This story was written by Keith Dawson for the Industry Standard's Media Grok email newsletter. It is archived here for informational purposes only because The Standard's site is no more. This material is Copyright 1999-2001 by Standard Media.

Are Security Companies Secure Investments?

Jul 06 2001 08:48 AM PDT

And are hackers good or bad news for your Internet security stocks?

If you're an investor who reads the tech press, you may have taken positions in Internet security companies. The press can't seem to resist stories about hackers, crackers and security exploits. There's been a good sprinkling of such stories this week, but don't ignore those cautionary notes.

MSNBC ran a story this week on how easy it is to find Web merchant sites that have not patched their PDG Software shopping carts. The PDG flaw was revealed last April with a bigger splash than usual - the FBI got involved in warning customers of PDG Software's wares. The company has several thousand customers, but according to MSNBC's Bob Sullivan, many bought through resellers and couldn't be reached with a warning. Sullivan reported that descriptions of the PDG flaw were so widespread in underground circles that they have begun showing up in search engines. Sullivan wrote that finding a system to exploit has become as simple as "using a particular search term on a search site like Google or Yahoo, followed by one additional cut-and-paste operation." He didn't detail the exact search to use (aw shucks).

CNET was among several outlets to carry yesterday's news that Oracle's 8i database software contains an exploitable buffer overflow. Stephen Shankland pointed out that Windows systems running the Oracle software are more vulnerable than comparable Unix systems, because Oracle runs on Windows with a high level of system privilege. Another CNET story, this one unsigned, warned that a Japanese hacker who goes by the name of HighSpeed Junkie has posted a script to exploit a serious hole in Microsoft's Web server software. The exploit went up three days after the security hole was first described in public.

InternetNews summarized a new study by marketing consultant Frost & Sullivan that sees the market for encryption products growing to half a billion dollars by 2007. But a Reuters story in the New York Times might give the security companies pause. Despite the floodtide of exploits, break-ins and headlines, security companies are getting their share of scrutiny in the turbulent tech economy. Reuters quoted Wall Street analysts who said the market segment was until recently "thought to be safe from the tech bloodbath," but that one security provider after another has warned on 2001 earnings. Still, Reuters concluded that makers of anti-virus and virtual private network software "may prove to be uniquely positioned for long-term success."

Oracle patches high-risk security hole

Program may exploit Microsoft server hole

Hackers pounce on Web site flaw

Of Hackers, Spies and E-Terrorists

Security Software Firms Battle Economic Realities
The New York Times
(Registration required.)