Study: Global networks still vulnerable
9th January 2002 (The Star)

WASHINGTON: Security for global computer networks is "far worse" than optimal, a prestigious US research institute said Tuesday, citing vulnerabilities to "sleeper" attacks using unsuspecting computer users.

"From an operational standpoint, cybersecurity today is far worse than what known best practices can provide," said the Computer Science and Telecommunications Board, part of the US National Research Council.

"Even without any new security technologies, much better security would be possible today if technology producers, operators of critical systems, and users took appropriate steps," it said in a report released four months after the events of Sept 11.

Experts estimate US corporations spent about US$12.3bil (RM46.7bil) to clean up damage from computer viruses in 2001. Some predict viruses and worms could cause even more damage in 2002.

The report said a successful cyber attack on the US air traffic control system in coordination with airline hijackings like those seen on Sept 11 could result in a "much more catastrophic disaster scenario."

"The modern thief can steal more with a computer than with a gun. Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb."

The report concludes that "we have been remarkably lucky" that there have been no successful attempts to subvert critical computer systems but that "there is reason to believe that our luck will soon run out."

The report cites the dangers of surreptitious attacks that plant code enabling the control of another computer in a later attack from so-called sleepers.

"A successful attack may lay a foundation for later attacks, be set to cause damage well after the initial penetration, or enable the clandestine transmission of sensitive information stored on the attacked system," the report said.

"For example, a number of recent incidents have compromised the computers of unsuspecting home computer users by implanting unauthorised code; these computers were subsequently used as launch points in a coordinated and distributed denial of service attack."

To avert such risks, the panel urged organisations to conduct more random tests of system security measures, implement better authentication systems and provide more training and monitoring to make information systems more secure.

All these measures were possible without further research, it said.

Investments in new technologies and better operating procedures could improve security even further, it noted.

Herbert Lin, senior scientist at the board, said information technologies were developing at a very rapid rate, but security measures had not kept pace.

In fact, he said, recommendations for improving security made by the panel a decade ago were still relevant and timely.

"The fact that the recommendations we made 10 years ago are still relevant points out that there is a real big problem, structurally and organisationally, in paying attention to security," Lin said.

"We've been very frustrated in our ability to get people to pay attention, and we're not the only ones," he added.

Use tokens, not passwords

Increased security concerns after the Sept 11 attacks on New York and Washington could provide fresh impetus for upgrading computer security, Lin said.

But he warned against merely putting more federal funds into research, noting that it was essential to implement technologies and best practices already available.

"The problem isn't research at this point. We could be so much safer if everyone just did what is possible now," Lin said.

For instance, the report notes that passwords are the most common method used today to authenticate computer users, despite the fact that they are known to be insecure.

A hardware token, or smartcard, used together with a personal identification number or biometrics, would provide much better security for the computer system, the report said.

The report urged vendors of computer systems to provide well-engineered systems for user authentication based on such hardware tokens, taking care to make sure they were more secure and convenient for users.

In addition, it said vendors should develop simple and clear blueprints for secure operation and ship systems with security features turned on so that a conscious effort was needed to disable them.

One big problem was the lack of incentives for companies to respond adequately to the security challenge, the report said.

It said one possible remedy would be to make software companies, system vendors and system operators liable for system breaches and to mandate reporting of security breaches that could threaten critical social functions. - Reuters, AFP