It is tempting to think of hackers as twisted geniuses. Tinseltown sure does: Show me someone who's a hacker in a movie, and I'll show you a brilliant, enterprising nerd who has gone bad--someone who is fueled in equal parts by caffeine, cunning, and native technical skills.
In the real world, most hackers aren't that clever, and they aren't that industrious. They're more like looters, using brute force to break into PCs via weaknesses others have exposed. Oftentimes, they do so after developers have released patches, but before many users have installed them.
[Photo caption: The Defender: Security reporter (and former Marine intelligence officer) Verton. Photograph: Rick Rizner]

"Biography of a Worm" is the moment-by-moment tale of one of the most notorious of those lootings, the invasion of the Sasser worm last spring. Author Dan Verton, a newcomer to this magazine but a seasoned senior writer at our sister publication Computerworld, knows his security, and not just of the digital variety: He's a former intelligence officer for the U.S. Marine Corps.
"Security isn't just about bits and bytes. It's about public safety as well," he explains. "Every insecure home computer is an attack vector waiting to be turned on by a sophisticated hacker." In other words, determined cyberterrorists could someday use the worms or viruses they plant on our PCs to launch assaults on government or private-sector infrastructure.
From Weakness to Worm
Sasser, luckily, was more colossal headache than national crisis. Its appearance is the climax of Verton's article: By the time a German teen pounded out the code, most of the heavy lifting had already been done. Months earlier, a California security researcher had discovered the Windows flaw it attacked, and Microsoft had acknowledged it and released a patch.
Shortly after Microsoft's security alert appeared, a Russian hacker made the flaw the subject of an "exploit," a sort of do-it-yourself worm recipe. The exploit became a building block of Sasser, which has infected at least 700,000 systems--so far.
Other attacks have similar biographies, and some are uglier still. Not every sleuth who finds a flaw discreetly alerts the developer. Some simply release the details to the world at large, and hackers get their hands on them before a fix exists.
Microsoft's message to security researchers is simple: Help us, don't surprise us. "Providing information on vulnerabilities [to the public] only ends up putting customers at risk," says Stephen Toulouse, a senior program manager at the Microsoft Security Response Center.
To that end, the company is a member of the Organization for Internet Safety, a group that encourages researchers and developers to work together to identify and patch vulnerabilities. Sounds like a worthy cause to me.
But the danger in this sort of low-key, secretive approach is that it reduces the pressure on software companies to release important fixes as quickly as possible. In the case of the Windows hole that Sasser attacked, for instance, Microsoft didn't provide a patch until 188 days after it knew about the problem.
Of course, a hasty, buggy fix can be worse than the flaw it purports to correct. Still, for more than six months, even Windows users who diligently patched their machines were running an operating system with a gaping hole. That's enough to make any PC user squirm.
And when users squirm, says Verton, software companies must feel their pain. Real improvements in security may come only if users demand them: "If customers say, 'We won't buy your software unless it meets certain conditions,'" he believes, "that would make developers change."
Even Microsoft's Toulouse says that software buyers have every right to be demanding, nowadays. His response to users who think that Microsoft's security practices leave something to be desired?
"Keep telling us that," he requests. "We're working hard, and we need to hear how we can do better."
Tell us what you think, too. As long as there's a security mess, we'll keep covering it--and we need your feedback.
Visit Editor in Chief Harry McCracken's Weblog at blogs.pcworld.com/techlog; contact him at mageditor@pcworld.com.