The Forgotten Leg of Security
The Basics Remain The Basics
by Winn Schwartau, President and CEO Interpact Inc.
The more I live and breathe in the security world, the more I realize
that people forget the basics either because they are so wrapped
up in day to day operations or they never knew them in the first
place. With the incredible spate of web-graffiti occurring globally,
it totally escapes me why more people haven't returned to the basics
to solve a fairly elementary information security problem: web graffiti
and illicit data modification.

The basics of information security have long been represented by a simple triad:
Confidentiality: Keeping secrets a secret; making sure prying
eyes cannot read information in storage or transmission.
Availability: Systems must be 'up and running' at all times,
especially Mission Critical applications.
Integrity: Ensuring that data is not accidentally or intentionally
modified or corrupted.

From that security triad, other important security issues emerge, such
as Access Control, Usability, Non-Repudiation and Accountability.

The security community has paid vast attention to confidentiality issues,
which are solved through encryption of data transmissions such as
email or encrypting files in storage. While encryption has been
possible for decades, until key management problems were solved
with the advent of public key encryption in 1976, this security
technique lagged in implementation due to complex management. The
issue of denial of service attacks began to be solved through better
intrusion detection, high-speed reaction mechanisms, redundancy,
fault tolerance, better disaster planning and system reconstitution.

What about hacking web sites - graffiti - the most prevalent form
of annoying and meddlesome hacking we see today?

Hacking a web page generally entails replacing the words or pictures on
the home page with a political, pornographic or merely juvenile
message of some sort. The common hacker message "U R Owned" seemingly
refers to the complete takeover of your network, when in fact it
more often refers to poor web server configuration or unpatched
vulnerabilities. A web page hack is simply an integrity attack against
the site's contents.

These attacks modify content without the knowledge or permission of the
owner as in the case of the New York Times hack or the countless
NATO, FBI, CIA and Chinese web-hacks we read about. For an entertaining
evening, head on over to your favorite hacker site and look at the
thousands of archived hacked web pages. (Definitely R-rated, though.)

For the life of me I couldn't figure out why all of these hacks continued
when, since the late 1970s, we security folks have had many integrity
protection methods to protect the contents of files from illicit
modification. Integrity mechanisms have been part of the computer
security professional's arsenal in many forms.

The simplest method is called CRC, or Cyclic Redundancy Check. The
contents of the file are X-or'd with another set of (random) data
and the results create an integrity key. When the reverse CRC process
is run, and if the integrity key doesn't match the original, the
file has been corrupted in some form and cannot be trusted.
A stronger integrity method is called MAC, or Message Authentication
Code, a cryptographic technique that is based on the Data Encryption
Standard. Again, a key is generated when the file is 'sealed'. Upon
decoding, the key must match if the files are to be trusted. MAC
was designed for use in electronic financial transactions (EFT)
to make sure that a $1,000 wire transfer doesn't become $1,000,000
to my account.
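
An added example (not from the original article) contrasting the two kinds of seal on the article's wire-transfer case. It uses Python's zlib.crc32 and, as a stand-in for the DES-based MAC the article names, HMAC-SHA256; the messages and the key are constructed.

```python
import hashlib
import hmac
import zlib

# Constructed sample data echoing the article's wire-transfer example.
ORIGINAL = b"PAY $1,000 TO ACCOUNT 0001"
ALTERED = b"PAY $1,000,000 TO ACCOUNT 0001"
SHARED_KEY = b"constructed demo key held only by sender and receiver"


def crc_seal(message):
    """Unkeyed checksum: anyone holding the message can recompute it."""
    return zlib.crc32(message)


def mac_seal(key, message):
    """Keyed seal (HMAC-SHA256 here): recomputing it requires the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def crc_ok(message, seal):
    return crc_seal(message) == seal


def mac_ok(key, message, seal):
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(mac_seal(key, message), seal)


def compare():
    """Return what each mechanism accepts in the two failure cases."""
    crc, mac = crc_seal(ORIGINAL), mac_seal(SHARED_KEY, ORIGINAL)
    # Case 1: the content changes but the stored seal does not (corruption).
    stale = {"crc": crc_ok(ALTERED, crc), "mac": mac_ok(SHARED_KEY, ALTERED, mac)}
    # Case 2: whoever changed the content also recomputed the seal,
    # but does not hold SHARED_KEY.
    resealed = {
        "crc": crc_ok(ALTERED, crc_seal(ALTERED)),
        "mac": mac_ok(SHARED_KEY, ALTERED, mac_seal(b"not the key", ALTERED)),
    }
    return {"stale_seal": stale, "resealed": resealed}


if __name__ == "__main__":
    print(compare())
```

Both seals catch a change when the stored seal is left alone; only the keyed one still rejects the message when the seal is recomputed by someone without the key.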

Fast forward to the web. When we go to eBay, we want our bids and product
descriptions to be accurate. Airlines and service industries want
the correct hotel rooms or flights, billed at the right price to
the right customer. News outlets want to make sure that an item
is not subtly changed to completely alter its meaning. ("Bill Clinton
said 'I DO know that woman'", or "Bill Clinton said 'I DO NOT know
that woman'".) Subtle, but important, and how many people will pick
up an error in the vast resources of millions of web sites? Embarrassment
is the least of their worries in an e-commerce world where integrity

Why hasn't the industry picked up on the importance of data integrity
not only in Internet applications but for Intranet usage as well?
Part of the reason is that vendors have not created decent tools
and made them readily available to customers.

In 1992, Professor Gene Spafford and Gene Kim of Coast at Purdue
University re-opened the integrity issue with the first comprehensive
file integrity checker, Tripwire. Originally it was focused on Unix
systems, but now, Tripwire Security, Inc. offers a complete range
of platform support for integrity checking systems. Systems such
as Tripwire can be configured to check for integrity violations
(unauthorized file modifications) on a periodic basis (hourly, daily,
etc.) and will check only those files chosen by the administrator.
Perhaps only system files are deemed of importance, or perhaps entire
file contents are so important that any alteration could cause severe
damage to the company. Your choice.
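
A minimal sketch of the baseline-and-compare check described above, added here as an illustration; it is not Tripwire's code or file format. The function names, the SHA-256 choice and the sample web root are assumptions of this example.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """SHA-256 digest of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Record a digest for every file the administrator chose to watch."""
    return {path: fingerprint(path) for path in paths}


def check(baseline, watched_dir):
    """Compare the current files with the baseline and report violations."""
    report = {"modified": [], "missing": [], "added": []}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif fingerprint(path) != digest:
            report["modified"].append(path)
    for root, _dirs, files in os.walk(watched_dir):
        for name in files:
            path = os.path.join(root, name)
            if path not in baseline:
                report["added"].append(path)
    return {kind: sorted(paths) for kind, paths in report.items()}


def demo():
    """Constructed scenario: a small web root altered after the baseline."""
    with tempfile.TemporaryDirectory() as webroot:
        index = os.path.join(webroot, "index.html")
        about = os.path.join(webroot, "about.html")
        for path, body in ((index, "<h1>Welcome</h1>"), (about, "<p>About</p>")):
            with open(path, "w") as handle:
                handle.write(body)
        baseline = build_baseline([index, about])
        with open(index, "w") as handle:  # home page content replaced
            handle.write("<h1>U R Owned</h1>")
        os.remove(about)  # watched page deleted
        with open(os.path.join(webroot, "extra.html"), "w") as handle:
            handle.write("<p>not in the baseline</p>")
        report = check(baseline, webroot)
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}
```

The baseline needs the same protection as the files it describes (kept off the server or sealed with a keyed MAC), because anyone who can rewrite it can hide a change.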

Integrity checkers address many security needs: integrity-based virus protection
looks at file and system modifications (behavior), not signatures,
which is an improvement for many new-breed attacks including Trojan
Horses. Accidental system and file corruption can be detected early
with integrity checkers, preventing additional damage as errors
compound themselves. System upgrades, revision control, file and
program management are all applications for the more sophisticated

Don't forget that Web sites still are the most visible and vulnerable
targets of integrity attacks - and also, incredibly easy to solve.
Please don't make me repeat this article next year: take a look
at the currently available integrity solutions that can certainly
make your life a whole lot easier.

Let me know what you think!
Integrity Master www.stiller.com
© 2000-2001 Interpact, Inc. All Rights Reserved