Skip to main content

McAfee out of ideas - blames internet for rootkits.

The recent article Does open source encourage rootkits? [NetworkWorld] discusses a McAfee report, "Rootkits", in which McAfee lays the blame for rootkits at the door of the open source community by name, security researchers by implication, and unwittingly at the very doorstep of information sharing -- books, libraries, and printed material. The report was issued due to a large jump in the number of rootkits they detected (nine times as many this quarter as the year ago quarter - a dramatic increase). They specifically blame rootkit.com. The unstated basis for their argument is a classic tension between open sharing of information about security vulnerabilities on the one hand and secret cabals of security research on the other. McAfee is clearly coming down for the "keep it secret to be safe" camp. Most independent security researchers reject this argument, because industry has a very long track record of totally ignoring security issues until they are made public. Most researchers also practice a policy of advanced notification -- give the vendor a reasonable notice before publishing the findings to the world and attempt to work with them so that a fix is available when the notice is published. However, the threat of publication is sometimes the only thing that motivates software companies to fix security problems. Blaming open source, web sites, and information sharing by implication is misguided. The folks who are writing the real malware could (and do) use secret members-only web sites to share ideas and code and whatnot in their pursuit of malfeasance. It's better for the community of researchers to have open sites sharing these ideas. The fact is that you don't need a web site. There are books that do a pretty good job of explaining how rootkits work and how to build them. Are libraries now to blame? Is the publishing division of McAfee's competitor, Symantec Press to blame? ( The Art of Computer Virus Research and Defense). No. Information sharing is not to blame. Symantec is not to blame (at least not in this respect). Books are not to blame. The internet isn't to blame, web sites are not to blame, security researchers are not to blame. I wonder if instead we can attribute the continuing and expensive thorn of malware to humanity's continuing struggle to ride a rapid wave of expanding technology while simultaneously attempting to preserving civil liberties and limit the destruction and damage that can be caused by Evil Doers(TM)? Frankly, we're not very good at it, and we will soon face analogous problems in the much more serious realm of biological engineering. Recall that open source specifications for the 1918 influenza have already been published. We need to get better at this stuff pretty quick, because the clock is ticking. The information genie can't be put back in the bottle, we had better figure out how to tame it. * NOTE: Evil Doers is a Trademark of The Bush Administration.

Technorati Tags: , , , , , , , , ,

Comments

kurt wismer said…
unfortunately the 'full disclosure is always good' argument doesn't hold up under closer inspection... while it's true that we all benefit from full disclosure of some types of vulnerabilities, that doesn't mean we benefit from full disclosure of all types of vulnerabilities...

you're clearly making the assumption that vulnerabilities are all fixable and/or avoidable mistakes... for those that are, full disclosure works wonders, but the reality is that some are not fixable and/or avoidable... some vulnerabilities are inherent to the general purpose computing platform and publishing tools to exploit such vulnerabilities (whether under the banner of full disclosure or some other information sharing dogma) increases the public's risk of exposure without doing anything to close the (unclosable) window of exposure...

not all vulnerabilities are created equal - don't treat them like they are...
Hi Kurt,

Actually I'm not making the assumption that all vulnerabilites are fixable. In fact, those which are not easily rectified are those which provide the strongest argument for public awareness.

If a web server vendor is hiding a vulnerability in their product which could expose me (and millions of others) to identity theft or other fraud because they can't fix it, as a customer of their customers (banks, etc.), I want to know about that. In such cases one could argue in favor of keeping the details of the exploit confidential, but it's difficult to support keeping the vulnerability itself a secret from the potential victims. If they know about a "non fixable" defect in a critical product, the banks could respond by switching web servers, for example, or the cutomers could respond by switching to banks that have systems without the vulnerability. "Fixable" is sometimes a matter of perspective, then.

Not that many years ago, vulnerabilites were sometimes known to both white hat and black hat hackers for months or years before vendors acknowledged them and fixed them. The most notorious example of this was the "ping of death" which was known to me and reported by some of my colleagues to the vendor literally years before it was fixed. It was only when the defect became widely known that the vendor acknowledged and fixed the problem.
kurt wismer said…
if you're in favour of keeping the details of the exploit secret in your hypothetical example then i want you to take a good hard look at rootkitDOTcom...

they distribute source code and compiled binaries... fu rootkit that greg hoglund claims is the most widely deployed 'rootkit' was written by his co-author james butler... hoglund further claims that people are using the exact binary available for download from his site rather than recompiling the source...

we can quibble over the finer details of what constitutes full disclosure if you like, but from what i'm reading now i think you'd probably agree that what i described above constitutes arming the bad guys...

i'm not suggesting people keep the vulnerabilities themselves secret, and frankly that's not what the mcafee report was getting at either... people are publishing exploit code under the banner of full disclosure... that doesn't increase security, it doesn't close any window of exposure, all it does is arm the bad guys...

as for your example, it's a poor one... when i say non-fixable, i include switching products as a means of fixing things - 'rootkits' are possible under all platforms so switching to a different one doesn't really fix the problem...

Popular posts from this blog

Verified by Visa (Veriphied Phishing?)

If you have used a Visa card to make a purchase online lately you may have encountered a relatively new program, Verified by Visa . I've encountered it twice. The system is an interesting attempt by Visa to reduce online fraud and identity theft. It's a noble effort, but the user experience is unsettling, and the security implications are not exactly crystal clear. Here's what happened to me, both times the Verified by Visa system was activated. I was redirected away from the domain at which I was shopping, to a URL which was: not the domain where I was shopping, not the domain of the bank that issued my card not visa.com I've been telling people for years that if anything like that happens to you, close your web browser immediately and do not under any circumstances enter any personal information into the form, because this is a sure sign of a man in the middle or phishing scam. (Never mind that all the best phishing scams now-a-days look like the actual dom...

Virus Vulnerability for RFID (Radio Frequency ID tags)?

The breeding ground for the computer virus will be expanding continually and rapidly over the next decade as appliances, automobiles, and all manner of other things become equipped with wireless networking and miniature computers. Cell phone and similar networks may enable worms to leap between devices over long distances and other networks over short distances. Researchers have recently demonstrated that RFID tags may be vulnerable next. Articles on the topic: RFID worm created in the lab [NewScientist.com] Viruses leap to smart radio tags [BBC.co.uk] RFID tags could carry computer viruses [SecurityFocus.com] The details for the curious: RFID Viruses and Worms The AntiVirus paradigm that we [the IT community and industry] have foisted upon PC users is already breaking down under the strain of too many virus variants and too many non-technical PC users. The paradigm probably won't work at all for cell phones and the paradigm is completely broken for the typical RFID devic...

Splunk acquires Phantom Cyber

I hope it doesn't come across as too cynical, the observation that most acquisitions in the tech domain fail to produce anything useful and often as not wind up killing a promising upstart technology, even if only by accident. I have hope for this one, though. Splunk strikes me as a likely exception. This acquisition of fresh ideas and talent might breathe new life into a solid, if somewhat staid, security company. Splunk’s data analytics gets a security boost with $350 million acquisition of Phantom Cyber