[ISN] Home isn't where security is

From: InfoSec News (isnat_private)
Date: Tue Oct 29 2002 - 22:56:49 PST


    By Robert Lemos
    October 29, 2002, 4:00 AM PT

    In 1944, the U.S. government kicked off the Smokey Bear campaign to
    teach citizens how carelessness with smoldering matches could set off
    raging forest fires.

    Now the government is making another call to arms--this time to defend
    cyberspace from intruders. The most recent draft of the Bush
    administration's "National Strategy to Secure Cyberspace" plan calls
    for users of the Internet to secure their own part of the worldwide

    Like the Smokey Bear campaign, this call to arms focuses on ordinary
    people doing their part to put out the small fires before they can
    turn into something big. It's an argument that resonates with computer
    industry executives like Symantec CEO John Thompson, who argues that a
    Smokey-like campaign could indeed help raise the awareness of citizens
    and convince them to use firewalls and antivirus products to protect
    their systems--product lines coincidentally supplied by Symantec.

    But while such a campaign would obviously do wonders for Symantec's
    quarterly profit statement, relying on home computer users for
    national security just won't work. The simple reason is that home
    users are (at best) unreliable.

    Some still call tech support wondering why they can't connect to the
    Internet because they didn't know to plug the computer into the wall.
    Others continue to blithely click on e-mail attachments, oblivious to
    the torrents of media coverage about how this often leads to the
    spread of computer viruses. One home user fell victim to an e-mail
    scam, sending $2.1 million of her company's money to an account in the
    Cayman Islands. (The FBI arrested her for embezzling funds.)

    The experts are guilty of wrongheaded thinking in relying upon home
    users to shore up the nation's security. Frankly, that's somebody
    else's job. Home users are responsible for protecting their own
    important data. But it's a dangerous illusion to believe they will
    take better precautions after authorities ask them to upgrade their

    Two months ago, several security companies came under attack from
    hackers armed with denial-of-service attack tools. Hundreds of
    computers--most of them home PCs with broadband hookups--were ordered
    to flood the companies' connections to the Internet with data. During
    this kind of deluge, even professional security firms have trouble
    keeping their connections unclogged.

    "It is getting worse," said a consultant at one of the affected
    companies who asked not to be identified. "It is absolutely getting

    There's a lesson to be learned. The National Strategy plan makes no
    bones about suggesting that each company secure its employees. It
    should also require each Internet service provider to protect
    cyberspace from home users.

    There are simple technologies for doing this. Source egress
    filtering--a technique for preventing users from sending data with a
    false source address, useful in denial-of-service attacks--should be
    the norm. Companies filter e-mail messages for any viruses and
    disallow several types of executable attachments; ISPs (Internet
    service providers) should do the same.
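As an added illustration (not from the column or from any vendor's product), here is the decision logic behind the source egress filtering described above, in Python: the ISP edge knows which prefix it assigned to a subscriber line, so any outbound packet carrying a different source address is spoofed and is dropped rather than forwarded. The prefixes and packets are constructed sample values.

```python
# Added example: a minimal source-address egress filter (the BCP 38 idea
# referred to in the column), evaluated against constructed sample traffic.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str   # source address as written in the IP header
    dst: str   # destination address


def build_egress_filter(assigned_prefixes):
    """Return permit(pkt) -> (bool, reason) for one customer-facing link.

    assigned_prefixes: the prefixes the ISP delegated to this subscriber
    (constructed values here). Anything else as a source is spoofed.
    """
    nets = [ip_network(p) for p in assigned_prefixes]

    def permit(pkt):
        try:
            src = ip_address(pkt.src)
        except ValueError:
            return False, "malformed source address"
        # ipaddress returns False for a v4/v6 family mismatch, so a v6
        # source on a v4-only link is rejected without special-casing.
        if any(src in n for n in nets):
            return True, "source inside assigned prefix"
        return False, "spoofed source: %s not in %s" % (pkt.src, assigned_prefixes)

    return permit


def apply_egress_filter(assigned_prefixes, packets):
    """Split packets into forwarded and dropped; dropped carries a reason."""
    permit = build_egress_filter(assigned_prefixes)
    forwarded, dropped = [], []
    for pkt in packets:
        ok, reason = permit(pkt)
        (forwarded.append(pkt) if ok else dropped.append((pkt, reason)))
    return forwarded, dropped


# Constructed sample traffic leaving a subscriber assigned 203.0.113.0/24
# (documentation ranges only; nothing here is a real network).
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "198.51.100.10"),     # legitimate
    Packet("203.0.113.200", "198.51.100.10"),   # legitimate
    Packet("198.51.100.10", "192.0.2.5"),       # forged as someone else's address
    Packet("10.0.0.1", "192.0.2.5"),            # private address leaking out
    Packet("not-an-ip", "192.0.2.5"),           # malformed header value
]

if __name__ == "__main__":
    fwd, drop = apply_egress_filter(["203.0.113.0/24"], SAMPLE_PACKETS)
    for pkt, reason in drop:
        print("DROP %s -> %s (%s)" % (pkt.src, pkt.dst, reason))
```

Note the limit of the technique: it stops a home PC from forging its source address, but a flood sent from the subscriber's genuine address (the kind of traffic the column describes) passes, so rate limiting and abuse handling are still needed.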
    Dorothy Denning, a computer science professor at Georgetown University
    and security expert, says the most likely outcome will be for home
    users to find themselves picking up the tab. "Once you start
    formalizing where we are going to put liability, the questions start
    coming up (about) who's going to pay for it," she says. "And, almost
    anywhere you put it, the costs are going to end up coming back to the

    Another unfair tax arrangement? Maybe. But would you feel better
    relying on folks who still think e-mails from deposed Nigerian princes
    are the real deal? I wouldn't.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Oct 30 2002 - 01:21:09 PST