[ISN] Made For Hacking

From: InfoSec News (alerts@private)
Date: Wed Oct 03 2007 - 23:07:04 PDT


http://www.forbes.com/security/2007/10/03/cerf-internet-hacking-tech-security-cx_ag_1003techcerf.html

By Andy Greenberg
Forbes.com
10.03.07

Vint Cerf, Google's chief Internet evangelist, says the Internet is 
insecure. And he should know: he helped build the thing.

Cerf, who helped design the first protocols that allowed information to 
be sent across computer networks in the late 1970s, expressed regret in 
a speech Tuesday that he hadn't designed the Internet to be a safer, 
more regulated system.

"We didn't pay a great deal of attention to the security side of the 
Internet when it was first being designed because we didn't really know 
if it would work at all," Cerf said in the keynote address at Georgia 
Tech's annual security summit. "Much of the problems that you all face 
every day might be caused by that."

One fundamental flaw, he said, is the relative anonymity provided by the 
Internet's system of IP addresses, which only identify a user's general 
location, not a specific computer. Cerf said that using only general 
locations was a compromise designed to help routers get packets of 
information to the right destination. If he could start over, Cerf 
added, he would have built a protocol that allowed "multi-homing," 
giving each user a unique IP address.

Today, Cerf lamented, the Internet does little to authenticate either 
servers, like those that host Web sites, or users themselves. That 
loophole lets cybercriminals host "phishing" sites, in which they 
impersonate legitimate pages and ask for users' bank codes or other 
sensitive information. It also lends anonymity to hackers using 
"botnets," herds of personal computers turned into zombies by malicious 
software. Botnets can send spam and flood Web sites with countless 
requests for information, a cyber attack also known as distributed 
denial of service.

"Distributed denial of service attacks are probably the worst threat we 
face on the Net," said Cerf, who estimated that about 15% of the 
computers on the Internet, or more than 150 million machines, have been 
hijacked into botnet armies. "This is really a fundamental vulnerability 
in the system. The ability to launch large-scale attacks is a very 
serious problem."

Cerf didn't place all the blame on himself and other Internet pioneers; 
he also pointed out that current Web browsers leave people vulnerable to 
hackers who would either hijack their computers or plant malicious bot 
software. Dynamic content sites touch PCs' operating systems, and so 
should force browser builders to install tougher defenses. "We're at 
very great risk because of the way that browsers work today," he said. 
"This is an area where some serious research and development would be 
worthwhile."

Cerf also plugged the contributions of Google to Web security. The 
search engine's Web-crawling spider now 
keeps an eye out for viruses and malware as it combs the Web, and shows 
users a warning page before allowing them to access malicious sites.

Firewalls, Cerf said, were a "necessary but not sufficient" mechanism 
for security; private networks are too easily infected, he said, 
especially when employees use USB flash drives, laptops and other mobile 
devices. He suggested that security professionals instead explore ideas 
like "hardware-based security," which would allow only privileged users 
to gain access to certain elements of a server's memory.

But Cerf admitted that much of the Internet's exploitability could have 
been avoided at its advent. In the early days of his research, Cerf 
said, he worked on a more secure version of his networking protocol for 
the National Security Agency, but wasn't able to implement that 
technology in what would become the public Internet.

"Unfortunately, it was all classified," he said. "I felt kind of 
schizophrenic about it because I knew we could do a better job of 
securing the Internet, but I couldn't tell anyone except those who had 
the proper clearances. So the network grew up without the kind of 
protection it could have had."

