They may not know anything about development or software, But they sure can deliver a mean pizza! As well as cute one liners.
The Breach That's Shocking the Firewall Industry
Network Associates' vaunted Gauntlet firewall system crumbled during an outside engineer's routine audit
In an age of increasing hacker attacks, calling any computer-security product "The World's Most Secure" would seem to be inviting disaster. But that didn't stop Network Associates (www.nai.com) from proudly making the claim about its flagship Gauntlet firewall system. In fact, this month's issue of Network magazine gives Gauntlet its prestigious "Security Product of the Year" award.
That was no consolation on May 19, when a San Diego computer engineer found a flaw in Gauntlet while performing a routine security audit, BW Online has learned. The flaw, if exploited, could allow hackers to break into tens of thousands of supposedly protected computer networks. The engineer, Jim N. Stickley, immediately notified Santa Clara (Calif.)-based Network Associates and helped it come up with a fix for the program.
But the breach was a shocker for the firewall industry as a whole. "If companies that specialize in security can't write secure software, what should we expect of the rest of the world?" says Elias Levy, the chief technology officer of computer security Web portal SecurityFocus.com (www.securityfocus.com).
NA quickly hustled out the corrective "patch" over the weekend of May 20-21. And Stickley says he still believes that the Gauntlet product, despite the flaw he discovered, will frustrate the vast majority of intruders. Still, the breach set off what NA says was a "massive response," as its sales reps scrambled to notify thousands of Gauntlet customers.
FIREWALLS ABLAZE. But some in the security field wonder if the response was large enough. They worry that NA hasn't sufficiently publicized the newly discovered flaws. As of May 25, the company still hadn't placed a notification on its primary homepage -- although it did place a clearly visible hyperlink to the Gauntlet patches on the product page for the NA group that makes Gauntlet.
Jim Ishikawa, a marketing vice-president at NA, says the company got out the word as quickly as it could, followed all proper notification procedures, and promptly posted a patch. Furthermore, says Ishikawa, Gauntlet customers would be far more likely to seek updates at the product's homepage as opposed to the NA homepage.
Businesses around the world are waking up to the importance of computer security in the wake of repeated security problems, such as the outbreak of the "Love Bug" virus earlier this month, the theft of online credit-card records, and denial-of-service attacks that have flooded computer servers at Yahoo!, Amazon, and other sites with bogus requests for Web pages.
Firewalls have become the cornerstone of most business-security efforts. These pieces of software prevent unwanted intruders from accessing a computer network. And firewall manufacturers have posted gangbuster growth of late. According to International Data Corp., companies spent $1.6 billion worldwide on firewalls last year, and spending is expected to increase by 38% this year.
BUFFER MANEUVER. Among firewall builders, Israel-based Check Point Software Technologies (www.checkpoint.com) holds the largest share of the market. But NA is No. 2 and gets top marks from security professionals, many of whom believe Gauntlet is the best product on the market.
Alas, its reputation proved scant protection against Stickley, a senior engineer at Austin-based Garrison Technologies (www.garrison.com). He used a "modified buffer overflow attack" to take control of a system protected by Gauntlet. This is a typical maneuver that involves typing large strings of characters into the dialog box in a Web interface such as a search box or a comment box. The long string overwhelms the system and allows the intruder to insert bits of his own code into the execution commands of the computer server running that Web site.
The inserted code gives the intruder easy access to the server and other computers that the firewall protects. In cases of malicious attacks, hackers that have successfully pried their way into systems can access large volumes of nonpublic information, including credit-card numbers.
CORRUPT GUARD. Stickley's benign attack points up a whole new angle of potential threat. "This is completely unprecedented, as far as I was able to determine," says Kevin Poulsen, a noted hacker and security expert at SecurityFocus. There have been flaws in firewall products, Poulsen explains, but most attempt to crash the firewall, or bypass it, rendering it useless.
Stickley's bug didn't just make the firewall ineffective in protecting the network, it actually turned the firewall into a way of attacking the network -- "like having a corrupt security guard willing to use his key to unlock the bank door for a crook. And the hole has been around for years," says Poulsen. For a security heavyweight like NA and the industry as a whole, it's another wakeup call in a field where continuous improvement isn't just a mantra, it's a matter of survival.
By Alex Salkever in New York |
