Posted on 07/25/2005 12:16:25 PM PDT by holymoly
Attackers are also focusing on Web browsers and media players, SANS says
JULY 25, 2005 (REUTERS) - Flawed backup software has emerged as the latest target for hackers looking for corporate secrets, according to a survey released today.
The survey by the nonprofit SANS Institute found new holes in widely used software products, even as computer users are getting better at patching some favorite hacker targets.
Attackers are now focusing on desktop software, like Web browsers and media players, that may not get fixed as frequently as Microsoft Corp.'s Windows operating system and other software widely used by business, the cybersecurity research organization found.
More than 422 significant new Internet security vulnerabilities emerged in the second quarter of 2005, SANS said, an increase of 11% from the first three months of the year. Details about the survey and a question-and-answer session involving cybersecurity experts have been posted on the SANS Web site.
Particularly troubling are holes in backup software made by Computer Associates International Inc. and Veritas Software Corp., which together account for nearly one-third of the backup-software market, said Ed Skoudis, founder of the security company Intelguardians.
"If you think about it, people back up information that is their most important information, otherwise they wouldn't back it up at all, right?" Skoudis said on a conference call. "By exploiting one of these vulnerabilities, an attacker can get in there and exploit some of the most sensitive information for some of the most sensitive organizations."
Fixes are available for all the problems outlined in the SANS report, but many of the new flaws aren't patched as quickly as older ones.
Administrators take an average of 62 days to fix backup software and other software inside their firewall, compared to an average of 21 days for e-mail servers and other products that deal directly with the Internet, said Gerhard Eschelbeck, CTO of business-software maker Qualys.
Home users typically take even longer to fix problems, said SANS chief executive Allan Paller.
Many of the new vulnerabilities were found in products popular with home users. Flaws in media players like Apple Computer Inc.'s iTunes and RealNetworks Inc.'s RealPlayer could enable a hacker to get into a user's computer through a poisoned MP3 file.
Users of Microsoft's Internet Explorer Web browser could be compromised simply by visiting a malicious Web site, SANS said.
Even the open-source Mozilla and Firefox Web browsers, which have gained in popularity thanks to security concerns, had flaws, Paller said.
Of course missing in this report is the fact that you FIRST have to break into the OS security to get to the backup software.
Not correct.
Veritas etc. work by chatting with a remote client running as a privileged user.
These and other similar products are just accidents waiting to happen.
But only within your trusted network. You have to break into the trusted domain before you have access to these packets.
Now I suppose some fool might deploy backup services over the internet in an insecure connection, but that's another story.
An unauthorized wireless access point in an office somewhere is an easy way to get past the best firewall/IDS you can name.
In which case it's pointless to pin the blame on backup software! Thanks for making my point for me.
Jumbo Shrimp. Military Intelligence. Trusted Network.
If you were employed to ensure that sensitive data was not compromised, it's unlikely your employer would be receptive to your assumptions and sophistry.
I wonder how much of this can be simply chalked up to job security? I mean, in my programming circles, it is not unusual for people who write code to put their own "safeguards", "personality" and "loopholes" into code just so they are the only ones who "know about it".
Eventually, when one gets fired or outsourced (which happens a lot in this day and age), you have a ready-to-order means of instant revenge.
Wouldn't surprise me to find out that many of the people who create viruses and take advantage of the weaknesses in security are the very people who designed the software and systems intended to provide protection in the first place.
Never attribute to malice that which can easily be explained by sloth :-)
That said, I've seen many cases of what you describe.
Until some strong authentication and transport encryption is built into network backup utilities, they probably should not be used for sensitive data.
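The two points raised in this thread, that a backup agent is a privileged listener that talks to a remote client, and that such agents should not serve sensitive data without strong authentication, as an added example that is not part of this thread and is not any vendor's protocol: a mutual challenge-response on a pre-shared key, with the "anything on the trusted network is fine" check beside it for contrast. The names (Agent, Client, run_handshake, legacy_authorize), the 10.0.0.0/8 "corporate" range, the 32-byte PSK and the client id are all assumptions made for the example; transport encryption is not shown here and would be layered on separately (for instance as TLS).

```python
import hmac
import hashlib
import secrets
import struct
import ipaddress

NONCE_LEN = 32


def _tag(psk: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so no two field layouts collide."""
    h = hmac.new(psk, digestmod=hashlib.sha256)
    for p in parts:
        h.update(struct.pack(">I", len(p)))
        h.update(p)
    return h.digest()


# --- the weak setting: "trusted network" is the only check (shown for contrast) ---
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range


def legacy_authorize(peer_ip: str) -> bool:
    """Any host on the LAN (rogue access point, owned desktop) passes this check."""
    return ipaddress.ip_address(peer_ip) in TRUSTED_NET


# --- the corrected setting: mutual challenge-response on a pre-shared key ---
class Agent:
    """The privileged backup agent on the target host (server side). Assumed design."""

    def __init__(self, psk: bytes):
        self._psk = psk
        self._pending = {}  # session id -> server nonce, consumed on first use

    def start(self):
        sid, ns = secrets.token_bytes(8), secrets.token_bytes(NONCE_LEN)
        self._pending[sid] = ns
        return sid, ns

    def verify_client(self, sid: bytes, client_id: bytes, nc: bytes, ctag: bytes):
        """Return the agent's own proof on success, None on failure or replay."""
        ns = self._pending.pop(sid, None)  # one-shot: a replayed sid finds nothing
        if ns is None:
            return None
        expected = _tag(self._psk, b"client", client_id, ns, nc)
        if not hmac.compare_digest(expected, ctag):  # constant-time comparison
            return None
        return _tag(self._psk, b"server", client_id, ns, nc)


class Client:
    """The backup master that pulls data from agents (client side). Assumed design."""

    def __init__(self, psk: bytes, client_id: bytes):
        self._psk, self.client_id = psk, client_id
        self._ns = self._nc = None

    def respond(self, ns: bytes):
        self._ns, self._nc = ns, secrets.token_bytes(NONCE_LEN)
        ctag = _tag(self._psk, b"client", self.client_id, ns, self._nc)
        return self.client_id, self._nc, ctag

    def verify_server(self, stag: bytes) -> bool:
        expected = _tag(self._psk, b"server", self.client_id, self._ns, self._nc)
        return hmac.compare_digest(expected, stag)


def run_handshake(agent: Agent, client: Client) -> bool:
    """Full exchange; True only if both ends proved knowledge of the PSK."""
    sid, ns = agent.start()
    cid, nc, ctag = client.respond(ns)
    stag = agent.verify_client(sid, cid, nc, ctag)
    return stag is not None and client.verify_server(stag)


def demo() -> dict:
    psk = secrets.token_bytes(32)  # assumed to be provisioned out of band to both ends
    results = {
        "legacy_lan_peer": legacy_authorize("10.20.30.40"),  # constructed peer address
        "correct_psk": run_handshake(Agent(psk), Client(psk, b"backup-master")),
        "wrong_psk": run_handshake(Agent(psk), Client(b"\x00" * 32, b"backup-master")),
    }
    # Replay: capture one valid client message and send it to the agent a second time.
    agent, client = Agent(psk), Client(psk, b"backup-master")
    sid, ns = agent.start()
    msg = client.respond(ns)
    results["first_use"] = agent.verify_client(sid, *msg) is not None
    results["replay"] = agent.verify_client(sid, *msg) is not None
    return results


if __name__ == "__main__":
    print(demo())
```

The legacy check accepts any address in the assumed range, which is exactly the rogue-access-point case raised earlier in the thread; the PSK exchange rejects a wrong key and a replayed message, and the server nonce is consumed on first use so a captured exchange cannot be reused.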
We kinda-sorta "solved" much of the problem by doing semi-annual audits, having all our programmers review every byte of code we have to look specifically for things like this. One of the rules is that you cannot review your own code, someone else has to put their eyeballs and brain to the test. We also encourage the profligate use of comment fields to explain why this or that piece of programming was included. Naturally, accurate documentation of changes and additions is paramount to this process.
I have seen a ton of this "job security" stuff in the last decade. It usually jumps out to bite you after a merger and after the newly-acquired company's programmers all take their golden parachutes or move on to the next job. Now you have to sit and figure out the quirks in systems that you've never seen before with no help, or at best, grudging help.
Only from less creative types :-)
Read "Reflections on Trusting Trust" by Ken Thompson, Communications of the ACM, Vol 27, No. 8, August 1984