Essays Tagged "InternetWeek"

Page 1 of 1

Efforts to Limit Encryption Are Bad for Security

  • Bruce Schneier
  • InternetWeek
  • October 1, 2001

In the wake of the devastating attacks on New York’s World Trade Center and the Pentagon, Sen. Judd Gregg (R-N.H.), with backing from other high- ranking government officials, quickly seized the opportunity to propose limits on strong encryption and “key-escrow” systems that insure government access. This is a bad move because it will do little to thwart terrorist activities and it will also reduce the security of our critical infrastructure.

As more and more of our nation’s critical infrastructure goes digital, cryptography is more important than ever. We need all the digital security we can get; the government shouldn’t be doing things that actually reduce it. We’ve been through these arguments before, but legislators seem to have short memories. Here’s why trying to limit cryptography is bad for e-business:…

The Real Lesson of Code Red: Insecurity Is a Way of Life

  • Bruce Schneier
  • InternetWeek
  • September 3, 2001

Most people don’t understand the real lessons of Code Red II.

Code Red II could have been much worse. As it had full control of every machine it took over, it could have been programmed to do anything, including dropping the entire Internet. It could have spread faster and been stealthier. It could have exploited several vulnerabilities, not just one. It could have been polymorphic.

Code Red II left a lot of questions unanswered. What will come in when Code Red II installs a back door and drops a Trojan program in vulnerable computers? Will there be a Code Red III? What will it do? What about Code Red XXVII?…

Arrest of Computer Researcher Is Arrest of First Amendment Rights

  • Bruce Schneier
  • InternetWeek
  • August 6, 2001

The arrest of a Russian computer security researcher was a major setback for computer security research. The FBI nabbed Dmitry Sklyarov after he presented a paper at DefCon, the hacker community convention in Las Vegas, on the strengths and the weaknesses of software to encrypt an electronic book.

Although I’m certain the FBI’s case will never hold up in court, it shows that free speech is secondary to the entertainment industry’s paranoia about copyright protection.

Sklyarov is accused of violating the Digital Millennium Copyright Act (DMCA), which makes publishing critical research on this technology more serious than publishing design information on nuclear weapons…

Marriage Of Phone Services, Biz Apps Could Be A Security Risk

  • Bruce Schneier
  • InternetWeek
  • July 9, 2001

One of the key reasons businesses have yet to link their business applications with telephone services is there’s no common interface. While two standards under development promise to let businesses integrate and control telephony services, such as call forwarding and automatic number identification, with software, such as Web-based call center apps, these standards could introduce huge security risks.

These standards address key issues. One organization working in this space is The Parlay Group (www.parlay.org), a consortium of software, hardware and telecommunication service providers. The group is creating a specification and an application programming interface that will enable phone-system control from outside the secure telco network. This interface can be embedded in applications to reroute calls, provide notification of call attempts, retrieve the location of mobile users and link to telco billing systems, among other features…

In War Against Cyberspace Intruders, Knowledge Is Power

  • Bruce Schneier
  • InternetWeek
  • June 18, 2001

In warfare, information is power. The better you understand your enemy, the more able you are to defeat him.

In the war against malicious hackers, network intruders and the other black-hat denizens of cyberspace, the good guys have surprisingly little information. Most security experts-even those who design products to protect against attacks-are ignorant of the tools, tactics and motivations of the enemy.

The Honeynet Project, a group of 30 researchers from academia and the commercial sector, is trying to change that. The group obtains information through the use of a Honeynet-a computer network on the Internet that’s designed to be compromised. The network is made up of various production systems complete with sensors as well as a suitably enticing name and content. (The actual IP address changes regularly and isn’t published.) Hackers’ actions are recorded as they happen: how the culprits try to break in, when they’re successful and what they do when they succeed…

Computer Security Standards Aren't Scoring In The Commercial World

  • Bruce Schneier
  • InternetWeek
  • May 14, 2001

Despite numerous efforts over the years to develop comprehensive computer security standards, it’s a goal that remains elusive at best.

As far back as 1985, the U.S. government attempted to establish a general method for evaluating security requirements. This resulted in the “Orange Book,” the colloquial name for the U.S. Department of Defense Trusted Computer System Evaluation Criteria. The Orange Book gave computer manufacturers a way to measure the security of their systems and offered a method of classifying different levels of computer security…

IT Must Be More Vigilant About Security, Survey Shows

  • Bruce Schneier
  • InternetWeek
  • April 16, 2001

Despite huge investments by corporations in computer security infrastructure, an overwhelming majority of companies are finding that their networks are still being compromised. And there’s no reason to believe this will change anytime soon.

About 64 percent of companies’ systems have been victims of some form of unauthorized access, according to a recent survey by the Computer Security Institute (CSI). While 25 percent said they had no breaches and 11 percent said they didn’t know, I’d bet the actual number of companies that have been compromised is much higher…

Back Door Security Threat in Interbase Teaches Broader Lessons

  • Bruce Schneier
  • InternetWeek
  • March 12, 2001

When a hacker adds a back door to your computer systems for later unauthorized access, that’s a serious threat. But it’s an even bigger problem if you created the back door yourself.

It seems that Borland did just that with its Interbase database. All versions released for the past seven years (versions 4.x through 6.01) have a back door. And, by extension, so do all their customers. How it came about and how it was discovered should serve as a lesson to all IT managers.

Versions of Interbase before 1994 didn’t have any access-control mechanisms. When the company added access control in version 4.0, it used a peculiar system. The engineers created a special database within Interbase for account names and encrypted passwords. This solution created a new problem: In order to authenticate a user, the program had to access the database; but before the program could access the database, it had to authenticate a user…

PGP's Vulnerabilities Reveal the Truth about Security

  • Bruce Schneier
  • InternetWeek
  • February 12, 2001

Reports that PGP, a standard used to encrypt e-mail, is broken are greatly exaggerated. Although a recent criminal investigation has led some to conclude that flaws in the PGP protocol helped the FBI nab its suspect, the truth is that no one has broken the cryptographic algorithms that protect PGP traffic. And no one has discovered a software flaw in the PGP program that would allow someone to read PGP- encrypted traffic. All that happened was that someone installed a keyboard sniffer on a computer, letting that someone eavesdrop on every keystroke the user made. The sniffer let the eavesdropper pick up the PGP passphrase and the text of a victim’s messages as he typed…

Gimmicks Won't Protect Your Digital Assets from Being Copied

  • Bruce Schneier
  • InternetWeek
  • January 22, 2001

Hacking contests are a popular way for software companies to demonstrate claims of how good their security products are in practice. But companies looking to protect their digital assets shouldn’t give too much credence to these challenges.

These contests typically involve a group or vendor offering money to anyone who can break through its firewall, crack its algorithm or make a fraudulent transaction using its technology. The Secure Digital Music Initiative (SDMI), an industry group that’s developed encryption methods to protect the copying of digital music files, issued a hacking challenge in September, offering $10,000 to anyone who could strip various copy-protection technologies out of songs provided as examples. SDMI put forth six different technologies, and already researchers from Princeton and Rice Universities and Xerox’s Palo Alto Research Center claim to have broken four of them. The SDMI disagrees, saying that only two were successfully hacked. Finger- pointing and jeering continue…

Sidebar photo of Bruce Schneier by Joe MacInnis.