Toward More Cybersecurity in 2002
By Alex Salkever
Call 2001 The Year of Living Dangerously. Router attacks brought down major Microsoft sites, followed by the Code Red worm over the summer. Then came the Nimda worm-virus in the fall.
A sinister-sounding program called AirSnort allowed roaming cybersnoops to hack vulnerable wireless networks using only a Linux laptop and some free software. And Visa U.S.A. launched a policy mandating merchants that accept online credit cards to take basic security steps or lose their charging privileges.
Perhaps the biggest shock came on September 11, when terrorists attacked the World Trade Center and the Pentagon. While Net security wasn't at issue, the episode convinced many security-conscious businesses that they had better lock down their networks against the possibility of cyber-terrorism.
We've learned a lot. Today, even most cable-modem users understand what a firewall is and why it's so important. People are finally beginning to grasp that security isn't something that can be bought out of a box, rather it's a process requiring a constant state of vigilance.
So where do we go from here? Here's my list of four resolutions for 2002 to make the Internet more secure:
Gates & Co. Has to Get More Serious about Security
Yes, Microsoft has made a big effort to shore up security in its software. But come on, guys. The most recent vulnerabilities detected and announced in the new Windows XP operating system and Microsoft's Internet Explorer (IE) Web browser go beyond the pale. The default configuration in all XP systems leaves computers exposed to the entire Internet. Malicious hackers could simply load a program into a Web page that they want to execute on an unsuspecting Web surfer's computer.
More than 90% of the world's PCs use some version of the Windows, though a small portion use XP right now. And more than 80% of all PC users surf the Web with IE. That's about as close to universal as it gets in the computer world.
Serious holes in these programs could help spread havoc across the entire Net. And they'll be harder to clean up since they affect hundreds of millions of home users who are less likely to apply software patches to their computers.
The bottom line: Microsoft should be held to a higher standard for security in these programs. The Colossus of Redmond has a public duty to ensure that these technologies are designed without gaping flaws. No, we can't expect IE or XP to be perfect. But let's try to make it a little safer out there, please.
Mandatory Firewalls for All
Security experts can agree on one thing: Cable-modem and digital-subscriber line (DSL) broadband users who aren't using some kind of firewall are increasingly putting not only themselves at risk but others as well. Having no firewall is akin to leaving your car unlocked and hoping that the thief who steals it doesn't crash into a crowd of people.
As Code Red illustrated with its coordinated attack on the White House Web site, today's cybercrooks try to coordinate large networks of PCs to magnify the assault's effect. Worse still, scanning tools and other hacking software have become easier to use, often fronted by a graphical interface that truly makes Net mischief point-and-click.
Installing a firewall isn't foolproof. But it will head off a significant portion of attacks on desktop PCs and computer networks. Corporate firewalls are now almost mandatory. But on the consumer and small-business side, Internet service providers have steadfastly refused to force, let alone encourage, broadband customers to install a firewall.
That won't do. Just as cars need a safety inspection to get on the road, ISPs should require that their home and small-business customers have a firewall up and running before they allow them to surf the Net. This would likely require additional customer support and might increase service costs, but in the long run, it would create a much safer Internet for all.
Lock Down Routers
Most garden-variety Netizens have never heard of border gateway protocol. It's the lingua franca of the powerful routers from giants such as Cisco Systems, Juniper Networks, Lucent Technology, and Nortel Networks that ISPs and telecoms use to direct data and voice traffic around the globe. When a company sends data from New York to New Dehli across the networks of AT&T, France Telecom, and others, all the routers speak BGP -- moving traffic easily without misrouting or losing it.
Trouble is, BGP is becoming more hackable. The obscure protocol requires router engineers with an arcane specialty that fetches a high salary on the market. That's drawing increasing numbers of people to learn BGP -- some of whom may not have the best of intentions. Add to that software kits that allow those with a strong technical ability to hack into routers, and it's high time to lock down these devices. While it hasn't happened yet, hacking a big router at a major telecom could reduce capacity enough to cause major traffic jams on the Net.
Executing such a lockdown wouldn't take much. A secure version of BGP -- dubbed S-BGP -- already exists that weaves the same types of encryption and data-authentication processes now standard in online purchases into data handoffs between routers. Not only will routers pass along data efficiently but they'll verify that the device talking to them is another router and not a malicious hacker using a compromised PC connected to a cable modem.
Getting S-BGP installed throughout the Web would take some coordination. It amounts to a new standard, but it comes with a trade-off: Encryption would probably make routers clunkier to configure and operate. Still, it's time to move because phone and data networks are at increasing risk.
Zip It Up, Uncle Sam
On Dec. 7, the U.S. Interior Dept. shut down its Internet sites after a court-authorized investigator broke into a portion of the network and exposed finanical data used to administer $500 million annually in payments and services to 300,000 American Indians. The shutdown came after Indian groups filed a class-action against Interior alleging that its network was dangerously insecure.
While the move may have protected American Indian assets, the shutdown created a maze of new risks. The National Earthquake Information Center, which falls under Interior's aegis, could no longer use e-mail to distribute real-time bulletins in case of natural disaster. Ditto for the Defense Dept., which uses U.S. Geological Service (also run by Interior) data to watch for nuclear blasts around the world.
And the USGS maintains a Web-linked network of water-level gauges that monitor river flows across the country. The shutdown forced USGS personnel to go out and physically monitor gauges in areas with imminent flood dangers, including Seattle, Wash.
In security assessments of networks at 24 federal agencies, a congressional panel gave 16 failing grades. That has to change. Representative Tom Davis (R-Va.) is pushing some major revisions in a reauthorization of the Government Information Security Reform Act, which is slated to expire in October, 2002. Davis hopes to make the law permanent and add tougher mandatory security standards for computers at federal agencies.
That's a good step. So are some of the efforts the feds are already undertaking to get their systems audited. Every federal agency should get with the program. They should make sure their systems are protected -- and put processes in place to continually monitor and patch their systems. Let's hope the New Year sees progress on all fronts.
Salkever covers computer security issues twice a month in his Security Net column, only on BusinessWeek Online
Edited by Alex Salkever