Application Development - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Application Development


Security Scans



 By: Peter Coffee
2001-03-12
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Application Development story.


Rate This Article:
Poor Best
Earning e-business confidence

In the early days of air travel, danger and glamour went hand in hand with the novelty of the experience. But as jet-set exclusivity turned to tourist-class ubiquity, passengers came to take safety for granted.

So, too, must the security of e-business transactions cease to be a high-profile customer concern; only then will the online marketplace reach its full potential. In the same way airlines can now boast that air travel is safer than driving, in terms of passenger miles, e-business operators must be able to affirm that doing business on the Internet is at least as safe as buying and selling in any other medium.

From that starting point, the distinctive strengths of electronic business—its convenience, its selection, its efficiency—will enjoy their full advantage.

There are retail establishments, such as high-end jewelry stores, that put their security up front and in plain sight. Many retail Web sites have much the same aura, with their user names and passwords, cookies and browser dialog boxes advising, ?You are about to view pages over a secure connection.?

However, a jewelry store with guards in front may have an unlocked service entrance in back. And a store may check the identification of every customer who wants to pay by check or credit card, while routinely admitting anyone wearing a UPS or FedEx uniform.

Resource Library:

Likewise, a Web site may intimidate users with the outward inconvenience of conspicuous security while actually leaving itself and its customers at risk because of misconfigured servers or flawed storefront software that builds vulnerability directly into its design.

The site that relies on user names and passwords, but that tries to reduce the inconvenience of these access control tools by packaging them in browser cookies, is authenticating the device, not the user—a conceptual flaw thats also common to the security protocols of, for example, Bluetooth wireless technology.

Business-to-business situations are even more likely to involve shared access terminals, increasing the need to find ways of controlling transaction privileges (such as allowable order amounts and approvals) by person rather than by connection.

Costs of biometric scanners are already falling, especially as voice hardware becomes part of mainstream convergence-driven systems, and growing bandwidth enables more transparent processing of fingerprint maps, face scans and the like. Businesses will benefit from the nonrepudiation of transactions that comes with means of authentication that are so closely tied to the individual user.

Another authentication option is the physical token, associated with the user rather than with the information appliance.

Portable tokens, attached to key chains or jewelry, let users move among many different client devices in a setting such as a large retail store or factory floor. Unlike biometric methods, they enable convenient transfer of authority as readily as handing someone a conventional key.

Better than mechanical keys, though, are electronic means of revoking authority quickly and with precision in the event of changed assignments or a departure from an organization. B2B system planners must think in the same circumspect terms as an engaged couple drawing up a prenuptial agreement, envisioning the possible need for withdrawing privileges as well as making it convenient to grant them. Key-distribution and management mechanisms, such as those commonly called public-key infrastructure, must be part of the plan.

The enemy within

Three generations of eWeek?s unique international OpenHack challenge events (story archives are at www.eweek.com) have highlighted three targets of attack: the platform, the applications and the technical staff of the site.

OpenHack I fell to an attack that induced the target site to betray itself by using a known but unpatched vulnerability of the cron daemon (which automates routine task scheduling) to give the attacker privileged access to the machine.

System administrators may be vexed by the frequency of software patches and by the distressing likelihood that a patch will create new problems while solving old ones. However, there is really no choice: Widely circulated patches, and their documentation, constitute a textbook of known attacks that all too often remain useful for years after their disclosure. Tracking and applying system patches can be daunting, but reputable sites such as CERT (www.cert.org) and the SANS Institute (www.sans.org) provide valuable assistance.

OpenHack II went down when a storefront application served as an entry point, accepting arbitrary commands through a pathway that was meant only to process file names. Both OpenHack I and OpenHack II showed the complexity of e-business systems and the high degree of mutual trust thats assumed among various components by PC-trained application developers.

When a storefront application was cracked in OpenHack II, for example, it became the stalking horse for an attack on the database of which that application was a trusted user. B2B application development managers may need to guide programming staff on the need to assume an arms-length relationship among system modules that might, at some future date, be operated by outsourced service providers or business alliance members.

OpenHack III began with a "trusted systems" foundation (perhaps better termed a "distrustful system") using Argus Systems Group Inc.s PitBull, with internal partitions that strictly limited system components privileges. Despite attackers success in finding loopholes such as those that brought down the previous OpenHack sites, the internal controls of the PitBull platform prevented attackers from linking those holes to tunnel through site security.

Failing to defeat site protection by technical means, at least one enterprising contender for the OpenHack cash prizes turned to social engineering, offering a simple bribe: Assist the attack, share the prize. Every e-business operator should bear in mind the growing likelihood of "purchased key" attacks as technical attacks become more difficult to carry out.

A Russian proverb, adopted by former President Ronald Reagan, says, "Trust, but verify." For e-customer confidence and B2B success, the dictum might better be: "Design, and you wont need trust."





  Reader Comments: Security Scans
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Application Development Articles          >>> More By Peter Coffee
 


x}ks۸jFgd1ERoYR-':-K'HH"yHʶ2w~bvK/Kɹ7N9hFh"GI"f\8̢$;uOuޙIjz:І}oQo2t"E%U5EhDԸ#|xLg{2 8ϻf{iki#2pj9N`QFdnڭaㅰH A#a9p<^h- GgJ3vr 'Mڪ8NQ^tXF>D>8z vur6O(L|@ɠiģFr$˚3he9njTW^5XoDܽiνoĥqs3}s77+e5WE*Cq7Z} m)9xM5u=kyؼ} _Vb;}" @D%\.$_::&N{_ xZjk K'i̮g fZ҈ 'UUjH,ǝqT~6/NMwםwbٚXC j=Ίgxg_-:nNo/9n:ݛ9^IəyN0@q3 jʿ~['y5HyZz>540Z-$5IULusB2,NdJ~}׿8'=M% $sܿG)HaM|`Ap 2Xf]vЎRljVm&T3o`H2 ShK_39j\K}0[#RFp &\ aCǘش 6,%JP$,|ʅ U >YtBFPq:]R$y3DDȝ g3E94>BzBp4<01FpJn.b?uKZg۰feY%YWa"G#-*<7ڭ)]u/{]tZo۰"D!ʠ괱b{\@'&hC:}ҍ:LZ a;^h.[W , sX >$n#J$ >6ZЉχjc˦MB:{ǻښB(QС4|мa !yjQ?]*~h3`-Df> o 4҆*QcSB\jÐx?_+1 Tt!B~`Y&4D 7q9準IyR! +=Ͱ'p_;owzfv#ʅKMrJ) w$m˴oWCBo!_.dI_fMbt |ƓBw3cfVʒrɕU&Fn( S>I? JLqG)'gJQJJv Zh'N6ec phlYWn%,j?յ݋0z9(Ҵ.Z*ei -Ae[h0^Ԣ(-a|u(" !ڴsaŴ,B/P<:\bP'^&äkQ[Kpw{K5G^\큢SUVj'G&,-3^ȣXWxK[@ xB6$3Qَm2ij6<:NЃX鹞voԱO@۠w3G RB/C48c$R+maQWj3- ;_ ǂeK,}o2tr:|Ꚛ;/ {gaWlIs7s4ڌvpvGa!2f4ÑiH5ߴIF̫%UV-Pנq2,Ƹ'q?|72le,g@@rFe91'j5Y$tFi.Z0Y8pADb$6\P`t>* :WX00n) hRUԒ.ZE^nv Z Ktl?`zTyhBQݏP1gxyd.3IR-ȗUTJkV| }3?7]ex$R9pF#~y6s'~nL2,}RjzC?}NwK\isfC#\ܬagaF]Hde@Ϸw.1SdcSyt( dݛ0n !UՖWask'b6B4!$Ծ7 X-0`7YR{IMzO1ɨ4VsC<7WK$?n#덼>Lk}PJZP+k9m6f/ycDH! 2Ѵ%\%Lc( O篌 kf +RSJ, 86"uݙFvru~E!Yh93is5"AJϊ֍3XgSuqïJUXfЩ ruawя^\?m+5.и|)a^f&k꾬0XrS5BdrQT޴ J7 \vO yrh2jkno 71ތsb9t[ y|\+pKd3 8@ا<y}PhlK[ u޺\8XnZ58Mc.ij2~P+` ~` Y|JRP-HjYxv(P|nɘKVh=nM\&m}JJ\qZ7D_L7 xE8DC{P?lZ.+BC=PX*O$d%,t>Gɏ01f䅕ҟۆ ˕~w?l)ɡ$ |ܯJ8 C7wXPf+Ọ9914/^\}f='&BP` &w,/ot@;M轟Dw%]ޫi)YY/.:矎 !kK:N0ɻv~t}}܇?,Їߤi#R؝{py*u.Zo]8 } -yރ4 2`i8>kCfN۫itцi~py# @*~{!\v.ŗtOk~ݬN;m)^{%<R'hhZ睷G,Y#t!B[-ͦ5vpR` qH/=} CՠhMء{+*O= V`!LR:wha.`$؏*XU2ӻ:o}en/l! D78S*PW"REH%IA%N'' 缀9hEщݹ~i T t~iў.` eڃ͟\WVr['v>!!^&V8;=h1sfzvIEAqǻ"Tc(LLàvD)iũ-xOӖO|^BBYQJ;ńQ2u?IkvkYM S)Ҥ GBgJȄJ~$IjSfky4<ʒyTObCYF*݅' һj]npVPt.+Psv綱09k2it(5~u.H>a)-GH TI)jݷΪ\> 6o`H0vySkbnMZZU$vLݝf0!zߺ3^Ɠ`/q" he֩Ҋ!hX4gkS@ ?\:d [ıT߆ح?G.9r kNQDܯ$7&^=`q Ӯ q" q̳Db1N4f89nkҺba}%HHR`@wGL4\P7GAT2#|ȥ~viك:sǚ5od7%_aW)RfYj#rK"J]jD Nt5Q{qN9p}W90Ϊ6=9$/Av} ,Daf?Vȿ5LĴhg ZACX38sH2q&cx2z'F[euw+[cgcc;/F%%wg&Ȱl !_к ŵaZǴ OMp8|+؊wfo_O5oNւ1v̹Oc%we/  j{nna_od^=3V,qlhd[01,gXp8q<3 ~Q+lFaY45h|L44+dkVl-ra&j7 mɕr _S6ZS~=jn̲C$FJN`C=C$g &A~.n!R(6AWAgaHM  sBWlj"H[p4]1'VPڑ3VÒ^[f i1OY"N *z /xUq8,VbLJ椪$]q#.+q=XfA%`!H5G<0ʋNGd)T9;lP Q_,88_2jT&ZQϗ/gEʑ746g;|\d|C& B>' ?j#iv#wG75}Ne6CAŤR0!R^:ƊUSXo>ՀuK%JtxSψi =J/dbR6L6$@dy0/DnRW6r7ޟ-ϮrV6]%Uż dq2<S {?`Aa^\Jn[I{HZS0JA|jb|,/@Om= )!>vAs*ӚZޖ /Ek,輣DRܭz{Yx{27\E&(Qbc 4/mK`ŗ"0h ƞ/'}CkyQ :ԥ7bEQ m* (@0$Io%z͝<ªRX&L,tL."8L=Bxɵp5YX]2xGQQQQ+}|t,^615=rǗ)ҙ2f?󌙎fWwh :b~qᾦD1{TBe*x5;} YZ{ t/?OKU$Kj_F󥋹1&A5D>P6/HsubZt ~O>j,G|i@.wo8" E $" ڣꅐO-ncf8 44PiK)qs/_B4ӟĝ<*k#]l}YϠGXu#T>a2C~ͭnIHܒzs CBxU(.5D-uivw9/P- -€px337l(P٣ z0h= a࿑5K#/|6- o:yr<l~~yE2hD,o?hێmɯmX.?Wڟi0Wkxt²D]?0֥/Þ<|xo{~?gfmfԅ߾r];ɰ}cK8XP| %!fyi>9@ I3m*f)Zbz8S[W@.h ,FF)P&sSMaɟYwgC|kTctq"o~C0_=T,[ LU+ Rk[Q{Z˫k=!\P]C$obF .m3FO +3h??X\bDxb*1bVIM;IP}7Y?d=`'t24/^\}B!_UQw>6<|xww-]hbY|r1~>)N& )aMС  arK$/p >>|6ژYhF$YcN`?,!ԓFGī)Ӏ!gׂWH7˽}H[e'郀tZꈁ$ E슃L(a]B @q77{V\oz~}C +@ܙ6 χ}ڎ&^)aj, wOlx|֐D ]TVZA=Fn0Gs.}jŃ,+KgC.7# |9[CG)WTbʑ,̆Voo__R@7FDur1 `8*ejU KKL 2@k8{_{=>M0- œ5"ts#ϙ>' .yHcI ^iN4X+ ?MO_zwbbx ><Rh̘_[*uUԁRk]j)qE^]{ 7uEq H@+^@2bw44ܽB%@%͈ŵ?/?5iv>N;WNϻ7x Zѷptԝs=tҽtֹl_]w.JGƿd&E`,eJE)3S9,j4lw^;OKvEGeqq^ |BO|?Sv}Y 1/ F8[ ᗞuoV\j)?=V#tɉcl:}j{7~l>42+UoE )n}>e; Uj^+Q_m9o7mȿ'-ֆ.w7#NO d}l~Bna}N>sivN7C:|gC2 s>v͋ s0  >b~/?s0 ϋ yy>G/7#ܐmcC_lȇ0?ru n?]/ j}\A ~7O0a} a}}a|7#@ͦ|ߛ {lhf%:IڰA~kpvJEs!ioRŦM<ې_ @zv^˰ڀr! ^}ZV*oir_!4.5Pߴϫ/emO5Z8VҦ n@KG{2Pi +{yD L*gل}@C؞y#u/'eFWTCﹺ d^ {WrMmhӉzZ>ĚwxY(V<-t&j\eѣfhS =5|i3׃7>Rqz`n%^Te|pzfl(O6*8 ߜ:H4+6W`%@^̓>/15D -BfpOߨBGm ~Ǵ1-}G$ΆR +J9SaO;F$ô!ND(.#j^VYI0R++ QPB48ۈW)174#7 y8an%[_"z%^>FG&~l m^@, enQKp^'WvŐb0~'P`K֞9:^͆,'rrgLߟQѷd] 4?-ikUDt҃Yk䃿 􅠶'Sk фwYBD˸xm =ƾw<^AkMH2` ̀N5Wે1/47 \Z=woWp*|.`{VݍK#0{o%1{ |-SfAL q,qL/jSF#Fo؛ǖaB֯aXkt rV7Bf+ΣܝS/f5|s;!,Rj L8{Aflk8ӕsXK+up_T3lPSѽ1;tA5/z!_ 8$" tdd3+x L mb[>/~}$g%jY:}PCDv=,=6 &13㿄$RvvJ[PxK b?94Ǟ”0΀ė%>fv5$$}9= zl{J=S%n 馃%艬GC߱iB .7̈ }+,RDvZ+F2}jQwب}t:WX3aOjød{BUmkC 1̅{{κ^+^Ռ[#|F+3௚F3qyU (pd+Qq1^RXhs]qvz4OHm{XL "a'Sߌ^| g _H6G!qY "=(l-E'.|}7{/ݤdq-+r0l®%ovl=H &M* >!p#R.ƛrx{GkckQcL%^GPVFnOv˷Dg귾6Yf4p6g@!(DP?hFq:hI W9:xp3[ !ۂZic,#sEt%(Xp^'A֮v&`ܛ) 3/U@Evg˫PvxGm<"^|:u-E{cuݍ2JW(:NOes{JF 7#T %` GYU`Z+rǩVxx ut+y! (a4AL?Q1?{c]'nJQi#5T-veщ&ߵ3p߼D]Y>9Ѝ5a01ngFb k f =[=܊;~#1V`]cٱWOR6Ȥ{ mPCdk5RKEq sXǼȖwWRڱ!;/eD?8@ cL ;fcJ ,oԛŠ'TS*a#o *;ANWesS$ˉY)jV0ѪαЩ_k^٢C><|g`)nԈ77tZ.=Khc{ŸpfJ)j胋AȽg~d>>}]H'ȱ`,ӊ v"V윔IJLΡnbpQ!EVF) 5P&~XDn-n$_B@ zZ|gG? | |{ >ŗ$ZSX?#c^44{<Y|x7({48έIq{6N}䏽W^48uDԿϾŗ_xbi=ۋ~/ {IJP/Y :=vK@1"p e5 ^4]cduȏ b@t;U+fP O3 yAr>~őcIMj=/\G Q`l̳Sy  KgŐgPftR0Gc`?tQ*|ٌ<|J$^?oScD*sLV_\-.J*?>Mp)t^vۤwr=?'Ər} _*VYXFS_K|U7'= Զ#e<^RУD&oY( GV)[Z]1 6Z.is t*˂jZSnPt-$  -~8=?Ht @Of.RIE[.{:A/}o</B`у&3_ek0ћg! D/[9g [(v? [X':~J&ss cDwI,~,l}С j6.6hvaei[ulJ0iG\dCj]7i96r ^?z%\(XԠP'!Ya(2.+47|m5|6Vw r~;sqL@R 1/R1\U"f|Y| "5m/ ᫤HEIzb`IgM8Xcy֑_Eiqι&1>pl>vcCqJ㪍l]-Db#ics?"pirl9Cv.'-lV3L42'#Ml|y$'#Њ(8I81x;wKJʫy]a o/f j6aC3.v2#ǮN27G#+ţz}OaDSR?7t|Pɗk<-C E<@^f8jǯc˦$NG]r|YAY4j;6._̎jO.a;4GX\k){*xa7|ZM{O!Y/.:矎>. Uk:"=F\y}}?Z}=^aǭo.O4:xD+tOi BVuzڹ|,y-7wfF] Y oLP͗D4w0-b< tb=)jk 2tx̗8l٦d UA/4 : 1PtLxTʉ8piY96