
[atlarge-discuss] FYI: "SAFE & SOUND IN THE CYBER AGE: INTERNET GRAND SLAM"



Cobb and Cobb have a good point:

>      1. Our society is a lot more dependent on the Internet and
>"immature" systems than anyone has so far been prepared to admit.
>      2. The Internet exists at the whim of those who know how to
>destroy it.

Their conclusion that we'll be okay as long as we keep our
money in different banks strikes me as dubious -- as it would
anyone who, like myself, has seen occasions where the ATMs of
several banks have been knocked offline at the same time by
something as trivial as a little incautious excavation near
the local backbone.

On the other hand, they're certainly right about our growing
(and unthinking) dependence on a network as fragile as today's
Internet. Another message I received today says that rather
a lot of money has been granted to some Canadian universities
to study ways that all traffic could be carried by a single
fibre-optic cable, so it's not just the general public who
are unclear on the concept of reliable security!

Questions:

1. What can be done to raise awareness that there is
more at stake than public relations problems for some banks
and IT companies?

2. How can one best make it clear to average Internet users
(not to mention the politicians who know even less about the
ICTs) that every aspect of everyday life in the developed
world -- from what's on the shelves of the grocery chains using
supply chain applications to the delivery of heating fuel to
outsourced payroll processing and a good deal more -- can be
disrupted without too much difficulty by anyone with a bad
attitude and reasonably good programming skills?

3. Is there any way of demonstrating in non-technical language
that such disruptions cannot be prevented by dispensing with
civil liberties and launching a programme of systematic spying
on everyone with a computer, but *can* be prevented by other
means like better-tested software, systematic attention to
suspicious activities and more backup systems through which
data can be channelled if the more-visible ones go down?

It seems to me that any kind of Internet governance which
doesn't include attention to these issues is guaranteed NOT
to serve the public interest. Am I nuts? Is it my imagination
that most discussions of Internet policies side-step these
questions, or are these important matters being dealt with
in back rooms while all the public hears about is the need
to dispense with privacy and personal security in the hope
that this will prevent cyberterrorism?

Just some late-night worries...

Judyth




---Fw from NewsScan Daily http://www.newsscan.com/newsscan/

SAFE & SOUND IN THE CYBER AGE: INTERNET GRAND SLAM
      Could your company survive without the Internet? This is not a
rhetorical question. In the wake of last weekend's "Slammer" attack,
corporations may have to contemplate getting by without the Internet.
That sounds like hyperbole until you realize how much trouble was
caused by just 376 bytes of worm code.
      The basic facts have been widely reported. Late last Friday, or
early Saturday in Asia, a worm was released onto the Internet
targeting a vulnerability in Microsoft Corp's SQL Server 2000.
Activity generated by the worm's probing for systems to infect brought
Internet traffic to its knees, at least in parts of Asia. Weekend Web
surfers in North America experienced everything from momentary delays
to complete lack of access. American Express customers couldn't check
their accounts online. Web operations were paralyzed for two days at
Countrywide, the country's biggest residential mortgage provider. The
Atlanta Journal-Constitution couldn't print Sunday's first edition on
time. Some 911 emergency services were forced to revert to manual
dispatching. On top of that, some weekend shoppers found their Bank of
America cash cards couldn't produce "cash back" at supermarkets. For
some, even plain old cash at ATM machines was unavailable.
      A lot of technical staff at companies that rely on SQL Server and
related code spent the weekend at work, removing the worm from
infected systems and patching them to prevent reinfection. Even so,
some employees couldn't get to their data on Monday morning, including
some employees at Microsoft itself. An internal memo, issued over the
weekend and leaked to the press on Tuesday, made it clear that
Microsoft had failed to apply to many of its own systems the very
patches it had urged customers to install to avoid this problem in the
first place. Unfortunately, all the talk about Microsoft and SQL Server
has tended to obscure two of the scariest parts of the story:
      1. Our society is a lot more dependent on the Internet and
"immature" systems than anyone has so far been prepared to admit.
      2. The Internet exists at the whim of those who know how to
destroy it.
      In this column and the next we will address these points in the
above order, starting with the issue of dependency. Over the last few
months, Bank of America has spent millions of dollars on a television
advertising campaign touting the ubiquity of its ATM machines. Imagine
that you just switched your account to Bank of America because of
those ads, only to find that access to your money is denied, by 376
bytes of rogue computer code released onto the Internet.
      In our admittedly unscientific sampling of consumer opinion at
the coffee shop we found universal disbelief that such a thing could
happen. Sadly, it comes as no surprise to us. As security experts, we
have made it our business to know a lot about network infrastructure
(after all, that's where a lot of data is most vulnerable). People who
know more than we do about that infrastructure have been warning us
for years about excessive inter-dependencies, lack of redundancy,
single points of failure, and so on (they have also pointed out that
90% of all military communications are handled by commercial carriers,
but that's another column).
      There have also been plenty of warnings about excessive reliance
on immature code, i.e. software which is not deployed through a
production process that includes thorough pre-production testing and a
proper maintenance cycle (companies that had installed the patches for
SQL Server before the weekend were not infected, although they may
still have been affected by the traffic overload which the worm
created). Now the public has very concrete proof that the experts were
right. Now we know we cannot rely on our bank to provide 24/7 access
to our money. Hopefully, companies will now set about beefing up their
networks, providing redundant channels and managing their code (funded
by some of the huge cost savings they reaped by shifting data and
voice from private lines to the Internet).
      Fortunately, the advice of network experts can also help the
consumer. Redundancy is the best strategy to avoid being denied access
to your cash by an ATM system failure. Just make sure you have debit
card accounts at more than one bank! In the next column we will
explain why we think the Internet exists at the whim of those who know
how to destroy it.
      [Chey Cobb, the author of "Network Security for Dummies," is an
independent consultant (www.cheycobb.com) and a former senior
technical security advisor to the NRO. Her email address,
chey@patriot.net, is heavily spam-filtered... Stephen Cobb, the author
of "Privacy for Business: Web Sites and Email," is Senior VP of
Research and Education for ePrivacy Group (www.eprivacygroup.com). He
can be reached at scobb@cobb.com.]

##########################################################
Judyth Mermelstein     "cogito ergo lego ergo cogito..."
Montreal, QC           <espresso@e-scape.net>
##########################################################
"A word to the wise is sufficient. For others, use more."
"Un mot suffit aux sages; pour les autres, il en faut plus."
##########################################################


