Return of the Guru

Who Knew What, When Did They Know It, and Why Didn’t They Tell Us?

Ara Trembly
Insurance Experts' Forum, August 23, 2010

The battle against cyber-crooks is a grind and the bad guys never seem to rest in their efforts to compromise systems and steal valuable information. Yet the minds that apply themselves to stopping crime are just as astute as those who seek to perpetrate it—so why do we seem to be losing the battle?

One reason is that the good guys, while obviously trying to do good, are—first and foremost—out for themselves. The latest example of this is an Internet report that

Microsoft has known since at least February that dozens of Windows applications, including many of its own, contain bugs that hackers can exploit to seize control of computers, according to an academic researcher.

Taeho Kwon, a Ph.D. candidate at the University of California Davis, said in a paper published in February, and presented last month at an international conference, that at least 19 of the Windows bugs can be exploited remotely. The report goes on to claim that many have warned that a large number of Windows programs are vulnerable to attack because of the way they load components.  

Meanwhile, a U.S. researcher, H.D. Moore, said he had found at least 40 vulnerable applications, including the Windows shell. The next day, Slovenian security firm Acros announced it had uncovered more than 200 flawed Windows programs in an investigation that began four months ago, the report notes.

But here’s where the fun begins … depending on your definition of fun. On Saturday, the report says, Kwon claimed his work preceded Moore's and Acros'. In the paper he presented last month at the International Symposium on Software Testing and Analysis (ISSTA), Kwon said that he had submitted a bug report to the Microsoft Security Response Center (MSRC).

So while the various malware sniffers tussle over who said what first and who knew what when, enterprises worldwide are vulnerable to a host of problems that are too numerous to detail here. Microsoft, meanwhile, seems only to have acknowledged that it is looking into the problems mentioned by the various researchers.

That gives the bad guys plenty of rope with which to hang enterprises out to dry—and with financial services enterprises increasingly being targeted by cyber criminals, that could mean major problems. Now I’m not suggesting that we should “all just get along,” but I am wondering what happened to common decency and common sense. If vulnerabilities are publicly posted by reliable sources, why are we still “investigating?”

In the end, this happens because each of the parties concerned is looking out for No. 1, and Nos. 2 and up be damned. We probably will never know who really knew what, when they knew it, and what they did about it, but we do know one thing—for those who become victims, we knew too late.

Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.

Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at ara@aratremblytechnology.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.

Comments (0)

Be the first to comment on this post using the section below.

Add Your Comments...

Already Registered?

If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.

Forgot your password?

Not Registered?

You must be registered to post a comment. Click here to register.

Blog Archive

The Software-Defined Health Insurer: Radical But Realistic?

Can a tech startup digitally assemble the pieces of a comprehensive, employer-provided health plan?

Data Governance in Insurance Carriers

As the insurance industry moves into a more data-centric world, data governance becomes more critical for ensuring the data is consistent, reliable and usable for analysis.

Fear This

Just days before this Issue, which contains our security cover story, went to press, we got some interesting news: 1.2 billion unique usernames and passwords and 542 million email addresses were reportedly stolen from 420,000 websites, according to The New York Times. The websites ranged from Fortune 500 companies down to small online retailers.

Should You Back Up Enterprise Data to the Cloud?

Six questions that need to be asked before signing on with an outside service.

Modernizing Information Management

While better reporting and actuarial analysis help to support financial decisions, improved analytics and decision making greatly assist the rest of the organization.

Strategic Planning: Here and Now

Insurers’ annual strategic planning efforts can benefit from an infusion of tactical reality.

Advertisement

Advertisement