Most Companies are at Risk

By Father_Of_1000000 at 4:37 pm on January 6, 2009 | 2 Comments

On Slashdot and Finance and Commerce

A survey says that most of the Fortune 1,000 companies are not prepared for IT security attacks. The article suggested that companies can start monitoring the networks. If it’s too costly, outsourcing the monitoring job can be an option. With the current economic recession, the IT-related crime rate is likely to increase.

Factors that led to the lack of protection include optimism, lack of funding to enforce good protection, and people’s ignorance about the IT security world. Companies could’ve started thinking about security risks in the beginning, during their early ages. As companies grow, things get more complex, and it’s harder for them to protect themselves from attacks. Despite the complexity of enforcing good protection, the cost is also high for large companies.

With the recession in progress, companies probably have many problems (e.g. layoffs, VC funding, etc.) to worry about other than security. Not focusing on those problems can directly lead to an increased crime rate. Companies should focus more on problems that may cause security attacks than worrying about protecting themselves from security attacks. For instance, if the company doesn’t have to lay off employees, then it doesn’t have to worry about jobless employees trying to harm the company. If the company has enough resources to handle both security and other problems then that’s the best case. The cost of preventing security attacks versus protecting against attacks really depends on the individual companies. Also, there are some relatively cheap ways to increase security protection such as not giving employees more privileges than they really need.

Filed under: Current Events

Intel’s “Trusted eXecution Technology” Circumvented

By Ryan McElroy at 4:18 pm on | 3 Comments

From an article in Infoworld via Slashdot, two researchers from Invisible Things Lab have discovered a method to circumvent Intel’s Trusted eXecution Technology (TXT). The TXT system (PDF), part of Intel’s vPro hardware-assisted security product, is designed to allow software to run while protected against attacks from other software programs. However, the researchers at Invisible Things Lab discovered a two-phase attack that exploits a bug in Intel software in the first phase and then uses a deficiency in the actual TXT specification in the second stage, to successfully attack software designed to use the TXT system. While such software is currently rare, it may become more prevalent as more software aims to increase security.

This event is a result of researchers working to verify the security properties of Intel’s vPro hardware-based security system. Hardware is much more difficult to revise than software, if revision is possible at all. This may mean that all current implementations of TXT are essentially obsolete, and may remain so in perpetuity.

This security cloud does have a silver lining, however: TXT is a platform that Digital Rights Management (DRM)-enabled software is likely to use, and by showing that hardware-based security is as fallible as software-based security, this new revelation may guide companies towards less restrictive, more user-friendly approaches to security and intellectual property protection.

Software vendors considering using the TXT system will undoubtedly be turned off by this event. However, it is better to know that something is not totally secure than it is to think that it is secure when it is not, so in the long run, it is better for Intel, despite the current press, that this exploit was discovered early rather than after many software packages depended on the TXT system. Companies such as AMD may also learn that security is a difficult problem and that attempting to “solve it” may be more trouble than it is worth.

Filed under: Current Events, Research