Ethical Boundaries in Information Security Research
With Information Security being such a broad field, without any formalised coordinating or licensing body, appropriate boundaries for ethical and professional behaviour and activity can be difficult to determine. What is ethical to one researcher may be completely inappropriate to another. What may be generally accepted as appropriate behaviour at one point in time might be shown later to be completely inappropriate.
When the burden of becoming the Information Security specialist falls to people who have little idea of the issues within the field, it can lead to further problems, as they attempt to reduce the problems and issues that they face into a format that they recognise and understand (which isn't always a bad thing - they just need to recognise when that approach breaks down).
Unfortunately for the Information Security field, the strongest supporters can also sometimes become the threat that they continually warn about - a lot of the time completely by accident. The development and limited release of proof of concept tools is often a means to rapidly demonstrate a set of risks and aid in the development of techniques to address them.
It was recently disclosed that one such tool, created by noted Information Security firm eEye, has had its techniques morphed into an attack tool by malware authors. In this particular case it had taken two years for the proof of concept to be morphed into an attack tool (or at least be publicly discovered).
While it is likely that the techniques would have eventually been discovered independently, and there is no definitive proof that the eEye tool was the basis for the new attack code, it does raise the question as to how much assistance the publication of proof of concept materials provides to attackers.
It can be argued that the previous example is more beneficial to the field of Information Security than it is harmful, and that similar examples are just as valuable. A less clear example has come to light in recent days, with noted web security expert RSnake issuing a call for entries in a contest designed to create the smallest XSS worm that can functionally replicate itself across a network. Arguments for the contest are centred on the benefits that it will bring to those studying how such worms can be created and how to defend against their potential. With increasing coverage of the contest, there are plenty of arguments being put forward that the approach is unethical and contributes to the image of Information Security being full of people who are just as willing to create the problem as they are to solve it (especially if they helped create it in the first place).
That isn't the only ethical concern facing Information Security workers. One of the big selling points that antivirus companies try to beat each other on is the number of malware types that they can detect and handle. Although there are plenty of examples of rootkits, viruses, and other malware that can easily slip past up-to-date antimalware defences, and plenty of cases where up-to-date antimalware tools have gone off the rails or companies have over-reported on critical problems (despite what some companies initially claimed, the exploit code was not publicly released), companies are still pushing to be number one in the detection of numerous malware samples.
F-Secure recently laid claim to one of the largest detection sets, at half a million distinct malware samples. Although this seems to correlate with other industry reporting, the question posed is just how many of those samples can truly be claimed as distinct malware. If the same signature pattern will trigger on multiple variants that differ only in where they send their stolen data or where they report to, does it really mean that those variants are distinct? It also seems that antimalware companies are more than happy to move the boundaries of where they measure their malware from: with the inclusion of malware written in, or targeting, JavaScript, HTML, and PHP, their claims for the number of malware types detected can be massively increased. This is even more beneficial for the antimalware companies, as changing a couple of bytes in many of these recently added malware types is enough to slip past detection without radically changing the exploit's effectiveness (which means more added detection opportunities).
The other interesting point raised by the claims of detections is that it suggests that efforts to arrest malware developers, close down their control networks, and provide other legal and paralegal means of limiting their activities are ineffective. Either that or malware authors are the biggest growth industry in software development and they have solved many of the efficiency problems plaguing large software development firms.
As that is plainly not the case, and the legal efforts are starting to have some effect on the various malware industries (the Russian Business Network has effectively been forced offline in the last 12 months), it suggests that the antimalware companies are not being completely honest in how they identify distinct malware samples.
9 January 2008