By Jonathan Krim
Washington Post Staff Writer
Tuesday, November 22, 2005
Hackers' attacks on computer networks are evolving, zeroing in on flaws in some of the very software programs designed to keep data secure and prevent break-ins, according to a report to be issued today by security experts who view the trend with alarm.
Among the programs targeted by hackers are those that back up -- or copy -- data, as well as anti-virus and firewall applications.
"During the past year, there has been a shift in focus to exploit security products used by a large number of end users," according to this year's annual Top 20 Vulnerabilities report by the SANS Institute of Bethesda, which monitors and researches cyber-security around the world.
The report, a consensus of private and corporate experts on the most critical programming weaknesses, said vulnerabilities have been discovered in software from some of the biggest names in security, including Symantec Corp., McAfee Inc., Computer Associates International Inc. and Trend Micro Inc.
Rarely is any piece of software free of weaknesses in the face of determined hackers. But the shift worries SANS officials because businesses and government agencies are not conditioned to look for problems in some of the targeted software, as they are with operating systems, Internet browsers and e-mail, which for years have drawn the most attacks.
Moreover, not all suppliers of the newly targeted programs have automated systems for issuing "patches" that fix the security holes, said Alan Paller, research director at SANS.
"The bottom line is that security has been set back nearly six years in the past 18 months," said Paller. "Six years ago, attackers targeted operating systems and the operating system vendors didn't do automated patching. In the intervening years, automated patching protected everyone from government to grandma. Now the attackers are targeting popular applications, and the vendors of those applications do not do automated patching. Here we go again."
According to a SANS statement, the U.S. Computer Emergency Readiness Team, or US-CERT, which monitors cyber-security for the Department of Homeland Security, found that products for backing up data are drawing intense attention from online criminals.
The report shows that a flaw in one product, Symantec's Veritas Backup Exec, opened a gateway for sustained, "unwanted" Internet traffic for months after a warning about the vulnerability was issued by US-CERT in August.
Unless flaws are fixed quickly, SANS said, hackers potentially can gain access to data being backed up by organizations using such programs. Paller said hackers often use automated harvesting systems to steal data.
In a statement, Symantec said, "When a vulnerability is found in a Symantec product, Symantec is quick to deliver security patches to customers and provide notification of vulnerabilities and patches available" through its Web sites.
The report also documents an increase in vulnerabilities in software that powers devices for moving traffic around the Internet, such as routers and switches.
Various Microsoft Windows programs, long the primary object of hacker attacks, continue to make the top 20 list, including Office, Outlook Express, Internet Explorer and the basic Windows system.
Competing "open-source" browsers, built with contributions from thousands of independent programmers around the world, made the list, as did Apple's Safari browser.
Peer-to-peer file-sharing programs for trading music online continue to be carriers of spyware and malicious "bots," computer code that can commandeer personal computers, the report said.
The report also warned about flaws in programs from major vendors for instant messaging and for playing digital media, such as Apple's iTunes and the Windows Media Player.