Web Security: Is Our Luck Running Out?


We have been incredibly lucky. Despite the numerous businesses, government organizations, and individuals that have found danger lurking on the Web, there have been remarkably few large-scale electronic attacks on the systems that make up the Web. Despite the fact that credit card numbers are not properly protected, there is surprisingly little traffic in stolen financial information. We are vulnerable, yet the sky hasn't fallen.

Today most Net-based attackers seem to be satisfied with the publicity that their assaults generate. Although there have been online criminal heists, there are so few that they still make the news. Security is weak, but the vast majority of Internet users still play by the rules.

Likewise, attackers have been quite limited in their aims. To the best of our knowledge, there have been no large-scale attempts to permanently crash the Internet or to undermine fundamental trust in society, the Internet, or specific corporations. The New York Times had its web site hacked, but the attackers didn't plant false stories into the newspaper's web pages. Millions of credit card numbers have been stolen by hackers, but there are few cases in which these numbers have been directly used to commit large-scale credit fraud.

Indeed, despite the public humiliation resulting from the well-publicized Internet break-ins, none of the victimized organizations have suffered lasting harm. The Central Intelligence Agency, the U.S. Air Force, and UNICEF all still operate web servers, even though all of these organizations have suffered embarrassing break-ins. Even better, none of these organizations actually lost sensitive information as a result of the break-ins, because that information was stored on different machines. A few days after each organization's incident, their servers were up and running again, this time, we hope, with the security problems fixed.

The same can be said of the dozens of security holes and design flaws that have been reported with Microsoft's Internet Explorer and Netscape Navigator. Despite attacks that could have allowed the operator of some "rogue web site" to read any file from some victim's computer (or, even worse, to execute arbitrary code on that machine), surprisingly few scams or attacks make use of these failings.[9] This is true despite the fact that the majority of Internet users do not download the security patches and fixes that vendors make available.

[9] More accurately, there have been very few reported incidents. It is possible that there have been some widespread incidents, but the victims have either been unaware of them or unwilling to report them.

Beyond the Point of No Return

In the world of security it is often difficult to tell the difference between actual threats and hype. There were more than 200 years of commerce in North America before Allan Pinkerton started his detective and security agency in 1850,[10] and nine more years before Perry Brink started his armored car service.[11] It took a while for the crooks to realize that there was a lot of unprotected money floating around.

[10] http://www.pinkertons.com/companyinfo/history/pinkerton/index.asp

[11] http://www.brinksireland.com/history/history.htm

The same is true on the Internet, but with each passing year we are witnessing larger and larger crimes. It used to be that hackers simply defaced web sites; then they started stealing credit card numbers and demanding ransom; in December 2000, a report by MSNBC detailed how thousands of consumers had been bilked of between $5 and $25 on their credit cards by a group of Russian telecommunications and Internet companies; the charges were small so most of the victims didn't recognize the fraud and didn't bother to report the theft.[12]

[12] http://www.zdnet.com/zdnn/stories/news/0,4586,2668427,00.html

Many security analysts believe things are going to get much worse. In March 2001, the market research firm Gartner predicted there would be "at least one incident of economic mass victimization of thousands of Internet users . . . by the end of 2002":[13]

[13] http://www.businesswire.com/webbox/bw.033001/210892234.htm

"Converging technology trends are creating economies of scale that enable a new class of cybercrimes aimed at mass victimization," explain[ed] Richard Hunter, Gartner Research Fellow. More importantly, Hunter add[ed], global law enforcement agencies are poorly positioned to combat these trends, leaving thousands of consumers vulnerable to online theft. "Using mundane, readily available technologies that have already been deployed by both legitimate and illegitimate businesses, cybercriminals can now surreptitiously steal millions of dollars, a few dollars at a time, from millions of individuals simultaneously. Moreover, they are very likely to get away with the crime."

Despite these obvious risks, our society and economy have likely passed a point of no return: having some presence on the World Wide Web now seems to have become a fundamental requirement for businesses, governments, and other organizations.

Building in Security

It's difficult for many Bostonians to get to the Massachusetts Registry of Motor Vehicles to renew their car registrations; it's easy to click into the RMV's web site, type a registration number and a credit card number, and have the registration automatically processed. And it's easier for the RMV as well: their web site is connected to the RMV computers, eliminating the need to have the information typed by RMV employees. That's why the Massachusetts RMV gives a $5 discount to registrations made over the Internet.

Likewise, we have found that the amount of money we spend on buying books has increased dramatically since Amazon.com and other online booksellers have opened their web sites for business. The reason is obvious: it's much easier for us to type the name of a book on our keyboards and have it delivered than it is for us to make a special trip to the nearest bookstore. Thus, we've been purchasing many more books on impulse, for example, after hearing an interview with an author or reading about the book in a magazine.

Are the web sites operated by the Massachusetts RMV and Amazon.com really secure? Answering this question depends both on your definition of the word "secure," and on a careful analysis of the computers involved in the entire renewal or purchasing process.

In the early days of the World Wide Web, the word "secure" was promoted by Netscape Communications to denote any web site that used Netscape's proprietary encryption protocols. Security was equated with encryption, an equation that's remained foremost in many people's minds. Indeed, as Figure P-2 clearly demonstrates, web sites such as Amazon.com haven't changed their language very much. Amazon.com invites people to "Sign in using our secure server," but is their server really "secure"? Amazon uses the word "secure" because the company's web server uses the SSL (Secure Sockets Layer) encryption protocol. But if you click the link that says "Forgot your password? Click here," Amazon will create a new password for your account and send it to your email address. Does this policy make Amazon's web site more secure or less?

Figure P-2. Amazon.com describes their server as "secure," but the practice of emailing forgotten passwords to customers is hardly a secure one.

Over the Web's brief history, we've learned that security is more than simply another word for cryptographic data protection. Today we know that to be protected, an organization needs to adopt a holistic approach to guarding both its computer systems and the data that those systems collect. Using encryption is clearly important, but it's equally important to verify the identity of a customer before showing that customer his purchase history and financial information. If you send out email, it's important to make sure that the email doesn't contain viruses, but it is equally important to make sure that you are not sending the email to the wrong person, or sending it out against the recipient's wishes. It's important to make sure that credit card numbers are encrypted before they are sent over the Internet, but it's equally important to make sure that the numbers are kept secure after they are decrypted at the other end.

The World Wide Web has both promises and dangers. The promise is that the Web can dramatically lower costs to organizations for distributing information, products, and services. The danger is that the computers that make up the Web are vulnerable. These computers have been compromised in the past, and they will be compromised in the future. Even worse, as more commerce is conducted in the online world, as more value flows over the Internet, as more people use the network for more of their daily financial activities, the more inviting a target these computers all become.



Web Security, Privacy and Commerce, 2nd Edition
ISBN: 0596000456
Year: 2000
Pages: 194
