Vulnerability is our business

David Litchfield's conversion to information security came from an unlikely source. While studying zoology at Dundee in the late 90s, he saw The Net, a low-brow movie about a virus that could infect every computer in the world. Litchfield was hooked. "I was amazed by the amount of control you could get over people's lives," he says. "It was frightening and I wanted to find out more – I don't like being frightened."

Only later did he discover the film's many technical shortcomings, but by then he had quit the zoology course and thrown himself into his new love.

By 2001, he was running Next Generation Software with elder brother Mark and their father Dave Snr, and by 2002 he had started earning an international reputation for finding vulnerabilities in some of the most widely used software.

Fastforward four years and NGS is doing vulnerability research for major software firms (including Microsoft), 25 international banks and the British and US governments.

Between them, David and Mark are considered the world's foremost vulnerability researchers, exemplified by the fact that NGS currently holds more than 150 vulnerabilities waiting to be patched by software companies.

Despite its growing international reputation, NGS operates from premises in suburban Sutton on the edge of London. Inside the building, however, are all the trappings of a Silicon Valley start-up, along with a 'relaxation room' with pool table, huge TV, Playstation and futons.

Sitting with father Dave and brother Mark, David does most of the talking, but is coy about his achievements. "People say what we do is difficult, but it's not," he says. "I think you need quite an artistic mind to discover new vulnerabilities. But essentially, security is easy."

They certainly seem to have the knack of unearthing software weaknesses, and in 2002 they first came to international attention when they found 24 vulnerabilities in Oracle software the day after the company launched a bold ad campaign, claiming its products were "Unbreakable".

Since then NGS has been a thorn in the side of Oracle, which appeared to view the revelations as unwarranted criticism, rather than useful feedback.

Other companies have been more responsive, and Litchfield picks out Microsoft for praise. "The industry in general has made steps," he says.

"If you contrast Vista [when it arrives] with Windows 2000 or XP, then there will be no comparison."

Reporting a vulnerability to Microsoft, he says, elicits a response far removed from what would have happened five or six years ago. Each report is carefully analysed and dealt with as fast as possible. But some companies still lag behind.

"Oracle still hasn't got it completely right," he says. "They still seem to think we're the enemy, rather than working with them. The patches they apply take too long, and they're often not actually tackling the problem as a whole."

Brother Mark chips in to underline that while Oracle is still slow to react, it is by no means alone. Several other companies still fail to follow the Microsoft example.

But the outlook is looking rosier than in 2003, when the Slammer worm cost businesses billions of dollars after exploiting a hole in Microsoft's SQL Server.

It was David who found that vulnerability, reported it to Microsoft and helped produce a patch. Assuming firms would have already applied the patch, David gave a presentation on the vulnerability at the big Black Hat conference in the US, complete with dummy code. But users and companies hadn't patched, and virus writers used the code to produce Slammer.

"When [US emergency] 911 systems went down, that completely changed my view," says David. "What I had done, in trying to educate people, was to possibly put people's lives in danger. It made me step back and rethink my position."

That little disaster explains why vulnerability researchers are often seen as the mavericks of infosec. Ostensibly they are doing a "good" thing, but to do so they have to understand the dark side of the internet – how to break computer software and exploit it. Perhaps to redress the balance, NGS is now considering discontinuing its public disclosure policy.

"We used to have two weapons," says David. " The first was to beat the vendor over the head by publicly disclosing its vulnerabilities. The second was education.

"But most vendors don't need to be hit over the head with a stick any more. Sure, on the educational side you can have white papers telling people what to do, but if they haven't got the message now they never will. Unless there is a vendor refusing to fix itself, then the valid reasons for disclosure are no longer true."

If all vulnerability hunters changed their disclosure policies, the relationship between them and vendors would fundamentally change. But for that to happen, then the vendors themselves would have to raise their game.

"The vendors are trying, but there's a problem at the grass roots," says David. "I bought a book called Teach yourself C in 21 days. Its very first lesson taught me to code in a way that could introduce buffer overflows. We have to teach security from lesson one."

While his two starlets have their picture taken, Dave Snr details NGS's recent successes. Top of the list is the UK's most prestigious charity event, Red Nose Day, where NGS was in attendance to ensure that all went well.

"More transactions go via the donation site in one day than anywhere else in the world. We had a team of 12 making sure it ran smoothly," says Dave Snr.

But when the fundraising started, viewers were sent to the BBC instead of the Red Nose website. "It was a real head-in-hands moment," he adds, "but it turned out the BBC address directed traffic to the official site, so it was okay. But for a moment..." His face says it all.

When David and Mark return from the photo session, they detail exactly why vulnerabilities are still a problem, and say the current obsession with regulatory compliance is a dangerous distraction.

"There's a focus on compliance which has a lot of people spending money on security," says Mark. "They think they are secure because they are compliant. That is not the case. It's a dangerous assumption."

David agrees: "Everyone has pretty much secured the entry point, hardened web servers and so on, but the problem is that the applications on those servers are vulnerable to things like SQL injection. A firewall is not going to stop that. Once they're on the inside, that's the crown jewels. That's everything you have."

NGS's rise seems destined to continue – new offices in Australia and the US are mooted and David has co-penned a book The Database Hacker's Handbook, aiming to stop hacking by showing how it's done.

It sounds as if some of the world's software companies should buy a copy.