Security expert blasts shoddy software

Security experts and so-called "white-hat" hackers meeting at the Black Hat Security Conference in the U.S. lambasted current corporate security and the companies that make security products that are anything but.
Written by Robert Lemos, Contributor

"Do hackers have root [control] of all your systems? Well, yes, they do," said Mudge, the head of L0pht Heavy Industries -- a collection of hackers bent on improving the Internet's security -- during a Thursday keynote. The security "firm" accepts contracts from companies to break into systems as well as to write security products.

Mudge's comments hit on a common theme at security conferences -- that, in the rush to beat competitors to market, product security plays second fiddle to adding new (and possibly insecure) features. The solution: Don't let software vendors hide behind licenses that stipulate that software is sold "as is."

"We need to hold all these software vendors liable," said Mudge. "But as soon as you say the word 'liability,' software lobbyists hit Washington to prevent any legislation." Instead, the security world needs to design incentives for software makers to test and certify their security, he said.

Mudge, an old-school hacker who does not give out his real name, testified in front of the Senate last year to garner support for better security and to criticise the Digital Millennium Copyright Act, legislation that would have had the unintended consequence of making it illegal to test security products.

Rebecca Bace, president of security penetration testing firm Infidel Inc., agreed with Mudge's criticisms. "We really need methods to push for software quality," she said. She pointed out examples of major security flaws in many products from Microsoft Corp., including SiteServer 3.0, Windows NT and demo code that ships with IIS 4.0.

In fact, pounding on Microsoft's insecurities became a common theme at the conference as well.

On Wednesday, Mudge and noted cryptographer Bruce Schneier, president of Counterpane Systems, published a paper critical of Microsoft's software for creating virtual private networks. VPNs use encryption to create secure channels across insecure networks like the Internet. However, Microsoft's protocol -- known as PPTP and included free with Windows NT -- creates virtual private networks that can be hacked, said both Mudge and Schneier. "If security actually matters, (Microsoft's product) is unacceptable," said Schneier, who is frequently contacted by companies to test the security of encryption software.

A year ago, Mudge and Schneier released a paper on the original Microsoft PPTP software. At that time, Schneier called Microsoft "security charlatans" and pointed out that the encrypted network created by the software could be easily broken.

Today, the situation is a bit better, he admitted, adding that Microsoft fixed the most major issues. "It sucks less," he said. "Before you had something that was completely broken, but now it's a bit better." Microsoft could not be reached for comment by press time. However, a Microsoft Network administrator at the conference, who asked to remain anonymous, pointed out that other operating systems have just as many problems. "Every distribution of Linux, and Sun's Solaris, have all had just as many security holes," he said, adding that like Windows 2000's much-criticised code bloat (it's up to 40 million lines), Linux and Solaris have been growing bigger.

During his keynote, Mudge relented to some degree as well. "I use Microsoft as an example, because everyone knows them," he said. "Others have these problems as well."

Until we get them fixed, we can look forward to more break-ins, Web defacements, and perhaps worst of all, viruses, said Infidel's Bace. "Melissa and ExploreZip only begin to scratch the tip of the iceberg," she said.