Financial Daily from THE HINDU group of publications
Monday, May 29, 2006
Financial Daily from THE HINDU group of publications Monday, May 29, 2006 |
|
|
|
|
|
|
|
eWorld
-
Security Columns - Security Musings `The cracks are showing' R.K. Raghavan
A provocative article, The Internet is broken (Technology Review, December 2005-January 2006) by David Talbot provides the theme for my column this fortnight. Interestingly, Talbot compares the Net with the Times Square of the 1980s. "It was exciting, vibrant, but you made sure to keep your head down, lest you be offered drugs, robbed, or harangued by the insane. Times Square has since been cleaned up, but the Internet keeps getting worse, both at the user's level, and ... .deep within its architecture." In arriving at this vivid comparison, Talbot draws primarily from the assessment of David D.Clark of MIT. Considered the Internet elder statesman and once the chief protocol architect, Clark bemoans the fact that Net security is deplorably low. Worse is its inability to accommodate new technologies. Talking to Talbot, Clark salvages his 1992 power point presentation in which he had referred to `distant elephants' that needed to be feared and not ignored. Clark now believes that the elephants have already descended on us, and there is just a possibility that the Net will collapse without any intervention. Pessimistic as it may seem, the more than billion users of the Internet will sideline Clark and other soothsayers only at their peril.
Inadequate security architecture
Talbot reflects the views of many experts when he says that the Net has no security architecture worth the name. It depends solely on `patches' that include firewalls and anti-spam software. Such patchwork approach is ad hoc and inadequate in the face of new threats arriving each day. In the words of MIT mathematician Tom Leighton, this is like "trying to plug holes in the dike." One school of experts believes that if the Net has not come to a total standstill, it is because those who write viruses have not been daring enough, if not sufficiently knowledgeable, to bring about a disaster.
Some solutions
Clark is not a mere Cassandra. He goes as far as suggesting solutions for the current mess. In his view, any exercise aimed at a new architecture should be preceded by fresh goals. The first of such goals will talk about designing a basic security architecture that would create an ability to authenticate those with whom we are communicating. It is distantly analogous to the Caller ID that we have on telephones. Thereby, we have more than a good chance of preventing spam and viruses ever reaching our PCs. Can there be anything more attractive to many of us plagued every working day by these menaces in cyberspace? Other goals would include a facility by which devices other than PCs, such as sensors and embedded processors, can also be connected to the Net. It is encouraging to hear that the National Science Foundation (NSF) of the US has already embarked on an ambitious research project in this area that will draw heavily on work that is going on in at least four Universities, including Princeton and Rutgers. Only time will tell whether the fears about the Net crashing are real or exaggerated. For instance, all the talk about cyber terrorism has, until now, not matched any occurrences on the ground. We can only keep our fingers crossed! At the same time, we will be dumb if we do not draw some intelligence on the existing situation from a continual stream of breaches of security reported from different parts of the globe.
Chip and PIN fraud
The latest of incidents that should worry us is the widespread Chip and PIN fraud reported at some petrol pumps in the UK. One major victim is Shell, and the company has stopped accepting payments authorised by Chip and PIN at about 600 of its 1,000 petrol stations. Here, fraudsters draw petrol for their cars from accounts owned by others and the loss to customers is estimated at about £1 million. An important UK bank, Lloyds TSB, has also lately reported a flaw in its Chip and PIN system that has helped making cloned debit and credit cards that work at ATMs abroad. One Lloyds customer lost £3,000 from withdrawals made at ATMs in the Netherlands. Again in the UK, 4,000 MasterCard holders were recently hit after hackers gained access to credit card details through an e-tailer. Across the Atlantic, a group of technically savvy thieves recently managed to hack into electronically controlled petrol pumps in the US and draw free petrol. Here, the modus operandus adopted was to reprogram a pump to deliver petrol after forcibly opening up pumps. It is conjectured that this is an insider job, because the physical tampering with pumps cannot be hidden from attendants who are present round the clock.
Significant moves
Ironically, the spate of incidents from the UK comes in the wake of two significant happenings. First, the country is on the verge of bringing in major amendments to the Computer Misuse Act (CMA) 1990 by incorporating suitable provisions in the new Police and Justice Bill. These contemplate longer sentences for hackers and the recognition, for the first time, of the offence of Denial of Service (DoS). A fly in the ointment, however, is the proposed restriction on the number of hacking and security tools the use of which will be criminal. Since this has caused uproar, the law would focus more on the intent behind the use of a tool rather than on specific hacking tools. Another important development in the UK is the ruling of a UK Magistrate's Court that Gary McKinnon, charged with hacking into computer systems in the US, could be extradited to the latter country. McKinnon is said to have broken into 97 government computers for nearly a year beginning with February 2001. Interesting was the judge's conclusion: " ... if you choose to commit a crime in a foreign country you run the risk of being prosecuted in that country." It did not matter, in the judge's opinion, that the accused was likely to get a longer sentence in the US than in the UK. Do you think this would act as a deterrent to prospective offenders? I do not think so, because the profile of a cyber criminal is changing, from a mere adventurer to that of a determined and deliberate predator who is constantly looking for easy prey in cyber space. The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.
The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.
More Stories on : Security | Security Musings | Internet
Article E-Mail :: Comment :: Syndication :: Printer Friendly Page
|
Stories in this Section |
|
The Hindu Group: Home | About Us | Copyright | Archives | Contacts | Subscription Group Sites: The Hindu | Business Line | Sportstar | Frontline | The Hindu eBooks | The Hindu Images | Home |
Copyright © 2006, The
Hindu Business Line. Republication or redissemination of the contents of
this screen are expressly prohibited without the written consent of
The Hindu Business Line
|