Archive for January, 2010

Cybersecurity

January 26, 2010

In today’s New York Times there was an article entitled “In Digital Combat, U.S. Finds No Easy Deterrent.” The article discusses simulations run by the Pentagon of how to respond to systematic cyberattacks. The simulations were run in response to the hacking against Google and 30 other U.S. companies that has been in the news recently. The result of the simulation?

The results were dispiriting. The enemy had all the advantages: stealth, anonymity and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation. What’s more, the military commanders noted that they even lacked the legal authority to respond — especially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state-sponsored effort to cripple the United States, perhaps as a prelude to a conventional war.

The implications for national security are scary. One participant in the game admitted,

“The fact of the matter,” said one senior intelligence official, “is that unless Google had told us about the attack on it and other companies, we probably never would have seen it. When you think about that, it’s really scary.”

But there are smart people working on this problem, and so eventually I believe (OK, I hope) it will be solved.

However, what no one is discussing are the implications of this for cloud computing. The idea behind cloud computing is that you keep your data, programs and such on someone else’s computer, or “in the cloud.” The data, the programs and all else are available through the internet. OK, sounds like a plan. BUT, what happens if these cyberterrorists attack your company or attack the cloud? Then everything that you need to run your business is suddenly unavailable. Isn’t that scary too? Are companies prepared to take this risk, especially after the Google incident? Are cloud companies planning for this kind of problem? How are people responding? I think this needs to be part of the planning process, especially in light of the dire results of the simulation.

Share your views!

France, Germany Say Stop Using Internet Explorer 6

January 24, 2010

Did you read the article about IE, “France, Germany Say Stop Using Internet Explorer 6”? The recommendation was made because Internet Explorer 6 was a vehicle through which the attacks from China were launched. So, should YOU stop using Internet Explorer?

Microsoft issued a security bulletin in which it said:

This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

So, what this tells us is that you can patch your system, and doing so closes the holes that were used during Operation Aurora. In addition, the newest version of IE is version 8, although that too was patched with the most recent version of the update. Clearly, running the regular updates from Microsoft will help handle the security holes found in IE. Also, anti-malware and virus programs will help reduce the severity of the risk.

There are two reasons why IE is vulnerable. First, for a variety of reasons IE is the biggest target. Since IE holds the largest market share for browsers (although it is much smaller than it was previously), people wanting to write programs to do malicious things will aim first at IE. Also, Microsoft has developed a number of “enemies” over the years because of its business plan. There is not much Microsoft can do to address this problem.

The second reason for security issues is the architecture of the product itself. Microsoft has integrated IE tightly into its system, so it has privileges that other browsers do not. Any hole in the browser can be exploited to reach more than the browser. Think of a hole as a “dropped stitch” in knitting. At first it doesn’t look too bad, but if something goes through the garment at that precise spot, everything else comes unraveled. So it is for IE.

A bigger problem than the base program itself is the ActiveX-based add-ons used by it. These programs have all the privileges of IE, so any holes in them can make matters worse. Tests showed that there were over a hundred such holes in ActiveX as used in the IE 6 product. Many of those problems were fixed in later versions (IE 7 especially). That is why the European governments have named a particular version of IE that they do not believe should be used.

Personally, I prefer Firefox. First, I am philosophically troubled by Microsoft’s historical attempts to corner the market by insisting that only IE is loaded onto their systems. Second, I like the open systems philosophy of Mozilla. Third, Firefox tends to have innovations earlier than IE, and it follows established conventions for interpreting webpages (which IE does not).
