Lazy security makes life easy for hackers

A study of internet security flaws has revealed that half of vulnerable systems remain unfixed after 30 days - making life easy for hackers.

The data - released at the Black Hat Briefings security Conference in Las Vegas - also showed that some flaws don't completely die out over time but actually make a comeback. The vulnerabilities exploited by the Code Red and SQL Slammer worms, for example, are allowing those threats to reassert themselves on the internet, said Gerhard Eschelbeck, chief technology officer for vulnerability-assessment company Qualys.

"There is something going on that is bringing vulnerabilities back to life," Eschelbeck said, adding that the main theory is that companies continue to install systems that include out-of-date software.

The study, which correlates nearly 1.5 million scans done by Qualys over a year and a half, underscores the need for customers to be more proactive about patching systems and for software makers to weed out vulnerabilities during development.

The more serious the vulnerability, the quicker the companies patched it, the study found. Companies took longer to fix flaws thought to be less serious - as much as 60 days longer - by which time, in 80 per cent of the cases, security researchers and hackers had released programs to exploit the flaws.

The data seems to support assertions by the Organisation for Internet Safety that companies need time to fix flaws and patch vulnerable systems.

Security researchers also attacked software vendors' seeming inability to eradicate the most serious bugs from their applications, saying that was a key problem in dealing with server insecurities.

Mary Ann Davidson, chief security officer for database maker Oracle, said her company takes good software seriously, but that many other companies still haven't learned the lesson.

"If you [a software company] do the maths and you are serious about your reputation, you have every incentive to treat your customers' systems as if they were yours," Davidson said.

Davidson said better quality could come about through US government requirements that call for federal purchasers to go with certified software.

"If the government is serious about demanding secure software, then the industry is going to have to change and provide it," Davidson said.

Davidson added the private sector should take a similar tack.

Robert Lemos writes for News.com