NATS 1700 6.0 COMPUTERS,  INFORMATION  AND  SOCIETY Lecture 21: Security | Previous | Next | Syllabus | Selected References | Home | | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 |   Introduction CERIAS  or Center for Education and Research in Information Assurance and Security. "Rhe Center for Education and Research in Information Assurance and Security (CERIAS) is currently viewed as one of the world's leading centers for research and education in areas of information security that are crucial to the protection of critical computing and communication infrastructure. CERIAS is unique among such national centers in its multidisciplinary approach to the problems, ranging from purely technical issues (e.g., intrusion detection, network security, etc) to ethical, legal, educational, communicational, linguistic, and economic issues, and the subtle interactions and dependencies among them." The Computer Security Institute  "is the world's leading membership organization specifically dedicated to serving and training the information, computer and network security professional. Since 1974, CSI has been providing education and aggressively advocating the critical importance of protecting information assets." Read at least the executive summary of    Redefining Security: A Report to the Secretary of Defense and the Director of Central Intelligence  prepared in 1994 by the US Joint Security Commission. Here is a brief but significant excerpt: "The world has changed dramatically during the last few years, with profound implications for our society, our government, and the Defense and Intelligence Communities. Our understanding of the range of issues that impact national security is evolving. Economic and environmental issues are of increasing concern and compete with traditional political and military issues for resources and attention. Technologies, from those used to create nuclear weapons to those that interconnect our computers, are proliferating. The implications and impacts of these technologies must be assessed. There is wide recognition that the security policies, practices, and procedures developed during the Cold War must be changed. Even without the end of the Cold War, it is clear that our security system has reached unacceptable levels of inefficiency, inequity, and cost. This nation must develop a new security system that can meet the emerging challenges we face in the last years of this century and the first years of the next." Here is a short list of sites devoted to information warfare: Information Warfare Information Warfare on the Web Warfare Flight Works behind the Scenes InfoSec and InfoWar Portal Information Warfare Information Warfare Institute for the Advanced Study of Information Warfare (IASIW) Intelligence and Security Webring Cliff Stoll's famous book The Cuckoo's Egg: Tracking a Spy through a Maze of Computer Espionage (Doubleday, 1989). The Risks Digest  is a forum on risks to the public in computers and related systems, organized by the ACM Committee on Computers and Public Policy. A large number of references can be found at  SecurNET  or at  The Security Clearinghouse. Check also the Cryptography FAQ  where you will find useful information about "encryption/decryption standards, their applications and implementations." CERT Coordination Center,  Carnegie-Mellon's Software Engineering Institute, is a research center where they "study Internet security vulnerabilities, provide incident response services to sites that have been the victims of attack, publish a variety of security alerts, research security and survivability in wide-area-networked computing, and develop information to help you improve security at your site." This site also includes a complete collection of  RFCs , including several on security issues. RFCs are documents from the Internet Engineering Task Force (IETF) containing information about established and proposed standards. This term was first introduced by J C R Licklider at DARPA (see Lecture 16 ). NIH has gathered together several useful resources on  Computer Security Information PGPi,  or Pretty Good Privacy, is an interesting piece of security software with an even more interesting history. It is a public key encryption program originally written by Phil Zimmermann in 1991. PGP is the de-facto standard for email encryption today, with millions of users world-wide. Read the  faq  on the international version. "There have been MANY rumours regarding its security (or lack there of).  PGP Attacks  answers some questions about the security of PGP. See also  Lecture 20. Read an    interview with Phil Zimmermann,  the author of PGP. Read also the   interview with Peter G Neumann,  who is principal scientist at SRI International Computer Science Laboratory, and whose research involves "security, crypto applications, overall system survivability, reliability, fault tolerance, safety, software-engineering methodology, systems in the large, applications of formal methods, and risk avoidance." Both interviews appeared on  High Tech Today. Look at the interesting list of other guests. Read    Red Team versus the Agents, an article which appeared in the December issue of Scientific American, and in which the authors describe the new agent-protected system technology. Such technology is based on special programs, called agents, which "are designed to act as artificial organisms. Their code is arranged into 'genes,' and the agents adapt in response to stimuli and communicate with one another to identify suspicious activity, such as unusual network traffic and unauthorized probes. As a result, the agents can detect and foil many kinds of insider attacks by bought or blackmailed operatives."   Topics When, in Lecture 16, we introduced the Internet, we argued that one of the reasons for the development of distributed computer networks was the US preoccupation with the vulnerability of their localized defense infrastructure. The Internet was designed to withstand a nuclear attack. The idea appeared to address this weakness--but only temporarily, and perhaps not so effectively as we thought. Tha danger is now more 'internal' than 'external,' and the likely offensive weapons are software weapons. See for example Hackers Target Core Internet Computers . Many studies have been carried out about the strength of the internet. See for example Error and Attack Tolerance of Complex Networks , where the authors argue that "Many complex systems display a surprising degree of tolerance against errors. For example, relatively simple organisms grow, persist and reproduce despite drastic pharmaceutical or environmental interventions, an error tolerance attributed to the robustness of the underlying metabolic network1. Complex communication networks2 display a surprising degree of robustness: although key components regularly malfunction, local failures rarely lead to the loss of the global information-carrying ability of the network. The stability of these and other complex systems is often attributed to the redundant wiring of the functional web defined by the systems' components. Here we demonstrate that error tolerance is not shared by all redundant systems: it is displayed only by a class of inhomogeneously wired networks, called scale-free networks, which include the World-Wide Web, the Internet, social networks and cells." If we are indeed entering the information age, it should come as no surprise that warfare has diversified also into information warfare. Read    Strategic Assessment: The Internet,  a review of "the actual and potential impact of the Internet on domestic and foreign politics and international conflict, from the point of view of a US Department of Defense analyst." This publication is part of the Federation of American Scientists Project on Government Secrecy.  As you may already know, the governments of the US, UK, Australia, and likely other countries, have invested a lot of resources in the continuous monitoring of the Internet traffic for evidence of hostile military action, industrial espionage, drug trafficking and social unrest. Although, given the obviously high sensitivity of these activities, it is difficult to gather hard evidence of their existence, there is plenty of circumstantial evidence. See, for example, the US Defense Security Service document    Internet: The Fastest Growing Modus Operandi for Unsolicited Collection,  which includes "a list of suspicious indicators of foreign collection efforts via computer elicitation." The FBI, in particular, has been directly involved in many contracts between the US and foreign telecommunications companies. Read the FCC's Order and Authorization in the matter of TMI's application for "authorization to operate up to 100,000 mobile satellite earth terminals...through Canadian-licensed satellite MSAT-1" in the US (especially Section "D. National Security and Law Enforcement Issues").   Cliff Stoll. The Cuckoo's Egg Security has other less familiar facets. Consider this question: what constitutes a legally binding document on the Internet? The problem is that an exchange of data does not constitute a contract, per se. Essentially, to have an effective contract, one needs some way to authenticate the signatories of the contract. You have probably had the occasion to see one of those (paper) legal documents where a signature is authenticated by another signature, and so on, until the last signature is considered to have such authority that the process stops with it. Moreover, one must be able to establish with a reasonable level of certainty that things haven't been altered since the contract was sealed, signed and delivered. How can all such requirements be met on the Internet? The answer will probably consist first in finding a legally acceptable solution--a problem enormously complicated by the fact that the Internet knows no boundaries--and second, in solving the problems of secure authentication, data exchange and storage. As pointed out in the next bullet, various proposals have been devised to cope with the technological issues. A widely used technology is represented by sophisticated encryption algorithms, similar to those used in PGP. However, all these algorithms can be cracked--at least, if given sufficient time and computing power. While they are rather safe for common, personal use, they are ultimately not sufficient, particularly in light of the continuing increase in number-crunching powers of computers. Possible effective solution may come from the new field of quantum computing. To get and idea of what this is, read    The Quantum Computer,  a very nice introduction by Jacob West, or check the Quantum computer entri in Wikipedia. "The advantage of quantum computers arises from the way they encode a bit, the fundamental unit of information. The state of a bit in a classical digital computer is specified by one number, 0 or 1. An n-bit binary word in a typical computer is accordingly described by a string of n zeros and ones. A quantum bit, called a qubit, might be represented by an atom in one of two different states, which can also be denoted as 0 or 1. Two qubits, like two classical bits, can attain four different well-defined states (0 and 0, 0 and 1, 1 and 0, or 1 and 1). But unlike classical bits, qubits can exist simultaneously as 0 and 1," with certain probabilities. "A quantum computer promises to be immensely powerful because it can be in multiple states at once--a phenomenon called superposition--and because it can act on all its possible states simultaneously. Thus, a quantum computer could naturally perform myriad operations in parallel, using only a single processing unit." Without entering in the rather complicated details, it is further possible to show that quantum computers can encrypt data in a completely crack-proof fashion. Preliminary experiments have demonstrated this capability, but we are still a rather long way from commercially viable hardware. ...and there are other problems. A rather comprehensive article in Information Week,  Global Security Survey: Virus Attack,  suggests that viruses may be the top security problem for IT managers. A more recent article by Bernard Cole,    Security, Reliability Twin Concerns in Net Era,  appeared in where the author reiterates that "the one problem that continues to hound the Internet and World Wide Web, and indeed, has gotten worse as the bandwidth available to the average consumer has gone up, is that of viruses." At the same time, it's important to note, the push towards mobile equipment and information appliances has worsened the situation. The defenses possible even on desktop machines, thanks to their processing power and large amounts of memory, are difficult to implement on the smaller information devices, where "the problem of viruses becomes a much more complex one because of the significant difference between the memory space required for a typical virus and the software mechanisms to protect against it. The viruses that have become ubiquitous in the desktop seldom exceed a couple of hundred bytes or kilobytes at most, and, as such, could easily infect even the smallest connected device.," according to Carey Nachenberg, chief researcher at the Symantec Antivirus Research Center, as quoted in the above article. Among the many proposed solutions, Cole mentions those by IBM and Symantec. "Developed by IBM Corp. (Armonk, N.Y.) and licensed for commercialization by Symantec, the Immune System for Cyberspace uses a specialized server that acts as a petri dish for the growth and analysis of suspect files sent to it over the network. It then identifies the virus, develops an antidote and sends it back out on the network just hours after it has been found." Using a somewhat related technology, "Symantec will take a two-step strategy. First, he said, will be to deploy the solution to large corporations and organizations, creating 'islands of safety' within their closed intranet and virtual private network environments...After that, in a 'head them off at the pass' strategy, Symantec will lobby the 10,000 or so largest Internet service providers. 'By monitoring the sites through which the majority of Internet traffic flows, we think it will be possible to catch most viruses, identify them and deploy an antidote long before they get to their destination,' Nachenberg said. 'Moreover, we should be able to do it on the same time scale that they are able to move around the Internet, in hours instead of days.'" It is clear that the various proposed forms of reaction to security threats have an obvious and troubling impact on privacy and freedom of speech rights. The tension between these two spheres--that is, between a 'commercially safe' and a 'spontaneous, unregulated' cyberspace--is bound to increase, and the future of the Internet as the expression of the global village, if not of the global information society, is very much in question.   Questions and Exercises Are security problems, as described in this lecture, really new? Hint: check the history of the telegraph. Do you think that security considerations will turn the Internet into a number of safe islands, or intranets, safely separated from each other, and from a chaotic, unregulated residue of what was once the web?   PIcture Credit: Pocket Books Last Modification Date: 07 July 2008