http://www.gcn.com/online/vol1_no1/44556-1.html By William Jackson Cybereye 06/25/07 Speaking at a telecommunications trade show in Chicago last week, AT&T Chairman and Chief Executive Officer Randall Stephenson said the evolution of communications from fixed voice service to a suite of mobile IP-enabled services represents more than a rebirth of a moribund telecom industry; it is, he said, the next phase of the Internet. Funny thing about this next phase: Its creators appear to be making the same mistake that was made with the first Internet. Everyone is rushing headlong toward new functionality and leaving security as an afterthought. We know where that got us the first time around, and with the Internet becoming more deeply embedded in our lives and in our business, it looks like it is going to get worse before it gets better. The driver for the new Internet appears to be consumer demand for more and better ways to watch video. AT&T is beginning a limited rollout of its Video Share service, which allows cell phone users to stream live video to each other. At the same show, Motorola CEO Ed Zander said his companys newest phone will be capable of storing 16 hours of high definition, 30-frames-per-second video. But it isnt just about video; its about many-to-many collaboration over any kind of link to any kind of device, and wireless connectivity is becoming ubiquitous and embedded in more computing devices. Yet for all the talk of building out new broadband networks and the great new services they will carry, there was no talk at the show of security. There were frequent references to YouTube, the darling of the next phase, but none to security. There were predictions that the Internet would become integral to all aspects of our lives but no discussion of how to do this securely. It is understandable that the Internet originally was developed without much thought to security. The developers were building from scratch, trying to see if they could get it to work. No one knew at the time what its capabilities would be or that it would become a utility in everyday use by businesses and individuals. Who knew we needed to secure it? Now we know. Security companies, systems administrators and legislators are playing a high-stakes game of cat and mouse with hackers and criminals in a desperate effort to close vulnerabilities before they are exploited. As the Internet becomes more mobile and more functional, things are only going to get worse. Mobile spam has the potential to explode as spam-Trojan authors develop mobile malware, Craig Schmugar, a researcher at McAfee Avert Labs, wrote recently. And voice communications are vulnerable to something called SPIT Spam over Internet Telephony he wrote. Spoofed VOIP phishing attacks will likely be more successful than their e-mail counterparts because anti-SPIT technology is far behind that of anti-spam, and many VOIP users will not expect attacks to come from numbers that match those of their banks. Stephenson called the Apple iPhone the embodiment of innovation. Security researchers see it as a new and particularly rich vector for malicious software. It is likely that researchers are going to investigate what its possibilities are, Schmugar said recently. The news is not all bad. IPv6, the next generation of Internet Protocols expected to enable many new mobile technologies, should also enable better security at the network layer. And Microsofts new Windows Vista operating system is a step toward better security, Schmugar said. But he also said that in applications and services, in Web 2.0 there is still a lot of room for improvement. Maybe the network carriers, service providers, equipment manufacturers and application developers really are paying attention to security. Maybe they just dont trumpet it at trade shows because security doesnt sell cell phones any more than seat belts sell cars. But I, for one, would be glad to know that the device I am expected to use for everything from telephone calls to financial transactions and will carry all the details of my life was built with security in mind. _____________________________________________________ Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 30 hands-on training courses and 90 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 70 nations. Visit product displays by 30 top sponsors in a relaxed setting. Rates increase on June 1 so register today. http://www.blackhat.com
This archive was generated by hypermail 2.1.3 : Mon Jun 25 2007 - 22:20:06 PDT