Suppliers come under pressure after hackers target applications

Call for a boycott to boost software security as criminals shift focus from operating systems.

Criminal groups are exploiting security holes in desktop and enterprise software, government security officials from the US and the UK will disclose today.

Hackers have shifted the focus of their attacks over the past 12 months from exploiting weaknesses in Windows and Unix operating systems to weaknesses in commonly used corporate software, including back-up software, anti-virus tools and databases.

The shift, revealed by US-based security body the Sans Institute, highlights a new front in the battle to secure corporate and government IT systems from hackers.

"A significant shift has happened over the past year in the internet security space. Where the attacks used to focus on common vulnerabilities in services, they have switched to applications. It is a huge challenge to big business, small business and government," said Alan Paller, director of research at the Sans Institute.

Roger Cummings, director of the UK government's National Infrastructure Security Co-ordination Centre (NISCC), said organised groups and hostile governments had begun exploiting application vulnerabilities over the past 12 months in targeted e-mails designed to launch malicious code.

"The key thing we have seen is targeted attacks - people sending e-mails designed to make them attractive and encourage people to open them," he said.

The disclosures will place pressure on equipment and software suppliers to introduce the same kind of automatic security patching routines for application software that they offer for operating systems.

"The key action is for users to stop buying software where the supplier does not take responsibility for an automatic update," said Paller. "If all the supplier does is send out e-mail alerts, we have to stop buying their product, and it will not be long before they step back and accept that they have to take affirmative responsibility. There is no other solution."

The Sans top 20 list of security vulnerabilities revealed serious security flaws in the systems that companies are relying on to protect themselves, including a wide range of anti-virus and back-up software. According to Paller, these products are already being exploited by hackers.

"You have the worst possible situation. You have bought a product to protect you and it creates a vulnerability in your systems," he said.

Security weaknesses in routers present another headache for IT directors, allowing hackers to gain access to passwords and access rights to other parts of the network, the Sans research revealed.

Hackers are also exploiting an increasing number of configuration errors in software packages, ranging from default passwords left unchanged in databases to security features that are turned off by default.

Gerhard Eschelbeck, chief technology officer at IT security supplier Qualys, said software suppliers needed to simplify and improve the way they update the security of their products.

"There are clearly a lot of applications today where you have to be an expert in order to update those products. I think you have to move away from the thinking that software needs to be secured and managed by experts," he said.

Research by the NISCC found that 93% of the targeted attacks against the UK's critical national infrastructure over the past year made use of vulnerabilities that were already known, highlighting the importance of rapid patching.

Paul Dorey, vice-president for digital security at oil company BP, said businesses were already putting pressure on suppliers to improve their security, both individually and through the Jericho Forum security user group.

"Companies are starting to build security requirements such as patching service levels into their contracts with suppliers as a mandatory compliance requirement, particularly for critical systems," he said.

Dorey called for suppliers to extend their use of automated security patching. "Experience increasingly shows that automated patching systems linked to supplier service sites can beat managed corporate patch clients every time," he said.

"The Jericho Forum holds the view that systems looking after themselves is better than relying on the artificial protection of the company perimeter."