|
|
|
Published: June 15, 1997
Companies like Netscape and Microsoft are learning firsthand just how hard computer security is to get right. And for the first time, the public and the stock market are telling these companies that computer security matters. This new attention should ultimately result in computer systems that are not just safe to use on the Internet, but better equipped to handle the 21st-century information society now under construction. Netscape and other companies promoting Internet-based commerce have said the main security requirement is a snoop-proof link between the consumer, using a Web browser, and a business with a Web server that processes the transaction. This secure link uses a a mathematical process called encryption, which scrambles information so that it's unreadable even if intercepted. But there is a lot more to protecting consumers than simply sending encrypted data from point A to point B. Encryption is like an armored car, securely taking cash from one place to another. Web-commerce encryption doesn't protect the endpoints themselves -- the computers used by the merchant and the consumer. For example, instead of stealing a credit-card number as it travels across the Internet, an attacker could leave a program running on the consumer's computer that scans the keyboard and captures the consumer's credit-card number as it is typed. The attacking program would then transmit the captured credit-card number over the Internet to the attacker -- even encrypting the number to avoid detection. Such a program was demonstrated in January 1996. Alternatively, an attacker could go after the thousands of credit-card numbers on the merchant's computer. That's probably what happened last month, when the FBI arrested a computer criminal for selling a list of 100,000 credit-card numbers that had been stolen from an Internet service provider. The fundamental building blocks of the Internet were not designed with this kind of security in mind. The Internet's TCP/IP communications protocol was created in the 1970s and early 1980s for research networks; it wasn't designed to withstand sustained attacks from hostile insiders who had access to the larger Internet. Likewise, the programs that run on most of today's personal computers were written primarily in the C and C++ programming languages. These languages were designed to let programmers rapidly create exciting new programs, not necessarily programs that were reliable and secure. Today, many of the computers on the Internet run Microsoft's Windows 95 operating system. Windows 95 was designed to be relatively easy-to-use and to run existing programs. It was not designed as a stable computing platform that could withstand a sustained attack from a skillful adversary. The majority of computer security problems are simply programming bugs that somebody has figured out how to exploit. What's different today is that the increasingly ubiquitous Internet creates a two-way channel between the attacker and the person being attacked. Instead of merely making your computer crash, an attacker might take over your computer and steal confidential information, or scramble your data and demand a reward. Microsoft, Sun and Netscape are exploring a security-enhancing technique called digital signatures. Software publishers would sign their programs with these signatures. Then, if a program misbehaved, the consumer would know whom to blame. But digital signatures won't solve one of the most insidious problems on the Internet today. Called the ``data-driven attack,'' this technique causes an otherwise innocent program to misbehave by giving it information it doesn't expect. For example, you can often cause a program to crash by trying to open a file that has been corrupted, that is, where contents have been damaged. A data-driven attack, created by a clever programmer, might cause the program to erase your hard drive's contents or mail a credit-card statement to a third party in Argentina. Nearly all of the attacks against Netscape Navigator and Microsoft Internet Explorer, as well as the attacks against Java and Shockwave, have been data-driven attacks. Having Web browsers or other programs digitally signed won't prevent them from happening. To be protected against data-driven attacks, the computer's operating system must limit the actions that programs like Web browsers and word processors can perform. For example, there is no reason for your Web browser to erase your computer's hard disk; your computer's operating system should prevent it from taking such a drastic action. Likewise, there is no reason for your browser to give a third party any access to confidential banking information stored inside your electronic checkbook. A secure system would use multiple layers of safety, including a carefully written browser, restrictive operating system and on-disk encryption to protect the data itself. This is the sort of security we'll need if consumers and businesses want to place confidential financial and medical records on the same global Internet that will be shared by organized crime bosses and terrorists. Consumers are beginning to realize that even their home banking software must be protected against the world's most sophisticated attackers, or else they may be caught up in some scam and lose their money. Unfortunately, security costs money -- money consumers have been unwilling to spend. Neither the Windows 95 operating system nor Apple's Macintosh operating system offer this level of security. Interestingly, both Windows NT and Apple's upcoming ``Rhapsody'' operating system do, although few programs running on these operating systems take advantage of their improved security features. That's why we should all rejoice each time a new security flaw in Netscape Navigator, Internet Explorer, or the Java programming language is found. The constant attention is a high-powered spotlight, forcing companies to devote real resources to computer security -- resources that could just as easily go into marketing budgets or executive compensation. To turn up the wattage a little higher, software vendors should be legally liable for losses that result from bugs.
Creating secure software is difficult. But it is possible, and it is absolutely necessary.
|
|
|
    |
|
|
|||
