Too Easy to Find, Too Easy to Fool

Web services protocols open too many doors, while attackers gain new ways to find them.

Discuss This in the eWEEK Forum

Back in the late 1900s, land-warfare experts—like the NATO generals who co-authored "The Third World War"—joined in agreeing that modern technologies favored the defense. When a soldier with a shoulder-launched TOW missile could plausibly take out a tank, conventional measurements of force superiority lost their value.

More recently, though, the vibe is in the other direction, with projects like the Do It Yourself Cruise Missile—whose originator proposes to build a working demonstration for $5000, and is offering detailed notes from his project diary on a paid-subscription basis. These are weapons against which there is almost no practical defense.

What changed? The difference between then and now, in the realm of conventional warfare, is delivery systems technology: the growing ease of sending a weapon out into the world with instructions to find its own way to a target. The CIA page that Ive hyperlinked here may or may not be an accurate statement as regards Iraq, specifically, but it gives an idea of the state of the art that might be employed by anyone who so desires.

That same ease is the hallmark of the modern network. As William Gibson foresaw in the short story "Burning Chrome," published with other stories in the book of the same name, a completely connected network with unified protocols is an invitation to attackers: "The program was a mimetic weapon, designed to absorb local color and present itself as a crash-priority override in whatever context it encountered. Congratulations, I heard Bobby say. We just became an Eastern Seaboard Fission Authority inspection probe. " When all systems speak the same language, all systems are vulnerable to the same lies—and Web services protocols dramatically expand the scope and power of that shared vocabulary, without giving our systems a corresponding boost in skepticism about believing what theyre told.

Wireless complications

Pervasive wireless access greatly multiplies the security problem of the homogeneous network. I hung a high-gain antenna from my bedrooms balcony railing the other day, and I was immediately able to identify three wireless networks with default names—none of them with even basic WEP security enabled. At least one offered sufficient connection quality to enable high-bandwidth access. Presumably, these were all home networks within a few lots of mine, and thats not a statistically large sample, but surveys of tens of thousands of wireless nodes typically find fewer than one-third of them using even basic wireless security.

If you dont want to share bandwidth with whoevers in the neighborhood, or if youre concerned that you might be facilitating network abuse that might then be traced back to your IP address, then you have a bit of research to do: fortunately, as of last week, you can now separate the serious books from the casual guides using the full-text search capability that just came on line at Searching on "WiFi Security" returns 135 titles that mention those terms, with one-click navigation to actual pages of the books to give a quick idea of the level of presentation; focusing the search to "WiFi 802.11b wireless WEP security" narrows things down to a less overwhelming list of 28, and adding 802.1x to the list of search terms leaves only 20. You get the idea.

Theres much to be done in the realm of educating both the enterprise and the individual user about the threats, the countermeasures and the responsibilities of network security. But anti-terrorism experts agree that its more cost-effective to hide a high-value target, than to fortify it against an attacker who knows where it is. And we do well to remember the instructions given to would-be military commanders: "The advantages of cover and concealment, advance siting of weapons, shorter lines of supply, and operations on familiar terrain and among a friendly population generally favor the defense. The only advantage enjoyed by the attacker is the initial choice of when and where to strike. The major challenge of the defense is to overcome this initial offensive advantage."

Reduce the number of readily visible points where you can be attacked, and you can begin to regain the defenders advantage.

Discuss This in the eWEEK Forum

Tell me how youre making yourself less visible on the Net