Dont Bet on Computing Security

By Chris Gonsalves  |  Posted 2005-05-23 Print this article Print

Opinion: We may never really be safe where computers and networks are concerned.

Im sitting across from a security guy who is supposed to be telling me how hes making the world a safer place, and hes scaring the hell out of me. I had just owned up to requesting an authentication token from my online bank. Ive been waiting breathlessly for the thing, thinking it will make my admittedly paltry transactions bulletproof. At least I thought that until security guy got hold of me.

"Token-based authentication was considered very good ... until very recently," said Amir Orad, executive vice president of marketing at Cyota, a company that specializes in security for financial institutions. "Now it is considered vulnerable and less effective."

Orad described a newly discovered Trojan that sits quietly on an infected machine until a user authenticates to an online banking site with a token. The authentication prompts the Trojan to action, where it opens a background session with the users online banking site, populates a money transfer form and relieves the user of much coin, according to Orad.

That security vendors are working hard to repair things that seemed fine a week ago isnt much comfort. The whole thing has me wondering if well ever really be safe where computers and networks are concerned.

When I got word that the token I dont even have yet is of questionable value, it struck me with the same sinking feeling as when I found out two weeks ago that the Firefox browser Ive been suffering with for the sake of security had some serious holes. Let me be plain: Firefox makes a lot of Web sites look bad. I cant do some everyday stuff with it. I really dont care about tabbed browsing. I used Firefox only because I thought an obscure, marginally functional browser would keep me safe by putting me in a league of "technogentsia" too puny and poor for hackers to bother with. Now Im supposed to shut off JavaScript?

My friends want me to try Opera now. Forget it. If Im going to use a vulnerable browser, Im going back to Internet Explorer so I can at least watch the music videos on Yahoo.

Before anyone writes in to tell me that eEye Digital Security was warning of even more serious holes in IE and Outlook last week, let me just say, I know that. But I expect those. Its IE and Outlook.

Oddly, while booting IE for the first time in months, I was taken to my old home page, the Web site of my local paper. Right away I was greeted with news that a kid from my native city of New Bedford, Mass., won a collegiate CyberSecurity Challenge in Norwalk, Conn., last month by exposing not one, not two, but three VOIP hacks. Im proud of you, Brandon Cavanaugh, but this doesnt come as comforting news to a guy who just ditched his Verizon land lines in favor of Vonage.

If my problems seem too trivial to extrapolate to IT at large, consider that in the same week of my crises, the Sober worm resurfaced to make everyones spam speak German, and weve been treated to reports that software timing attacks could expose crypto keys on Intel servers running Hyper-Threading. Also, a popular VPN protocol was found to be vulnerable to a fairly easy exploit, and—surprise, surprise—Microsofts latest security patching efforts appear flawed. Even grid computers couldnt get through early May unscathed, with word that a worm could lift SSH user credentials and give away the keys to the on-demand kingdom.

Maybe the darkest moment came earlier this month when our own federal legislators, even as they were debating the merits of a bill to thwart spyware, threw up their hands and admitted this government dog wont hunt. Spyware is a hack wrapped in butchers paper and sealed with a price tag, but it has too many permutations and, more important, too many friends to give way to simple legality.

"Theres no way we can be agile enough," Sen. Conrad Burns, R-Mont., said at a U.S. Senate Committee on Commerce, Science and Transportation hearing.

Very comforting. So maybe this whole business will never be very secure. Ive come to terms with letting a waitress take my credit card away for minutes at a time, and I know to watch my back at an ATM. Maybe computing is about accepting risk and moving on as well. But I really thought that bank token was going to make me feel better.

Executive Editor/News Chris Gonsalves is at

To read more Chris Gonsalves, subscribe to eWEEK magazine. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel