CNN.com
Computing
How security vendors use fear to sell protection software

Buying protection from Java applets, ActiveX controls, JavaScript

August 31, 1998
Web posted at: 11:10 AM EDT

by Matthew Nelson

(IDG) -- Mobile-code programs pose an increasing threat that security vendors are having a difficult time illustrating to potential customers.

Mobile-code applications, in the form of Java applets, ActiveX controls, JavaScript, and other code that executes automatically when a Web page is loaded, can be powerful tools for distributing information. But as that code is given more power, the potential also increases for it to be used for unscrupulous ends. Companies that offer products to protect against such threats sometimes must prove to end-users that the problems even exist before those users will listen to possible solutions.

To impress prospective customers with the dangers of mobile code, companies such as eSafe, among others, have placed links on their Web sites to third-party demonstrations of hostile ActiveX controls. Some security companies even work with consulting groups to create demonstration applets -- a practice that some analysts believe may do more harm than good. (See "Breach raises questions over security ethics"). However, some security companies insist the practice is necessary.

"We have demonstrated to a very large bank in the Boston area, using an applet that we had downloaded from the Internet. The management were watching as we downloaded the applet, and the ActiveX applet executed on their PC," said Asher Jospe, CEO and president of Security7. "Before we did this, they said they were completely secure."

Malicious mobile code is still an unknown in some users' minds, because it is fundamentally different from the more common viruses that infect a system and from the direct intrusion attempts that may plague a network: it arrives as part of a Web page the user chose to visit and runs without any further action on the user's part.

"[Users] know that mobile code is an issue and that it can do bad things, but what they don't know is how far encompassing a problem it is," said Penny Leavy, vice president for worldwide marketing and business development at Finjan. "If you are looking at deploying security, you should have a firewall, you should have a VPN [virtual private network], you should have intrusion detection, anti-virus, and mobile-code security."

Rogue applets do not replicate themselves or simply corrupt data as viruses do; they are most often targeted attacks designed to steal data or disable systems.

"In days past, you almost had to open a document or install software in order for some malicious entity to get into your hard drive, and now you don't even know what is happening," said Fiona Swerdlow, a digital commerce analyst at Jupiter Communication, in New York. "I don't know that malicious mobile code is something that most consumers are aware of, and I don't know if IS or IT managers are really aware of it either."

"The easiest way for a hacker to get into a company now is to write a vandal and have it do the job for them on the inside rather than trying to hack into a system," said Jerry Huyghe, global product manager for enterprise products at eSafe, a mobile-code scanning company.

The two most prevalent forms of mobile code, Java applets and ActiveX controls, each come with security features, according to their creators, JavaSoft and Microsoft, respectively. The two approaches differ: Java restricts what downloaded code may do at run time, while ActiveX relies on code signing (Authenticode) to tell the user who published a control before it runs.

Java includes a security model, the Java Sandbox, that is enforced by the Java run time rather than trusted to the applet's author. The Sandbox limits what untrusted code, such as an unsigned applet downloaded from the Web, can touch on the local machine: it cannot read or write local files, open network connections to hosts other than the one it came from, or load native code, and the bytecode verifier and class loader keep it from escaping those rules by violating type safety or replacing system classes. With the forthcoming release of Java Development Kit 1.2, the all-or-nothing split between trusted local code and untrusted applets gives way to fine-grained, policy-based permissions that can be granted to any code according to where it came from and who signed it. Sun executives insist that Java is a secure language that does not require special scanning, but they do admit that nothing is totally secure.
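To make the JDK 1.2 model concrete, here is an added example written for this edit; it is not code from the article, from Sun, or from any of the vendors quoted. It installs a policy that grants exactly one permission (read access below a temporary directory the program creates, filled with a constructed sample file) and then shows the SecurityManager allowing that read while refusing a write into the same directory, a read elsewhere, a socket connection and a system-property lookup. The class, method and file names are assumptions of this example. It also assumes a JDK on which the SecurityManager can still be enabled: it runs on JDK 11 through 23 (from JDK 17 start it with `java -Djava.security.manager=allow SandboxDemo`), and since JDK 24 the SecurityManager is permanently disabled, so this demonstrates the historical mechanism the article describes rather than current practice.

```java
// Added example (not from the article): the JDK 1.2 policy model, shown with a
// programmatic Policy instead of a java.policy file. Names here are this example's own.
import java.io.File;
import java.io.FilePermission;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

public class SandboxDemo {

    /** A policy that grants exactly one right: read access below a chosen directory. */
    static final class ReadOnlyDirPolicy extends Policy {
        private final Permission allowed;

        ReadOnlyDirPolicy(Path dir) {
            // "dir/-" is FilePermission's recursive wildcard; "read" is the only action granted.
            this.allowed = new FilePermission(dir.toString() + File.separator + "-", "read");
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            // Every application domain on the call stack, including this program's own,
            // is held to the same grant: no write, no network, no property access.
            return allowed.implies(permission);
        }
    }

    interface Action { void run() throws Exception; }

    /** Runs an action under the installed SecurityManager and reports the decision. */
    static boolean attempt(String label, Action action) {
        try {
            action.run();
            System.out.println("ALLOWED " + label);
            return true;
        } catch (SecurityException e) {
            // AccessControlException is the subclass the JDK 1.2 model throws on denial.
            System.out.println("DENIED  " + label + " (" + e.getClass().getSimpleName() + ")");
            return false;
        } catch (Exception e) {
            System.out.println("FAILED  " + label + ": " + e);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data, written before any restriction is in place.
        Path dir = Files.createTempDirectory("sandbox-demo");
        Path allowedFile = dir.resolve("allowed.txt");
        Files.write(allowedFile, "hello from inside the grant".getBytes(StandardCharsets.UTF_8));

        // Install the policy first, then the SecurityManager that enforces it.
        Policy.setPolicy(new ReadOnlyDirPolicy(dir));
        try {
            System.setSecurityManager(new SecurityManager());
        } catch (UnsupportedOperationException e) {
            System.out.println("SecurityManager cannot be enabled on this JDK; "
                    + "on JDK 17-23 run with -Djava.security.manager=allow");
            return;
        }

        attempt("read  " + allowedFile, () -> Files.readAllBytes(allowedFile));
        attempt("write " + dir.resolve("new.txt"),
                () -> Files.write(dir.resolve("new.txt"), new byte[0]));
        attempt("read  /etc/hosts", () -> Files.readAllBytes(Path.of("/etc/hosts")));
        // The permission check happens before any packet is sent, so this stays offline.
        attempt("connect 127.0.0.1:9", () -> new Socket("127.0.0.1", 9).close());
        attempt("read property user.home", () -> System.getProperty("user.home"));
    }
}
```

The point of the example is the granularity: the grant is a single FilePermission, and everything the program's own code does is checked against it, which is exactly the per-permission control that a run-or-don't-run decision cannot express.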

"In theory, the Sandbox is secure and everything is fine, but we cannot guarantee that to you," said Li Gong, Java security architect at Sun. "Any large and complex piece of software may have bugs and those may translate to be security holes."

Sun's decision to build a security model into Java is generally applauded by the security industry, though analysts echo Gong's point that no implementation is totally secure.

Many analysts agree that ActiveX controls perhaps pose the bigger security threat. An ActiveX control is native code, and the only security decision the platform offers is whether to run it at all: the browser checks the control's Authenticode signature and asks the user whether to trust the publisher, and once the user accepts, the control runs with the full privileges of the logged-on user, with no sandbox to limit what it can do afterward.

"ActiveX is fairly scary, because it pretty much runs or it doesn't run," said Ted Julian, an analyst at Forrester Research, in Cambridge, Mass. "ActiveX has a far less granular security architecture than Java, but neither are secure."

The bottom line, of course, is that as more and more mobile code is put in use by businesses, malicious mobile-code attacks will gain more attention.

"If somebody is in security, this is not a hard sell -- they know this is an issue. The mass market, it usually takes a watershed event to sell to these people," Leavy said.

Matthew Nelson is a reporter for InfoWorld.

© 2000 Cable News Network. All Rights Reserved.