In the fall-out from the Sony root-kit affair, here's an interesting view:
Sony Rootkits: A Sign Of Security Industry Failure? Nov. 18, 2005, By Gregg Keizer, TechWeb News
One analyst wonders why it took so long to catch onto Sony's use of rootkits on CDs and whether customers may have a false sense of security. Sony's controversial copy-protection scheme had been in use for seven months before its cloaking rootkit was discovered, leading one analyst to question the effectiveness of the security industry.
"[For] at least for seven months, Sony BMG Music CD buyers have been installing rootkits on their PCs. Why then did no security software vendor detect a problem and alert customers?" asked Joe Wilcox, an analyst with JupiterResearch.
"Where the failure is, that's the question mark. Is it an indictment of how consumers view security software, that they have a sense of false protection, even when they don't update their anti-virus and anti-spyware software?
"Or is it in how data is collected by security companies and how they're analyzing to catch trends?"
Ouch! I wondered before who was attacking whom, but this is a good point that goes further. Why didn't anti-virus programs detect the attack from Sony? We rely on the anti-virus sellers in the Microsoft field to protect against the weaknesses of the underlying OS.
It shouldn't be a surprise to discover that there is some form of selective detection going on in the Microsoft security world - the rest of the article identifies the vendors' sources of information as problem reports, honeynets, and a vague but interesting comment:
"Frankly, we were busy looking for where the [spyware] money was going," said Curry. "We weren't looking at legitimate industries."
This is probably as it should be. Microsoft creates the vulnerabilities and the rest of the industry follows along cleaning up. It isn't possible to be more than reactive in this business, as to be proactive will lead to making mistakes - at cost to the company selling the security software. So companies will routinely promise to clean up 100% of the viruses on their list of viruses that they clean up 100% of.
(Note that this still leaves the cost of missed attacks like the Sony rootkit, but that is borne by the user, a problem for another day.)
The next interesting question is whether Sony, or the inevitable imitators that come along, are going to negotiate a pass with the anti-virus sellers. That is, pay blood money to the anti-virus scanners to leave their rootkit alone. In the spam world, these are called "pink sheets" for some obscure reason. Will an industry of acceptable, paid-for attacks on Microsoft's OS spring up? Or has it already sprung up and we just don't know it?
If so, I'd have to change the title of this rant to "Security is getting more economic..."
Addendum:
According to http://www.heise.de/newsticker/meldung/66791 F-Secure detected the rootkit and alerted Sony about it several weeks earlier. They went the way of disclosing it only to the vendor first.
Posted by: Philipp Gühring at December 2, 2005 08:30 AM