[ISN] Toward More Cybersecurity in 2002

From: InfoSec News (isnat_private)
Date: Wed Jan 02 2002 - 22:10:53 PST


    By Alex Salkever
    JANUARY 2, 2002

    Here's a list of resolutions that, if put into action, would help make
    the Net a much safer place

    Call 2001 The Year of Living Dangerously. Router attacks brought down
    major Microsoft sites, followed by the Code Red worm over the summer.
    Then came the Nimda worm-virus in the fall.

    A sinister-sounding program called AirSnort allowed roaming
    cybersnoops to hack vulnerable wireless networks using only a Linux
    laptop and some free software. And Visa U.S.A. launched a policy
    mandating merchants that accept online credit cards to take basic
    security steps or lose their charging privileges.

    Perhaps the biggest shock came on September 11, when terrorists
    attacked the World Trade Center and the Pentagon. While Net security
    wasn't at issue, the episode convinced many security-conscious
    businesses that they had better lock down their networks against the
    possibility of cyber-terrorism.

    We've learned a lot. Today, even most cable-modem users understand
    what a firewall is and why it's so important. People are finally
    beginning to grasp that security isn't something that can be bought
    out of a box, rather it's a process requiring a constant state of

    So where do we go from here? Here's my list of four resolutions for
    2002 to make the Internet more secure:

    Gates & Co. Has to Get More Serious about Security

    Yes, Microsoft has made a big effort to shore up security in its
    software. But come on, guys. The most recent vulnerabilities detected
    and announced in the new Windows XP operating system and Microsoft's
    Internet Explorer (IE) Web browser go beyond the pale. The default
    configuration in all XP systems leaves computers exposed to the entire
    Internet. Malicious hackers could simply load a program into a Web
    page that they want to execute on an unsuspecting Web surfer's

    More than 90% of the world's PCs use some version of Windows,
    though a small portion use XP right now. And more than 80% of all PC
    users surf the Web with IE. That's about as close to universal as it
    gets in the computer world.

    Serious holes in these programs could help spread havoc across the
    entire Net. And they'll be harder to clean up since they affect
    hundreds of millions of home users who are less likely to apply
    software patches to their computers.

    The bottom line: Microsoft should be held to a higher standard for
    security in these programs. The Colossus of Redmond has a public duty
    to ensure that these technologies are designed without gaping flaws.
    No, we can't expect IE or XP to be perfect. But let's try to make it a
    little safer out there, please.

    Mandatory Firewalls for All

    Security experts can agree on one thing: Cable-modem and
    digital-subscriber line (DSL) broadband users who aren't using some
    kind of firewall are increasingly putting not only themselves at risk
    but others as well. Having no firewall is akin to leaving your car
    unlocked and hoping that the thief who steals it doesn't crash into a
    crowd of people.

    As Code Red illustrated with its coordinated attack on the White House
    Web site, today's cybercrooks try to coordinate large networks of PCs
    to magnify the assault's effect. Worse still, scanning tools and other
    hacking software have become easier to use, often fronted by a
    graphical interface that truly makes Net mischief point-and-click.

    Installing a firewall isn't foolproof. But it will head off a
    significant portion of attacks on desktop PCs and computer networks.
    Corporate firewalls are now almost mandatory. But on the consumer and
    small-business side, Internet service providers have steadfastly
    refused to force, let alone encourage, broadband customers to install
    a firewall.

    That won't do. Just as cars need a safety inspection to get on the
    road, ISPs should require that their home and small-business customers
    have a firewall up and running before they allow them to surf the Net.
    This would likely require additional customer support and might
    increase service costs, but in the long run, it would create a much
    safer Internet for all.

    Lock Down Routers

    Most garden-variety Netizens have never heard of border gateway
    protocol. It's the lingua franca of the powerful routers from giants
    such as Cisco Systems, Juniper Networks, Lucent Technology, and Nortel
    Networks that ISPs and telecoms use to direct data and voice traffic
    around the globe. When a company sends data from New York to New Delhi
    across the networks of AT&T, France Telecom, and others, all the
    routers speak BGP -- moving traffic easily without misrouting or
    losing it.

    Trouble is, BGP is becoming more hackable. The obscure protocol
    requires router engineers with an arcane specialty that fetches a high
    salary on the market. That's drawing increasing numbers of people to
    learn BGP -- some of whom may not have the best of intentions. Add to
    that software kits that allow those with a strong technical ability to
    hack into routers, and it's high time to lock down these devices.
    While it hasn't happened yet, hacking a big router at a major telecom
    could reduce capacity enough to cause major traffic jams on the Net.

    Executing such a lockdown wouldn't take much. A secure version of BGP
    -- dubbed S-BGP -- already exists that weaves the same types of
    encryption and data-authentication processes now standard in online
    purchases into data handoffs between routers. Not only will routers
    pass along data efficiently but they'll verify that the device talking
    to them is another router and not a malicious hacker using a
    compromised PC connected to a cable modem.

    Getting S-BGP installed throughout the Web would take some
    coordination. It amounts to a new standard, but it comes with a
    trade-off: Encryption would probably make routers clunkier to
    configure and operate. Still, it's time to move because phone and data
    networks are at increasing risk.

    Zip It Up, Uncle Sam

    On Dec. 7, the U.S. Interior Dept. shut down its Internet sites after
    a court-authorized investigator broke into a portion of the network
    and exposed financial data used to administer $500 million annually in
    payments and services to 300,000 American Indians. The shutdown came
    after Indian groups filed a class-action against Interior alleging
    that its network was dangerously insecure.

    While the move may have protected American Indian assets, the shutdown
    created a maze of new risks. The National Earthquake Information
    Center, which falls under Interior's aegis, could no longer use e-mail
    to distribute real-time bulletins in case of natural disaster. Ditto
    for the Defense Dept., which uses U.S. Geological Service (also run by
    Interior) data to watch for nuclear blasts around the world.

    And the USGS maintains a Web-linked network of water-level gauges that
    monitor river flows across the country. The shutdown forced USGS
    personnel to go out and physically monitor gauges in areas with
    imminent flood dangers, including Seattle, Wash.

    In security assessments of networks at 24 federal agencies, a
    congressional panel gave 16 failing grades. That has to change.
    Representative Tom Davis (R-Va.) is pushing some major revisions in a
    reauthorization of the Government Information Security Reform Act,
    which is slated to expire in October, 2002. Davis hopes to make the
    law permanent and add tougher mandatory security standards for
    computers at federal agencies.

    That's a good step. So are some of the efforts the feds are already
    undertaking to get their systems audited. Every federal agency should
    get with the program. They should make sure their systems are
    protected -- and put processes in place to continually monitor and
    patch their systems. Let's hope the New Year sees progress on all

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
