Digital Security
by Bryce Allen
I sit at my computer screen, watching new username and password pairs appear at sporadic intervals. I see mostly email passwords, but occasionally a website password, an FTP password, an AOL instant messenger password, or a Windows file sharing password will surface. I recognize some of the usernames - they are my friends, living in a different building a few hundred meters away. If I so choose, I can read people's email, impersonate them on AOL instant messenger, or steal their personal information from a website.
I have just run a password sniffer, a program that searches all of the network traffic passing my computer for login information. I downloaded the program freely from the Internet. No skill is required - I just run the program, and the passwords appear. The vast majority of our online communications are susceptible to this simple attack. Unfortunately, this is just the beginning - even in the case of secured ecommerce sites, a flaw in the system and a disgruntled employee could expose our credit card numbers. The digital world is a complex system, and we form an important part of that system. To protect ourselves, we must gain a basic understanding of security technologies.
History
The Internet began as ARPANET, a military research project (Zakon). In these early days, the design and operation of the network were marked by security naivety. For example, telnet allows you to run commands on a computer anywhere on the Internet. To access this service, you must enter a username and password. However, this access information is sent in clear text. This allows anyone running a sniffer on your local network to intercept the username and password, giving them access to the remote computer. Many of these insecure protocols are still in common use today.
The Problem
When you visit Amazon.com to purchase books online, you have expectations, perhaps unconscious, regarding the security of your transactions. First of all, you assume that your communications with the Web site - especially sending your credit card - are private. You assume that the Web site you are communicating with is really Amazon.com, and not an impostor. The data you send and receive from Amazon.com must also have integrity - you assume that the prices appearing in your browser are the actual prices. Cryptography allows all of these expectations to be met.
Cryptography
Cryptography is defined in Webster's Revised Unabridged Dictionary from 1913 as 'the act or art of writing in secret characters.' This definition hints at the origin of cryptography, which was used by Julius Caesar well before the advent of computers. His most famous method of secret writing is known as the Caesar shift. He would simply replace every letter in a message with the letter of the alphabet that is three places greater. 'Attack at dawn' became 'Dwwdfn dw gdzq'. This is an example of a cipher, a method of scrambling a message which replaces each letter with another letter or symbol. This particular cipher is easily defeated with a technique known as frequency analysis. Human languages typically have a certain structure, and the relative frequency of each letter will tend to be the same for everything written in a given language. In English, for example, 'e' is the most common letter (Singh 10-11).
Today, the tedious task of encrypting - scrambling - and decrypting - unscrambling - messages is usually done by a computer, which allows the cryptographic algorithms to be much more complex. Computers commonly use two categories of ciphers: symmetric key and public key.
To send a secret message to your friend using a symmetric cipher, you first agree to a secret key - a password. The symmetric cipher takes this key and scrambles the message you wish to send according to a specific set of rules, making it completely unintelligible. Your friend uses the same key to unscramble the message. These ciphers are symmetric because the same key is used to encrypt and decrypt the message. The security of these algorithms relies entirely on the secret key - if it ever falls into malicious hands, all security is lost (Schneier 86).
Symmetric ciphers have one major drawback - you must use some other form of secure communication to decide on a key. This may not be a problem with your best friend, but no one wants to travel to Amazon.com headquarters in XXX just to order books online. Public key ciphers were developed to address this problem. With public key ciphers, everyone has two keys - the public key that they distribute to the world, and the private key which they keep to themselves. To send a message to Amazon.com, you simply encrypt the message using Amazon.com's public key. The message can only be decrypted using the private key, which is held only by Amazon.com (Schneier 95).
Public key cryptography brings a new challenge - a credit card thief could distribute another public key, claiming that it belonged to Amazon.com. You would encrypt the message and send it off, but Amazon.com could never decrypt it - only the credit card thief would have the corresponding private key. To solve this problem, cryptographers have devised a method for signing public keys. Amazon.com has a certificate which essentially says 'Amazon.com's public key is XXX, signed RSA Data Security, Inc.' (Peterson and Davie 589). The signature actually uses the public key of RSA Data Security, because it has no other way of identifying itself. So how do you know that this public key is accurate? RSA Data Security is one of the standard certification authorities, and their public key is included with all modern web browsers. This allows you to verify, with a very high level of accuracy, that you are really talking to Amazon.com.
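The certificate check described above, as an added Python example that is not part of the original essay. It uses textbook RSA with small constructed keys so the arithmetic is visible; the function names, the certificate layout and every key value are assumptions for illustration, and real certificates use far larger keys and padded signatures.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes: returns (public, private) = ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(name, site_key, n):
    """Hash the certificate body (site name and site public key) into [0, n)."""
    body = f"{name}|{site_key[0]}|{site_key[1]}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue_certificate(name, site_key, issuer, signing_key):
    """Bind `name` to `site_key` by signing the body with the signer's private key."""
    n, d = signing_key
    return {"name": name, "key": site_key, "issuer": issuer,
            "signature": pow(digest(name, site_key, n), d, n)}

def browser_accepts(cert, expected_name, trusted_cas):
    """Accept only if the name matches and a CA key shipped with the browser
    verifies the signature over the name and key in the certificate."""
    ca_public = trusted_cas.get(cert["issuer"])
    if ca_public is None or cert["name"] != expected_name:
        return False
    n, e = ca_public
    return pow(cert["signature"], e, n) == digest(cert["name"], cert["key"], n)

# Constructed toy keys built from small Mersenne primes (not real keys).
CA_PUB, CA_PRIV = make_keypair(2**61 - 1, 2**31 - 1)
SITE_PUB, SITE_PRIV = make_keypair(2**19 - 1, 2**17 - 1)
THIEF_PUB, THIEF_PRIV = make_keypair(2**17 - 1, 2**13 - 1)
CA_NAME = "RSA Data Security, Inc."
TRUSTED = {CA_NAME: CA_PUB}          # the CA keys bundled with the browser

genuine = issue_certificate("Amazon.com", SITE_PUB, CA_NAME, CA_PRIV)
# The thief puts his own key into the genuine certificate: the signature no longer fits.
swapped = dict(genuine, key=THIEF_PUB)
# The thief signs his key himself while claiming the CA's name: wrong private key.
forged = issue_certificate("Amazon.com", THIEF_PUB, CA_NAME, THIEF_PRIV)

if __name__ == "__main__":
    for label, cert in [("genuine", genuine), ("swapped", swapped), ("forged", forged)]:
        print(label, browser_accepts(cert, "Amazon.com", TRUSTED))
```

Only the certificate signed with the certification authority's private key passes; the check also fails when the issuer is not in the browser's bundled list or the name in the certificate is not the site you meant to visit.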
Secure Systems
So when you visit securestore.com, your credit card is encrypted and a signed certificate positively identifies securestore.com. Your credit card is safe.
Or is it? What does securestore.com do with your credit card once they receive it? Do they email it unencrypted over an insecure connection, or to a disgruntled employee who handles credit card processing? Is there someone looking over your shoulder, watching you type the numbers? Are you using a public computer, where someone could have installed a key logger that monitors your typing and sends the result to hax0r@evil.net?
Bruce Schneier is the author of Applied Cryptography, one of the most popular books on modern cryptography. In the Preface to his new book, Secrets and Lies, he writes: “A colleague once told me that the world was full of bad security systems designed by people who read Applied Cryptography.” (xii). While cryptography is a necessary tool in creating secure systems, it does not exist in isolation.
Software Security
A search on http://corporate.windowsupdate.microsoft.com, which provides a database of bug fixes for Microsoft products, reveals nearly 60 security-related patches for Windows 2000. Some of these fixes apply only to server software that a typical user will not be running, but many others apply to commonly used software like Internet Explorer. None of these security holes are the result of bad cryptographic ciphers - they result from obscure bugs in highly complex pieces of software. While the impact of these bugs varies, some allow an attacker to gain complete control of your computer.
Social Engineering and Physical Attacks
Some of the most successful attacks on a system are also the most low tech. One such technique is termed social engineering - simply call up a user and ask for the password. The authors of Hacking Exposed are security consultants for Foundstone Inc.:
We were once able to obtain an internal list of phone extensions from a target's Web site, and dialing down this list at random, we were able to obtain usernames and passwords for the internal file and print LAN from 25 percent of the users we called, simply by pretending to be the internal technical support group. Pulling rank, whether as the director of IT or the tech support group, is very effective (562).
Physical attacks are also very effective - take a baseball bat, and smash a computer. All of the data is lost, and the expensive equipment is ruined. A less drastic approach, which also relies on physical access, is to insert a floppy disk into a computer and force it to reboot. Most computers will look for a floppy disk at startup time - if the proper software is present on the disk, the computer will run from it instead of the computer's hard disk. This is normally used to launch the installation program for an operating system, which needs to have complete control of the computer in order to overwrite the existing operating system. However, an attacker can easily use this feature to run his own operating system from the floppy disk. This allows the attacker to read, modify, and delete any unencrypted data on the target computer's hard disk.
What You Can Do
Before sending data over the Internet, always ask yourself who will have access to the data. Is the connection encrypted, as with many ecommerce sites? Both Netscape and Internet Explorer allow you to view the security information for a Web site - whether or not it is encrypted, who signed the certificate that verifies the site's identity, and even details of the cryptographic algorithms used. Do you trust the Web site you are sending this information to? Many of the more obscure ecommerce sites on the Internet have very low prices - but is the money you save worth the risk? Will they sell your name and email address to spammers? Check the Web site's privacy policy before sending any personal information.
Keep your software up to date. Most modern operating systems include a method for easily applying security fixes to your computer. Under Windows simply launch Internet Explorer, open the 'Tools' menu, and choose 'Windows Update'. From there, you can find a list of product updates tailored to your computer. Unfortunately, this only works for Microsoft products. Many other products have a live update feature built-in - you just choose an option from some menu, and it automatically checks for and installs upgrades.
Conclusion
There is no such thing as a drop-in security solution. To create a secure system, every single detail must be taken into consideration - the communication channels, the people, and the computers running the system. As users of these systems, we can apply our knowledge to enhance their security.
Works Cited
Peterson, Larry L., and Bruce S. Davie. Computer Networks. 2nd ed. San Diego: Academic Press, 2000.
Scambray, Joel, Stuart McClure, George Kurtz. Hacking Exposed. 2nd ed. Berkeley: Osborne, 2001.
Schneier, Bruce. Secrets and Lies: Digital Security in a Networked World. New York: Wiley Computer Publishing, 2000.
Singh, Simon. The Code Book. New York: Doubleday, 1999.
Zakon, Robert. 'Hobbes' Internet Timeline'. 11 Sept. 2001. Online. Internet. Available: http://www.zakon.org/robert/internet/timeline/