Blabbing to everyone if there is something nasty out there and there is no defence against a theoretical attack is not responsible," Ms Davidson said.
Oracle has a team of "ethical hackers" on its books and works with other hackers to minimise the impact of security flaws in its products.
The company's hackers tried to find problems before someone less ethical did, Ms Davidson said. "They're remarkably adept at it and seem to take a fiendish pleasure in it," she said.
The external hackers Oracle works with preferred to think of themselves as "researchers", she said. They gave the company a chance to fix flaws rather than exploiting them immediately just to get the credit.
"Sometimes the researchers who haven't worked with us before say 'well, my policy is to tell everyone on the internet within five days' ... I'm really pretty straight with them and say 'look, sometimes if vendors don't fix things immediately it's not bad faith it's because we want to make sure everyone is protected. We're trying to do the right thing here, work with me'," she said.
Ms Davidson said vendors should not be forced to tell the world about a flaw in their system unless it involved a widely used protocol, a position that is controversial in computer security circles. "If it's a protocol that everyone uses, then you need to be a good corporate citizen and work with the larger community," she said. But if it was just a company product, only the customers who used it should be told.
She said a lot of vendors did not have policies for handling flaws and might not notify their customers at all, sneakily trying to slip fixes in instead. Others lumped vulnerabilities together to make up artificial numbers. "We don't play that game," Ms Davidson said.
The nasty secret in security is that no one really knows what it costs to patch vulnerable systems. An estimated $US900 ($1467) per server and $US700 for a client would soon add up if someone had 800 servers and two patches were released weekly.
Some customers doubled their licence cost to secure products, Ms Davidson said.
"Anything we can do to avoid that: anything hackers find, any better way we train people, better coding standards, it is all cost avoidance to us and to customers," she said.
Copyright 2003 John Fairfax Publications Pty Ltd