Truth About Computer Security Hysteria
Another telephone conference to warn of an Internet threat
Monday, 11 January 1999
Finjan CEO Bill Lyons warned the Wall Street Journal of a new threat dubbed
Russian New Year, saying "we think this is probably the biggest security hole in Internet
history." The warning came as Lyons' firm staged a press conference to announce their discovery. Finjan's
media circus came just two weeks after Network Associates held their own
Chicken Little press conference and you could almost hear Lyons sing those immortal words:
"anything you can do, I can do better..."
Forget last year's Win95.CIH, the supposed "mother
of all viruses." Forget last month's Remote Explorer, a virus with the power
to "literally destroy the Internet." Those childish pranks pale in comparison to Russian New
Year. Finjan posted a teaser notice on their website, surrounded it with corporate hype, and promised to
"unveil" all the details at their press conference.
Finjan didn't truly unveil everything because they feared Snidely Whiplash would use it to hack into a GPS
satellite. Oddly, though, they let reporters try out a Russian New Year demo. God help us if a
cyberterrorist disguised as a journalist used a packet sniffer to
reverse-engineer Finjan's dangerous
What did Lyons call "the biggest security hole in Internet history"? Microsoft Excel.
"We believe this could affect tens of millions of users." Hurwitz Report researcher Steve
Foote participated in the press conference and told reporters "if this vulnerability does not make you go
weak at the knees, then you do not fully comprehend the security threat."
Other experts must not recognize its severity, then — they
& Foote's statements as hyperbole. Forrester Research analyst Ted Julian questions how any lab
experiment could outclass the historic Internet Worm of 1988. "There
is no comparison between a malicious code incident with no fallout and what was one of the seminal hacks of all
time," Julian countered. CERT analyst Jim Ellis categorized Russian New Year as only the latest in a
string of Internet security holes discovered over the last few years. I myself wonder how it could outclass the
Michelangelo virus in 1992. A worldwide media fiasco by any
standard, Michelangelo nonetheless erased 10,000 or more hard disks on its original trigger date.
Critical comments like this led Finjan to revise their claims. First they appended "since the Internet
worm" to statements; later they called Russian New Year only "the worst vulnerability in five
years." These revisions placed it safely beyond 1988 or 1992, but five years still pits it against
Good Times, the seminal virus hoax of all time. Frightened
users overloaded numerous email servers throughout 1995 when they forwarded the alert to everyone they knew.
Finjan believes Microsoft Excel can destroy the Internet. They asked security experts to offer quotes for a press
release. Sadly, Finjan forgot to notify Microsoft's computer security team...
Rumors say Finjan conducted research in secret and demanded non-disclosure agreements from outsiders. This veil
of secrecy stretched all the way to Redmond — a source (excellent reliability) says Microsoft's computer security
team never heard of Russian New Year before the Wall Street Journal caught wind of it. One
source (reliability unknown) provided a statement which indicates Finjan demanded his silence
after they started leaking details to the media.
Technically, it doesn't matter if Finjan notified anyone in Redmond ... because Russian New Year relies on
the Excel CALL exploit. Microsoft released a
patch to defeat Excel CALL one month before Lyons talked to the Wall Street
Journal. Even Finjan's announcement admits the patch works as advertised. Microsoft employees shrugged
their shoulders when asked about it — a gesture which made Finjan look stupid.
Finjan moved to "Plan B" in an attempt to save face and focus media attention back on Microsoft.
The press conference, um, served primarily to spread the gospel of computer security. As for Microsoft's
patch, it only works for certain Excel users in certain cases, so, uh, the world needs Finjan's free
protection software. "Plan B" actually achieved moderate success.
One Finjan employee who spoke to reporters berated Microsoft for sending their security alert to only a
million email addresses. How many email alerts did Finjan send out?
Finjan's demo of the Russian New Year exploit created a folder (among other things)
with the word "hacked" in its name, leaving no doubt where it came from. So? A hacker named Dildog did
the same in 1997 with the Res exploit. It takes full control of your system just like
Russian New Year. Dildog, like Finjan, constructed a demo web page; unlike Finjan, Dildog
published his research on a well-known
website for all to see. Many computers remain vulnerable to Res even though Microsoft quickly released a
Dildog's exploit takes full control of your computer if you merely read a web page with your eyeballs. Why didn't
Finjan hold a press conference about Res thirteen months ago? How can Finjan claim Russian New Year
accomplished this feat first?
Finjan's announcement quotes various experts about the threat Russian New Year poses to Excel users. Among
them: Dr. Gary McGraw, the expert I turn to for Java security advice. (Finjan also quoted
a vice president of marketing, but let's not digress.) McGraw's comments passed my "realism"
test with flying colors and I urge you to read what he said. He could quite
literally say the same things about Res.
McGraw's quote implies Lyons erred when he called Russian New Year "probably the
biggest security hole" for any given period. If any piece of code (malicious or otherwise)
gains unrestricted access to your computer, then it can do all of the things Lyons described to reporters. It
could reformat a hard disk, inject a virus, change CMOS settings, reprogram a FlashBIOS chip, transfer your
paycheck to a Swiss bank account, blah blah blah.
Every single day, naïve AOL users get tricked into running software which transmits their passwords to
someone else. These password-stealing programs could do so much more if the perpetrators desired. They
could reformat a hard disk, inject a virus, change CMOS settings, reprogram a FlashBIOS chi-- hmmm, I already said
that. Well, I hope you know what I mean.
Finjan's and AXENT's vice presidents of marketing provided ominous quotes to reporters
Do I smell the stench of another trend? Two major Internet security
firms unveiled new Internet security threats over the telephone. In an industry where paranoid customers
demand lightspeed software updates, two major players decided the world could wait for staged media events.
"Join us in six hours when we describe a virus scheduled to erase your hard disk eight hours from
We need to ask ourselves why. Answer: I think the security industry envies the Y2K
industry. (Hear me out...)
Y2K received gobs of valuable media exposure in 1998. A lot of money will flow this year as penny-pinchers
finally make some harsh spending decisions. The security industry would love it (and I would
too!) if buyers demanded secure computers at the time of purchase ... but it looks like they really only
care about Y2K compliance.
Penny-pinchers don't read PC Magazine or surf to news.com — they learn about
computer security from the likes of CNNfn and the Wall Street Journal. A telephone
press conference actually begins to make sense if you want to impress, say, a financial reporter. I wrote it
years ago, but it bears repeating:
Why did two Internet security firms suddenly unveil new Internet security threats over the telephone? Why
did they tease reporters & CIOs for hours with hints of an immediate threat?
Never underestimate the mainstream media's role in the spread of False Authority Syndrome.
Empirical Research Systems (a computer industry polling firm) conducted a survey in 1991 of corporate employees
tasked in some way with computer security. 43% of respondents — almost half — formed their opinions about
viruses just by reading newspapers!
(sniff) Yes, it smells like another trend all right...