http://www.forbes.com/security/2007/10/03/cerf-internet-hacking-tech-security-cx_ag_1003techcerf.html

By Andy Greenberg
Forbes.com
10.03.07

Vint Cerf, Google's chief Internet evangelist, says the Internet is insecure. And he should know: he helped build the thing.

Cerf, who helped design the first protocols that allowed information to be sent across computer networks in the late 1970s, expressed regret in a speech Tuesday that he hadn't designed the Internet to be a safer, more regulated system.

"We didn't pay a great deal of attention to the security side of the Internet when it was first being designed because we didn't really know if it would work at all," Cerf said in the keynote address at Georgia Tech's annual security summit. "Much of the problems that you all face every day might be caused by that."

One fundamental flaw, he said, is the relative anonymity provided by the Internet's system of IP addresses, which only identify a user's general location, not a specific computer. Cerf said that using only general locations was a compromise designed to help routers get packets of information to the right destination. If he could start over, Cerf added, he would have built a protocol that allowed "multi-homing," giving each user a unique IP address.

Today, Cerf lamented, the Internet does little to authenticate either servers, like those that host Web sites, or users themselves. That loophole lets cybercriminals host "phishing" sites, in which they impersonate legitimate pages and ask for users' bank codes or other sensitive information. It also lends anonymity to hackers using "botnets," herds of personal computers turned into zombies by malicious software. Botnets can send spam and flood Web sites with countless requests for information, a cyber attack also known as distributed denial of service.

"Distributed denial of service attacks are probably the worst threat we face on the Net," said Cerf, who estimated that about 15% of the computers on the Internet, or more than 150 million machines, have been hijacked into botnet armies. "This is really a fundamental vulnerability in the system. The ability to launch large-scale attacks is a very serious problem."

Cerf didn't place all the blame on himself and other Internet pioneers; he also pointed out that current Web browsers leave people vulnerable to hackers who would either hijack their computers or plant malicious bot software. Dynamic-content sites touch PCs' operating systems, he said, and so should force browser builders to install tougher defenses. "We're at very great risk because of the way that browsers work today," he said. "This is an area where some serious research and development would be worthwhile."

Cerf also plugged the contributions of Google (nasdaq: GOOG) to Web security. The search engine's Web-crawling spider now keeps an eye out for viruses and malware as it combs the Web, and shows users a warning page before allowing them to access malicious sites.

Firewalls, Cerf said, were a "necessary but not sufficient" mechanism for security: private networks are too easily infected, he said, especially when employees use USB flash drives, laptops and other mobile devices. He suggested that security professionals instead explore ideas like "hardware-based security," which would allow only privileged users to gain access to certain elements of a server's memory.

But Cerf admitted that much of the Internet's exploitability could have been avoided at its advent. In the early days of his research, Cerf said, he worked on a more secure version of his networking protocol for the National Security Agency, but wasn't able to implement that technology in what would become the public Internet. "Unfortunately, it was all classified," he said.
"I felt kind of schizophrenic about it because I knew we could do a better job of securing the Internet, but I couldn't tell anyone except those who had the proper clearances. So the network grew up without the kind of protection it could have had."
This archive was generated by hypermail 2.1.3 : Wed Oct 03 2007 - 23:38:16 PDT