
New software vulnerabilities are announced all the time. In fact, according to the NIST database, last year a new software vulnerability was announced every 57 minutes.
A software vulnerability is defined as a flaw in a software program which may allow a third party or program to gain unauthorized access. Some experts say that over 70% of the nearly 7,000 vulnerabilities discovered last year were exploitable remotely. This remote capability makes them valuable assets for cyber attackers.
The ability to rapidly respond to and mitigate the risks posed by these vulnerabilities is one of the most important parts of computer and network security. Vendors rapidly respond to the reports of newly discovered vulnerabilities in their products. But wouldn’t we all be better off if the vulnerabilities did not exist in the first place?
I consulted a 25-year veteran of the software industry who hails from one of the icons of the software industry and posed the following question to him: Based on your experience, how often do software vendors investigate the root cause of reported vulnerabilities? He said, “They Don’t — they jump in and try to create a patch.”
I followed up and asked, “So you are saying they do not look to see if the vulnerability was purposefully programmed?” After a significant pause he said, “We never considered that possibility, we only worked to respond to the vulnerability.”
If that’s not bad enough, think about the amount of software being developed offshore. Product liability exists in virtually every other category except software. How would you react if every 57 minutes your car dealer called you and said there is a problem with your car? We have been conditioned to accept software products with these problems and have allowed organizations to protect themselves by hiding behind the armor of the “Software License.”
If software vendors, whose products run our critical infrastructure, do not investigate if these vulnerabilities are actually acts of espionage, that would seem to be a critical flaw in our efforts to protect ourselves against cyber attack.
27 comments
What if those “holes” are inherently placed in the software, you know, like “on purpose”?
Once is an accident,
Twice is coincidence,
Three times is enemy action…
You know – I have to admit I never gave a second thought to software error vs espionage. That is one hell of an observation Kevin. I hope (HEY YOU GOVERNMENT GUYS – LOOK OVER HERE) Homeland Security and the Defense Department are reading what you are posting here! Better yet, I hope for our sake you are advising them directly.
>I hope (HEY YOU GOVERNMENT GUYS – LOOK OVER HERE) Homeland Security and the Defense
>Department are reading what you are posting here!
May you add US CERT, NSA, FBI and CIA if you wish?
That’s an interesting possibility but I think it’s highly unlikely. I don’t doubt that it’s possible for software vulnerabilities to be purposefully placed into software. However, critical systems are subject to thorough code review, proofs and persistent quality control. Software like Windows and Word are not mission critical and therefore not subject to the same rigour. However, code that makes its way into missiles and other military technology usually has 3 times as many test cases and comments and is thoroughly reviewed. Financial software is scrutinized in a similar fashion. And yes, I am a software developer.
Addressing the Developer
Hi Kevin,
One thing I forgot to mention was that most critical systems run behind very secure firewalls, so even if an exploit was maliciously created, one still needs to be able to access it through the firewall. This would require a planned attack involving internal and external groups. This _does_ happen, and is almost always at the heart of those financial break-ins which result in customer information being leaked. It’s simply not possible to exploit such systems remotely without inside help.
As you pointed out, software that was so thoroughly examined would not be marketable, and this is true for _consumer_ software like Windows Vista. However, for mission critical applications that cost many millions of dollars, it is viable.
P.S. Windows Vista is really an exception in the software world, bloatware like Vista rarely exists.
I guess my point is we need R&D funding to create tools that effectively and efficiently detect potential vulnerabilities in all software. Enemies can attack us where we live – in our financial marketplace and our economy. The stories I could tell you about security in our financial systems would make you put your money in a box under your bed. If the internet were to be taken down for one day, lost retail sales would be in the tens if not hundreds of millions of dollars.
I enjoy your comments. If we are ever at the same conference look me up.
I’m not sure if it would be appropriate to discuss it here, but just in case I will hide when and where it happened. Regarding Kevin’s concern, there was one case in the past where country X succeeded in sending agents into country Y to secretly embed lines of source code to cause failures of the program of a military-related piece of equipment. However, the trends today are more remote, meaning attempts to send viruses and trojan horses that will let the target PC spit out valuable information. This was the technique used by China for years. At the same time, what I fear the most is that Chinese Americans and Chinese who came to the US with working visas are a potential danger. I am most concerned about Chinese agents that may have succeeded in hiding some sort of security hole in Microsoft operating systems and other software applications as well. Chinese have an identical identity and strong ethnic awareness similar to the Muslims. So, Kevin’s scenario is not unrealistic.
Alright, there are vulnerabilities everywhere. I got that. I don’t know the scope of how much is wrong, but as a consumer, how could I better protect myself? In addition, how could I become part of the solution and not part of the problem? (Is this even possible?)
Lloyd,
“Once is an accident,
Twice is coincidence,
Three times is enemy action…”
Does that mean enemy action in exploiting the system and hacking a person’s system OR enemy action in leaving 3+ vulnerabilities in the software? Excellent quote though to what you are specifically referring with enemy actions.
Business Week had a whole article about Chinese companies using cyberwarfare to tap US defense secrets. April 21 issue, Business Week. Eye opening.
One article mentioned that Die Hard 4 was very credible in some areas.
Art follows Life???
You can tell the true security professionals from the rest of you loud mouths. MAC get a clue! There was a case way back in the late 80s where the US embedded malicious code in a MicroVAX that was exported to another country. As for you being a senior architect in a Financial services company – I was just involved in an investigation into security issues in your industry and if you are like the rest – you have a long way to go to even catch up to the rest of us. We asked a simple question about the way your industry acquires computer assets and they failed to ensure the integrity of the computer assets – a basic security requirement.
Get off your High Horse and become part of the solution. This is a blog to promote discussion so why don’t you contribute to the solution?
A couple of points.
1. A couple of metrics I just received from someone who read the blog. The average time from when a vulnerability is reported until a patch is available is 61 days. (Excluding one that took over a year) The average time for corporations to test the patch and deploy it enterprise wide is 41 days. So add the two together and a publicly reported vulnerability remains exploitable for 102 days.
2. I chose the car because it is a collection of systems much like the corporate and government computer infrastructure. With so many components in a system of systems architecture the fact that multiple components from different vendors seemed appropriate.
3. I think everyone should contribute so Mac feel free to offer solutions to this problem. By the way, the latest stats show the Financial Services Industry has slipped to number 3 in the top targets for professional cyber attacks.
4. Pedestrian please feel free to contribute a scenario you think is realistic. By the way – that scenario actually took place in another country. Just for the record.
I think MAC should be blocked and forced to go back to school. He is the one who does not know what the Hell he is talking about. He is not a developer or not a good developer, that is for sure. Anyone in the software industry knows that companies do not track software development closely enough. Nor do we spend enough on testing, and the complexity of the code nowadays demands tools to assist in validation to make a significant improvement in quality and security. Mac you are an amateur. Shut your mouth and open your ears and all of us will try to educate you.
“… open your ears and all of us will try to educate you.”
That is why I am here. I readily admit that I know hardly anything about cyberspace security, am not a software developer, and not a security professional. However, I am eager to learn about this!
Whooooooo What does MAC have to hide? I think we need to look at his code. After a dozen years being an investigator I always look at who is protesting the loudest. Come on MAC let me come look at your code.
While R&D into vulnerability detection and protection is certainly a good idea, I think the industry could gain a lot from education and training, too.
There are a heck of a lot of software developers out there who have negligible or only cursory awareness of the kinds of coding and architectural practices that could reduce the number of vulnerabilities in the systems they’re making. Even assuming that they’re working on projects where security is given a high priority, which it often isn’t.
A whole bunch of companies out there are writing code that’s barely secure enough to avoid them being sued – and are too busy patching and fighting fires to be building proper firewalls. Commercial software security can improve, but it’ll take more than R&D: it’ll take education, awareness, and a threat to the commercial bottom line.
(Oh, and I agree with Mac on the “cyber-” thing. Prefixing everything with that went out of fashion in the late ’90s. Calling a hole in software a “cyber-hole” is redundant at best.)
I have a question for everyone but I want to address it to Dr. Curiosity. I received an interesting phone call that asked this question.
Should there be liability for those that produce products that are used as a cyber weapon?
And the second question was -
Should there be liability for an organization who has their systems taken over and used to attack another entity?
What do you think?
As I stated in my closing comment, we believe it’s an issue. The point was that this article is pretty much crap when it comes to telling you anything useful about it.
I attempted to provide some insight about why publicly-discovered exploits are not “investigated” to see if they were intentional.
None of the subsequent criticisms even come close to addressing either of those points, which are directly related to the topic of the article.
Reading for comprehension: try it.
MAC – the only thing that is pretty much crap is you! This article brings to light the fact that NO ONE is exploring the accident/error vs intentional. Your excuse is out and out lame. Attitudes like yours help prolong the problem – get with it and become part of the answer.