22 May 2006, Robert Jaques, V3
US military, government, security and critical infrastructure agencies are being warned against using commercial software which could be hacked by foreign cyber-terrorists.
The warning was issued by Cyber Defense Agency (CDA), an information security consulting and research company specialising in services for the US government and infrastructure sectors.
CDA said that gas, electricity, telecoms, banking and water companies are among the critical service providers that could fall victim to cyber-terrorism caused by so-called life-cycle attacks buried deep within millions of lines of software code.
Life-cycle attacks occur when one line of code is rigged to open vulnerabilities within the software, thus exposing the software and the company to external threats, CDA stated.
The firm claimed that the US Department of Defense recently commissioned an evaluation for top security experts to report and analyse the threats of foreign influence on the government and military's use of commercial software.
It went on to suggest that software built by less expensive overseas labour is exposed to "several threats such as the insertion of malicious code".
These so-called "adversarial foreign interests" or "trans-national criminal and terrorist groups" will then be able to exploit these pieces of inserted code in "strategic attacks against the US".
"Outsourced commercial software used by the military and critical infrastructures poses a silent but significant security risk to the defence and welfare of the US," said Sami Saydjari, chief executive and president of CDA.
"The chances of strategic damage from a cyber-terrorist attack on the US increase the longer it takes the US military and critical infrastructures to remedy the risks posed by using outsourced software."
The company advises governments, organisations and firms responsible for critical infrastructure to architect critical systems with defence-in-depth security mechanisms from different vendor sources under the assumption that some of the software contains life-cycle attacks.
CDA also recommends limiting software privileges using fine-grained security control technology already developed under government research programmes, and configuring intrusion detection systems to detect the activation and use of such life-cycle attacks.
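The advice above, detecting when dormant code inside a trusted component is activated, is easiest to picture with a baseline-deviation check: profile what a vendor component legitimately does (its network destinations, child processes and writable paths) and alert on anything outside that profile. The following is an added example, not code from the article or from CDA. The audit-line format, the `billing-agent` component, its profile and the sample events are all constructed for illustration.

```python
"""Baseline-deviation detector for a third-party software component.

Added example (not from the V3 article or CDA). The component name,
the audit-line format '<ts> <component> <type> <value>' and the sample
events are constructed; a real deployment would feed it from an audit
or EDR source and build the profile during acceptance testing.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Profile:
    """Expected behaviour of one vendor component in normal operation."""
    component: str
    allowed_destinations: frozenset  # "host:port" strings it may connect to
    allowed_children: frozenset      # executables it may spawn
    writable_prefixes: tuple         # path prefixes it may write under


@dataclass(frozen=True)
class Alert:
    timestamp: str
    component: str
    kind: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed audit line into its four fields."""
    ts, component, kind, value = line.strip().split(" ", 3)
    return {"ts": ts, "component": component, "type": kind, "value": value}


def check_event(event: Dict[str, str], profile: Profile) -> Optional[Alert]:
    """Return an Alert if the event falls outside the component's profile."""
    kind, value = event["type"], event["value"]
    if kind == "connect" and value not in profile.allowed_destinations:
        detail = f"unexpected outbound connection to {value}"
    elif kind == "exec" and value not in profile.allowed_children:
        detail = f"unexpected child process {value}"
    elif kind == "write" and not value.startswith(profile.writable_prefixes):
        detail = f"write outside permitted paths: {value}"
    else:
        return None
    return Alert(event["ts"], event["component"], kind, detail)


def scan(lines: Iterable[str], profiles: Dict[str, Profile]) -> List[Alert]:
    """Run every audit line against the profile of the component that produced it.

    A component with no profile is itself reported: under the article's
    assumption that some delivered software is rigged, unprofiled code is
    a gap in coverage rather than something to pass silently.
    """
    alerts: List[Alert] = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        profile = profiles.get(event["component"])
        if profile is None:
            alerts.append(Alert(event["ts"], event["component"],
                                "unprofiled", "no baseline for component"))
            continue
        alert = check_event(event, profile)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed profile for a hypothetical outsourced billing component.
BILLING_AGENT = Profile(
    component="billing-agent",
    allowed_destinations=frozenset({"db.internal.example:5432"}),
    allowed_children=frozenset({"/usr/bin/gzip"}),
    writable_prefixes=("/var/lib/billing/", "/tmp/billing-"),
)

# Constructed audit lines: three within profile, three that deviate.
SAMPLE_EVENTS = [
    "2006-05-22T10:00:01Z billing-agent connect db.internal.example:5432",
    "2006-05-22T10:00:02Z billing-agent write /var/lib/billing/queue.dat",
    "2006-05-22T10:00:03Z billing-agent exec /usr/bin/gzip",
    "2006-05-22T10:00:04Z billing-agent connect 203.0.113.7:443",
    "2006-05-22T10:00:05Z billing-agent write /etc/cron.d/update",
    "2006-05-22T10:00:06Z billing-agent exec /bin/sh",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS, {BILLING_AGENT.component: BILLING_AGENT}):
        print(f"{a.timestamp} ALERT {a.component} [{a.kind}] {a.detail}")
```

Run on the sample events, the first three lines pass and the last three raise alerts: an outbound connection to an address not in the profile, a write into a system directory, and an unexpected shell child process. The detector deliberately knows nothing about the component's internals, which is what makes it useful against code hidden in a binary the operator cannot audit; it also sits outside the component, so the defence-in-depth point in the article holds even if the component itself is the compromised piece.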
Do you agree?
Duh!
So, what are you doing about it?
Most do nothing either because ignorance is bliss and they have no clue or they believe they have some protection since they paid all that money for those high dollar IDS/IPS lumps of crap. Well guess what, you don't have any protection, no matter how much you paid!
Posted by Not Glenn, 24 May 2006
Made absolutely no sense.
So, life cycle attacks = "Warning closed source binaries may contain intentional or unintentional vulnerabilities." ?
If so: Thanks, but everyone knew that already.
Posted by Glenn, 24 May 2006
Education is Important
Actually, Glenn, everyone doesn't already know that. That's the problem. You wouldn't believe the number of folks I talk to who are totally clueless and go into panic mode once you explain what the bad guys can really do. It's really good that you know though... perhaps you can help educate folks too!
Posted by Ms. Geek, 25 May 2006