SAN MATEO (05/14/2001) - Last week I probably put myself on the hit list of most anti-virus vendors when I spoke of SyBard/Mail, a product due later this year from the U.K. defense research spin-off-to-be QinetIQ. SyBard/Mail essentially adds a layer of protection by screening outbound e-mail traffic. I cited it because it was a different approach, one that didn't assume the infallibility of the almighty virus scanner. I hope that none of you assumed that I thought that the development of SyBard/Mail instantly turned the McAfees and Nortons of the world into cat food. Far from it.
The real problem isn't behavior blockers vs. content scanning -- the highest abstraction I can use to define the argument. It's much worse. There's a drawback to Microsoft Corp.'s official Outlook patch, to SyBard/Mail, and to just about everything else that uses a dialog box. An informed, skilled attacker can subvert a computer process and imitate the behavior of an end-user responding to a dialog box. Martin Carlisle and Scott Studer of the U.S. Air Force Academy computer science faculty are about to present a paper that demonstrates this in greater detail, but you can read it today at www.usafa.af.mil/dfcs/papers/mcc/ieeesmc2001.pdf.
Carlisle and Studer make a number of valid points and offer practical suggestions for software developers in general, Microsoft in particular, and they even suggest a simple step that IT managers can take. This last suggestion should come as no mystery: Disable Visual Basic (VB) scripting on all workstations that don't need it, which means doing so on all but a handful of developer machines. Even on those machines, it's a simple task to change the default behavior of a double-clicked VB script from Run to Edit.
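As an added example (not from this column or from Carlisle and Studer), the following PowerShell script makes the workstation change described above: the double-click default for Windows Script Host file types becomes Edit instead of Open (run). It assumes the standard HKEY_CLASSES_ROOT ProgIDs listed in the script and that each has an Edit verb under its Shell key, which is how a default Windows install registers them; run it elevated.

```powershell
# Added example: switch the double-click default verb for Windows Script Host
# file types from Open (execute the script) to Edit (open it in an editor).
# Assumption: these ProgIDs exist under HKEY_CLASSES_ROOT on a default install
# and each carries a Shell\Edit subkey.
#Requires -RunAsAdministrator

$ScriptProgIds = 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile'

function Get-DefaultVerb {
    param([string]$ProgId)
    $shellKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\Shell"
    if (-not (Test-Path $shellKey)) { return $null }
    # The (default) value of the Shell key names the verb used on double-click;
    # when it is empty, Windows falls back to the Open verb.
    $verb = (Get-ItemProperty -Path $shellKey).'(default)'
    if ([string]::IsNullOrEmpty($verb)) { 'Open' } else { $verb }
}

function Set-DefaultVerbToEdit {
    param([string]$ProgId)
    $shellKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\Shell"
    if (-not (Test-Path "$shellKey\Edit")) {
        # Without an Edit verb, pointing the default at it would break double-click
        # entirely, so leave this type alone and report it.
        Write-Warning "$ProgId has no Edit verb; leaving it unchanged"
        return
    }
    Set-ItemProperty -Path $shellKey -Name '(default)' -Value 'Edit'
}

foreach ($progId in $ScriptProgIds) {
    $before = Get-DefaultVerb $progId
    if ($null -eq $before) { Write-Warning "$progId is not registered"; continue }
    Set-DefaultVerbToEdit $progId
    '{0,-8} default verb: {1} -> {2}' -f $progId, $before, (Get-DefaultVerb $progId)
}
```

Logon scripts and scheduled tasks that call cscript.exe or wscript.exe explicitly are unaffected; only the action taken when a user double-clicks a script file changes.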
Call out the Guard
A bill in the Arizona legislature proposes the creation of a Statewide Information Protection Center (SIPC). Although the bill may not reach the governor this session, a number of other states and the District of Columbia are considering similar plans. Wes Marsh, a state representative from Scottsdale, Ariz., and a member of his state's National Guard, introduced the bill in his state's lower house where it passed by an overwhelming margin. The bill calls for a heavy National Guard presence in a newly established computer emergency response team with strong links to the U.S. Department of Defense and also mandates that the SIPC serve as a statewide coordinating body for computer security issues.
Although I'm not sure that the National Guard is the best choice for this sort of work, the basic idea is sound. Statewide or regional bodies can often provide an intermediate level of support, but the unfortunate reality is that SIPCs are likely to get mired in the oldest bureaucratic game known to humankind -- turf wars.