Essays in the Category "Computer and Information Security"
We Owe Much to DES
It was a historic moment when, last month, the National Institute of Standards and Technology proposed withdrawing the Data Encryption Standard as an encryption standard.
DES has been the most popular encryption algorithm for 25 years. Developed at IBM, it was chosen by the National Bureau of Standards (now NIST) as the government-standard encryption algorithm in 1976. Since then, it has become an international encryption standard and has been used in thousands of applications, despite concerns about its short key length.
In 1972, the NBS initiated a program to protect computer and communications data that included a standard encryption algorithm. IBM submitted an algorithm that used simple logical operations on small groups of bits and could be implemented efficiently in mid-1970s hardware. The algorithm’s key strength comes from an S-box, a nonlinear table-lookup specified by strings of constants…
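The S-box described above is the one component of DES that cannot be expressed as XORs and bit permutations. The following is an added example, not code from the essay or from IBM's design documents: it implements the standard S1 table as a 6-bit to 4-bit lookup and brute-forces a check that the mapping is not affine over GF(2). The table values are the published S1 box; the helper names (sbox_lookup, affine_counterexample, drop_outer_bits) are this example's own.

```python
"""Added example: the DES S1 S-box as a nonlinear 6-bit -> 4-bit lookup.

The table is the standard S1 box from the DES specification. Everything
else here (function names, the affine check) is illustrative code written
for this page, not part of DES or of the original essay.
"""

# S1: 4 rows x 16 columns, each entry a 4-bit output value.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_lookup(box, x):
    """Map a 6-bit input to a 4-bit output the way DES does.

    The outer two bits (b1, b6) select the row, the inner four bits
    (b2..b5) select the column.
    """
    if not 0 <= x < 64:
        raise ValueError("S-box input must be a 6-bit value")
    row = (((x >> 5) & 1) << 1) | (x & 1)  # b1 b6
    col = (x >> 1) & 0xF                    # b2 b3 b4 b5
    return box[row][col]


def s1(x):
    """Convenience wrapper for the S1 box."""
    return sbox_lookup(S1, x)


def affine_counterexample(f, n_bits):
    """Return the first (a, b) with f(a ^ b) != f(a) ^ f(b) ^ f(0), or None.

    An XOR-linear or affine map satisfies that identity for every pair, so a
    cipher built only from such maps could be written as a linear system in
    the key bits and solved by Gaussian elimination. Finding a counterexample
    shows the S-box breaks that structure. Exhaustive over the whole domain,
    which is cheap for 6-bit inputs (4096 pairs).
    """
    f0 = f(0)
    for a in range(1 << n_bits):
        for b in range(1 << n_bits):
            if f(a ^ b) != f(a) ^ f(b) ^ f0:
                return (a, b)
    return None


def drop_outer_bits(x):
    """A plain bit selection, included as the linear contrast case.

    Selecting bits is XOR-linear: this function passes the affine check,
    unlike the S-box.
    """
    return (x >> 1) & 0xF


if __name__ == "__main__":
    # Input 011011: row 01 (1), column 1101 (13) -> 5 (0101).
    print("S1(011011) =", s1(0b011011))
    print("S1 affine counterexample:", affine_counterexample(s1, 6))
    print("bit-selection counterexample:", affine_counterexample(drop_outer_bits, 6))
```

Running the script prints 5 for the input 011011 (the worked value from the specification), a small (a, b) pair for which S1 fails the affine identity, and None for the bit selection, which is the whole point: the table lookup, not the surrounding XORs and permutations, supplies the nonlinearity.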
Cryptanalysis of MD5 and SHA: Time for a New Standard
At the Crypto 2004 conference in Santa Barbara, Calif., this week, researchers announced several weaknesses in common hash functions. These results, while mathematically significant, aren’t cause for alarm. But even so, it’s probably time for the cryptography community to get together and create a new hash standard.
One-way hash functions are a cryptographic construct used in many applications. They are used with public-key algorithms for both encryption and digital signatures. They are used in integrity checking. They are used in authentication. They have all sorts of applications in a great many different protocols. Much more than encryption algorithms, one-way hash functions are the workhorses of modern cryptography…
The Witty Worm: A New Chapter in Malware
If press coverage is any guide, then the Witty worm wasn’t all that successful. Blaster, SQL Slammer, Nimda, even Sasser made bigger headlines. Witty infected only about 12,000 machines, almost none of them home users. It didn’t seem like a big deal.
But Witty was a big deal. It represented some scary malware firsts and is likely a harbinger of worms to come. IT professionals need to understand Witty and what it did.
Witty was the first worm to target a particular set of security products—in this case Internet Security Systems’ BlackICE and RealSecure. It infected and destroyed only computers that had particular versions of this software running…
Microsoft's Actions Speak Louder Than Words
The security of your computer and network depends on two things: what you do to secure your computer and network, and what everyone else does to secure their computers and networks. It’s not enough for you to maintain a secure network. If other people don’t maintain their security, we’re all more vulnerable to attack. When many unsecure computers are connected to the Internet, worms spread faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. The more unsecure the average computer on the Internet is, the more unsecure your computer is…
Hacking the Business Climate for Network Security
Computer security is at a crossroads. It’s failing, regularly, and with increasingly serious results. CEOs are starting to notice. When they finally get fed up, they’ll demand improvements. (Either that or they’ll abandon the Internet, but I don’t believe that is a likely possibility.) And they’ll get the improvements they demand; corporate America can be an enormously powerful motivator once it gets going.
For this reason, I believe computer security will improve eventually. I don’t think the improvements will come in the short term, and I think that they will be met with considerable resistance. This is because the engine of improvement will be fueled by corporate boardrooms and not computer-science laboratories, and as such won’t have anything to do with technology. Real security improvement will only come through liability: holding software manufacturers accountable for the security and, more generally, the quality of their products. This is an enormous change, and one the computer industry is not going to accept without a fight…
Internet Worms and Critical Infrastructure
Did MSBlast cause the Aug. 14 blackout? The official analysis says “no,” but I’m not so sure. An interim report issued in November by a panel of government and industry officials concluded that the blackout was caused by a series of failures, with the chain of events starting at FirstEnergy, a power company in Ohio. A series of human and computer failures then turned a small problem into a major one. And because critical alarm systems failed, workers at FirstEnergy did not stop the cascade, because they did not know what was happening.
This is where I think MSBlast, also known as Blaster, may have been involved…
Liability changes everything
Computer security is not a problem that technology can solve. Security solutions have a technological component, but security is fundamentally a people problem. Businesses approach security as they do any other business uncertainty: in terms of risk management. Organizations optimize their activities to minimize their cost-risk product, and understanding those motivations is key to understanding computer security today.
It makes no sense to spend more on security than the original cost of the problem, just as it makes no sense to pay liability compensation for damage done when spending money on security is cheaper. Businesses look for financial sweet spots—adequate security for a reasonable cost, for example—and if a security solution doesn’t make business sense, a company won’t do it…
CyberInsecurity: The Cost of Monopoly
How the Dominance of Microsoft's Products Poses a Risk to Security
Table of Contents
- 1. Author Listing
- 2. Introduction by Computer & Communications Industry Association (CCIA)
- 3. CyberInsecurity Report
- 4. Biographies of Authors
Authors of the report
Daniel Geer, Sc.D—Chief Technical Officer, @Stake
Charles P. Pfleeger, Ph.D—Master Security Architect, Exodus Communications, Inc.
Bruce Schneier—Founder, Chief Technical Officer, Counterpane Internet Security
John S. Quarterman—Founder, InternetPerils, Matrix NetSystems, Inc.
Perry Metzger—Independent Consultant
Rebecca Bace—CEO, Infidel
Peter Gutmann—Researcher, Department of Computer Science, University of Auckland…