The following text is copyright 2006 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.

 

Antivirus: who is going to watch the watchers?

 

By Scott Bradner

 

If you are running a Windows computer and you are not running some sort of antivirus package, then you are likely not the one running your computer.  It is very likely that some hacker halfway around the world can do anything they want with "your" computer.  In a Windows environment, running an antivirus to protect the computer from worms and viruses is what is euphemistically called "a required option."  So what do you do when the very tool that is supposed to protect you from attack turns out to be enabling attacks?

 

That is just what happened with two Symantec security products.  On May 25th Symantec confirmed (http://www.symantec.com/avcenter/security/Content/2006.05.25.html) a report from eEye Digital Security that the Symantec Client Security and Symantec Antivirus Corporate Edition products have a vulnerability that could "allow a remote or local attacker to execute arbitrary code with System level rights" (http://www.eeye.com/html/research/upcoming/20060524.html).  As I write this, Symantec has not yet announced a patch to block the vulnerability, but I would expect such a patch before Microsoft gets around to patching a Word vulnerability that was announced about the same time.  (It's not neat that Microsoft almost always waits until its regularly scheduled monthly patch date to issue a patch even if its customers are getting hurt by the vulnerability -- I do not expect that Symantec will show such a callous disregard for the safety of its customers.)

 

It makes a lot of sense for the bad guys to target a product like an antivirus package, considering the almost ubiquitous deployment of such packages from so few vendors.  A successful exploit will leave a lot of systems ripe for the picking.

 

This episode does bring up the age-old question in the security field: "who will watch the watchers?"  In this case it was an independent security company, one that has gotten rather good at ferreting out these sorts of things, but we cannot depend on having such a resource in all cases.

 

The same question pops to mind when reading the headlines of the past few weeks about the NSA and the secret equipment rooms in AT&T data centers (http://www.wired.com/news/technology/0,70944-0.html).  Who is going to make sure that the NSA is actually doing only what it almost says it is doing?  I say "almost" because the information that the administration lets out is far from precise about the NSA effort in this case, as well as in the case of looking for calling patterns (or whatever they are doing) with all the phone records some of the phone companies so kindly gave them.

 

Security expert Bruce Schneier explores this area in a very insightful (as he normally is) May 18th column in Wired (http://wired.com/news/columns/0,70886-0.html?tw=wn_columns_7).

 

The big-brother style communications world being brought to us by governments, in the name of protecting us from terrorists or protecting children from the evils of the Internet, is a world that the old East German Stasi would have seen as close to the ideal.  Tie this world to an Internet from, for and by the phone companies, as the FCC seems to want, and you wind up with a nightmare I'd rather wake up from.

 

disclaimer: "Harvard" and "nightmare" are related concepts in a few people's minds but the university did not express an opinion on watching watchers, I did.