Skip to main content.


Sûnnet Beskerming Pty. Ltd. occasionally produces small reports that are for free (gratis) distribution. The free content may cover any area that Sûnnet Beskerming operates in. Examples may include generic security advice, specific security warnings, development practices, and application tuning. The only caveat on reuse of information from this site is in accordance with the following paragraph.

Use and reuse of information from this site requires written acknowledgement of the source for printed materials, and a hyperlink to the parent Sûnnet Beskerming page for online reproduction. Content from this page can not be reused in a commercial context without negotiating an appropriate licence with the site owner. Personal and educational use is granted without additional restriction beyond an amount in accordance with the principle of "fair use". Fair judgement is encouraged from site users as to what amounts to "fair use". Please contact us if you reuse our content, so that we may be able to provide more specific advice when necessary to improve your reproduction.

A Week For Security - 30 May 2005

Purdue University in the United States has reported its third theft of electronic information this calendar year. In this case, 11,360 past and present employees may have had their records accessed. Although smaller than a number of other security breaches reported this year, it is the latest in a disturbing trend of University breaches. In an identity theft case which used employees instead of system breaches to steal identity data, New Jersey police are reporting that the largest breach of banking security in the United States has grown to encompass at least 676,000 individuals. In this case, it was employees of banks who manually copied out account information which was then forwarded to a holding firm. Where a normal bank employee would be accessing 40 to 50 account searches per day, the accomplices were accessing ten times that amount. The data was being sent to a company which then sold the information to legal firms, private detectives and other third parties. The key difference between this case and the ChoicePoint breach reported earlier is that ChoicePoint obtained the data legally and sold to unknown parties.

A recent deconstruction of the Witty worm has revealed some interesting information about the possible source of the worm which was one of the fastest spreading Internet worms to date. The Witty Worm was targeted at systems that ran a specific firewall application from ISS, a security product vendor. Designed to disable the firewall, spread itself automatically, then overwrite sections of the local hard drive, the Witty worm was not only fast spreading, but actually possessed a malicious delivery payload. A flaw in the method used to generate new addresses to attack meant that 10% of the available internet address space would never have been attacked, as the addresses would never appear. A common IP address to all samples of the worm, even after observing the random address generation, indicated that the infection originated from a client system in a large European ISP. The attack from the worm targeted a number of systems at a US military base in Europe in the initial attack spread. The intentional targeting of systems at the US military base suggests that the creator of the worm had specific inside knowledge of the client list for ISS products. In addition, the use of an undisclosed vulnerability also suggests that the hacker had access to ISS or a security company such as eEye, and the unpublished research into vulnerabilities for that application.

The uniqueness of the vulnerability, which effectively could not be scanned for without exploitation, indicates that the rapid spread of the worm was due to a-priori knowledge of the install location for the affected ISS product, which would have been hardcoded into the worm. People claiming to be ISS company representatives, posting on various internet forums, believe that the author was an insider, but have not been able to identify them. Witty was unique in its ability to fit inside a single UDP data packet and not impede it's ability to spread, even with a malicious payload. For such a malicious, nasty worm it is quite a beautiful creation (in a horrid sort of way), and quite possibly indicates a new breed of malware creator, the talented, motivated malicious individual who is an expert at their skillset.

Continuing with the theme of the big bad Internet, an old extortion technique has resurfaced. A Trojan-downloading infection tool, known as download-aag or Pgpcoder, utilises known flaws in Microsoft Internet Explorer to retrieve the malicious content on to the local system. Once in place, the malicious tool actively searches the local system for files with certain filetypes (such as Word documents and Excel spreadsheets), encrypts them, deletes the original, then leaves a message demanding $200 USD for a tool to decrypt the documents. This technique was originally tried as the payload of a virus several years ago, but the weak encryption implementation was easily bypassed, and the financial extortion led to a concerted effort to track down the originator. The original site that hosted the malicious downloader has since been taken offline, but, as with all things on the internet, once the information is out there, it can never be removed. The other good news is that the distribution of victims has been small, and doesn't seem to be increasing significantly.

In online safety news, the Bank of America (BoA) has announced their new authentication technique, designed to reduce the effectiveness of phishing attacks against their customers. BoA are partnering with PassMark Security to provide this service to their customers. With more than 13 million customers accessing their BoA accounts via an online interface, the bank is claiming that the extra authentication methods are going to alleviate the risk of phishing attacks succeeding. The not so good news is that it only solves one class of phishing attack, that which is obviously a fake site. It forces phishers to become more technical in their approach to phishing BoA customer data, making their sites more difficult to sort out from the legitimate sites.

The name of the BoA solution is 'SiteKey' and is comprised of a known password authentication, along with secondary authentication of a known secret / image / human voice contact. Once a computer has been used for authentication it will remain authenticated for future contact, presumably from a specially crafted internet cookie. If a computer is stolen, this authentication mechanism would presumably not require re-authentication, allowing the thief to effectively bypass it. The additional system resources required for the storage of unique images for every customer would not be trivial, and forces users who browse without the use of images or visually impaired users to use one of the remaining authentication methods, weakening the apparent strength of the design. If there are not unique images for every customer, there is a finite chance that a phishing site is going to be able to guess the image when trying to authenticate to victims (if it doesn't already pass it through from the real site).

One of the key claims from the BoA site is that the 'SiteKey' solution allows users to validate that the BoA site is the real site, and not something fraudulent. This claim is false. At best, it gives the customer a better feeling about what they do with their online banking information without actually increasing the security. In real terms, it may actually decrease the security as customers become used to entering their account data into web pages that appear to be correctly implementing the 'SiteKey' solution. Encryption and information security guru, Bruce Schneier, has opined that these sort of attempts at improving security merely shifts the problem to other areas, and can only serve to frustrate legitimate users. The analogy that he uses is motor vehicles. As cars have become more difficult to hotwire and include more anti-theft devices, it forces the criminals to move from theft when the owner is not present, to theft when the owner is present and the antitheft devices have been deactivated. Thus, partially solving the problem of car theft when no one is present has led to the significant increase in violent carjackings as the thieves effectively bypass the antitheft systems.

The Esperanto Security Suite, as discussed in the column on Knoppix CD usage in banking from last month, neatly solves all of these problems, with a secure implementation of two-factor authentication which can not be spoofed.

Another online safety story from the week is news that the founder of a site designed to assist consumers in avoiding CNP Credit Card fraud, has fallen victim to the very fraud that he is trying to raise awareness about. This does not mean that his efforts are worthless, instead, it highlights how easy it is for this type of fraud to be carried out without a lot of interaction from the victim. CNP fraud is carried out when there is no need for the physical presence of the customer to process a credit transaction. Online purchases, telephone payments, and a range of other transactions can be susceptible to this type of fraud since they do not require a physical presence to enact the transaction. The lack of a verifiable customer signature for these types of transaction removes one of the security measures that exists in face to face transactions.

Further to last week's report about the Australian Democrat's bill before Federal Parliament about introducing fines for unauthorised installation of software on a user's computer, the US House of Representatives has recently passed similar bills, the SPY Act, and the I-SPY Act. While not passed into law, yet, the I-SPY Act allows for jail terms of up to five years to be awarded as punishment for an unauthorised breach of a computer system which is then used to commit another US Federal crime.

While two wrongs do not make a right, sometimes watching natural justice take its course is quite pleasing. Website defacers have recently gone after phishing sites with a greater rate of effort. Although there have been examples from 2003 where defacers have targeted phishing sites, it seems that there is a growing trend where the defacers actively seek to exploit the phishing sites. On one level, this is a positive thing, as it could serve to warn phishing victims that they are not visiting the legitimate site that they think they are. Although the site defacements may be the result of good intentions, this activity remains illegal. Overall website defacement on the internet is reported to have grown by 36 percent over the last 12 months, so the targeting of phishing sites could help divert the attention of those who deface websites from valid sites. Simple advice, which is still the best way to avoid losing data through phishing attempts, is to never give out personal or sensitive data in response to an unsolicited email, even if it appears to be from a company that you do have dealings with.

A recent court case in the United States of America may have widespread consequences for the use of encryption software by consumers. The particular case involved a prosecution for child pornography images, where the suspect was using the PGP application to encrypt certain communication. The judge ruled that having encryption software on a system was able to be ruled as relevant to the prosecution's attempts to prove criminal intent. The use of encryption software and tools is recommended for all computer users as it helps to keep private data safe from misuse in the case of unauthorised access to their systems. For most users, who will never be arrested, this is not a problem. However, for those users who might be arrested at some time for a computer related crime, the presence of any encryption software may be ruled to be relevant to the prosecution case for establishing intent.

Also of interest in the last several days is reporting that the CIA is running a paper exercise where terrorist attacks conducted by anti-American and anti-Globalisation groups are channeled through the Internet. Dubbed 'Silent Horizon', the exercise is designed to identify and theorise how government agencies and industry bodies might respond to escalating attacks and disruptions over the period of many months. The exercise is based on theoretical events happening five years into the future, so the infrastructure and capabilities of the Internet should not be all that different from the current technologies. The concept of an unannounced major attack against a specific group of interests has been mentioned numerous times by various information security figures, and has been dubbed a digital Pearl Harbour. The concept of a digital Pearl Harbour is similar to the surprise Japanese aerial attack which brought the USA into World War II. Essentially, a massive surprise network attack is launched and timed to use new vulnerabilities that have not been made public, with the goal of causing major havoc on a system or network. The digital Pearl Harbour concept has been considered extremely unlikely by a number of security researchers, and has not attracted a lot of mainstream attention as a result. Some forum commentators humorously opine that, while a digital Pearl Harbour might be nice, they are waiting for a digital Hiroshima.

In terms of overall threats, the threat of cyberterrorism is considered a lower threat than physical attacks against infrastructure. The unique nature of the Internet means that a 'cyberterrorism' attack could be anything from a dedicated hostile government, through to a group of bored teenagers, with the same results from either group. The real threat posed to systems is a source of frequent discussion, with various known criminal interests, rumoured military hacker units in North Korea (and possibly other countries), hacker groups, and bored teenagers all posing real threats to current infrastructure.

Criticism targeted at the exercise was largely centered around a claimed lack of imagination by the organising agencies. Critics felt that the exercise was too limited in scope and did not necessarily reflect what the situation might be like in the case of an attack. They also claim that the agencies fail to recognise and adequately prepare for what is happening today. The recent Cisco network breach was estimated to have been the responsibility of a single individual who then also managed to gain root-level access to more than half of the computers that they tried to penetrate in a two day period. Root level access allows them to do anything they want with a system, and once this is compromised, all assurances of data and system integrity are removed.

Unfortunately, there wasn't enough column space this week to cover the malicious software posing as a Window update. Expect to see it next week, along with a rundown on the effect that patent laws are having on the ability of companies to develop new and innovative software applications, unless, of course, more pressing news needs to be reported on.

German Spam - 23 May 2005

The recent spate of German Spam, and the announcement by the Australian Democrats about an anti-spyware bill are the main topics of discussion for this week's column. If readers have any requests or suggestions for further topics or areas of discussion, please send an email to

The problem with having non-technical people managing and directing technical progress / capability, whether it is in a corporate setting or a government, is that the best intentioned concepts may be doomed to fail due to a lack of understanding of the technology. Recently, on May 12, Australian Democrats Senator Brian Greig submitted a bill to the Federal Parliament proposing that any entity that installed software on a user's computer without consent would face a fine of $10,000. The immediate issue is that the people and companies involved in spyware / adware / malware creation and distribution will ignore this if it becomes law, merely shifting their base of operations to countries outside of the reach of Australian law enforcement. The other, more critical, issue is the use of 'click through' EULAs with the installation of these applications, which then move the responsibility for the installation to the user and makes it a consenting installation, such as used by Gator and Bonzi Buddy, two nasty pieces of malicious software.

These licence agreements have yet to be tested in a court of law, and it is rare that users actually read through the content of these agreements, which can be quite restrictive or allow scary levels of access to the system by the company that developed the application. For example, the EULA associated with the Windows Operating System absolves Microsoft of any responsibility should the failure of their operating system cause major financial loss and damage to the user. Some EULAa even go so far as to exclude the use of the software in safety critical areas, claiming that it will be at the user's own risk if they choose to proceed with such an installation. A major issue with EULAs is that people just don't read them when they install software. This is sometimes the desired effect from the software companies, with the EULA attached to one piece of spyware being more than 5,000 words. PC Pitstop actually went as far as to offer money to users who read through one of their EULAs. It took more than 3,000 downloads before someone contacted them about the money. The lucky user was given a cheque for $1,000 USD.

The Democrats Anti-spyware bill is likely to be as successful as the Anti-spam laws in Australia and the USA, which have been seen to be completely ineffective in practical terms, that of reducing spam email traffic, despite a significant proportion of spam originating from the USA.

Of greater immediate concern to most users is the recent announcement of a major flaw with Microsoft Internet Explorer (MSIE), Outlook and several other miscellaneous titles (not named). Apparently the flaw exists with the default installation of these applications, and allows remote execution of code with minimal user interaction. Existing users of Internet Explorer and Outlook should already be very careful with their application usage habits, however this announcement should serve to reinforce that idea, and prompt those who haven't already done so to install a firewall and system monitoring software. Users should expect more information to be released in the coming weeks.

German language spam is not a common occurrence in most English speaking countries, but there has been a run of spam emails in German flooding inboxes over the last week, starting on 14 May. Although they don't usually deliver spam, the culprit was an email worm that spreads through Microsoft Windows based systems. The Sober email worm has been around for a while, and is now up to the 17th incarnation, identified as Sober.Q by various anti-virus vendors, and it was this version which released the German spam on the world. It was actually the 16th variant, Sober.P, which then downloaded the 17th which then spewed spam out across the internet. Oddly enough, the spam was not for any commercial product, but was timed to coincide with the 60th anniversary commemorations of the end of World War II in Europe. Many of the sites linked in the emails were classified as 'extreme right wing' and 'NeoNazi propoganda'. In addition to the anniversary, the German state with the greatest population will be holding an election on May 22, and some observers believe that the spam release may have been motivated by that occurrence.

The 7th variant of Sober, Sober.G, was released last June to coincide with the European Parliament elections, and also spammed related messages, so there is a precedent which also happens to use the same family of worm. Like the Sober.P - Sober.Q relationship, Sober.G downloaded Sober.H, which was the spamming variant. Technically, Sober.Q is not a worm or virus, but a spam engine. Some reports were even made that mobile phones and Blackberries (hand held email devices) were being spammed via SMS as a part of this attack, although it is likely that this was merely an email - SMS gateway sending on messages as it is supposed to, and not a direct SMS attack against devices that can not access email.

Like a lot of current email spread malware, the Sober family of worms uses forged headers when sending out messages, which means that the From: line in the email message is not who sent it. Forged headers hide the source of the message from the average user, and can make it look like it is from someone they know. A forged header also serves another purpose, as when anti-virus / anti-spam monitoring applications may bounce / auto-reply to infected messages. This then sends pointless emails to the unsuspecting victim who was set up as the From: line. In internet parlance, this is known as a 'Joe Job', and can cause a problem when over-zealous administrators, or frustrated users complain to / about the victim. There have been cases where ISPs have suspended accounts due to complaints received about a customer who was the victim of a 'Joe Job'. If you are the victim of a 'Joe Job', it doesn't necessarily mean that you have any malware on your system, although it couldn't hurt to check, anyway, and it can get annoying receiving abusive emails about being responsible for sending out viruses.

Next week's column will discuss the recent spate of fake Microsoft patches, which are Trojan Horse applications in disguise, and another spate of Identity theft cases in the United States, including the highest number of bank account breaches to date.

Cisco Theft 12 Months On - 16 May 2005

Twelve months ago Cisco was the victim of a network penetration, which resulted in their IOS source code being compromised. The IOS is the operating system used by Cisco networking hardware, a large number of which effectively form the backbone of the Internet. At the time, there was little news about it, with only some minor reporting on various security and technology related websites. There was little information being made available, with the public reporting starting once a 2.5 MB section of code was posted to a Russian IRC channel. Cisco was keeping quiet, only confirming that they had a compromise, and the details were being left to the hacker, who posted a code sample to prove his story. The complete size of the code copied out was reported at 700 MB, including IOS 12.3 and 12.3t. Although the breach was not widely reported at the time, the New York Times recently ran a story purporting to describe how the network intrusion and compromise took place.

The author of the New York Times article was John Markoff, known for his novel CyberPunk and the Kevin Mitnick story. He is regarded as being responsible for the fear and paranoia surrounding Kevin Mitnick (a gifted conman who also had a decent level of technical skill). While he writes articles that are good reading, there are many information technology people operating in the grey areas of the law who regard him as being obsessed with money and story before factual reporting. In his defence, it is difficult to accurately report technical news in a non-technical manner, but his methods and reporting have been called suspect by the people he reports on (i.e. the people operating in the grey areas of the law).

John Markoff describes the mechanism of the attack as resulting from a compromised university network in Uppsala, Norway. Apparently a teenage hacker managed to exploit a known flaw in an application used to establish a SSH connection between computers. Basically, a SSH connection allows a user to log in remotely to another computer on which they have an account, and do so over an encrypted connection. With this application compromised, the hacker caught the login process from someone who was connecting to an internal Cisco system, which he then grabbed and used to eventually grab the source code to IOS. Eventually the hacker got caught, after he was bragging and taunting users on other networks that he managed to penetrate.

While the details may or may not be true, it does highlight how major security breaches can come from unexpected directions. Information security professionals, who are expected to be paranoid as a part of their job, fear about the network intrusions that are not reported, or never found. With increasing attention payed by organised crime interests to online crime, it is only a matter of time until a hacker, or group of hackers, refine their art to the point that they are effectively undetectable, and work to stay invisible with their crimes. It is possible that such capability already exists, but it would be impossible to know, as they would have made themselves invisible. Technically, it is not possible to be completely anonymous, however, practically, it is relatively simple.

Theoretically, if the hacker who had stolen the IOS source code had kept quiet, and not posted the sample, this probably never would have been reported on. If they had then gone on to find a set of major vulnerabilities in the source code, which they could exploit efficiently, there is no limit to the amount of damage that they could have caused to the Internet. Although the Internet is designed to be decentralised, and able to route around failures, an accurate attack on Cisco hardware would effectively cripple the Internet, especially if a corresponding failure was found in Juniper network hardware. This information could have sold for an immense amount of money to criminal interests or rogue nation-states. The power that could be wielded with such knowledge is almost beyond belief. Being able to pull the plug on the Internet for any country / agency / company at will would just be the start of it. Like any computer based attack, once it is used, it is in the wild and can be deconstructed and disabled. Using such a powerful weapon would also be a one-off, it is unlikely that the flaw exploited would last for long, and the attack source would be traced and wiped out by a number of very annoyed governments.

For the more technical readers who maintain an IDS of some sort, recent reports have indicated that one of the more popular security applications, Ethereal, has had two exploits made public. An IDS, and other related network analysis tools, can be amazingly useful to help administrators determine what is happening on networks of interest, and can be used to highlight malicious traffic as it starts to happen, so action can be taken before it destroys systems and networks. Because these tools can be used to detect major disruptions before they have a major effect, some malicious software aims to disable these tools as a part of the infection. A lot of malicious software is already designed to shut down firewall software, anti-virus software and other protective applications, before continuing with the remainder of the negative payload. The next major problem would be a 'killer packet'. Information being transmitted across any network is broken down into 'packets', transmitted, and then reassembled into a copy of the original information (much as parcels go through the postal system). A 'killer packet' is a specially created parcel of information that enters a network and is designed to disable any application that is monitoring network traffic, which then allows the rest of the malicious software through without being noticed.

Related to the recently reported issues with a Trend Micro anti-virus definitions file, Symantec's Norton Anti-Virus (NAV) on the Apple Macintosh OS X platform has experienced a similar problem, as reported by The Register recently. A recent virus definitions file update falsely identified the swap files (files on the hard disk used to augment the physical RAM in a computer) as containing "Hacktool.Underhand", and led to system crashes for some users. The NAV versions affected by this issue included:

Symantec advises current NAV users to update to the latest versions of the virus definition files, which have been corrected.

Microsoft just don't seem to have a lot of luck with the security of their delivered products. The Register reported recently on an online security competition known as 'The Gatekeeper Test' that Microsoft was running for people from Africa, Europe and the Middle East. While the concept of the competition was sound, and the questions appeared to be reasonable, the implementation of the test left a little to be desired. Users found that sometimes their responses were not accepted (a 404 page was returned), and in other cases users discovered that even if they had submitted an incorrect answer, use of the back button in the browser would allow them to try again without penalty. Apparently similar methods could be used to inflate scores above the maximum daily allowable points allowance.

After disabling the competition interface, Microsoft released a statement which described the source of the issues as being a technical malfunction in their server farm, when several servers lost state information (e.g. the total number of points for a particular user, or their progress through the test), however the test would be reinstated at a later time.

Beware of Clicky, and Where is Google? - 09 May 2005

Instant Messaging (IM) applications, such as MSN Messenger, ICQ, AIM and iChat have grown in popularity in recent years as they allow near realtime text communication between two or more people across the internet (or local networks). Some applications even include voice chat, video chat, games, file transfer, and a range of other features.

While computer users are slowly becoming more aware of the risks of clicking random links in unsolicited or strange looking emails, the perceived increased personalisation of IM means that some users let down their guard slightly and will click links suggested by other IM users. Worms, viruses and trojan horses are now taking advantage of this mannerism by hijacking, or creating new, IM sessions and sending suggested links to other users listed in the 'Buddy Lists'. When these links are clicked, a range of malicious software is downloaded such as spyware, adware and viruses. The malware installs itself at this time, and then looks to propogate itself again using the new list of IM users on the victim's computer.

Unless a computer user is expecting to be sent a link as part of the normal conversation flow, the same caution should be applied as that which should be applied to unsolicited email message links. That is:

               Beware of the Clicky.

In further news, Time Warner has had 600,000 of its employees' Identities compromised when an external storage company lost the tapes that they were stored on. The tapes contained identifying information for employess, dependents and beneficiaries dating back as far as 1986.

The latest in a long list of US Universities suffering from network intrusion is Florida University, which effectively had its network compromised recently. Although only 5% of the computers were compromised, 3,000 systems are being inspected, upgraded and updated on the basis that the intrusion could have gained access to all systems easily. This intrusion was only discovered when a single file was discovered on one of the compromised systems. Given the number of files on an average computer, this would be an extremely fortuitous discovery for Florida University.

The SANS Institute has released their list of the top 20 most critical vulnerabilities discovered or patched in the first quarter of 2005. In addition to the expected Microsoft vulnerabilities, the DNS cache poisoning issue (subject of previous columns) was mentioned, as well as buffer overflow vulnerabilities for various anti-virus products and media players. The anti-virus vendors affected included Symantec, F-Secure, Trend Micro and McAfee. The media players affected included RealPlayer, iTunes and Winamp.

A buffer overflow is where specially crafted content is forced into the memory allocated to an application. This content overflows the amount of memory allocated (i.e. overflows the buffer) and allows the attacker to execute the commands now placed in the overflowed area of memory, effectively compromising a system.

In other, more recent, news, popular Internet browser Firefox has been found to be vulnerable to arbitrary code execution in all versions, which would allow a remote attacker to execute code at will on a victim's computer with the victim only needing to click on a link / visit a website to activate the attack. There is currently (at time of writing) no known solution except to disable JavaScript in the browser.

DNS issues continue to be reported, with Google creating their own nightmare over the weekend. Although temporary, and with the details still being resolved, it appears that the records for Google were modified, with different results delivered to users depending on how their local DNS servers were responding. As well as the site not appearing, some users were directed to (which identified as This was not a hack, but a result of being sent to Sogosearch owns the domain records for * (i.e. any, and this is actually correct behaviour. Google is denying that it was an attack, and it appears that it was the result of modifications by Google to their own DNS record.

My AntiVirus Killed My PC - 02 May 2005

In rare circumstances auto-updating software, such as Anti-virus applications, can act as security weaknesses rather than strengths. Recently such a case occurred when the Trend Micro Anti-Virus application had a buggy identification file released. The culprit, version 594 of their virus definitions file, would result in affected Windows PCs slowing down significantly as their CPU usage ramped up to 99%, or greater.

This issue struck late on Friday afternoon, US time, after most personnel had departed for the weekend. This saved a lot of obvious heartache, as there were not as many end users as there otherwise might have been suffering from the slowdown. Unfortunately, however, this meant that a lot of administrators and other technical personnel were scrambling to diagnose, isolate, and repair the issues, costing them their Friday evenings, and into the weekend.

This is a practical example of why a completely homogenous environment, coupled with a lack of proper testing procedures, is a dangerous situation. The danger of completely homogenous environments, in particular those created by a monopoly presence, was elaborated in the now famous White Paper "Cyber Insecurity: The Cost of Monopoly". The paper specifically focussed on the potential for damage caused by the effective monopoly that Microsoft has, and how a 'monoculture', where one software provider, or one software type has absolute dominance, creates a single point of failure for a complex system.

A real world example where a lack of diversification caused a major catastrophe was the Irish Potato Famine of 1845 - 1850. In this case, the Irish farmers were only growing one primary crop, the potato, due to its dense energy storage and the best return per acre for any food available at the time. This also encouraged rapid population growth, as sufficient food was available to support the population density. Initially, airborne fungal spores from North America (via England) infected potato plants around Dublin, then rapidly spread to surrounding areas. As the infection vector was airborne, and the weather conditions were suitable for transmission of the fungus, the Irish potato crop soon failed nationally, and seed stores were destroyed by the fungus. Previous crop failures were limited in reach due to infection vectors being stopped by geography, different failure mechanisms, climate variations and so on. The complete loss of the primary food crop, linked with the exportation of the remaining food crops (cash crops), led to the mass starvation and emigration flows. Modern day equivalents are found in lesser developed countries, where cash crops are the primary agriculture and fluctuations in global demand and price leave countries vulnerable to minor shifts in the market.

Like the potato famine, failing to diversify your systems, or at least failing to properly test, quarantine, and protect against externally introduced material, will result in a single point of failure which can easily bring down whole networks. Not only is this important from an Operating System point of view, but also with the applications being run on them. While cost and effective interoperability concerns will limit the ability to diversify, an effective quarantine and test environment should be in place, before implementing any application on protected networks. Likewise, networks should be protected against external risks.

Several public system failures, particularly in Japan, came about as the result of the incorrect virus definitions file. East Japan Railways were affected by the recent virus definitions file problem, along with Osaka's municipal subway system, when various LANs went offline. A number of Japanese news services and the Tottori Prefectural Government were also affected, along with absentee voting for a number of prefectures.

The lesson to learn here is to always be careful with applications and Operating Systems which automatically update themselves, as they could be the vector for destroying your data or network.

If you are still looking for the April columns, they have been archived, and you can find them via the navigation link for Archives, on the left of the screen.

Copyright © 2005, Sûnnet Beskerming Pty. Ltd.
Home | Contact Us