Hacker Lays Security Blame On Software Vendors

Software vendors need more incentives to secure their products, says iPhone hacker Charlie Miller

Security researcher Charlie Miller will deliver the keynote speech on 9 June at the International Conference on Cyber Conflict. The conference, in its third year, is sponsored by the NATO Cooperative Cyber Defence Centre of Excellence and will take place in Estonia.

Miller’s keynote, entitled “Why the Bad Guys are Winning the InfoSec War”, will use the recent security breaches at PBS.org, RSA Security and HBGary Federal as examples, Miller told eWEEK. Miller analysed recent events and determined that the common denominator across all the incidents was unknown vulnerabilities and zero-day exploits.

Zero-day bugs

“You are doing everything right, but the bad guys are coming in because they know about vulnerabilities no one else does,” Miller said.

Enterprises and governments for the most part have been doing security long enough that they know they have to keep their systems patched. But when most attacks involve a zero-day exploit, no patch is available. Organisations don’t even know they are vulnerable, Miller said.

In the case of PBS.org, Lulz Security, a group of cyber-pranksters usually out for laughs (or lolz) did not like the way whistleblower site WikiLeaks was portrayed in the Frontline documentary WikiSecrets. They uncovered a zero-day vulnerability in Movable Type 4, the content-management system used by PBS, and broke in, defacing the site and posting a fake news story about Tupac Shakur supposedly being alive.

Miller blamed the software vendors for the situation. Companies are shipping products with bugs and issues they haven’t fixed, and the ones suffering for it are the customers and end users, Miller said. The malicious Excel spreadsheet that attackers used to exploit a zero-day vulnerability in Flash did not affect Microsoft or Adobe, but instead, RSA Security, back in March, Miller said.

The company that actually makes the software has little incentive to make the investment to ship bug-free code, according to Miller. It’s difficult and expensive to write secure code. As long as companies don’t see a direct benefit to being secure, they won’t spend the extra time, resources and money to address bugs.

Better coding practices

Companies like Microsoft and Apple should be focusing on better coding practices and check for bugs during development. Before the product ships, they should have a security team or outside researchers come in as consultants to help look for bugs in the code, according to Miller.

Miller also suggested that the software industry and its customers have to give some incentive for researchers and security consultants to devote their time and effort to looking for security holes and then reporting them to the vendors. “Researchers can report to the company and get their names on a website when the patch comes out, or they can sell it to a bad guy on the black market and make some money,” Miller said. “We shouldn’t be putting people in that position to have to choose in the first place,” said Miller.

Miller said a bounty programme like the one Google has for its Chrome web browser is a step in the right direction because it gives researchers incentive to look for and report issues.

The battle is harder for the software vendors to fight, since they have to ensure every bug is addressed, while the attackers just have to find one, according to Miller.

Attackers aren’t using all the exploits they find at once, either. Many of them hold zero-day vulnerabilities in reserve so that they always have a backup attack method to fall back on after the company fixes the flaws that come to light.

Miller cited some statistics from an organisation that does penetration testing. The average lifespan of a zero-day vulnerability is 348 days, Miller said. That is, it takes nearly a year for a zero-day to be patched from the day it is reported. The fastest a zero-day that an organisation reported got fixed was 99 days, and the slowest was over three years, according to Miller.

If companies were doing a better job testing and fixing bugs before shipping each new version, it would be “harder to hang onto the zero-day”, Miller said.

Miller is currently a principal research consultant for Accuvant Labs, a company that specialises in penetration testing, application and enterprise security assessments, and vulnerability research. Miller is also well-known for hacking Apple products. He co-wrote The Mac Hacker’s Handbook with Dai Zovi and has won three Pwn2Own contests at CanSecWest for successfully compromising up-to-date, fully patched MacOS X systems and iPhones.