Open Source Concerns: Trojan Horses In the Code

crisco writes to us with an article from InternetWeek addressing the concern of "trojan horse programs concealed inside open source code that could create new security headaches for IT managers", as the article says. The article deals mainly with the BO2K issue, which makes the whole open source connection a bit of a stretch.

Where to begin...

[J4]

Trojan horse programs concealed inside open source code could create new security headaches for IT managers. One such program released last week, BackOrifice 2000...

BO2k isn't concealed inside another program..

When virus writers moved to an open source model in 1996, there was an explosion in macro viruses,...

Ah yes, I remember the good old days of proprietary virii...NOT.
The explosion in macro virii wouldn't have anything to do with a program that
could _host_ them now, would it?
Like, I don't know, maybe MS Office?
No mention of how much easier it is to construct
a macro virus as opposed to a real virus done in, say, x86 assembler.

Organizations "absolutely should be putting
security measures in place if they use NT to a
great degree" to thwart BO2K-specific attacks,
said Drew Williams, director of Axent Technologies'
SWAT Team.

Hmm, not quite sure what to say about this one...
Are they saying:
A)You don't need security if you don't use NT
B)You shouldn't use NT (I'll buy that)
C)If you only have one NT box you don't have to worry
D)Win9x, 3.1 aren't vulnerable

Internet Security Systems researchers have
already decoded BO2K protocols and encryption
algorithms.

Nice trick...somebody must have sent them the source
code in an encrypted email, yeah, thats
the ticket...

Jason Garms, product manager for NT security at
Microsoft, said the company will fix any known
security vulnerabilities in its operating
systems. "There's nothing wrong with [Microsoft]
systems until Back Orifice is installed.

Oh my.... Somebody should start
a 12 step group for folks like this
I detect some serious denial problems here.
How much are these fixes going to cost?
When can we expect delivery?
Thats what I thought...

Users on NT networks that
exchange files and use Internet chat systems
are at the highest risk....

So..don't use your network to
transfer files..just look at the pretty lights....

The elite hacker group is banking on tools
such as BO2K to eventually force Microsoft
to correct security weaknesses in its operating
systems.
Security experts don't see the logic.
"They didn't have to write code and
release it to the public," said ICSA's Thompson.

The bastards, how _dare_ they try
to push around Micros~1!
Who's the real victim here? Micros~1
or the "Security Experts" who have to get
off their well padded rear ends and do some work now?
Oh wait, I guess security expert is a synonym for pundit now.

Once the program is released,
Axent's Williams expects an "immediate
spike" in hacking activity
on NT systems, but expects it to trickle down to
some level of manageability.

The program is already released, Sparky...
I expect this is true if we use hacking in the
proper sense as in "Micros~1 programmers fixing
things up a bit"..
Though I expect if you replace "hack" with "kludge"
it'd be a little more accurate

Now _this_ is the kind of story I expect to see on /...
Just like backinaday ;P

possibly misinterpreted

[pridkett]

I think that you might have misinterpreted what this article is about. It is merely an article about Bo2k and how the fact that IS open source will cause problems for people. Meanwhile, it eludes the somewhat minor problem of people writing patches for legitimate software that turns in into trojan like software.

However I did glean a few bits of interesting stuff. Mainly that Microsoft is saying that if its a real remote admin tool that it wouldn't hide from the administrator. Umm, excuse me, I have the displeasure of having an NT server box here at work that I'm pseudo responsible for and NT Server Manager hides.

Secondly it doesn't mention the fact that if NT were written worth a damn, then it wouldn't be POSSIBLE to do this sort of stuff to it. There was the comment about it preying on users and not administrators, which is partially true, but its really MSs fault in the first place.

There was only one other thing that I disagreed with. It said something about when virus writers switched to open source in 1996 (like it was some sort of heavenly revelation) that there was proliferation in macro viruses. This may be true. But its more likely due to the rise of people who are using IE and Outlook for their net browsing and email reading.

Oh well, if nothing else the cDc by releasing the source code will actually FORCE microsoft to patch the whole and release patches that detect the software.

Serious mis-interpretation going one here

[Bruce+Perens]

The article does not say that Open Source has more security problems.

The article says that because Back Orifice is open source, there will be more variants of Back Ofifice, and that this will be more of a problem for virus detection vendors.

However, the security problem exploited by Back Orifice is Microsoft's fault. The release of Back Orifice is an attempt to force Microsoft to deal with its security problems.

Folks, if you are running software that has wide-open security problems, like Back Office, and the vendor won't help you except to give you sorry band-aids like virus detection software, it's time for you to lean on that vendor. There is no reason for Microsoft to continue to leave the barn door open - they are every bit as guilty as the computer criminals who exploit that, and in a just world MS executives would be charged, tried, and jailed for the computer crime they have facilitated.

Thanks

Bruce Perens

Re:The real Trojan Horse

[methuseleh]

So, the article is saying, essentially:

"Beware of GEEKS bearing gifts"

Sorry ;)

--

The real Trojan Horse

[Farce+Pest]

People never seem to remember the important lesson of the original Trojan horse. The Trojans left this nice horse statue as a gift, and the suckers (can't remember who the Trojans were at war with) take it inside their secured area. Later that night, the Trojans hidden inside the horse jump out and kill them.

The lesson: Look inside the friggin' horse, you stupid idiots! And THAT is something you can do with open source that you cannot do with closed, proprietary software.