FYI: Antivirus software is like low-hanging fruit to hackers
Henk Elegeert
HmjE at HOME.NL
Tue Aug 2 20:09:05 CEST 2005
REPLY TO: D66 at nic.surfnet.nl
"
Antivirus insecurity at Black Hat confab
By Joris Evers
http://news.com.com/Antivirus+insecurity+at+Black+Hat+confab/2100-7355_3-5805750.html
Story last modified Wed Jul 27 04:00:00 PDT 2005
Experts are warning that the popularity of antivirus software could turn
the defensive measure into a security risk.
The technology is commonly installed on PCs, servers, network gateways
and mobile devices. As it becomes more widespread, the more attractive a
target it becomes for cybercriminals, said researchers at Internet
Security Systems.
"Antivirus could potentially be the weak point hackers might exploit to
break into your network," said Neel Mehta, the team leader of X-Force
Research at Internet Security Systems in Atlanta. "It is a key security
mechanism, and it is important to have it. But at the same time, it
could also be an attack vector."
News.context
What's new:
ISS researchers plan to outline flaws in antivirus products at Black Hat
Briefings, saying the software's popularity is making it more attractive
to hackers.
Bottom line:
The discussion is among the many topics up for discussion at the
security conference and the DefCon event that follows it in Las Vegas
this week.
Mehta and fellow ISS researcher Alex Wheeler plan to outline
vulnerabilities in antivirus products on stage at the Black Hat
Briefings, which kicks off on Wednesday. The security conference draws
hackers and security experts to Las Vegas every year. The event is
followed by the DefCon, the security industry confab famous for its
hacker activity, which starts Friday.
The ISS researchers will demonstrate hacking into systems using known
and fixed flaws in antivirus products, not new security holes that have
not been publicly disclosed yet, Mehta said. "We're going to show that
it is a credible threat and demonstrate exploits," he said.
In the past year, ISS has discovered bugs in products from security
software makers Symantec, McAfee, Trend Micro and F-Secure, he noted.
Earlier this week, several flaws discovered by ISS were disclosed and
fixed in Clam AntiVirus, a popular open-source virus scanner.
At the moment, the problem is just an emerging threat. Only isolated
cases have been seen of malicious code writers using holes in antivirus
software to attempt to break into computer systems, Mehta said. "There
used to be no exploits for antivirus products, but we see some now," he
said. "There is the potential for more."
Antivirus software is like low-hanging fruit to hackers, Yankee Group
analysts wrote in a research paper released last month. As the pool of
easily exploitable security bugs in Microsoft Windows dries up,
attackers are looking to security software for holes to get into
systems, the analysts said.
"As the core of the operating system gets more secure, hackers are
diverting their attention to other targets," Mehta agreed.
Show time in Vegas
The lineup of papers and presentations at Black Hat this week bears out
that trend. Few of the topics in the sessions deal with hacking attempts
on Windows, Microsoft's dominant operating system, which has come under
heavy attack from malicious code writers in the past.
Weaknesses in antivirus software are only one of the topics on the
conference agenda. Researchers will also cover the use of USB keys to
get into Windows PCs, intrusions into Oracle products and the security
of Cisco Systems routers.
Experts from SPI Dynamics, which specializes in Web application
security, plan to highlight problems with the drivers that make USB
devices work on computers in a session titled "Plug and Root, the USB
Key to the Kingdom." They will delve into how an attacker could gain
access to an otherwise locked system via such security holes.
Oracle, which once called its products "unbreakable," will also see its
security scrutinized. Alexander Kornbrust of Red Database Security will
give a presentation on how to circumvent Oracle's database encryption,
and Esteban Martínez Fayo, a researcher at security company Argeniss, is
slated to show new ways to attack Oracle databases. Kornbrust, a German
security researcher, earlier this month published details on a number of
unpatched security flaws in Oracle software.
Cisco's routers are part of the core plumbing of the Internet, and
Cisco's IOS, or Internetwork Operating System, runs on those routers. At
Black Hat, ISS researcher Michael Lynn will probe IOS security for
possible weaknesses. Large-scale router attacks could disrupt the
performance of the Internet.
Black Hat attendees can also get some legal advice. Jennifer Granick,
the executive director of the Stanford Law School Center for Internet
and Society, plans to offer a practical and theoretical tutorial on
legal issues related to computer security practices.
While Black Hat is more like a traditional trade show, DefCon is a
celebration of hacker culture and security knowledge. It brings together
experts from the hacker underground, security industry stars and geek
groupies. Word on the street is that most hotels in Las Vegas refuse to
host DefCon because of all the hacking mischief that takes place.
As the focus on cybercrime has increased, Black Hat and DefCon have also
become a fixed item on the calendars of many law enforcement agents. A
few years back, conference-goers would challenge each other to spot the
"Fed." This year, some in the security industry say the task could be to
spot the hacker.
Copyright ©1995-2005 CNET Networks, Inc. All rights reserved.
"