Truth About Computer Security Hysteria
Another telephone conference to warn of an Internet threat
Rob Rosenberger, Vmyths co-founder
Monday, 11 January 1999

Finjan CEO Bill Lyons warned the Wall Street Journal of a new threat dubbed "Russian New Year," saying "we think this is probably the biggest security hole in Internet history." The warning came as Lyons' firm staged a press conference to announce its discovery. Finjan's media circus came just two weeks after Network Associates held a Chicken Little press conference of their own, and you could almost hear Lyons sing those immortal words: "anything you can do, I can do better..."
Finjan didn't truly unveil everything because they feared Snidely Whiplash would use it to hack into a GPS satellite. Oddly, though, they let reporters try out a Russian New Year demo. God help us if a cyberterrorist disguised as a journalist used a packet sniffer to reverse-engineer Finjan's dangerous technology.

What did Lyons call "the biggest security hole in Internet history"? Microsoft Excel. "We believe this could affect tens of millions of users." Hurwitz Report researcher Steve Foote participated in the press conference and told reporters "if this vulnerability does not make you go weak at the knees, then you do not fully comprehend the security threat."

Other experts must not fully comprehend it, then, because they dismissed Finjan's and Foote's statements as hyperbole. Forrester Research analyst Ted Julian questioned how any lab experiment could outclass the historic Internet Worm of 1988. "There is no comparison between a malicious code incident with no fallout and what was one of the seminal hacks of all time," Julian countered. CERT analyst Jim Ellis categorized Russian New Year as only the latest in a string of Internet security holes discovered over the last few years. I myself wonder how it could outclass the Michelangelo virus of 1992. A worldwide media fiasco by any standard, Michelangelo nonetheless erased 10,000 or more hard disks on its original trigger date.

Critical comments like these led Finjan to revise their claims. First they appended "since the Internet worm" to their statements; later they called Russian New Year only "the worst vulnerability in five years." These revisions placed it safely clear of 1988 and 1992, but a five-year window still pits it against Good Times, the seminal virus hoax of all time. Frightened users overloaded numerous email servers throughout 1995 when they forwarded that alert to everyone they knew.
Technically, it doesn't matter whether Finjan notified anyone in Redmond, because Russian New Year relies on the Excel CALL exploit: Excel's CALL worksheet function lets a spreadsheet formula invoke a function in any DLL, so a hostile spreadsheet can run arbitrary native code on the machine that opens it. Microsoft released a patch to defeat Excel CALL one month before Lyons talked to the Wall Street Journal. Even Finjan's own announcement admits the patch works as advertised. Microsoft employees shrugged their shoulders when asked about it, a gesture which made Finjan look stupid.

Finjan moved to "Plan B" in an attempt to save face and focus media attention back on Microsoft. The press conference, um, served primarily to spread the gospel of computer security. As for Microsoft's patch, it only works for certain Excel users in certain cases, so, uh, the world needs Finjan's free protection software. "Plan B" actually achieved moderate success.
Finjan's demo of the Russian New Year exploit created a folder (among other things) with the word "hacked" in its name, leaving no doubt where it came from. So? A hacker named Dildog did the same in 1997 with the Res exploit, which takes full control of your system just like Russian New Year does. Dildog, like Finjan, constructed a demo web page; unlike Finjan, Dildog published his research on a well-known website for all to see. Many computers remain vulnerable to Res even though Microsoft quickly released a patch. Dildog's exploit takes full control of your computer if you merely read a web page with your eyeballs. Why didn't Finjan hold a press conference about Res thirteen months ago? How can Finjan claim Russian New Year accomplished this feat first?

Finjan's announcement quotes various experts about the threat Russian New Year poses to Excel users. Among them: Dr. Gary McGraw, the expert I turn to for Java security advice. (Finjan also quoted a vice president of marketing, but let's not digress.) McGraw's comments passed my "realism" test with flying colors and I urge you to read what he said. He could quite literally have said the same things about Res.
Every single day, naïve AOL users get tricked into running software which transmits their passwords to someone else. These password-stealing programs could do so much more if the perpetrators desired. They could reformat a hard disk, inject a virus, change CMOS settings, reprogram a FlashBIOS chi-- hmmm, I already said that. Well, I hope you know what I mean.
Y2K received gobs of valuable media exposure in 1998. A lot of money will flow this year as penny-pinchers finally make some harsh spending decisions. The security industry would love it (and I would too!) if buyers demanded secure computers at the time of purchase ... but it looks like they really only care about Y2K compliance. Penny-pinchers don't read PC Magazine or surf to news.com — they learn about computer security from the likes of CNNfn and the Wall Street Journal. A telephone press conference actually begins to make sense if you want to impress, say, a financial reporter. I wrote it years ago, but it bears repeating:
Never underestimate the mainstream media's role in the spread of False Authority Syndrome. Empirical Research Systems (a computer industry polling firm) conducted a survey in 1991 of corporate employees tasked in some way with computer security. 43% of respondents — almost half — formed their opinions about viruses just by reading newspapers!

(sniff) Yes, it smells like another trend all right...