Information Warfare: August 8, 2003



Internet security firm Qualys Inc., recently released the results of a year long research project that examined 185,000 computer systems and some 1.1 million vulnerabilities (flaws in their software that allow a hacker to get into the system.). Qualys came up with "Law of Vulnerabilities" that should be unnerving for all those involved in cyberwar. The scariest finding is that some vulnerabilities are never fixed. This is so for two reasons. First, half the flaws discovered are replaced by similar flaws within a year. This is because every time you fix a flaw in software, there is a chance that you will create a new one. Second, the most dangerous vulnerabilities tend to get fixed first. This makes sense. But the least dangerous flaws often never get fixed. Thus there have been cases where some low level flaws just never get attended to. On the bright side, half the vulnerable systems are fixed with 30 days of a flaw being publicized. But half the systems are not fixed, and months later, there are still a significant percentage of systems that are still vulnerable. 

And there will always be flaws, as this extract from the book; "The Next War Zone" makes clear.

"As the Internet population grew, along with the number of people probing the net for vulnerabilities, the number of opportunities for mischief grew enormously. This happened because the number of key software programs available for hacking did not grow much at all. In fact, the different types of Internet software available for hacking shrank considerably as competition drove out a lot of competitors during the 1990s. This explains why Internet software gets combed over so thoroughly for defects by hackers. Find a flaw and you can make a lot of money exploiting it. It comes down to this; theres not much software to be had, currently. There's the server software that sits on millions of PCs and serves up the web pages, but only two different programs power nearly 90 percent of the worlds web servers. Apache has 56 percent of the market and Microsoft IIS has 30 percent. Then there are the PC operating systems and browsers that are used to contact the servers. Microsoft operating systems are on some 90 percent of PCs, and Microsoft's Internet Explorer browser controls 80 percent of the market. 

When you have several million software professionals working with a handful of programs, flaws cant help but be found. The hundreds of millions of users are also more likely to uncover flaws in the software, but they usually won't know exactly what they've stumbled across. And because of the nature of the Internet, information travels fast. People talk. From the beginning of the Internet, it was customary to be helpful. For the cybercrooks, this turned out to be paradise. There was all that open, and often detailed, talk about software flaws on the Internet, free for the taking. During the 1980s, hackers were exploiting known flaws in server and operating system software. Dangerous programs, that took advantage of the flaws, were being written as innocent exercises to see what could be done. These were classic "hacks." Then the Morris Worm got loose in 1988 and did a whole lot of damage. That particular "attack" was actually an accident. By the 1990s, black hat hackers, who exploited software flaws just for the hell of it, or to steal, became common. Their malicious hacks were no accidents.

It's not just that there are a lot more programmers around looking for trouble, but there's a lot more for black hats to work with. In addition to lots of people picking apart fewer programs, the Internet server and browser software is larger and more complex. Make anything larger and more complex and you automatically get more things that can go wrong. There you have it, an unholy combination of more people scrutinizing fewer flavors of more buggy software, which continues to introduce more flaws as it is updated.

From one angle, all this is for the good. The vast majority of software professionals poking around in the server, operating system and browser software are just trying to get these programs to work reliably and efficiently. When they find a flaw, they report it. And with a lot of bug reports, the software publisher will fix the damn thing quickly. Well, not always. Software publishers make money by creating new software, not repairing the old. Microsoft, in particular, is vulnerable here. Microsoft not only produces new software, but comes out with new versions of existing product so frequently that there are always a lot of older programs still in use. The older versions are even less likely to be patched. Ironically, the two best maintained (bug free and quickly patched) bits of Internet software (Apache server software and the Linux operating system) are the Open Source software. In effect, no one owns them, but a coalition of users and volunteers maintain them. Sounds weird, but it works. Linux is no threat to Microsoft in the operating system area, but Apache actually has a majority of its market. 

Microsoft software is not Open Source and they don't like fixing all those bugs (it's expensive). The longer the time between a new bug getting discovered and a patch being sent out, the more opportunity the criminals will have to figure out how to exploit the bug and set loose some nasty program on the Internet to take advantage of the bug. Malicious mischief like that cause over half the hacker attacks you hear about. 

Microsoft's solution to the problem is to push for a law that makes it illegal to report a bug to anyone but the government or the publisher. Post it openly and you're toast: FBI at the door and indictment to follow. Microsoft's logic is that when these bugs are announced publicly, the bad guys have time to concoct a criminal way to exploit the problem. That makes sense, but often the worst flaws are discovered by several different people or groups at about the same time. This worries most users because they believe that without the pressure generated by publicity their bugs get, Microsoft will drag its feet in getting a fix out. People see that more than they see any down side to public announcement.

Make no mistake about it, there are a lot of bugs. In 2000, 1,090 flaws in Internet software were found, of which four percent of them could be used for serious hacking (and serious damage). In 2001, 2,437 flaws were found, of which 13 percent could be exploited by hackers. You could say that the age of cyberwar was created by growing quantities of flawed software and malicious hackers."




Help Keep Us From Drying Up

We need your help! Our subscription base has slowly been dwindling.

Each month we count on your contributions. You can support us in the following ways:

  1. Make sure you spread the word about us. Two ways to do that are to like us on Facebook and follow us on Twitter.
  2. Subscribe to our daily newsletter. We’ll send the news to your email box, and you don’t have to come to the site unless you want to read columns or see photos.
  3. You can contribute to the health of StrategyPage.
Subscribe   Contribute   Close