Click on our Sponsors to help Support SunWorld

Def Con III report

Companies face lawsuits for network security lapses

By Elinor Mills

September  1995
[Next story]
[Table of Contents]
Subscribe to SunWorld, it's free!

Mail this
article to
a friend
LAS VEGAS -- Companies that don't adequately secure their networks will face the wrath of shareholders and others who stand to lose from information leaks, said a former CIA spy at the Def Con III show here in early August.

Executives focused on keeping costs down are overlooking the need for software that will prevent or minimize the risk of network break-ins, said Robert Steele, who was also a Marine Corps intelligence officer and now does consulting. As a result, those executives will eventually be held liable and stockholders will sue them for failing to secure the networks, he said.

"The value of proprietary information is being eroded," Steele said.

Def Con III is the third annual gathering of tribes in the user, vendor, security, and intelligence communities. The informal mission of Def Con is to discuss computer security issues in an open forum. Approximately 470 attendees visited this year's Def Con.

A spokesman for a company that sells security software said his firm's clients recognize the risk of negligence.

"Corporate executives and officers of publicly traded companies are aware that their fiduciary responsibility extends to protecting their information assets," said Tommy Ward, strategic applications manager for Digital Pathways of Mountain View, CA. "The real assets of America are in electronic storage."

Some companies even go so far as to cover up network break-ins so they won't be fingered, according to Ward who added, "Banks are especially guilty of this."

Interest in security began to surge after the Computer Emergency Response Team, a government-corporate consortium that monitors Internet security, sent out an advisory Feb. 3, 1994, warning users to replace static passwords with one-time passwords, which change with each log-in, because there had been "concerted, massive attacks throughout the world."

"Corporations and organizations are essentially paying lip service to security," said Craig Alesso, marketing director at Secure Computing Corp. in Roseville, MN, which released version 2.0 of its Sidewinder applications-level Internet firewall software the week before the conference.

"Our customers are more concerned about competitors getting information, or mistakes internal users may make" by inadvertently releasing information, Alesso said.

To improve its product, Secure Computing is unofficially enlisting computer hackers, oft-maligned experts at penetrating networks, as beta testers. The company has created a challenge site on the Internet and encourages hackers to break through. Anyone successful -- none to date -- gets bragging rights and an MA-1 flight jacket.

Former CIA spy Steele sees hackers as potential renegade heroes in the quest for network security and said they are a "major national resource" because they force systems administrators to tighten networks.

"Hackers are not the poison, they're the antidote," he told the crowd of mostly hackers. "They're pushing the envelope ... They're making the systems healthier."


Social engineering
At other Def Con III venues, attendees swapped tips on how to crack computer networks and evade arrest, and the keynote speaker discussed the need for maintaining the privacy of individuals via encryption.

The US National Security Agency cites terrorism concerns in favoring inferior technology -- specifically, the Clipper Chip, which gives government officials a key to decrypt encoded data -- over superior technology that enables only the recipient to decrypt data, said Bruce Schenier, an author and president of Counterpane Systems, an Oak Park, Ill., consulting firm specializing in computer security.

As a result, the US government bans the export of products containing any but the weakest encryption software. Such law undermines US businesses, as well as the notion of encryption itself, Schenier said.

"US companies can choose to cripple their products or ignore the international marketplace," he said.

Encryption software must be universally used to be effective, Schenier suggested. "For cryptography to be successful, it has to be ubiquitous, to protect the important and the trivial," he said. "Cryptography is the great equalizer in the world. It makes my stuff just as secure as the government's."

Certain organizations and government agencies are recognizing the benefits of the technology in areas other than electronic mail. The states of Utah, California and Colorado are considering adopting legislation to authorize digital signatures, the Internal Revenue Service is preparing to allow citizens to file tax returns electronically using such signatures and the American Bar Association is drafting model legislation governing encryption, Schenier said.

"Hackers are not the poison,
they're the antidote."

Other countries deal with information privacy differently. In France, citizens accept laws that require them to give police a key to decrypt their data, whereas Canadian officials created a privacy advocacy bureau to make sure that agencies and organizations don't infringe on anyone's right to privacy, he said.

From other parts of the conference:

Click on our Sponsors to help Support SunWorld


What did you think of this article?
-Very worth reading
-Worth reading
-Not worth reading
-Too long
-Just right
-Too short
-Too technical
-Just right
-Not technical enough

[Table of Contents]
Subscribe to SunWorld, it's free!
[Next story]
Sun's Site

[(c) Copyright  Web Publishing Inc., and IDG Communication company]

If you have technical problems with this magazine, contact

Last modified: