[ISN] Hackers to concentrate on moving targets

From: InfoSec News (alerts@private)
Date: Tue May 20 2008 - 01:30:51 PDT


By David Neal
IT Week
19 May 2008

In a long and illustrious career in both the public and private sectors, 
Howard Schmidt has earned a reputation for being one of the world’s 
foremost authorities on computer security.

Schmidt first made a name for himself as an expert in computer crime 
while working for the FBI. As head of the Bureau’s Computer Exploitation 
Team, he gained recognition as a pioneer in computer forensics and 
computer evidence collection. Next he headed up the US Air Force’s 
Computer Forensic Lab and Computer Crime and Information Warfare 

His involvement with national security continued with his appointment in 
December 2001 as the vice chair of the President’s Critical 
Infrastructure Protection Board and as the Special Adviser for 
Cyberspace Security for the White House.

Schmidt has also worked in the private sector. He served as chief 
information security officer at online auction giant eBay, and as chief 
security officer for Microsoft, where his duties included forming and 
directing the Trustworthy Computing Security Strategies Group.

Today, Schmidt divides his time between his role as chief executive of 
R&H Security Consulting, delivering keynotes and writing. One of his 
main messages is that the IT industry has to take more responsibility 
for security. “We have a huge dependency on applications these days, and 
our expectation is that the suppliers will do more to secure them,” he 
said. “Or, you can look at the infrastructure that we use, and ask, ‘Why 
don’t the ISPs just block infections, or bad networks?’.”

But while vendors and service providers have a responsibility to provide 
security, this does not get users off the hook. “As consumers we have to 
do things to be better protected. We have to follow through on the work 
being done by the vendors, and the applications,” he said.

Schmidt said he has been impressed by the steps the industry has taken 
to combat online threats. “Look at phishing, for example. I have 
multiple email accounts, but phishing mails only ever end up in my spam 
folder, not my inbox. Should one get through and I click on the link, I 
am presented by a warning, and then, should I ignore that, it is likely 
that my browser will block my access anyway,” he said.

But the threat landscape is constantly changing, Schmidt warned, with 
mobile applications likely to be the next prime target for hackers. “I 
don’t carry a laptop around much anymore, but I do carry two mobile 
devices. Companies are releasing SDKs for developers to use so there are 
lots of mobile applications out there, but this also means that there 
are lots of applications for the bad guys to exploit. I don’t know if 
the industry has put much focus on protecting them,” Schmidt said.

Another problem he has with mobile devices relates to the increasing 
amount of storage they offer. As business users have come to rely on 
these devices more and more, so the amount of potentially sensitive data 
stored on them has increased. “What do you do about encrypting that?” he 
asked. “Very few manufacturers make software protection for mobiles.”

Schmidt believes organisations are far too reliant on patching to secure 
their systems ­ a situation that he feels simply cannot be allowed to 
continue for much longer. “Patching is frustrating, but as we get better 
at secure coding the need to do this will become less. But now, we have 
to work in a much more reactive way, applying fixes as and when they are 
released. Often it can cost more to run a software solution than it does 
to buy it. We need to be looking forward. Looking for ways to prevent 
things from happening in the first place, not after they become an 
issue,” he said.

Asked whether new regulations such as a breach notification law would 
help to improve standards of system security, Schmidt agreed ­ up to a 
point. “Breach notifications would be of benefit, but the requirement 
must be consistent. In the US, individual states make their own [rules] 
and there is a lot of complexity, which makes things difficult to 
manage,” he said.

But for Schmidt, the one sure-fire way tominimise online threats is the 
adoption of two-factor authentication ­ a form of logging on that 
requires both a password and some form of physical token.

“I said two years ago that passwords and logins should have been 
declared dead already. People use the same password with their bank and 
their email accounts, despite the fact that these may not be as secure 
as each other. [If bad guys get hold of a password] they will try them 
against all of your accounts,” he said. “If we move away from the 
log-in/password method a lot of the low-hanging attacks would be 

Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Tue May 20 2008 - 01:38:10 PDT