
White Paper 1

Warnings for an Electronic Nation

By Larry Lange

Recognized as one of the leading experts on information security and electronic privacy, Winn Schwartau is a boisterous, charismatic - and somewhat arrogant - man. Testifying before Congress in 1991, Schwartau coined the phrase "electronic Pearl Harbor" to describe the security threat he believes hangs over the age of distributed computing. His book, Information Warfare: Chaos on the Electronic Superhighway, has become a kind of unofficial reference guide for dozens of top-level military leaders around the world.

As chief operating officer of Security Experts Inc. (Seminole, Fla.), Schwartau consults on security issues for both industry and governments. He also manages two popular Web sites on security: www.infowar.com and www.info-sec.com. As a regular keynote speaker at the annual DefCon hackers' convention - an event that attracted 1,500 people to Las Vegas last July - Schwartau has been adopted by the hackers who gather there as one of their own.

Where is the hacker community heading?
The hacking community has really, really changed. There used to be a fair amount of ethics, appropriate behavior and regard for the sanctity of the systems they were penetrating. They were not there to do harm, to steal or for profit-taking. They were there honestly to learn.

Today the community is literally made up of a lot of punks. A large amount of the community that were good "white hat" hackers eight or 10 years ago are all now legitimately employed.

At DefCon, about 30 percent of the people there were legitimate hackers, but the rest ...

Why haven't the white hats become more prevalent?
A lot of it has to do with the media, which has done a disservice to the hacking community as a whole. The [Kevin] Mitnick coverage sensationalized hacking to the point where it became chic bandito cool to be a big, bad hacker.

What do you think of the skills of white hats like Mudge and Hobbit?
These guys live and breathe this stuff. There's a cultural difference between the way they live and the way most others do a 9-to-5 job. Some of the lesser hackers, on the other hand, have skills that are rough-hewn. They may get from point A to point Z by some roundabout method, and that leaves you wondering, "My God, how did you do that?"

As the hacker community evolves, how is the overall security risk changing?
According to the FBI, 122 countries across the world currently have online hacking capabilities. I have absolutely no doubt that people with the attitude and with the capability are exploiting these capabilities for their own benefit, or very soon will.

We know that in the neighborhood of 20 million hacks a year are occurring worldwide. What we don't know is how many of them are coming from military non-friendlies or economic competitors, as opposed to white-hat hackers or just your typical pimple-faced teenager hacking in his parents' attic. The skill sets permit anonymity.

How does this threat relate to your concept of Infowar?
Infowar was introduced in 1990 as a vision that included all the various components of hacking - system vulnerabilities, bad guys, tools such as sniffers, viruses and well-financed teams with hackers. Later, I spoke before Congress about an "electronic Pearl Harbor." I was not trying to be Chicken Little, saying it was all going to happen tomorrow. But we have to be aware as an electronic nation what our vulnerabilities are and what our adversaries' capabilities are.

How has this notion of Infowar been received?
Today my Infowar book is used as a primer in 15 countries by the military. A lot of people think that information warfare is a military concept, but what I wanted to convey was from the corporate level, the personal level and the civilian infrastructure. I had no idea that the military considered much of what I wrote to be top secret. The British Army even tried to get it banned.

But the U.S. military felt they were out of the loop and started to bring me in. There was a conference, after which I remember telling several colonels and generals, "Hey, you guys are supposed to be the experts." They said that each of them had their own area of expertise, but they weren't allowed to talk to each other.

You sometimes refer to an 'electronic apocalypse,' and the need for 'electronic civil defense,' but is such apocalyptic talk really valid?
It's going to happen. It won't come from a foreign government. It will come from a non-aligned terrorist group, possibly even a militia group. Peace has been declared and the new motto is "make money, not war."

From a corporate standpoint, can you speculate what would happen to the fledgling field of e-commerce if, say, Wells Fargo loses $20 million due to a major hack?
They're losing a lot more than that already. Not Wells Fargo specifically, but in the financial world there's misdirected money, stupid accidents where money is lost in the system. When you include embezzlement and other internal and external online fraud, it's mind-boggling, but banks consider it "acceptable" losses because the numbers are relatively small. If you look at the amount of money that's moved electronically every day in the United States alone, it's trillions and trillions of dollars. So losing a few billion a year isn't a big deal at all.

So what's taking electronic commerce so long to take off?
Again, the media go and scare the American populace with their distortions, especially over credit-card fraud and theft. But let's look at the real world. You physically give the clerk making three dollars an hour at the greasy spoon your credit card and your receipt - and the media's worried about [credit-card numbers sent over] the Internet? The passwords and the database are where the hackers are going, not after the credit cards.

Isn't the government standard for security adequate?
In 1983 the Department of Defense and the National Computer Security Center published what is known as the "orange book," which has a range of criteria and evaluations that range from the D2 level to A1, which is the highest level. In 1985 the final version came out. C2 is bull. Look at how we got to C2. The information-security community is only 25 years old, and the people that were running InfoSec early on were from the military side.

The problem with the orange book and its methodology of implementing computer security is that it's based upon the military mind-set. It's based around building a moat around your computer. It's a fortress mentality, but what good does that do in today's distributed world?
It doesn't do any good. It means your computers are back in the '70s - a mainframe computer with dumb terminals. They weren't so hard to protect, but what we have come to learn since then is that in the real business world we need communication.

A new model is called for and infowar.com will be publishing a prototype model very soon. People will begin working with it on an ad hoc basis and it will work out.

What role has Windows NT played in security issues?
NT and security should never be used in the same breath.

You've been reporting on your site a number of NT hacks. Why?
It's necessary.

What do you mean, necessary?
NT has to fail security-wise, because Bill Gates never wanted to build security into it in the first place. When it all started, Microsoft admitted that they didn't care.

Back in '94, when I was visiting with Microsoft, they were attempting to proselytize that NT was going to be C2-compatible. I said to them, "This is absurd." They said, "Oh, this is an early version. We're going to upgrade and fix it," and so on.

The following year, '95, I was at a National Computer Security Conference put on by NSA and NIST [National Security Agency and National Institute of Standards and Technology] in Baltimore. Microsoft [people] were there, and they ushered me off into a private room. They were real cordial. I asked them about the C2 issue, and started going down a checklist. As we worked down the list it became clear that if they were going to meet C2, they were going to have to buy C2, because they had no security awareness whatsoever.

I asked them directly, "How can you possibly come out and introduce this new operating system, and not build into it any security?" And their answer was, "Because none of our clients want it." They said, "We did a survey of all our clients and security came up as concern No. 23." I immediately went out and wrote an article entitled "NT Security: Not Ready for Prime Time."

Another thing Microsoft people said to me back then was, "If we add security to our products, it will make testing our products a lot harder. We'll need an export version 1 and version 2, and a security version, and what happens if this doesn't pass [testing]?" My comment to them was, "Welcome to the real world of operating systems."

Aren't other operating systems like Unix just as vulnerable as NT?
Unix was never designed to be secure either, but it's got a couple of good things going for it. First off, it has a long track record of over 20 years of being used and tested. It has open source code for the world and hackers to play with, and also it's highly modular. What this allows you to do in Unix is harden it. You can get rid of this, hide that event, squeeze here, get rid of these 14 little components and then you're in pretty good shape.

Do you think Microsoft will become more open with its security features in the wake of recent hacks to NT?
Why didn't they do it right in the first place? From a pure business standpoint, they were right. They went out and made billions on an OS that is inherently insecure.

Twenty years ago people hacked into Unix. The big difference with NT is that Microsoft was told about all this, and they chose to make money and not serve the community.
