From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Reply-To: iwar@yahoogroups.com
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Date: Fri, 28 Sep 2001 12:16:05 -0700 (PDT)
Message-Id: <200109281916.MAA12478@big.all.net>
Subject: [iwar] [fc:Computer.Security.Is.Like.Military.Intelligence.-.A.Contradiction]
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]

Computer Security Is Like Military Intelligence - A Contradiction
Thomson Financial, 9/28/2001
http://www.antionline.com/showthread.php?threadid=115118

As banks of all sizes push their on-line treasury management systems farther down the corporate food chain, their risk of being hacked rises, because the systems of smaller companies are typically less well-protected than bank systems. So the more successful banks are at selling service, the more vulnerable they are.

"You're joining [systems] together, and every time there's a join, you get a risk," says Alan Matthews, CEO of Rapid 7, a computer security firm. "You're creating more layers between end users, and anytime there are layers, you have danger."

This is a bigger problem than people think, says Matthews, because smaller banks and larger banks are linked. So once a hacker has penetrated, say, a pet food store's computers and used them to attack that company's local bank, the hacker is well-launched to cruise wherever he or she wants.

Of course, Matthews is in the security business; security types depend for business on feelings of insecurity, just as financial companies depend on the image of security. But Matthews still says hack attacks are easier to launch than most people think. Not only are there large numbers of hacker sites with ready-made attack programs available for the taking; the better security gets, the more it tends to assume a homogenous format. The more it assumes a homogenous format, the greater the value of breaking the security, and thus the greater the likelihood of attack.

Matthews says the best security models tend to be those which allow broad information exchange. But these hold more information, which is more valuable to crack. And that makes it more likely that people will try to hack it. Popularity usually begets success in the hacking game.

Matthews is not a fan of digital certificates. Since most are based on a single algorithm, all public/private key infrastructures are equally vulnerable, to the extent the algorithm can be broken, as has been shown. "It makes it very easy to de-encrypt information en masse," he says.

Even so, since it's currently state-of-the-art encryption, digital certificates are likely to spread across the most sensitive parts of the digital landscape. Matthews argues that when digital certificates are used for encryption, the certificate only encrypts the key that secures the data. The precious data itself is usually encrypted with a weaker encryption technology. This weakness is unavoidable since digital certificates multiply the amount of data a computer needs to deal with as much as 15 times, straining the capacity of any system to deal with the transmission.

Institutions that invest in digital certificates aren't safe, says Matthews, because a hacker with any brains or skill who wants to poke around a major, well-protected firm wouldn't attack the big bank directly anyway; he or she would attack a smaller bank that probably has weaker security, and then breach the firewall. This makes committing real crime easy, says Matthews. "If I were an intelligent black hat, I would be writing programs that dug deep into the recesses of things like widespread accounting programs, and learn how to mail checks to myself, or just create accounts and put very small positive balances in them, and then call up the company rather later and ask for a credit," he says.

Copyright, Thomson Financial, [2001] All Rights Reserved.

------------------
http://all.net/
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:51 PDT