Latest Essays
IT Must Be More Vigilant About Security, Survey Shows
Despite huge investments by corporations in computer security infrastructure, an overwhelming majority of companies are finding that their networks are still being compromised. And there’s no reason to believe this will change anytime soon.
About 64 percent of companies’ systems have been victims of some form of unauthorized access, according to a recent survey by the Computer Security Institute (CSI). While 25 percent said they had no breaches and 11 percent said they didn’t know, I’d bet the actual number of companies that have been compromised is much higher…
Cyber Underwriters Lab?
Underwriters Laboratories (UL) is an independent testing organization created in 1893, when William Henry Merrill was called in to find out why the Palace of Electricity at the Columbian Exposition in Chicago kept catching on fire (which is not the best way to tout the wonders of electricity). After making the exhibit safe, he realized he had a business model on his hands. Eventually, if your electrical equipment wasn’t UL certified, you couldn’t get insurance.
Today, UL rates all kinds of equipment, not just electrical. Safes, for example, are rated based on time to crack and strength of materials. A “TL-15” rating means that the safe is secure against a burglar who is limited to safecracking tools and 15 minutes’ working time. These ratings are not theoretical; employed by UL, actual hotshot safecrackers take actual safes and test them. Applying this sort of thinking to computer networks—firewalls, operating systems, Web servers—is a natural idea. And the newly formed Center for Internet Security (no relation to UL) plans to implement it…
Back Door Security Threat in Interbase Teaches Broader Lessons
When a hacker adds a back door to your computer systems for later unauthorized access, that’s a serious threat. But it’s an even bigger problem if you created the back door yourself.
It seems that Borland did just that with its Interbase database. All versions released for the past seven years (versions 4.x through 6.01) have a back door. And, by extension, so do all their customers. How it came about and how it was discovered should serve as a lesson to all IT managers.
Versions of Interbase before 1994 didn’t have any access-control mechanisms. When the company added access control in version 4.0, it used a peculiar system. The engineers created a special database within Interbase for account names and encrypted passwords. This solution created a new problem: In order to authenticate a user, the program had to access the database; but before the program could access the database, it had to authenticate a user…
Insurance and the Computer Industry
In the future, the computer security industry will be run by the insurance industry. I don’t mean insurance companies will start selling firewalls, but rather the kind of firewall you use—along with the kind of authentication scheme you use, the kind of operating system you use, and the kind of network monitoring scheme you use—will be strongly influenced by the constraints of insurance.
Consider security and safety in the real world. Businesses don’t install alarms in their warehouses because it makes them safer; they do it because they get a break in their insurance rates. Hotels and office buildings don’t install sprinkler systems because they’re concerned about the welfare of their tenants, but because building codes and insurance policies demand it. These are all risk management decisions, and the risk-taker of last resort is the insurance industry…
PGP's Vulnerabilities Reveal the Truth about Security
Reports that PGP, a standard used to encrypt e-mail, is broken are greatly exaggerated. Although a recent criminal investigation has led some to conclude that flaws in the PGP protocol helped the FBI nab its suspect, the truth is that no one has broken the cryptographic algorithms that protect PGP traffic. And no one has discovered a software flaw in the PGP program that would allow someone to read PGP-encrypted traffic. All that happened was that someone installed a keyboard sniffer on a computer, letting that someone eavesdrop on every keystroke the user made. The sniffer let the eavesdropper pick up the PGP passphrase and the text of a victim’s messages as he typed…
The Insurance Takeover
Eventually, the insurance industry will subsume the computer security industry. Not that insurance companies will start marketing security products, but rather that the kind of firewall you use—along with the kind of authentication scheme you use, the kind of operating system you use and the kind of network monitoring scheme you use—will be strongly influenced by the constraints of insurance.
Consider security, and safety, in the real world. Businesses don’t install building alarms because it makes them feel safer; they do it to get a reduction in their insurance rates. Building owners don’t install sprinkler systems out of affection for their tenants, but because building codes and insurance policies demand it. Deciding what kind of theft and fire prevention equipment to install are risk management decisions, and the risk taker of last resort is the insurance industry…
Gimmicks Won't Protect Your Digital Assets from Being Copied
Hacking contests are a popular way for software companies to demonstrate claims of how good their security products are in practice. But companies looking to protect their digital assets shouldn’t give too much credence to these challenges.
These contests typically involve a group or vendor offering money to anyone who can break through its firewall, crack its algorithm or make a fraudulent transaction using its technology. The Secure Digital Music Initiative (SDMI), an industry group that’s developed encryption methods to protect the copying of digital music files, issued a hacking challenge in September, offering $10,000 to anyone who could strip various copy-protection technologies out of songs provided as examples. SDMI put forth six different technologies, and already researchers from Princeton and Rice Universities and Xerox’s Palo Alto Research Center claim to have broken four of them. The SDMI disagrees, saying that only two were successfully hacked. Finger-pointing and jeering continue…
Technology Was Only Part of the Florida Problem
In the wake of the presidential election, pundits have called for more accurate voting and vote counting. To most people, this obviously means more technology. But before jumping to conclusions, let’s look at the security and reliability issues surrounding voting technology.
Most of Florida’s voting problems are a direct result of “translation” errors stemming from too much technology.
The Palm Beach County system had several translation steps: voter to ballot to punch card to card reader to vote tabulator to centralized total. Some voters were confused by the layout of the “butterfly” ballot and mistakenly voted for someone else. Others didn’t punch their ballots in such a way that the tabulating machines could read them…
Security Research and the Future
Security threats will continue to loom
For the longest time, cryptography was a solution looking for a problem. And outside the military and a few paranoid individuals, there wasn’t any problem. Then along came the Internet, and with the Internet came e-commerce, corporate intranets and extranets, voice over IP, B2B, and the like. Suddenly everyone is talking about cryptography. Suddenly everyone is talking about computer security. There are more companies and products, and more research. And a lot more interest.
But at the same time, the state of security is getting worse. There are more vulnerabilities being found in operating systems, not just Microsoft’s but everyone’s, than ever before. There are more viruses (or worms) being released, and they’re doing more damage. There are nastier denial-of-service tools, and more effective root kits. What research is necessary to reverse this trend? How can we make security work?…