Information Security News mailing list archives

Toward More Cybersecurity in 2002


From: InfoSec News <isn () c4i org>
Date: Thu, 3 Jan 2002 00:10:53 -0600 (CST)

http://www.businessweek.com/bwdaily/dnflash/jan2002/nf2002012_6029.htm

By Alex Salkever 
JANUARY 2, 2002 

Here's a list of resolutions that, if put into action, would help make
the Net a much safer place

Call 2001 The Year of Living Dangerously. Router attacks brought down
major Microsoft sites, followed by the Code Red worm over the summer.  
Then came the Nimda worm-virus in the fall.

A sinister-sounding program called AirSnort allowed roaming
cybersnoops to hack vulnerable wireless networks using only a Linux
laptop and some free software. And Visa U.S.A. launched a policy
mandating merchants that accept online credit cards to take basic
security steps or lose their charging privileges.

Perhaps the biggest shock came on September 11, when terrorists
attacked the World Trade Center and the Pentagon. While Net security
wasn't at issue, the episode convinced many security-conscious
businesses that they had better lock down their networks against the
possibility of cyber-terrorism.

We've learned a lot. Today, even most cable-modem users understand
what a firewall is and why it's so important. People are finally
beginning to grasp that security isn't something that can be bought
out of a box; rather, it's a process requiring a constant state of
vigilance.

So where do we go from here? Here's my list of four resolutions for
2002 to make the Internet more secure:

Gates & Co. Has to Get More Serious about Security

Yes, Microsoft has made a big effort to shore up security in its
software. But come on, guys. The most recent vulnerabilities detected
and announced in the new Windows XP operating system and Microsoft's
Internet Explorer (IE) Web browser go beyond the pale. The default
configuration in all XP systems leaves computers exposed to the entire
Internet. Malicious hackers could simply load a program into a Web
page that they want to execute on an unsuspecting Web surfer's
computer.

More than 90% of the world's PCs use some version of Windows,
though a small portion use XP right now. And more than 80% of all PC
users surf the Web with IE. That's about as close to universal as it
gets in the computer world.

Serious holes in these programs could help spread havoc across the
entire Net. And they'll be harder to clean up since they affect
hundreds of millions of home users who are less likely to apply
software patches to their computers.

The bottom line: Microsoft should be held to a higher standard for
security in these programs. The Colossus of Redmond has a public duty
to ensure that these technologies are designed without gaping flaws.  
No, we can't expect IE or XP to be perfect. But let's try to make it a
little safer out there, please.

Mandatory Firewalls for All

Security experts can agree on one thing: Cable-modem and
digital-subscriber line (DSL) broadband users who aren't using some
kind of firewall are increasingly putting not only themselves at risk
but others as well. Having no firewall is akin to leaving your car
unlocked and hoping that the thief who steals it doesn't crash into a
crowd of people.

As Code Red illustrated with its coordinated attack on the White House
Web site, today's cybercrooks try to coordinate large networks of PCs
to magnify the assault's effect. Worse still, scanning tools and other
hacking software have become easier to use, often fronted by a
graphical interface that truly makes Net mischief point-and-click.

Installing a firewall isn't foolproof. But it will head off a
significant portion of attacks on desktop PCs and computer networks.  
Corporate firewalls are now almost mandatory. But on the consumer and
small-business side, Internet service providers have steadfastly
refused to force, let alone encourage, broadband customers to install
a firewall.

That won't do. Just as cars need a safety inspection to get on the
road, ISPs should require that their home and small-business customers
have a firewall up and running before they allow them to surf the Net.  
This would likely require additional customer support and might
increase service costs, but in the long run, it would create a much
safer Internet for all.

Lock Down Routers

Most garden-variety Netizens have never heard of border gateway
protocol. It's the lingua franca of the powerful routers from giants
such as Cisco Systems, Juniper Networks, Lucent Technology, and Nortel
Networks that ISPs and telecoms use to direct data and voice traffic
around the globe. When a company sends data from New York to New Delhi
across the networks of AT&T, France Telecom, and others, all the
routers speak BGP -- moving traffic easily without misrouting or
losing it.

Trouble is, BGP is becoming more hackable. The obscure protocol
requires router engineers with an arcane specialty that fetches a high
salary on the market. That's drawing increasing numbers of people to
learn BGP -- some of whom may not have the best of intentions. Add to
that software kits that allow those with a strong technical ability to
hack into routers, and it's high time to lock down these devices.  
While it hasn't happened yet, hacking a big router at a major telecom
could reduce capacity enough to cause major traffic jams on the Net.

Executing such a lockdown wouldn't take much. A secure version of BGP
-- dubbed S-BGP -- already exists that weaves the same types of
encryption and data-authentication processes now standard in online
purchases into data handoffs between routers. Not only will routers
pass along data efficiently but they'll verify that the device talking
to them is another router and not a malicious hacker using a
compromised PC connected to a cable modem.

Getting S-BGP installed throughout the Web would take some
coordination. It amounts to a new standard, but it comes with a
trade-off: Encryption would probably make routers clunkier to
configure and operate. Still, it's time to move because phone and data
networks are at increasing risk.

Zip It Up, Uncle Sam

On Dec. 7, the U.S. Interior Dept. shut down its Internet sites after
a court-authorized investigator broke into a portion of the network
and exposed financial data used to administer $500 million annually in
payments and services to 300,000 American Indians. The shutdown came
after Indian groups filed a class-action against Interior alleging
that its network was dangerously insecure.

While the move may have protected American Indian assets, the shutdown
created a maze of new risks. The National Earthquake Information
Center, which falls under Interior's aegis, could no longer use e-mail
to distribute real-time bulletins in case of natural disaster. Ditto
for the Defense Dept., which uses U.S. Geological Service (also run by
Interior) data to watch for nuclear blasts around the world.

And the USGS maintains a Web-linked network of water-level gauges that
monitor river flows across the country. The shutdown forced USGS
personnel to go out and physically monitor gauges in areas with
imminent flood dangers, including Seattle, Wash.

In security assessments of networks at 24 federal agencies, a
congressional panel gave 16 failing grades. That has to change.  
Representative Tom Davis (R-Va.) is pushing some major revisions in a
reauthorization of the Government Information Security Reform Act,
which is slated to expire in October, 2002. Davis hopes to make the
law permanent and add tougher mandatory security standards for
computers at federal agencies.

That's a good step. So are some of the efforts the feds are already
undertaking to get their systems audited. Every federal agency should
get with the program. They should make sure their systems are
protected -- and put processes in place to continually monitor and
patch their systems. Let's hope the New Year sees progress on all
fronts.



-
ISN is currently hosted by Attrition.org
