Computing tax: get used to it
It`s 1994, St Petersburg, the offices of software development company AO Saturn. A24-year-old programmer, Vladimir Levin, allegedly masterminds a virtual bank job, netting a cool $10 million from Citibank. (Hacking underground lore still claims that another Russian hacker, known only as Megazoid, performed the hack, armed with a $10 computer, modem and vodka.)The bank eventually reports the infringement to the police, and Levin is arrested a year later at Heathrow. Citibank recovers most of its money, but the cost to the bank`s reputation is incalculable. Other banks learn this hard lesson, and reporting cyber crime becomes taboo – unless conviction is guaranteed.Although most would rather sweep the issue under the rug, we know security infringements cost even more today than they did in 1994. According to the FBI`s latest Computer Security Institute survey, the loss of proprietary information cost respondents more than $70 million in total in the past year. Coming in second for costly security headaches were the so-called “denial of service” (DDOS) attacks, at $65.6 million for the year – down ten-fold from 2002. Between the 233 survey respondents that could put a monetary value on their losses, a good half-billion dollars was reported lost.Where are the hackers?But the most worrying stat is that only 33 percent of respondents reported incidents to authorities. According to the findings, 53 percent that answered a question as to why they didn`t report incidents claimed they didn`t know they could. So while, on the one hand, lack of security is a costly risk for a business or government agency, on the other, knowledge about security is low – even in the US.So how does South Africa match up to the US? Not too well, according to former hacker Kriek “Kokey” Jooste. Says he: “[The level of IT security in corporate South Africa is] poor. I think it reflects the level of IT skill available. England is slightly better since economic conditions allow English companies to spend more on security than South African companies can. England itself is still behind a lot of other countries, including the US, Germany and Finland.”Total onslaughtSecurity expert (and hacker in the original MIT sense of the word) Andrew G Thomas of Hobbs & Associates recently scanned the co.za domain space to test South Africa`s commercial web site security.“In excess of ten percent of the 11 000 active name servers running at that time were vulnerable to various attacks,” says Thomas. One well-known hack method “could have, at the time of this audit, taken out in excess of 30 percent of the primary websites hosted in the co.za domain space”.Jooste, who has worked both in South Africa and abroad as a security expert and was once notorious for being the country`s top hacker, adds: “While the majority have ‘wised up` to previous security threats and are protecting against it, new threats have appeared which haven`t been dealt with yet. Security is constantly changing and people need to keep up with the change.“IT security in South Africa can be improved by reducing the time it takes to adapt to new threats. This doesn`t mean spending on new technologies, but rather spending on keeping the necessary skills up to date.”Companies perceive security as a complex and expensive animal. It has to keep out multiple types of attack, at multiple entry points and from multiple sources.Hackers, by contrast, have the freedom of low barriers to entry (a PC with an Internet connection), of selecting targets at random and of spending weeks or months attacking a single target. Defence against this anonymous and all-encompassing threat is going be pretty intricate.Not so, maintains Dr Andrew Hutchinson, member of the T-Systems solutions crafting team. “The best approach is keeping it simple,” he says. “One of the enemies of security is complexity.”Hutchinson goes as far as to propose Linux as a possible security solution – not because it is free, but because it is easily configurable. “If you can keep the modules clear and defined, you can make a better solution. If you look at something like Linux, you can take out the modules you don`t want to install. It`s much simpler in Linux to leave out a particular service, like the mail server.”Mike van den Bergh, MD of Gateway Communications, agrees. “The simplest systems provide the best security. When a system is unusable, people start to look for ways around it to make it useable. You`ve got to have something that is intuitive and built-in automatically.”Get some cultureBut while simple is best, don`t confuse a simple system with a simple solution. Security often falls down because corporate entities don`t see it in a holistic way. Security isn`t about a “point solution” like a firewall or a virus scanner. It should permeate a company`s culture.Thomas believes small, medium and micro enterprises (SMMEs) are more vulnerable than corporates to point solutions.“At an abstract level, larger corporations have a significantly greater awareness of the value of information security practices and skills, brought to them and sold to them by both the media and by the larger audit firms and their related consulting arms,” he says.“The SMME market by comparison shows greater exposure to information security risks and here information security management is often performed poorly, if at all. Additionally, SMMEs do not have the advantage of being able to afford the level of staff specialisation that larger companies have, instead relying on general staff or outsiders. They are particularly vulnerable to the sales pitches of unscrupulous or ignorant vendors that advocate a particular product or style of solution, as opposed to an integrated and holistic risk management approach.”Jooste agrees: “Technology vendors love to tell people that they can give you a complete solution in a box. In most situations even the simplest of technologies are more than adequate, if configured and managed right. Apart from having the right skilled people in place, in-house or outsourced, companies need to ensure that everyone partakes in the IT security function of a company, through education and awareness.“I think that, coming from a holistic point of view, security is everybody`s responsibility, because your security is only as strong as the weakest link. Companies need to also look at user education,” says Van den Bergh.Ultimately people are the weakest link. In Gates we trustMicrosoft`s trustworthy computing initiative is getting up steam. But will it have the desired effect in the market?“Trustworthy computing” is the latest bit of jargon buzzing around the security community, and it is widening the rift between open source protagonists and what they dub The Man – otherwise known as Wintel (the Microsoft/Intel partnership).The term originated among Microsoft execs, catching public attention with Bill Gates`s memo in January 2002, announcing that: “We must lead the industry to a whole new level of trustworthiness in computing.”Since the fateful day on which Microsoft halted all development to send its staff on secure development training, the phrase has come to represent Microsoft`s “secure by design, default and deployment” slogan. It`s become more than just a marketing placebo.The ultimate goal is to get to what the industry calls a trusted computing platform – a combination of hardware and software guaranteed to be secure, and for which Microsoft`s alliance with Intel will be very valuable.Research company Gartner analyst John Pescatore expects trusted computer platforms to start becoming a standard PC feature around 2005, but believes they will only reach critical mass in about 2008. We will also start to see the trusted platform appearing in cell phones and PDAs around 2008.Good news, bad newsPescatore believes the business impact of this Wintel initiative will be the introduction of “new business models enabled by digital rights management, safer use of public computers for employee remote access and stronger intellectual property protection”.It sounds like pretty good news for the end-user. Early trustworthy products eliminate any doubt that they`re more secure than their predecessors. So why are open source pundits up in arms?Firstly, Gates`s statement in his memo that “no trustworthy computing platform exists today” was a bit of a slap in the face for alternative operating systems – open source included. Whether Linux and its relatives are trustworthy is debatable and dependent on one`s definition of “trustworthy”, but few doubt that Linux has trounced Redmond on security, and nobody will argue that it has won the perception battle.Linux distributions usually include heavy-duty security tools, and deployments are by habit more secure. Linux vendors tend to warn users that their installation choices could create security risks.Linux supporters also argue that open source is the ultimate in secure design. Thousands of skilled users can assure themselves – and others – of the robustness of Linux`s security, and even choose to improve the source code themselves.Civil rights lawyers, privacy pundits, open source programmers and free speech fans also harbour justified fears about hardware-enforced digital rights management, as proposed by the trustworthy computing paradigm. It could limit the utility of what used to be personal, all-purpose computers, and will implement copyright and patents in a manner substantially removed from their original legal basis, by prohibiting fair use and sneaking off with statutory expiry provisions.But as much as Linux users might protest Microsoft`s claim to being the pioneer of trustworthy computing, such sour grapes do not affect the validity of Microsoft`s security initiative in principle.What might have a greater effect is Microsoft`s own users` reaction to trustworthy computing. While some will no doubt embrace the change with open arms (and maybe a few comments of “about time”), two opposite ends of the user scale could be negatively affected by the development.The first is the “power user”, whose primary concern with trustworthy computing to date has been the automatic installation of patches – little applications that Microsoft sends out to users regularly (a little too regularly, some argue) that fix a specific problem with the operating system. The patches, however, have developed a reputation of often causing more problems than they remedy, making systems administrators unwilling to install a patch until it has been comprehensively tested in their operating environment.Kicking backThe second type of user Microsoft might alienate is on the opposite end of the scale – the non-technical user. Microsoft has made its name by offering operating systems that work out of the box. But, by its nature, trustworthy computing means most services don`t work out of the box. Users will have to install and configure every service they want to use, which is not an ideal situation for the unqualified.Whether these two extremes will kick back against the changes or accept them as the price of higher security remains to be seen. It will be a good test of whether the “trust” in trustworthy computing is taken to heart – not only by Redmond, but by Microsoft`s customers too. Microsoft`s turning pointWindows 2003 is no doubt the most secure operating system from Microsoft to date, but it still needs some TLC.Let`s face it. Microsoft has a pretty bad track record for security. Gartner puts security (and lack thereof) as one of the three factors driving what it calls “the anti-Microsoft movement”.“Many governments are unhappy with its aggressive strategies (which have garnered significant antitrust investigations and actions) and a less-than-perfect record in software quality, security and privacy. The Microsoft juggernaut has, at times at least until recently, seemed oblivious to the growing antipathy shown by some of its previously loyal customers – especially in countries outside North America,” says Gartner bluntly.Partly, of course, it is most vulnerable to security threats for the simple reason that it is by far the most common desktop operating system in use.But even so, its security record is about to change. At least that`s what Microsoft tells us. Its first product to roll out under the trustworthy computing banner is Windows 2003 Server, and Microsoft is hoping that this product will convince concerned customers eyeing Linux that all is well (and safe) in Redmond.“Secure by design, secure by default, and secure by deployment” is the rallying cry, heard from Seattle to Sunninghill. From what we can tell from the outside, Microsoft has taken this motto to heart. So far, Standard Bank, Ster Kinekor and Professional Provident Society (PPS) have migrated to the new product and, according to Microsoft SA`s director of the .Net and developer group Danny Naidoo, they are “thrilled” – in the positive sense of the word.Password: PasswordNaidoo takes us through some of the new security features of Windows 2003: “The attack surface is reduced with less services running by default. For example, you need to explicitly run IIS (Microsoft`s web server and a common point of attack) on the server. Administrators can`t create an administration account with the password ‘password`, or with a blank password.”Microsoft has also committed itself to fixing bugs and making patches available to users faster than before. It went through every line of code looking for vulnerabilities. It has got a ton of open- and closed-standard authentication protocols built in. It offers encrypted file systems, smart card support, wireless LAN security and a built-in sandbox for applications running on the common language runtime platform. Compared to previous versions of Windows, Microsoft has made a momentous effort to live up to the trustworthy computing cry.But before you toss out your firewalls and sell your anti-virus licences, there is some bad news. First and foremost, Microsoft is only providing companies with the tools to make a more secure system.“We see security as a shared responsibility between ourselves and our customers,” says Naidoo. “We will need the customers to act and use the products the way they are designed to be used.”This is what Microsoft calls “secure by deployment”. If customers don`t implement patches and fixes, leave unused and unsecured ports open, or use “money” as their administrator password, there isn`t much hope for them.Microsoft hasn`t made any claims that its platform is “bug-free” or “unhackable”. (Oracle went down that road and its unhackable platform was duly hacked.)And a complaint by a concerned South African journalist to the Advertising Standards Authority shows that it won`t do to make claims that Microsoft will make hackers extinct.In fact, a couple of security holes in the new OS have already been discovered and posted to NTBugTraq, a security watchdog community that alerts Microsoft, customers and hackers alike of potential security holes.Although we have not had the opportunity to review the product ourselves, we did spot a worrying glitch on a local site running Windows 2003 recently. The site, hosting a large local retailer, defaulted to showing the ASP.Net source code whenever it had an error on a page. This was more likely a configuration fault than a Microsoft bug, but it does prove that Win2003 is not perfectly secure.Some believe that Microsoft is making its products too secure, compromising too much functionality and ease-of-use.“All organisations seem to be becoming more aware of the importance of releasing software that is more, rather than less, secure by default. Regardless, there is and will for the foreseeable future be a constant tension between ease of use and security, with end users traditionally preferring technologies that work ‘out-of-the-box`,” notes Andrew G Thomas of Hobbs & Associates.“I think Microsoft will be pressurised to remove the security and make it optional again,” opines Mike van den Bergh, MD of Gateway Communications. “Until legislation for seatbelts was introduced, the flashing lights and beeps to encourage you to wear the seatbelt didn`t help. I think they may have to backtrack on trustworthy computing, but I`d be happy if I`m wrong.”Continues Van den Bergh: “You can make people aware of security, and people must understand the consequences of ignoring secure practices – that`s where it comes down to education.”Education is one facet of trustworthy computing that Microsoft can truly be commended on. At the moment, the focus is on third party developers and administrators, but Naidoo says the material includes formulating security processes and procedure for staff, and communicating these throughout the company.“It`s not just about product,” says Naidoo. “We need to create a trust between us and our customers and us and our partners so that they see us as trustworthy enough to do business with. We are also changing our culture – we`re transforming an organisation that`s 55 000 people strong. You can`t do that overnight. I think this programme will run over a decade or so.”
31 July 2003
It`s 1994, St Petersburg, the offices of software development company AO Saturn. A
24-year-old programmer, Vladimir Levin, allegedly masterminds a virtual bank job, netting a cool $10 million from Citibank. (Hacking underground lore still claims that another Russian hacker, known only as Megazoid, performed the hack, armed with a $10 computer, modem and vodka.)
ITWeb Premium
Get 3 months of unlimited access
No credit card. No obligation.