http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/02/05/BUGV1NT3UV1.DTL

By Dan Fost
Chronicle Staff Writer
February 5, 2007

As computers become more ubiquitous, so do the threats posed to computer users. But as the pernicious nature of the threats grows, so does the industry that has arisen to combat them.

That industry will gather this week at Moscone Center in San Francisco for the RSA Conference, a chance to hear what the latest threats are -- and to see the latest tools to fight them.

What started 15 years ago as a gathering of 50 cryptographers at the Sofitel hotel in Redwood City has grown into a major convention, with more than 15,000 people expected and 340 companies taking booths in the exhibit halls. While cryptographers still occupy center stage -- including two from the team that discovered the RSA algorithm that led to the conference's name years ago -- they share it with such luminaries as Microsoft Corp. co-founder Bill Gates, Oracle Corp. CEO Larry Ellison and former U.S. Secretary of State Colin Powell.

Without the tools displayed at RSA, all of online commerce, and much of the behind-the-scenes work of banking, would be at risk of malicious attacks.

"Hackers have a new motivation. They are financially motivated," said Rowan Trollope, vice president of consumer products at Symantec Corp. of Cupertino, one of the leading consumer security software companies, along with McAfee Inc. of Santa Clara and Microsoft. "They are professional software developers backed by organized crime. When you have that kind of operation, they are motivated to find vulnerabilities. These are not college kids with time on their hands. These are paid professionals."

That's because more money is now changing hands via computers.

"It's like Willie Sutton, who said he robbed banks because that's where the money is," said Phil Dunkelberger, president and CEO of PGP Corp. of Palo Alto, an encryption and data security company. "More and more criminals are coming online because that's where the money is. Phishing scams are a lot more sophisticated."

Industry experts have identified several problems and trends that will be hot topics at the conference:

-- Rising complacency. "We have a crisis going on, but it's a silent crisis," said Trollope at Symantec. "Over the last couple of years, we've seen a decline in the number of visible worms and viruses that splash across the headlines of CNN. But the hackers didn't go away, they shifted their attention to a different approach. ... User attention on the need for security has waned. If you don't hear about these things every day, you think, maybe I don't need to get antivirus software or enforce my network code to secure my PC."

-- New Internet environment. More computing lives in what techies call "the cloud." Think of an e-mail account through Google, Yahoo or Hotmail that resides on a Web site somewhere, not on a desktop computer. Or software that's delivered "on-demand," or as a service, over the Internet. The convenience of such services has a major trade-off -- it could expose data to risk. "Can you imagine if someone broke into your Web mail account?" asked Marc Gaffan, director of marketing for the consumer solutions group of RSA, the company that owns the conference. "They'd to some extent be able to recreate my identity." On the other hand, Gaffan is not willing to trade the convenience for the risk, and he rationalizes, "Those companies likely have better security than my laptop."

-- Proliferation of mobile devices. With many more laptops, cell phones, game machines and handheld devices connecting to the Internet, each holding troves of personal information and subject to loss or theft, the potential holes have multiplied exponentially. Ordinarily you would protect data by setting up firewalls in the network that protects your PC. That becomes a problem, though, when you are dealing with mobile devices. "The industry has been trying to harden the perimeter with wireless networks, but with smart phones, you really don't have a perimeter any more," said Dunkelberger at PGP. "We say you have to defend the data -- encrypt the data, secure the data, make sure all business records are not exposed to criminals."

-- New types of threats that need new types of responses. It used to be that once a vulnerability was found in a software program, it would be a race over weeks to see if it could be plugged before a hacker broke through. But now the industry is seeing "zero hour" attacks, which exploit vulnerabilities almost immediately after they're discovered and well before the holes can be plugged. Also worrisome, according to Trollope at Symantec, are "bespoke" threats that target small, specific groups of people. To counter these threats, the industry is adopting what it calls a "heuristics" approach that Trollope said can "find threats without having seen them. A scoring algorithm will tell us if a program is good or bad even if we haven't seen it before."

-- Challenge of passwords. As so many Web sites require passwords, it becomes impossible to remember them all. So people make their passwords all the same, or they write them in a file or on a post-it note on their computer -- none of which is secure. Sites are now coming up with new ways to tell if a person is who they say they are, and the solution sometimes requires unique passwords for each situation. The challenge for the industry, Gaffan said, is to strike a balance between security and usability. "The key thing is to keep the user experience simple and easy most of the time," he said.

-- Microsoft's role. As always, the software giant stands astride the industry. With its Vista operating system at long last on sale, Microsoft is touting how much more secure computing can be. The company is also getting into turf dominated by Symantec and McAfee.

-- Needs of the 'physical security' industry. The physical security industry -- described as "guards, guns, gates, surveillance, locks, doors and access control systems" by Steve Hunt, founder of 4A International, a Chicago research firm for that industry -- is a $120-billion-a-year business that Hunt says "needs to embrace computers, software and networking in smarter and better ways. "It's a very primitive and old-fashioned traditional industry," Hunt said. As companies discover technology, they will want to add things like digital video recorders to their lobbies, making them networked, secure and accessible from remote locations. That will add up to big bucks for tech companies.

-- Compliance. Congress, the states and other countries have passed laws requiring companies to be much more careful when handling sensitive data, and companies are looking to software to help manage compliance with the morass of new rules. Companies will need to know, "What are the standards that all these things are setting?" said Sandra Toms LaPedis, area vice president and general manager of RSA Conferences. "Where are the things that if I'm compliant in France I might not be in the U.S., or vice versa?"

-- Authentication. How do you know someone is who they claim to be? Banks have required ATM cards for years, which LaPedis said is something physical that also requires some knowledge -- a password. Similar systems are in the works for computers. "It could be your thumbprint, an iris scan or any variation off of that," she said.

In spite of all the threats, risks, challenges and bad guys out there, the industry manages to retain a classic optimism that it is solving problems and making life better. RSA, which always has a historical and often unusual theme, is celebrating this year the Renaissance, specifically 15th century Renaissance man Leon Battista Alberti, whom RSA's Web site calls "the father of Western cryptology."

"We are living through a renaissance," LaPedis said. "It's that spirit of innovation that we are truly celebrating."

RSA Conference highlights
-=-
When: Monday through Friday
Where: Moscone Center in San Francisco
Who: 15,000 people and 340 companies from the computer security industry
Key speeches: Microsoft co-founder Bill Gates, 8 a.m. Tuesday; Oracle CEO Larry Ellison, 2:45 p.m. Wednesday; former U.S. Secretary of State Colin Powell, 1:50 p.m. Friday.

______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss
This archive was generated by hypermail 2.1.3 : Mon Feb 05 2007 - 23:27:13 PST