news
Web services set to provoke new threats

Brian McKenna

In a summer season of Internet worms eating corporate networks, Bill Cheswick, chief scientist at network testing company Lumeta and coauthor of security bible Firewalls and Internet Security: Repelling the Wily Hacker, has been sanguine. "The Internet is a giant research project, and it has a certain resilience built into it in the shape of network security experts. When something really bad happens - not just another boring virus - but something really new and interesting, the experts come forward and get it fixed.

"For example, when the Morris worm came out in 1988 groups came together, dissected it, and sorted it out in three days".

As corporates move to a world of Web services - where programmes and data are made available from a business's Web server - enterprise software, such as SAP or PeopleSoft, will become more of a target.

Martin Sadler, director of security research at HP Laboratories in Bristol, fails to share Cheswick's equanimity. "A lot of the new vulnerabilities will open up at the business process level, and most of the internet community is not even aware of what is going on in that space."

Sadler says this is because most "traditional network security gurus who come up through computer science are focussed on the lower ends of the stack". And that is where most network security professionals learn their craft. Sadler says: "when new vulnerabilities appear at the top there isn't an internet community that can get those things fixed. Ask those people what PeopleSoft does or what SAP systems do and you will probably draw a blank.

"People worry about Microsoft code, but what about these enormous applications that sit on top - these are company powerhouses. And yet, how many people really understand the security behind these systems?"

Mark Stevens, senior vice-president at network security company WatchGuard, believes the threats that web services will bring in train "will rush up on us faster than people realise. One aspect to this is that the transport of web services is often the SOAP protocol, and vendors are not really doing anomaly detection here".

Evan Kaplan, chief executive officer at SSL (Secure Sockets Layer) VPN company Aventail, agrees that "web services do allow for much more direct application to application access and you could most certainly do more damage, but, for hackers there is a knowledge hurdle to get over. So, at present, you can develop a relatively sophisticated attack on Microsoft and a relatively crude attack on SAP."

Chris Klaus, wunderkind founder and chief technology officer at internet security technology and intelligence company ISS, also says that "with organisations interacting more closely threats are indeed more bound to come from the business layer". And he believes that there are around 10 000 elite hackers and virus writers ready to have a go. Moreover, with the large enterprise applications, it is not just a question of securing the software, he says. "These systems are also highly dependent on the databases that they sit on".

One head of security at a City institution says that he hasn't seen any evidence so far of attacks on enterprise apps enabled by web services, but that "it sounds very credible and I would worry about that". He also worries about the growing threat of combined attacks. "If you have a bad apple insider at a bank with high-level network access they could do incredibly serious damage especially in combination with a skilled hacker from outside".

Sadler, at HP Labs, concurs that the "next generation of attacks will be co-ordinated and focused - stacking up the vulnerabilities and using social engineering. It's not joined up at the moment - we've got sniping."

On a more quotidian basis, the City security head worries about the daily threat change. "My big fear is of more sophisticated worms with nastier payloads, using several attack vectors. If you haven't patched, and, on a rational risk management basis you can't patch everything, then you've got a problem".

Bill Cheswick, though, remains less alarmed. "If you do the best current practice and have a big enough hammer to hit malefactors with then you remain pretty much aloof of the problems. Spooks running classified government networks succeed - they don't have problems with viruses, if they do a good job".
In Brief

UK TEEN ACQUITTED OF HACK DUE TO TROJAN
A UK teenager has been acquitted of attacking the Navy Port of Houston, US because he claimed a Trojan took control of his PC. Aaron Caffrey, 19, from Dorset was attacking another chatroom user on 20 September 2001 when he accidentally hit the Port of Houston system, the prosecution claimed. He admits to being a member of the Allied Hoxor Elite hacking group.

VIRUS LEVELS REACH CRITICAL HIGH IN CHINA
Viruses have infected 85% of computers in China this year. The Ministry of Public Security says the main reason for the surge is the increasing use of email and the Internet in China. Sobig.F hit one third of PCs.

FORENSIC TEC FOUNDER ARRESTED FOR US MILITARY HACK
The president of security firm Forensic Tec has been arrested for hacking into US military systems. Brett Edward O'Keefe is accused of unauthorized intrusions into NASA, the Department of Energy and the Army among other government departments for the sake of publicity for his company. The Washington Post published the story in August 2002. Other Forensic Tec employees have also been arrested on related charges.

UK CRIME UNIT SEARCHES FOR VIRUS AND TERRORISM LINKS
The UK National Hi-tech Crime Unit is investigating links between virus source code and terrorism, according to Reuters.