The United States recently relaxed export restrictions on strong cryptography, making 128-bit cryptography-based products available. And NIST has come up with the Advanced Encryption Standard, an algorithm that many say will never have an engineering break. So are security worries outdated? Nothing could be farther from the truth. Today, security worries arise more out of the carelessness and stupidity of users and administrators than out of the strength of the cryptography employed. Often human error makes a mess of the best of security systems.
Let me illustrate. Location: Los Alamos at the time of the first atom bomb. A high-flying army captain ordered a huge safe for keeping top secrets. With the bomb made and used, and the war over, the captain left. Before leaving, he forgot to leave the combination with his successor. The army, in urgent need of some papers in the safe, got a locksmith to open it. And it took the locksmith all of fifteen seconds. Puzzled? All safes from the company came with the same default setting, and it did not cross the smart captain’s mind even once that he should change it.
Today we use security systems in much the same way. Despite having the best security, carelessness renders the system susceptible to attacks. Here’s yet another example. ‘President Clinton e-signs the first digital bill with a smart card using his dog Buddy’s name as the password’ screamed a Fox News headline some time back. A great day for the digital community, but it also tells us a few more things. One, the most powerful man in the world knows nothing about security. Two, he uses a weak password, which is susceptible to a dictionary attack. And finally, thanks to Fox News, the whole world knows it. Surely you would expect better from somebody who can start a nuclear war at the press of a button.
These are not isolated incidents. Often, intelligent people with years of experience turn completely naive when selecting a password; some even use their own names as passwords.
We also have incidents of hackers making a mockery of security systems, thanks to gross ignorance and misuse by users and administrators. Ever tried calling your system administrator over the phone to reset your password after forgetting it? The odds are nine to one that he will do it. And that too without verifying who the caller really is. So, the next time you want to read that confidential report your boss is writing, you know who to call.
In most offices, even knowing the password is not necessary. Just walk around and see how many confidential documents you can see lying on your colleagues’ tables. And how many corporate secrets are beautifully explained on whiteboards. All this information is available to anyone walking in. If physical access to all this information is not possible, other means are available. Apparently, during a security audit, an auditor called a General’s secretary in the US Department of Defense and asked for some confidential information. The secretary obliged immediately without even verifying whether the caller was indeed who he claimed to be, and whether he had the authorization to get that information. Why break your head over cryptography? Sometimes you just have to ask.
Look at viruses or trojans. Give it a glamorous name like ‘I love you’ or ‘U love me’ and the whole world will talk about it. Yet the same people will not think twice before running the next executable file they receive. After all, they have the best virus scanners installed. So what if they haven’t updated the virus definition files since the day Charles Babbage was born? What if it takes only one line of code change to make a virus undetectable by existing scanners?
If you are out to get into other people’s systems, you can also use work done by people before you. Go through a list of known security holes available at any public site and try the first one on the first system you can lay your hands on. In all probability, you will succeed in getting in. Of course, the software vendor has a patch, but the system administrator never bothered to install it.
Millions of dollars are lost each year due to information theft, most of it through gross carelessness. The sad part is that the solution is simple: users and administrators need to be trained in the use of security. Organizations spend millions on training their employees in all kinds of things except security. And companies have policies on virtually everything but security. Even where these policies exist, they are either confined to some corner of the Intranet, or are handed out as a one-page pamphlet, to be forgotten.
There are some things you could do to make life difficult for those trying to steal your valuable information.
For policy makers:
- Have a security policy. Take help from experts if necessary.
- Make sure that your employees understand the policy, its importance, and are following it.
- Have security audits done at regular intervals and update the policies as necessary.
For network administrators:
- Make sure that your security systems are configured for the highest level of security.
- Keep a regular check on the known defects in your software and security products, and install patches promptly.
- Never entertain any calls for change of passwords or for passing any confidential information over telephone without proper verification.
And for users:
- Use strong passwords: ones that are difficult to guess, include both letters and digits, and do not employ identifiable sequences. Do not write down your passwords where others can read them.
- Install virus scanners on your machines. Update the data files regularly.
- Never run an executable from an unknown source. This means the source of the executable and not the source of the e-mail. Remember that your best friend may unknowingly forward to you a dangerous Trojan.
- Many places have the policy of POPI (Protect Our Proprietary Information) in place, where no confidential information is left unlocked. You can make that your personal policy, including on your computer.
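The password advice above (letters and digits, no identifiable sequences, nothing a dictionary attack would find, such as the dog’s name in the Clinton story) can be turned into a check that runs before a password is accepted. The following is an added example and not code from the column or from Novell; the minimum length of 8, the tiny word list and the rule for what counts as an “identifiable sequence” are assumptions made for the demonstration.

```python
"""Password-policy check for the 'strong passwords' advice.

Added example, not part of the original article.  The policy implemented here
is one possible reading of the advice: mixed letters and digits, no identifiable
sequences, and nothing a dictionary attack would match.  MIN_LENGTH and
COMMON_WORDS are assumptions chosen for the demonstration.
"""
import string
from typing import Iterable, List, Optional

MIN_LENGTH = 8  # assumption; the column itself gives no number

# Constructed word list: a few common choices plus words an attacker could learn
# about the user (a pet's name, employer, family) - the 'Buddy' case from the text.
COMMON_WORDS = {"password", "welcome", "letmein", "secret", "qwerty", "buddy"}


def has_run(pw: str, length: int = 4) -> bool:
    """True if pw contains `length` consecutive characters whose codes step by
    +1, -1 or 0 each time, e.g. 'abcd', '4321' or 'aaaa' (case-insensitive)."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        window = s[i:i + length]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if len(diffs) == 1 and diffs <= {-1, 0, 1}:
            return True
    return False


def dictionary_hit(pw: str, personal: Iterable[str] = ()) -> Optional[str]:
    """Return the word a dictionary attack would match, or None.

    Besides the bare word, this also catches 'word + digits' (buddy1, buddy2000),
    the most basic variation a word-list attack tries."""
    s = pw.lower()
    for word in COMMON_WORDS | {w.lower() for w in personal}:
        if s == word or (s.startswith(word) and s[len(word):].isdigit()):
            return word
    return None


def check_password(pw: str, personal: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_letters for c in pw):
        problems.append("no letters")
    if not any(c in string.digits for c in pw):
        problems.append("no digits")
    if has_run(pw):
        problems.append("contains an identifiable sequence (e.g. abcd, 1234, aaaa)")
    word = dictionary_hit(pw, personal)
    if word:
        problems.append(f"found by a dictionary attack (matches '{word}')")
    return problems


if __name__ == "__main__":
    # Constructed candidates; 'personal' holds names anyone reading the headline knows.
    for candidate in ["Buddy", "buddy2000", "abcd1234", "m9Zp4qLx"]:
        result = check_password(candidate, personal={"Buddy", "Clinton"})
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

The `personal` argument is the point worth noting: a word list built only from a generic dictionary would pass `buddy2000`, so the check takes the user’s own names (pet, family, employer) as extra entries. Run the file directly to see each sample candidate with the rules it violates.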
These are simple steps, easy to follow. And they can go a long way in strengthening the security of your system. They will not make 64-bit cryptography stronger than 128-bit, or deter a truly determined cracker. But follow them sincerely, and if your system is still broken into, you will at least have the satisfaction of knowing that whoever did it had to really work hard to do it. He didn’t just wander in through an open door.
Aridaman Tripathi is a senior software engineer at Novell, Bangalore