Too Easy to Find, Too Easy to Fool

 
 
By Peter Coffee  |  Posted 2003-10-29 Email Print this article Print
 
 
 
 
 
 
 

Web services protocols open too many doors, while attackers gain new ways to find them.

Discuss This in the eWEEK Forum Back in the late 1900s, land-warfare experts—like the NATO generals who co-authored "The Third World War"—joined in agreeing that modern technologies favored the defense. When a soldier with a shoulder-launched TOW missile could plausibly take out a tank, conventional measurements of force superiority lost their value.
More recently, though, the vibe is in the other direction, with projects like the Do It Yourself Cruise Missile—whose originator proposes to build a working demonstration for $5000, and is offering detailed notes from his project diary on a paid-subscription basis. These are weapons against which there is almost no practical defense.
What changed? The difference between then and now, in the realm of conventional warfare, is delivery systems technology: the growing ease of sending a weapon out into the world with instructions to find its own way to a target. The CIA page that Ive hyperlinked here may or may not be an accurate statement as regards Iraq, specifically, but it gives an idea of the state of the art that might be employed by anyone who so desires. That same ease is the hallmark of the modern network. As William Gibson foresaw in the short story "Burning Chrome," published with other stories in the book of the same name, a completely connected network with unified protocols is an invitation to attackers: "The program was a mimetic weapon, designed to absorb local color and present itself as a crash-priority override in whatever context it encountered. Congratulations, I heard Bobby say. We just became an Eastern Seaboard Fission Authority inspection probe. " When all systems speak the same language, all systems are vulnerable to the same lies—and Web services protocols dramatically expand the scope and power of that shared vocabulary, without giving our systems a corresponding boost in skepticism about believing what theyre told. Wireless complications
Pervasive wireless access greatly multiplies the security problem of the homogeneous network. I hung a high-gain antenna from my bedrooms balcony railing the other day, and I was immediately able to identify three wireless networks with default names—none of them with even basic WEP security enabled. At least one offered sufficient connection quality to enable high-bandwidth access. Presumably, these were all home networks within a few lots of mine, and thats not a statistically large sample, but surveys of tens of thousands of wireless nodes typically find fewer than one-third of them using even basic wireless security. If you dont want to share bandwidth with whoevers in the neighborhood, or if youre concerned that you might be facilitating network abuse that might then be traced back to your IP address, then you have a bit of research to do: fortunately, as of last week, you can now separate the serious books from the casual guides using the full-text search capability that just came on line at www.amazon.com. Searching on "WiFi Security" returns 135 titles that mention those terms, with one-click navigation to actual pages of the books to give a quick idea of the level of presentation; focusing the search to "WiFi 802.11b wireless WEP security" narrows things down to a less overwhelming list of 28, and adding 802.1x to the list of search terms leaves only 20. You get the idea. Theres much to be done in the realm of educating both the enterprise and the individual user about the threats, the countermeasures and the responsibilities of network security. But anti-terrorism experts agree that its more cost-effective to hide a high-value target, than to fortify it against an attacker who knows where it is. And we do well to remember the instructions given to would-be military commanders: "The advantages of cover and concealment, advance siting of weapons, shorter lines of supply, and operations on familiar terrain and among a friendly population generally favor the defense. The only advantage enjoyed by the attacker is the initial choice of when and where to strike. The major challenge of the defense is to overcome this initial offensive advantage." Reduce the number of readily visible points where you can be attacked, and you can begin to regain the defenders advantage. Discuss This in the eWEEK Forum Tell me how youre making yourself less visible on the Net
 
 
 
 
Peter Coffee is Director of Platform Research at salesforce.com, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date
Rocket Fuel