An independent consultant in Israel has released the results of one of the first exhaustive surveys of Internet security, hoping to provide a wake-up call for Internet companies.
With the help of a piece of homemade scanning software, Liraz Siri probed nearly 36 million Internet hosts worldwide over a period of eight months. Siri and his program, the Bulk Auditing Security Scanner or BASS, went looking specifically for UNIX systems that were vulnerable to 18 widely known security vulnerabilities — holes for which vendors have already released patches and other fixes.
Siri discovered that about 450,000 servers were susceptible to attack — among them banks, e-commerce sites, nuclear weapons research centers, and even computer security companies. While they comprise less than 2 percent of the total, Siri says they’re the tip of the iceberg.
“Statistically, we’re OK. But you can do anything you want with those 2 percent, including using them to penetrate affiliated systems, which you really don’t want. One group organized and funded could write the right software and really take control of a really impressive arsenal of computers on the Internet.”
Besides ignoring security bulletins, Siri says many companies fail to think of the Internet as an organic system, in which a disease or security penetration in one remote section can spread throughout the entire organism.
Siri’s report, titled “The Internet Auditing Project,” has already generated considerable interest among information security professionals since it was released last week. But some experts say that despite its significance, Siri’s work is unlikely to catalyze companies into action.
“The fact that he’s found these things and no one cleans them up is absolutely no surprise. Customers have been told these things before, but they don’t want to hear about it,” said Bill Hancock, chief technology officer for Network-1, a Massachusetts firm which develops firewall and other security software.
“There’s no return on investment from security, so all they want to hear about is how to open up their database to e-commerce. There’s total denial of just how dangerous things can be,” Hancock said.
On the other hand, some firms appear to be paying attention. During the course of the scan, Siri says he received legal threats from several companies who thought he was up to no good.
Siri, who just turned 18, said he would have liked to continue his unfunded research a bit longer before going public, but he had a looming deadline.
“I am going to be drafted very soon and will have very little personal freedom. I wouldn’t be able to publicize my work until 2004, so there was a window of opportunity I needed to exploit.”
The full report, as well as the source code to BASS, the scanner developed by Siri, is available for free download from the Security Focus Web site.