Log In

Reset Password
BERMUDA | RSS PODCAST

Beware those security `experts' with pointy hats

This is the prime time of the year for forecasters and computer system security -- and after a year of hacks, Trojan horses, love bugs, denial of service attacks and other types of nefarious break-ins, the experts are predicting a progression to a more sophisticated level of security problems in 2001.

The predictions by 12 security experts appear in the December Security Alert newsletter of the SANS (System Administration, Networking, and Security) Institute (http://www.sans.org). Some trends are already in the works.

But a general theme running through the comments is the shortage of system security workers and a move towards outsourcing the function to companies that can provide round-the-clock service. Bruce Schneier's forecast of security issues moving into the "third'' wave of "semantic'' attacks is already a reality.

Mr. Schneier says that hackers concentrated on attacking physical electronics in the first wave of attacks, then moved on to syntactic attacks on the network's operating logic. In the third wave hackers will become more sophisticated semantic attacks, attacking data and its meaning. This includes fake Press releases, false rumours, and manipulated databases. The most severe attacks will be against automatic systems such as intelligent agents and remote-control devices.

"Semantic attacks are much harder to defend against because they target meaning rather than software flaws,'' Mr. Schneier says in The Coming Third Wave of Internet Attacks. "They play on security flaws in people, not systems. Always remember: amateurs hack systems, professionals hack people.'' A good example of the type of semantic attack occurred to the Orange County Register Web's site. Three stories about the arrest of a hacker known as "Shadow Knight'' and "Dark Lord'' were changed on September 29 so that the newspaper, which is based in Orange County, California, was reporting for about 90 minutes until the hack was discovered that Microsoft's chairman Bill Gates had been arrested for hacking into "hundreds, maybe thousands'' of computers, including those of NASA's Jet Propulsion Lab in Pasadena and Stanford University.

The Register breach is the first known instance of a "subversion of information attack'' at a media Web site. In previous attacks on media sites like Time, hackers simply deface the front page of a site with one of their own design. The attack was noted because while the first story was an obvious fake, changes to the other two stories were much more subtle, raising the sinister possibility of intruders breaking into archives and altering the public record of an event.

In another forecast Bruce Moulton, vice president of infrastructure risk management with Fidelity Investments, believes public key infrastructure (PKI) business, such as that touted by Bermuda-based certificate authority QuoVadis Ltd. (www.quovadis.bm), will grow steadily but not in the explosive manner as predicted.

The future prospects for small outsourcing companies that deal with security issues looks very bright according to Marcus Sachs, a computer security expert with the US Department of Defense.

"The year 2001 will see a marked increase in small computer security companies,'' he says. These companies "will flourish by filling a void generated by businesses looking to outsource the security of their computer networks and e-commerce systems. Eventually, these companies will consolidate into larger e-security businesses: the 21st Century equivalents of Pinkerton and Brinks.'' Perhaps the best forecast was by Padgett Peterson, who works in the corporate security for Lockheed martin Corp. He warns against getting sucked in by the same people who were predicting global disaster last year with the Year 2000 bug.

"The churning I predicted last year is starting as new security `experts,' complete with pointy hats, are coming out of the trees,'' he writes. "Many are repaints of Y2K `experts' seeking new homes while others are simply doing a Willie Sutton as the `B' in B2B turns into Billions$... Crisis management requires the ability to separate true information from the false and to be able to make the correct decision immediately. Preplanning helps. Often the most important (and hardest) job is to be able to say, `no worries, it's already covered' in the midst of panic.'' And just such a doomsayer turns up in the final prediction, which SANS Security labels as `the last word on 2001' from Peter Neumann of the Computer Science Lab at SRI International.

"We are likely to see some organised, possibly collaborative, attacks that do some real damage, perhaps to our critical infrastructures, perhaps to our financial systems, perhaps to government systems -- all of which have significant vulnerabilities,'' Mr. Neumann predicts.

Perhaps. So hang on to your firewalls. But it does sound like he's trying to talk himself into a job.

Tech Tattle deals with topics relating to technology. Contact Ahmed at ahmedelamin yhotmail.com or (33) 467901474.