Essays in the Category "Computer and Information Security"
Page 28 of 32
Insurance and the Computer Industry
View or Download in PDF Format
In the future, the computer security industry will be run by the insurance industry. I don’t mean insurance companies will start selling firewalls, but rather the kind of firewall you use—along with the kind of authentication scheme you use, the kind of operating system you use, and the kind of network monitoring scheme you use—will be strongly influenced by the constraints of insurance.
Consider security and safety in the real world. Businesses don’t install alarms in their warehouses because it makes them safer; they do it because they get a break in their insurance rates. Hotels and office buildings don’t install sprinkler systems because they’re concerned about the welfare of their tenants, but because building codes and insurance policies demand it. These are all risk management decisions, and the risk-taker of last resort is the insurance industry…
PGP's Vulnerabilities Reveal the Truth about Security
Reports that PGP, a standard used to encrypt e-mail, is broken are greatly exaggerated. Although a recent criminal investigation has led some to conclude that flaws in the PGP protocol helped the FBI nab its suspect, the truth is that no one has broken the cryptographic algorithms that protect PGP traffic. And no one has discovered a software flaw in the PGP program that would allow someone to read PGP- encrypted traffic. All that happened was that someone installed a keyboard sniffer on a computer, letting that someone eavesdrop on every keystroke the user made. The sniffer let the eavesdropper pick up the PGP passphrase and the text of a victim’s messages as he typed…
The Insurance Takeover
Eventually, the insurance industry will subsume the computer security industry. Not that insurance companies will start marketing security products, but rather that the kind of firewall you use—along with the kind of authentication scheme you use, the kind of operating system you use and the kind of network monitoring scheme you use—will be strongly influenced by the constraints of insurance.
Consider security, and safety, in the real world. Businesses don’t install building alarms because it makes them feel safer; they do it to get a reduction in their insurance rates. Building owners don’t install sprinkler systems out of affection for their tenants, but because building codes and insurance policies demand it. Deciding what kind of theft and fire prevention equipment to install are risk management decisions, and the risk taker of last resort is the insurance industry…
Gimmicks Won't Protect Your Digital Assets from Being Copied
Hacking contests are a popular way for software companies to demonstrate claims of how good their security products are in practice. But companies looking to protect their digital assets shouldn’t give too much credence to these challenges.
These contests typically involve a group or vendor offering money to anyone who can break through its firewall, crack its algorithm or make a fraudulent transaction using its technology. The Secure Digital Music Initiative (SDMI), an industry group that’s developed encryption methods to protect the copying of digital music files, issued a hacking challenge in September, offering $10,000 to anyone who could strip various copy-protection technologies out of songs provided as examples. SDMI put forth six different technologies, and already researchers from Princeton and Rice Universities and Xerox’s Palo Alto Research Center claim to have broken four of them. The SDMI disagrees, saying that only two were successfully hacked. Finger- pointing and jeering continue…
Security Research and the Future
Security threats will continue to loom
For the longest time, cryptography was a solution looking for a problem. And outside the military and a few paranoid individuals, there wasn’t any problem. Then along came the Internet, and with the Internet came e-commerce, corporate intranets and extranets, voice over IP, B2B, and the like. Suddenly everyone is talking about cryptography. Suddenly everyone is talking about computer security. There are more companies and products, and more research. And a lot more interest.
But at the same time, the state of security is getting worse. There are more vulnerabilities being found in operating systems-not just Microsoft’s, but everyone’s-than ever before. There are more viruses (or worms) being released, and they’re doing more damage. There are nastier denial-of-service tools, and more effective root kits. What research is necessary to reverse this trend? How can we make security work?…
The Fallacy of Trusted Client Software
Controlling what a user can do with a piece of data assumes a trust paradigm that doesn’t exist in the real world. Software copy protection, intellectual property theft, digital watermarking-different companies claim to solve different parts of this growing problem. Some companies market e-mail security solutions in which the e-mail cannot be read after a certain date, effectively “deleting” it. Other companies sell rights-management software: audio and video files that can’t be copied or redistributed, data that can be read but not printed and software that can’t be copied. Still other companies have software copy-protection technologies…
Debunking Virus-Based Fixes
The latest tale of security gaps in Microsoft Corp.’s software is a complicated story, and there are a lot of lessons to take away … so let’s take it chronologically.
On June 27, Georgi Guninski discovered a new vulnerability in Internet Explorer (4.0 or higher) and Microsoft Access (97 or 2000) running on Windows 95, 98, NT 4.0 or 2000. An attacker can compromise a user’s system by getting the user to read an HTML e-mail message (not an attachment) or visit a Web site.
This is a serious problem, and it could result in new and virulent mailware. But it requires Microsoft Access to be installed on the victim’s computer, which, while common, is by no means universal. A virus that exploits this vulnerability will not spread as widely as, say, Melissa. In any case, Microsoft published a fix on July 14, and I urge everyone to install it…
The Process of Security
I’ve been writing the CryptoRhythms column for this magazine for a little over a year now. When the editor and I sat down a couple months ago to talk about topics for 2000, I told him I wanted to expand the focus a bit from crypto-specific topics to broader information security subjects. So even though the column still falls under the CryptoRhythms banner, you can expect some (but not all) of this year’s columns to address broader security issues that in some way incorporate cryptography. This month’s article does just that, focusing on the process of security…
Risks of PKI: Electronic Commerce
Open any popular article on public-key infrastructure (PKI) and you’re likely to read that a PKI is desperately needed for E-commerce to flourish. Don’t believe it. E-commerce is flourishing, PKI or no PKI. Web sites are happy to take your order if you don’t have a certificate and even if you don’t use a secure connection. Fortunately, you’re protected by credit-card rules.
The main risk in believing this popular falsehood stems from the cryptographic concept of “non-repudiation”.
Under old, symmetric-key cryptography, the analog to a digital signature was a message authentication code (MAC). If Bob received a message with a correct MAC, he could verify that it hadn’t changed since the MAC was computed. If only he and Alice knew the key needed to compute the MAC and if he didn’t compute it, Alice must have. This is fine for the interaction between them, but if the message was “Pay Bob $1,000,000.00, signed Alice” and Alice denied having sent it, Bob could not go to a judge and prove that Alice sent it. He could have computed the MAC himself…
Sidebar photo of Bruce Schneier by Joe MacInnis.