Def Con III report
Companies face lawsuits for network security lapses
Executives focused on keeping costs down are overlooking the need for software that will prevent or minimize the risk of network break-ins, said Robert Steele, a former Marine Corps intelligence officer who now does consulting. As a result, those executives will eventually be held liable and stockholders will sue them for failing to secure the networks, he said.
"The value of proprietary information is being eroded," Steele said.
Def Con III is the third annual gathering of tribes in the user, vendor, security, and intelligence communities. The informal mission of Def Con is to discuss computer security issues in an open forum. Approximately 470 attendees visited this year's Def Con.
A spokesman for a company that sells security software said his firm's clients recognize the risk of negligence.
"Corporate executives and officers of publicly traded companies are aware that their fiduciary responsibility extends to protecting their information assets," said Tommy Ward, strategic applications manager for Digital Pathways of Mountain View, CA. "The real assets of America are in electronic storage."
Some companies even go so far as to cover up network break-ins so they won't be fingered, according to Ward, who added, "Banks are especially guilty of this."
Interest in security began to surge after the Computer Emergency Response Team, a government-corporate consortium that monitors Internet security, sent out an advisory Feb. 3, 1994, warning users to replace static passwords with one-time passwords, which change with each log-in, because there had been "concerted, massive attacks throughout the world."
"Corporations and organizations are essentially paying lip service to security," said Craig Alesso, marketing director at Secure Computing Corp. in Roseville, MN, which released version 2.0 of its Sidewinder applications-level Internet firewall software the week before the conference.
"Our customers are more concerned about competitors getting information, or mistakes internal users may make" by inadvertently releasing information, Alesso said.
To improve its product, Secure Computing is unofficially enlisting computer hackers, oft-maligned experts at penetrating networks, as beta testers. The company has created a challenge site on the Internet and encourages hackers to break through. Anyone successful -- none to date -- gets bragging rights and an MA-1 flight jacket.
Former CIA spy Steele sees hackers as potential renegade heroes in the quest for network security and said they are a "major national resource" because they force systems administrators to tighten networks.
"Hackers are not the poison, they're the antidote," he told the crowd of mostly hackers. "They're pushing the envelope ... They're making the systems healthier."
At other Def Con III venues, attendees swapped tips on how to crack computer networks and evade arrest, and the keynote speaker discussed the need for maintaining the privacy of individuals via encryption.
The US National Security Agency cites terrorism concerns in favoring inferior technology -- specifically, the Clipper Chip, which gives government officials a key to decrypt encoded data -- over superior technology that enables only the recipient to decrypt data, said Bruce Schneier, an author and president of Counterpane Systems, an Oak Park, Ill., consulting firm specializing in computer security.
As a result, the US government bans the export of products containing any but the weakest encryption software. Such laws undermine US businesses, as well as the notion of encryption itself, Schneier said.
"US companies can choose to cripple their products or ignore the international marketplace," he said.
Encryption software must be universally used to be effective, Schneier suggested. "For cryptography to be successful, it has to be ubiquitous, to protect the important and the trivial," he said. "Cryptography is the great equalizer in the world. It makes my stuff just as secure as the government's."
Certain organizations and government agencies are recognizing the benefits of the technology in areas other than electronic mail. The states of Utah, California and Colorado are considering adopting legislation to authorize digital signatures, the Internal Revenue Service is preparing to allow citizens to file tax returns electronically using such signatures, and the American Bar Association is drafting model legislation governing encryption, Schneier said.
Other countries deal with information privacy differently. In France, citizens accept laws that require them to give police a key to decrypt their data, whereas Canadian officials created a privacy advocacy bureau to make sure that agencies and organizations don't infringe on anyone's right to privacy, he said.
From other parts of the conference:
In one possible scenario, Thunder described a hacker calling a worker in data processing and asking for a new password, claiming that someone had seen the old one being typed in. The hacker, posing as a worker from data processing, then calls the employee whose password is being used and informs that worker of the new password as part of a supposedly routine security measure.
Conscientious hackers can then mischievously remind employees about the need to guard their passwords. "I get off on giving a little lecture on security while I'm compromising it," she said.
Also enjoying celebrity status was Sun employee Dan Farmer, the creator of SATAN (Security Analysis Tool for Auditing Networks) software that probes Unix networks for security weaknesses.
"It would take me all of five minutes to get in," Glitch said. "That's the thing about most computer stuff. People are stupid!" -- Elinor Mills, IDG News Service, San Mateo Bureau