This year’s Black Hat conference offered more than its
organizers bargained for when a researcher’s presentation instigated a court
battle with Cisco. But don’t let the controversy detract from the conference’s
theme of security vulnerabilities in antivirus software, which could become
hackers’ next big target.


This summer’s Black Hat
USA 2005 Briefings
, which just wrapped up in Las Vegas, focused on taking advantage
of known vulnerabilities in antivirus software
to penetrate systems. But
the really hot news this year was the court battle spurred by Michael Lynn’s presentation.
Lynn allegedly decompiled Cisco code and used the information to exhibit how to
hack into Cisco routers, exposing a problem that could potentially place the
entire Internet at serious risk.

In response, Cisco and Internet Security Systems (ISS), Lynn’s
former employer, sought
a temporary restraining order
from a U.S. District Court after Lynn’s
presentation because of the disclosure of the information. The next day, Lynn
and Black Hat organizers agreed to a
permanent injunction
, which forbids any further discussion of the
presentation or dissemination of any information or recordings.

Lynn reputedly resigned from his ISS position when the
company opted to cancel his presentation. So, while his lecture was apparently
an open job application—he displayed his resume at the end of it—it was one
that showed a new way to exploit known (and recently patched) flaws in Cisco’s
Internetwork Operating System (IOS).

Whether Cisco likes it or not, the information is now out
there. And, if nothing else, it should serve as a strong encouragement to
update IOS.

A recent
report from Yankee Group
reveals that vulnerabilities are now showing up in
security software more than the traditional Microsoft targets. As a result, these
holes are becoming the latest target of opportunity for hackers. According to
the report, 77
new vulnerabilities in major security programs
emerged in the 15-month
period between January 2004 and March 2005.

And the rate of discovery of new flaws appears to be accelerating.
In fact, a critical
vulnerability surfaced
in the widely used GPL Clam Antivirus Library in
July. Buffer overruns in several components could allow a remote attacker to
take over a system.

The vulnerabilities affect ClamAV 0.86.1 and prior versions;
version 0.86.2 fixes the problems. Secunia has rated the vulnerabilities as highly critical.

For more information on how hackers exploit a vulnerability
in a security product, check out the SANS tutorial, “Exploiting
BlackICE: When a Security Product has a Security Flaw.”
(Remember: You
can’t fight ’em if you don’t understand them.)

Final word

It’s rock-and-a-hard-place time, folks: We can’t safely
connect to the Web without antivirus software and a firewall, but now it turns
out that the very security software we’re using could become our biggest
enemy—at least for those of us who took the plunge and upgraded Windows XP to
the more secure SP2 version. Ever since a flawed Symantec automatic update
locked me out of Office applications for a few days, I’ve stopped updating my
antivirus software—just the programs, not the signatures—but I may have to
reevaluate my position.

In other news, the Financial
reported in its July 27 edition that 64-bit computers are about to
flood even desktops. Of course, when the financial papers get hold of a
technology story, you know it’s getting old, but I find myself in agreement
with its brilliant acknowledgement of the incredibly obvious.

PCs are now a commodity, and the industry is struggling to
find the next killer app, which will probably require faster hardware. However,
in the same week, posted a report that security software
vendors aren’t ready to meet the demand
for anti-malware software that runs
on 64-bit platforms.

While the first big wave of 64-bit malware hasn’t yet hit,
it can’t be far behind Symantec’s discovery of the first-known proof-of-concept
virus, W64.Shruggle.1318,
which was almost a year ago. Personally, I think the vandals are just waiting
at the gates—salivating over the fact that the flood of new 64-bit computers
will be less protected than the average office PC was before Windows XP’s

Also watch for …

  • If you’ve
    ever wondered just how annoying spam can get, consider this: In Russia,
    where spam is legal, authorities recently found the savagely beaten body
    of major
    spammer Vardan Kushnir
    . Moscow police are looking for a motive in the
    death of the big-time spam purveyor.
  • Meanwhile,
    back in the United States, disgruntled Phillies fan Allan Eric Carlson recently
    received a four-year federal prison sentence
    for spoofing thousands of
    e-mail addresses in spam messages. Technically, the conviction was for
    identity fraud due to the use of other people’s account names in the From
  • Pretty
    Good Privacy (PGP) creator Phil Zimmerman is setting out to do for voice
    over IP (VoIP) what he already did for e-mail security by developing
    a PGP for IP telephony
    . Programs are already available that capture
    VoIP conversations, so companies need to be aware of the need for
  • Last
    week, the Mozilla Foundation marked the 75-millionth
    download of its Firefox Web browser
    .That includes every update
    download—of which there have been many recently—but it doesn’t take into
    account a single download distributed throughout an organization. So,
    while the browser’s popularity obviously continues to grow, we can’t
    really determine the number of Firefox users.
  • And
    finally, for those of you still waiting for UNIX to take over the world—beware
    of what you wish for; as adoption increases, it will become a bigger
    hacker target—Linux Today reports that Asian users have seen the light.
    The lower cost seems to be the main
    driver of a Linux adoption surge
    in Asia. Of course, UNIX is
    inherently more hacker-friendly due to the availability of all the open
    source tools and code for learning about computers.

Miss a column?

Check out the IT Locksmith Archive,
and catch up on the most recent editions of John McCormick’s column.

Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter
, delivered each Tuesday!

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.