Schneier on Security

Most people don’t understand the real lessons of Code Red II.

Code Red II could have been much worse. As it had full control of every machine it took over, it could have been programmed to do anything, including dropping the entire Internet. It could have spread faster and been stealthier. It could have exploited several vulnerabilities, not just one. It could have been polymorphic.

Code Red II left a lot of questions unanswered. What will come in when Code Red II installs a back door and drops a Trojan program in vulnerable computers? Will there be a Code Red III? What will it do? What about Code Red XXVII?…

One of the key reasons businesses have yet to link their business applications with telephone services is there’s no common interface. While two standards under development promise to let businesses integrate and control telephony services, such as call forwarding and automatic number identification, with software, such as Web-based call center apps, these standards could introduce huge security risks.

These standards address key issues. One organization working in this space is The Parlay Group (www.parlay.org), a consortium of software, hardware and telecommunication service providers. The group is creating a specification and an application programming interface that will enable phone-system control from outside the secure telco network. This interface can be embedded in applications to reroute calls, provide notification of call attempts, retrieve the location of mobile users and link to telco billing systems, among other features…

In warfare, information is power. The better you understand your enemy, the more able you are to defeat him.

In the war against malicious hackers, network intruders and the other black-hat denizens of cyberspace, the good guys have surprisingly little information. Most security experts-even those who design products to protect against attacks-are ignorant of the tools, tactics and motivations of the enemy.

The Honeynet Project, a group of 30 researchers from academia and the commercial sector, is trying to change that. The group obtains information through the use of a Honeynet-a computer network on the Internet that’s designed to be compromised. The network is made up of various production systems complete with sensors as well as a suitably enticing name and content. (The actual IP address changes regularly and isn’t published.) Hackers’ actions are recorded as they happen: how the culprits try to break in, when they’re successful and what they do when they succeed…

Despite numerous efforts over the years to develop comprehensive computer security standards, it’s a goal that remains elusive at best.

As far back as 1985, the U.S. government attempted to establish a general method for evaluating security requirements. This resulted in the “Orange Book,” the colloquial name for the U.S. Department of Defense Trusted Computer System Evaluation Criteria. The Orange Book gave computer manufacturers a way to measure the security of their systems and offered a method of classifying different levels of computer security…

Despite huge investments by corporations in computer security infrastructure, an overwhelming majority of companies are finding that their networks are still being compromised. And there’s no reason to believe this will change anytime soon.

About 64 percent of companies’ systems have been victims of some form of unauthorized access, according to a recent survey by the Computer Security Institute (CSI). While 25 percent said they had no breaches and 11 percent said they didn’t know, I’d bet the actual number of companies that have been compromised is much higher…