Return of the Guru

Who Knew What, When Did They Know It, and Why Didn’t They Tell Us?

Ara Trembly
Insurance Experts' Forum, August 23, 2010

The battle against cyber-crooks is a grind and the bad guys never seem to rest in their efforts to compromise systems and steal valuable information. Yet the minds that apply themselves to stopping crime are just as astute as those who seek to perpetrate it—so why do we seem to be losing the battle?

One reason is that the good guys, while obviously trying to do good, are—first and foremost—out for themselves. The latest example of this is an Internet report that

Microsoft has known since at least February that dozens of Windows applications, including many of its own, contain bugs that hackers can exploit to seize control of computers, according to an academic researcher.

Taeho Kwon, a Ph.D. candidate at the University of California Davis, said in a paper published in February, and presented last month at an international conference, that at least 19 of the Windows bugs can be exploited remotely. The report goes on to claim that many have warned that a large number of Windows programs are vulnerable to attack because of the way they load components.  

Meanwhile, a U.S. researcher, H.D. Moore, said he had found at least 40 vulnerable applications, including the Windows shell. The next day, Slovenian security firm Acros announced it had uncovered more than 200 flawed Windows programs in an investigation that began four months ago, the report notes.

But here’s where the fun begins … depending on your definition of fun. On Saturday, the report says, Kwon claimed his work preceded Moore's and Acros'. In the paper he presented last month at the International Symposium on Software Testing and Analysis (ISSTA), Kwon said that he had submitted a bug report to the Microsoft Security Response Center (MSRC).

So while the various malware sniffers tussle over who said what first and who knew what when, enterprises worldwide are vulnerable to a host of problems that are too numerous to detail here. Microsoft, meanwhile, seems only to have acknowledged that it is looking into the problems mentioned by the various researchers.

That gives the bad guys plenty of rope with which to hang enterprises out to dry—and with financial services enterprises increasingly being targeted by cyber criminals, that could mean major problems. Now I’m not suggesting that we should “all just get along,” but I am wondering what happened to common decency and common sense. If vulnerabilities are publicly posted by reliable sources, why are we still “investigating?”

In the end, this happens because each of the parties concerned is looking out for No. 1, and Nos. 2 and up be damned. We probably will never know who really knew what, when they knew it, and what they did about it, but we do know one thing—for those who become victims, we knew too late.

Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.

Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at ara@aratremblytechnology.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.

Comments (0)

Be the first to comment on this post using the section below.

Add Your Comments...

Already Registered?

If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.

Forgot your password?

Not Registered?

You must be registered to post a comment. Click here to register.

Blog Archive

Mobile Device Management – Find That Middle Ground

There's a tug of war over BYOD, but neither those in favor nor those against should tug too hard.

Vendors Embrace Mobile Technology

IT leaders at software firms clearly recognize the importance of mobility to drive their businesses forward. Almost 70 percent see mobility as mission critical or important to their organization today.

Digital Vision vs. Harsh Reality

Much work remains to reconcile insurers' digital vision with the digital reality that seems to be arriving for other industries.

Big Data Is Paying Off

Insurers are getting business benefit out of their big data projects, but these projects alone won't grow their business.

What Can Insurers Learn from Home Depot?

The latest cyber-attack highlights the importance of helping policy holders defend themselves.

Not Your Father’s Insurance Company

Carriers need to look at new and impactful ways to be there for their customers.