Internet and Security
There is a reason for writing the title as "Internet
and Security". Internet and security have so little to do with each
other. Typically the title should have been "Internet Security".
I have made a very profound statement. Now let's see why I feel
that way.
First, let's look at the history of the Internet.
The Internet was designed to survive even a nuclear attack by Russia.
Remember, it was the peak of the Cold War at that time. So the Department
of Defense (DoD) and the Advanced Research Projects Agency (ARPA) got
together to form what was later known as DARPAnet or ARPAnet. Today's
Internet is the wild outgrowth of that network. There is absolutely
no regulation or order or any sense of control anywhere in the Internet.
If we examine it closely, the most important facet
of the Internet is that it is an open system. What does that mean?
An open system is one that is meant to interoperate
with a plethora of operating systems and platforms. By open system,
we usually mean open connectivity.
The other interesting and most significant accomplishment
of the Internet lies in the rationale behind the design. Due to
the fear of nuclear holocaust, the network was designed so robustly
that even if all links but one are destroyed by Russians, Americans
can still communicate. It is this robustness that stands like a
rock and bears the weight of the load of today's Internet. Imagine
the wide array of things that we do today.
Even in the future, when we will have Bluetooth-enabled
devices, WAP phones and whatever else, the Internet is going to
be the communications backbone for generations to come. So it is
extremely important for us to understand the security issues and
intricacies of the Internet.
Now, after this digression, let's focus on the
topic. Why is the Internet not compatible with security?
The Internet is the most complex machine ever
built by man.
Complexity is the worst enemy of security. It's
not very difficult to see why. We have to ensure that all possibilities
of system interaction are secured properly.
Actually, come to think of it, it is the very
open and friendly nature of the Internet that is responsible for its
popularity today. We must remember that this comes at the expense of
security and regulation. This is not wrong, because it is a tradeoff.
Let's now dive deep into the technicalities
and intricacies of security. The first and foremost principle of
security is that it cannot be brought about as an afterthought.
"I have finished designing and I have deployed. Now let me go and
make it secure." This is the Achilles heel. It will be like using
cello tape to fix glassware. It will never work. Period.
A system must be designed with security in mind.
Security should be built from the ground up. Every possible interaction
between the components and subsystems should be clear and should be made
secure. Once a system has been designed, it should be studied by
experts and attacked to expose the weaknesses. Only after we fix
all the security problems that we discover (more remain to be discovered)
should we deploy. You must be able to appreciate now why it's such
a mountainous task to secure the Internet.
What are the security holes that we have discovered
in the Internet till now?
- Credit card numbers getting stolen over the net
- Distributed Denial of Service attack in which high profile sites like
  Yahoo, Amazon and eBay were brought down
- Hotmail exploits in which anyone could log into anyone's account
- Web pages of top military sites getting defaced
- E-mail vulnerabilities like spam, viruses and junk mail
- Password stealing
- IP spoofing
- DNS spoofing
- Snooping
- Attacks against CGI scripts of web sites
- Bringing down a network by buffer overflows of routers
- TCP sequence number attacks
- Ping of death attack
- Widespread dissemination of tools like Tribe Flood Network and trin00
  with which any deranged teenager can bring down a network
The list goes on and on. I am not going to explain
each one of them. Instead I am going to tell you what to expect
in the future. The Internet is not getting any more secure than
it was. Of course, Darwin's theory of evolution says that everything
will evolve, but as security evolves, we must bear in mind that
the attackers also evolve, getting sophisticated automated tools
with each technical innovation.
But amusingly, since the first virus by Robert
Tappan Morris, the son of a former NSA (the most sophisticated cryptographic
organ in the world) employee, nothing much has changed with viruses.
He capitalized on the buffer overflow in the finger program. Even
today, the plethora of viruses like ILOVEYOU and other exploits
in Microsoft products are all due to buffer overflow problems. Why,
even the RSA cryptographic library had a buffer overflow problem!
To make things difficult for security engineers
and consultants, awareness of security is woefully low in the
industry. There is usually a knee-jerk response to novel attacks,
but most companies try to brush security issues under the carpet
rather than go ahead and fix them. It looks like as long as things work
and they don't go out of business, a little bad publicity is something
that companies can live with.
You must be wondering why I have not mentioned
anything about encryption or successful techniques like Secure Sockets
Layer (SSL) and Public Key Infrastructure (PKI) for securing the Internet.
I agree, they help you sleep peacefully knowing that your data has not
been eavesdropped on or tampered with, but this is only true within
reasonable limits. A determined attacker can still get what he wants if
the value of your transactions is more than the time and money the
attacker is ready to invest. Many think that PKI is a panacea for
conducting commerce over the Internet. It is naïve to think like
that. Firstly, a full-fledged PKI is swamped with technical, financial,
political, practical and governmental issues. Secondly, it is NOT
a panacea. Unless it is implemented properly and maintained properly
by alert security engineers, there is no guarantee of security.
More often than not, the effort spent in implementing PKI is much
more than the benefit you get out of it.
Now, the other attractive alternative is to
use hardware-based authentication tokens and encryption schemes.
This, we think, can give the benefit of "security by what one possesses".
It is thus immune to anonymous attackers getting access to it.
But alas, the security God does not smile at us even now. Not only is a
hardware implementation tough to make secure, a series of
attacks has been discovered against hardware tokens like smart
cards. Since such hardware typically has low CPU, low power and low
memory, and emits electromagnetic radiation, attackers are at an advantage.
A few known attacks against hardware are:
- Timing attacks
- Differential power analysis
- Eavesdropping by EM waves
These attacks can tell the attacker the exact
"key" used for protection of information. So we are back to square
one.
Why didn't I mention cryptography at all?
Crypto will solve a major portion of the problems that confront
the web. That is the only measure that we have today. Strong crypto
springs from strong mathematics and weak computers. But things could
reverse at any time. And a weakness anywhere in the crypto chain, right
from design to implementation, can make crypto useless.
But this is not to paint a gloomy picture of
what is in store for us. There are a lot of promising techniques
and innovations that can make the paranoid get a good night's sleep.
But it pays to know the challenges. So you won't think twice before
paying money to ensure that nobody steals your credit card number
or reads your personal mail!
Girish Venkatachalam is a senior software engineer
at MindTree Consulting.
He can be contacted at girishv@mindtree.com