JHU expert details e-commerce security challenges, Internet's 'back door'

People are beginning to lose confidence in e-commerce because of security problems, according to computer science expert, Avi Rubin. "It's almost impossible to measure security… there will always be a back door in the code," Rubin told members of the GBC Technology Policy Committee on May 11.

Rubin is a professor of computer science and technical director of the Information Security Institute (ISI) at Johns Hopkins University.
The institute provides a comprehensive approach to safeguarding information security and privacy. For example, ISI researchers identify security flaws in Radio-Frequency Identification devices; potential vulnerabilities in the electronic registration and voting system; and wireless security problems, among many other Internet issues.

Some of the major cyberspace problems include “phishing,” or convincingly luring browsers to invalid sites; and “spyware,” or attack software that allows people to spy on users through remote access to computer systems, Rubin said. Even though voice over IP (Internet Protocol) telephones were designed to be secure from people tapping into phone calls, they are susceptible to telephone spam.

Also, “Bluetooth,” a wireless protocol, could be used as a way to hijack other people’s Internet service providers through mobile phones. With this protocol, information moves at 1 megabyte per second, for example, giving someone the opportunity to suck large amounts of data from an entire wing of a building. “Security is superficial and breakable,” Rubin said.

The “Internet 2” has been a topic of discussion with respect to its security. It is a very high-speed network, one thousand times faster than the current Internet, with a ten-gigabyte capacity. It runs on a backbone circuit – OC192. It has less traffic and uses third-party encryption to pass data. Its use has been limited to a small number of research organizations around the world. Hopkins has been using it to map solar systems, since it allows such a large amount of information to pass quickly, Rubin said. Digital x-rays and molecular data from pharmaceutical companies can be sent internationally in seconds via the Internet 2.

“The Internet 2 isn’t any more secure, but we’re working on it,” Rubin said. “Security isn’t tangible – it’s hard to feel without an independent evaluation.” A way to evaluate a system is to test or attack the system and look at the results, Rubin said. It is also recommended to have an independent auditor, someone other than the entity who wrote the program, conduct a security study.

There are three leading security problems – bugs in software; poor technical administration, where patch management creates new vulnerabilities; and a lack of user education and involvement in security, Rubin said. Unfortunately, most administrators won’t know and can’t detect when computers are being used as “zombies.” But they should be keeping a log and reviewing filtered e-mails.

SpamAssassin is a good tool for monitoring e-mail spam, Rubin said. Additionally, users need to be educated about password selection. Mixing numbers and letters is more secure than selecting commonly used words that others have chosen every time, Rubin said.

What do companies need to think about with respect to security? If a company is small, administering a small network is easy, and it can run on Linux or BSD. It can also use Apple Macintosh’s e-mail application, where e-mail addresses in the address book will be allowed through and not stopped by spam detectors.

Most large companies use Windows because the most important software runs on it. What kind of company is more secure depends on the value of its assets. Banking is high risk, whereas real estate may not care as much about its information. Amazon’s network can never go down, but theft isn’t as worrisome, Rubin said.

“Suddenly when security became important, everyone became a security expert,” Rubin said. There needs to be liability and regulation. Everyone should be able to just go buy a computer and not worry about an attack that originates in the network.

In addition to identity theft, another reason for someone to spy on a network is to gauge demand to plan new product offerings. It is easy for people to find out what our recent purchases are and send direct mail specifically geared toward what we spend money on, Rubin said.



GREATER BALTIMORE COMMITTEE

Copyright © 2005 by GBC. All rights reserved.