Monday, July 31, 2006

Security: Open Source Gets Ugly

Magazine News Story / July 31, 2006

Proponents may believe that the movement can do no wrong, but could open-source tools and techniques be doing more harm than good? A July 17 report from security giant McAfee poses that question and reaches some disturbing conclusions. Open-source systems that help companies create efficient and inexpensive software can become instruments of online mayhem in the hands of hackers and cyber criminals, say McAfee security researchers.

“The open-source code-sharing model has contributed to the rise of malware,” or malicious code, says Dave Marcus, security research and communications director for McAfee AVERT Labs. “Without source-code sharing, we would not see the massive virus families today.”

Increased availability of the source code of viruses like W32/Mydoom has led to more types of malware. Bots, networks of infected computers controlled by hackers, are on the rise and are replacing legacy viruses for DOS and Windows 3.1, because of greater collaboration among malware writers.

Transparency and openness are generally considered essential when it comes to finding and fixing software vulnerabilities. Mailing lists are devoted to sharing information about security loopholes in popular products and finding patches.

But McAfee says some of those techniques can backfire. Malware writers are using open-source development models and software to share malicious code and collaborate on projects, increasing the efficiency of the malware creation process. “There are times when the community needs to show some restraint, some public responsibility, before sharing with the world,” writes Jimmy Kuo, a senior fellow with McAfee Avert Labs, in the report.

For example, cyber criminals are making available source code with documentation so that viruses can be easily modified to create more variants. They are also using open-source project management software, such as a Content Versioning system, to keep track of their nefarious projects, says the report.

Still, stifling conversation may not be the answer, says Mike Rothman, an analyst with consulting firm Security Incite. “Open source is a wonderful thing from the standpoint of building up a community to help troubleshoot and magnify development efforts,” he says. Instead, he suggests security experts be made responsible for the kind of disclosures they make and work better with the companies to fix loopholes faster.