Strengthening Security on the World Wide Web
September 11, 2000

By James Schultz

Guns, guards and gates have long been employed by those seeking to protect physical assets. Not so in the incorporeal world of the Internet, where easy entry and rapid navigation are routine practice and common articles of faith. Internet security, in fact, may be a kind of oxymoron: the World Wide Web is easily torn by malicious attacks that can come anytime, anywhere. A computer-based network that, because it was so decentralized, was initially designed to survive a national emergency is now, ironically, at growing risk from common e-thugs.

“The Internet was not designed to be secure. It was designed for redundancy in nuclear war, with multiple points of operation,” said Chris Rouland, director of the Atlanta-based Internet Security Systems’ X-Force, a 50-person group of security experts and software developers. “Today, there’s been a radical upswing in new vulnerabilities. Globally, the Internet is in a very poor state as far as security is concerned.”

Since the late 1990s, Rouland’s X-Force has recorded a relentless escalation of known Internet weaknesses, exploitable by malicious hackers. By the end of 1997, only 10 to 20 such vulnerabilities per year had been pinpointed. In 1998, that rate rose to five per month. A tripling to 15 per month occurred in 1999. Today, the rate has soared to 90 known points of weakness per month - on average, three per day.

“[Software] systems are much more complex, with millions of parts in some cases. The more complex, the greater the chance of bugs,” Rouland said. “And there’s a lot of competitive pressure. Products are not developed with security in mind. Features, functionality and release dates become the priorities.”

As network administrators and home surfers alike have discovered to their dismay, even casual contact with the Internet can bring computer viruses, denial-of-service attacks, file hijackings, wholesale password piracy and hard-drive erasures. Because of its size and complexity, the government appears particularly susceptible.

Blurring of Lines

Millions of workers on the federal, state and local levels must use dedicated intranets and the Internet for routine transactions, even as questions of access and authentication persist. Federal work-force stability, once a hallmark of government service, is eroding. For those with information-technology experience, the lure of private-sector employment is strong, discouraging potential hires and encouraging the departure of longtime employees. Pending and lucrative retirements could lead in 10 years, by some estimates, to the exodus of 50 percent of current federal workers.

The leave-taking only intensifies nagging Internet-security questions: Who has access to information? When, and how securely? What provision will be made for successors, replacements or, perhaps inevitably, temporary or contract workers who also will require immediate clearance to sensitive systems and critical-mission intelligence?

Additional pressures are being exerted by the transition to all things Internet-enabled and electronic, erasing the once strict line between private-sector practices and the implied and explicit rules of government operation. Electronically enabled, off-the-shelf buys of equipment and supplies, for example, are becoming commonplace, as are a host of other practices designed to ensure a speedy transition to e-commerce practices. Like business, government as a whole struggles to limit exposure to Internet-based dangers and damage, even as departments and agencies individually struggle to implement reasonable security procedures and programs.

“People have long thought the thing to protect is the enterprise - a physical place, with people entering and leaving who are also identifiable,” said Bob Carberry, executive vice president and general manager of transactional security for Internet security company CyberSafe Corp. of Issaquah, Wash. “The Internet has changed those basic relationships. Now there’s a need to protect the information associated with the transaction, rather than just the enterprise itself.”

According to a recent Forrester Research survey, “B2B Information Warfare,” authored by Frank Prince with assistance from Carl Howe and Christopher Voce, 50 security professionals at Global 2,500 firms indicated that security spending as a portion of revenue has increased tenfold at their companies. More than a quarter of respondents attributed the beefed-up expenditures to the accelerating pace of Internet-enabled e-commerce.

Prince and his Forrester report colleagues point out that just one disgruntled Internet-savvy insider, perhaps in alliance with other like-minded malcontents, can easily damage or destroy critical organizational data. The ability of Internet-active e-terrorists, Prince noted, “to coordinate independent physical and electronic assaults into devastating infowar campaigns that disrupt a broad range of organizational functions” is as serious a matter to public or private-sector “Internet nations” as are security threats to nation-states in the physical world.

Knowing The Attackers

Given its primacy in office and cubicle, the personal computer is a flawed but inevitable warrior, a front-line defender in Internet-based attack. Because of application vulnerabilities, PCs are often the preferred point of entry for cybercriminals. One of the chief threats comes from the ability of third parties, invited or not, to turn a personal computer into a file server, essentially no different than the network servers Internet users connect to constantly when browsing the World Wide Web.

“The information-security industry has done a reasonably good job of providing security on Web servers and for networks,” said Pete Privateer, president of Pelican Security, a Fairfax, Va.-based firm that sells “active content” security software. “The client side, the personal computer, remains generally unprotected. It’s like locking all the windows but leaving the front door open.”

Privateer says that his company’s SafeTnet is able to snare and then render harmless all active content, including applets, scripts, executables, plug-ins and macros that enter a computer via Internet browsers, chat software and e-mail. The program provides real-time alerts and a centralized, detailed log of suspicious events.

When SafeTnet detects a call to a system resource, it intercepts that call and applies a set of permissions, or access controls, around the suspicious code. These access controls define what is permissible and what is not. SafeTnet’s “denied unless explicitly allowed” access-control policy creates a protective virtual enclave - known popularly and generically as a sandbox - around e-mail attachments, Web browsers, chat clients and word processing applications.

Even if the suspect program or document is saved to the hard drive and executed later, SafeTnet will still monitor the active content and sequester it within a sandbox, in order to determine its origin and whether it is malicious code sent by a destructive hacker. Although a user may have the authority to access a system resource, Pelican’s “dynamic sandbox” can prevent harmful code the user may receive from accessing a given resource.

“Any kind of executable program that comes over the Internet needs to be monitored and controlled,” Privateer said. “Are you willing to let a Web site run code on your desktops? Access controls around the applications - the browsers, the e-mails - restrict what can and cannot be done and by whom.”

Validating the identities of users and encrypting data are strategies advocated by RSA Security Inc. of Bedford, Mass. “Transaction accountability” is a key means of ensuring that personal computers, servers or networks won’t be used to destructive ends. RSA has developed a popular “two-key” authentication system to guard against such Internet intrusion and security system compromise.

One of the company’s most popular offerings is a key-fob-size token, known as a SecurID authenticator, that generates a new, unpredictable code every 60 seconds that is unique to the user. When logging on to a government or business network, the user enters this number plus a personal identification code, which is then approved by an RSA server within a matter of seconds to allow entry to the network. Because the user/authenticator code is valid for roughly one minute, it is virtually impossible for a hacker to ferret out the correct combination.
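The token-plus-PIN login described above can be sketched as follows. This is an added example, not RSA's code: the SecurID algorithm is not described in this article, so the sketch substitutes the public HMAC-based one-time-password construction (RFC 4226 truncation over a 60-second time counter). The `AuthServer` class, the six-digit length and the replay check are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

STEP = 60    # seconds per code, as the article states
DIGITS = 6   # assumed display length

def token_code(seed, now):
    """Code for the 60-second window containing `now` (RFC 4226 truncation)."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def _pin_hash(pin, salt):
    # Slow, salted hash so a stolen server database does not reveal PINs directly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class AuthServer:
    """Hypothetical validation server: stores seed and salted PIN hash per user."""
    def __init__(self):
        self.users = {}        # name -> (salt, pin_hash, seed)
        self.last_window = {}  # name -> last time window accepted

    def enroll(self, name, pin, seed):
        salt = os.urandom(16)
        self.users[name] = (salt, _pin_hash(pin, salt), seed)

    def login(self, name, pin, code, now):
        if name not in self.users:
            return False
        salt, stored, seed = self.users[name]
        window = int(now) // STEP
        # Both factors are checked with constant-time comparisons.
        pin_ok = hmac.compare_digest(_pin_hash(pin, salt), stored)
        code_ok = hmac.compare_digest(token_code(seed, now).encode(), code.encode())
        # A code already accepted in this window is refused (replay guard).
        fresh = window > self.last_window.get(name, -1)
        if not (pin_ok and code_ok and fresh):
            return False
        self.last_window[name] = window
        return True
```

The server and the token must share the seed and agree on the time; a captured code is useless once its window has passed or once it has been accepted.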

“Security is all about choices,” said Brian Breton, RSA Security product marketing manager. “It’s about mitigating risk. You trade ease of use and access against privacy and protection. Some of it comes down to cost. The more safeguards you put around something, the more it will cost.”

The company estimates that up to 7 million SecurID authenticators are in use worldwide. In particular, the device is popular with the U.S. government, with the Department of Defense and civilian agencies being among RSA’s prime customers. Another of the company’s products, an encryption toolkit, RSA BSAFE, may be even more widespread. According to Breton, BSAFE has been adopted by virtually all U.S.-based e-commerce companies and has been incorporated into more than 700 software programs worldwide.

Securing E-Mail

Perhaps the most ubiquitous Internet threat derives from the Web’s primary application - e-mail. E-mail attachments are notoriously vulnerable to tampering and misuse. Like human carriers of disease, e-mails are able to spread contagion rapidly by direct contact - electronically speaking - by a user’s decision to open and view e-mail attachments. Now, says HushMail.com, a company founded in the United States and relocated to Dublin, Ireland, that problem has been solved. HushMail claims to provide the world’s first completely secure but easy to use Web-based e-mail system.

“As a matter of course we should be sending secure, encrypted e-mail,” said Jon Matonis, president and chief executive officer of Hush Communications Corp. “We shouldn’t have to jump through hoops to do it. Right now, sending e-mail is like sending a postcard through regular mail. Everyone, including the mailman, can read your postcard.”

Behind the scenes, the Hush encryption engine scrambles electronic information using 1,024 bits of randomly generated numbers. With Hush encryption, users create their own pass phrases, and a secure Hush server does the rest. A pair of user keys - one private key and one public key - is created. What the public key locks, the private key unlocks. Later, when the user sends a message, a one-time message key, unique to each e-mail that is sent, is used, first, to encrypt and subsequently decrypt the e-mail message itself.

The recipient’s public key is used to encrypt the message key. When the encrypted e-mail and the encrypted message key are sent to the recipient, the e-mail can only be decrypted by using the one-time message key; but the message key can only be decrypted by using the recipient’s private key; and the recipient’s private key can only be decrypted by entering the recipient’s personal pass code, thus creating an interlocking cascade of encryption that guarantees spy- and tamper-proof transmission.
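The three-layer cascade described above (pass phrase unlocks private key, private key unlocks message key, message key unlocks e-mail) looks like this in code. This is an added example, not Hush's implementation: the article does not name the algorithms, so RSA-OAEP with a 2,048-bit key and AES-GCM are assumptions, the function names are hypothetical, and the third-party Python `cryptography` package is assumed to be installed.

```python
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def create_account(pass_phrase):
    """Return (public key PEM, private key PEM encrypted under the pass phrase)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    locked = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.BestAvailableEncryption(pass_phrase),
    )
    public = key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return public, locked

def seal(public_pem, plaintext):
    """Encrypt one e-mail: fresh message key for the body, public key for the key."""
    message_key = AESGCM.generate_key(bit_length=256)  # one-time, per message
    nonce = os.urandom(12)
    body = AESGCM(message_key).encrypt(nonce, plaintext, None)
    recipient = serialization.load_pem_public_key(public_pem)
    return {"wrapped_key": recipient.encrypt(message_key, OAEP),
            "nonce": nonce, "body": body}

def open_sealed(locked_private_pem, pass_phrase, envelope):
    """Walk the cascade in reverse; any wrong layer raises instead of decrypting."""
    private = serialization.load_pem_private_key(locked_private_pem,
                                                 password=pass_phrase)
    message_key = private.decrypt(envelope["wrapped_key"], OAEP)
    # AES-GCM authenticates the body, so a modified ciphertext is rejected.
    return AESGCM(message_key).decrypt(envelope["nonce"], envelope["body"], None)
```

Only the short message key is encrypted with the slow public-key operation; the body uses the fast symmetric cipher, and the authenticated mode is what makes tampering detectable rather than silent.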

“Our encryption model can be applied to any other application as well,” Matonis said. “Encryption is here to stay. It will be more accessible to the everyday user, and faster than people expect.”

HushMail is World Wide Web-based, using the Java programming language. The approach, while different in certain key ways from a related technique known as public key infrastructure, or PKI, nonetheless illustrates the power of encryption to secure and protect Internet transactions and communication. In establishing a series of public and private keys, or mathematically related constructs that users would employ to authenticate the legitimacy of transactions, a fully implemented encryption system applied to all software would make anonymous or false-identity computer assaults extremely difficult, if not impossible. While theoretically hackable, deciphering the keys would require calculations of such complexity and length as to make the task impractical for the foreseeable future.

“We’re getting to the point with Internet security where the complexity [of protection] is being masked from the end user,” said Matonis. “Transactions will be secure but transparent. Security will become a default, not a conscious process.”

Outsourcing Security

With all the technology tools deployed and pending, why is it so easy to poke holes through the Internet? In part, said the experts, it’s because technology is only now beginning to catch up with experience.

“The Internet has only been available for general public use for five years,” said RSA’s Breton. “It took 20 years for people to get used to securing mainframes, minicomputers and networks. We’re still on a learning curve. As bad things happen, we’ll learn. We’ll only get better.”

For anyone involved in e-government or e-commerce, the improvements can’t come fast enough. According to Michael Harden, president and chief executive officer of the Fairfax, Va.-based CyberGuardian Inc., which monitors an estimated 30,000-plus hacker sites on the Internet, by 1999 there were roughly one billion unique accessible pages on the World Wide Web. Internet traffic is anticipated to double every 100 days, and a new network is added every 30 seconds. Business-to-business e-commerce is projected to hit at least $1.5 trillion by 2004, with thousands of financial institutions online and hundreds enabled for cash and credit-card transactions.

Commercial, off-the-shelf software, however, remains vulnerable. In the rush to market, security is often shortchanged in favor of ease of use. While more user-friendly encryption techniques may eventually solve that problem, software makers still rely on customers to identify potential weakness. As governments adopt wholesale more commercial products, the risk of compromise likewise increases.

“It’s amazing that people find themselves in the same situations again and again,” said Ken Jones, security-practice lead at Immersant.com. “The same themes reoccur. Poor software coding creates security vulnerabilities. Developers take shortcuts. Problems that are solved in one version can reappear in a subsequent version.”

Problem solving will apparently provide excellent business opportunities in the near term for those companies supplying Internet security services to governments short of in-house experts. The road runs two ways, however; the private sector should encourage government initiatives to address and enlarge Web-based security initiatives, according to Forrester analyst Frank Prince.

“Unless companies want to fund private militias and send them out to make hamburger out of hackers’ hands, firms will have to support government involvement,” Prince wrote. “Outsourcing law enforcement and prosecution to government makes good business sense. Despite firms’ objections, some government intervention [to protect] the Internet is warranted.”

In the end, most observers agree that Internet security comes down to best practices. Reasonable effort, reasonable cost and reasonably secure systems should discourage the vast majority of intrusions that can seriously wound, perhaps mortally, any public or private enterprise. Internet nations must develop their own versions of one or more virtual deterrents.

“No machine is perfectly secure,” said Immersant.com’s Jones. “The perfectly secure machine is unplugged from the network, locked in a vault, buried in a concrete bunker and surrounded by highly paid guards. Realistically, you want to create a situation in which the cost in time and effort to break into a system is more than the attacker is willing to pay.”