[ISN] Planning for the Applet Threat

From: mea culpa <jericho_at_dimensional.com>
Date: Wed 01 Jul 1998 - 17:33:04 CDT
Forwarded From: bluesky@rcia.com

Planning for the Applet Threat
by Chris Oakes 

6:31pm  30.Jun.98.PDT

The latest security threat to corporate networks and computers on the
Internet has been identified and, on Tuesday, an industry consortium came
into being to combat it.

The threat? Small software programs, or applets -- distributed via the
Internet mainly as Java and ActiveX programs -- that steal or damage
electronic data.

Over the next few months the new group, calling itself the Malicious
Mobile Code Consortium, plans to set up a Web site detailing its findings
and proposing policies and guidelines for defeating the threat. The
consortium was formed by the International Computer Security Association
(ICSA), and charter members include Advanced Computer Research, Computer
Associates (CA), Dr. Solomon's Software, eSafe Technologies, Finjan,
Quarterdeck Corp. (QDEK), and Symantec (SYMC). 

The consortium's name is derived from the generic term it uses for hostile
Java applets and other "malicious mobile code." The code is defined as any
Internet-delivered auto-executable program, delivered in the form of
ActiveX, Java, or other HTML-based plugins, that employs so-called helper
programs on a user's hard disk to access unauthorized files and deliver
them to the applet's author.

"Numerous attacks have already been publicly reported," said consortium
manager Dave Harper at a Tuesday press conference. He cited a computer
club's demonstration of an ActiveX control that could electronically
transfer funds without a user's knowledge and another program capable of
working through America Online software to steal account information and
delete local files.

The functions that mobile code can perform are potent, added Bill Lyons,
CEO of Finjan, a company offering detection software. "They're all
legitimate functions. They can open network connections, read a file,
write a file, destroy a file. But typically this isn't destruction. It's
more espionage and copying files." 

Lyons says there is no doubt about the arrival of the "mobile code"
threat. "It's not something you can prevent or stop. It's coming, so what
you want to do is manage it. And you're not going to manage it by denial."

Security expert Peter Neumann says the ICSA is probably performing a
useful function in pulling together the consortium. However, he warns
that, as with any risk, companies should beware of easy answers. "There
are many weak links," he wrote in an email. "Efforts to close up just a
few holes are not satisfactory."

For now, the threat posed by these next-generation electronic demons is
largely hypothetical. "You can't get around the fact that there are not
any known threats today," said Ted Julian, analyst for Forrester Research.

Still, Julian is convinced of the threat posed by applets, and the
demonstration applets he's seen have shown impressive capabilities.

"They're pretty scary demos," he said. "They'll shut down your system,
erase your hard drive, take password files.... It's a big issue." He says
Forrester is convinced that these kinds of attacks will definitely become
more real than hypothetical.

Forrester's research shows that over 90 percent of security managers in
corporations are concerned about Java and ActiveX security, but 72 percent
are allowing them in without a defense strategy.

Truly effective defense, Julian said, will come from building
code-monitoring detection utilities into currently installed antivirus
software. Companies working on such technology include Finjan, eSafe, and
Security Seven.

"Given the absence of known threats, we don't think it makes sense to buy
a separate product," he said. "Our advice is that [security managers]
wait until antivirus providers include code monitoring protection."

Vendors are currently showing inadequate interest in addressing the threat
of malicious mobile code, Julian said. Yet he thinks that the smaller
companies now offering stand-alone monitoring products are only likely to
see great success through acquisition by antivirus software companies. 


-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Thu Jul 2 10:12:58 1998