|
IT security strategies invariably focus on maintaining impenetrable fortresses around computers and network systems. Firewalls, virtual private networks and anti-virus programs are the tools IT engineers use to create their digital security. Sophisticated defense systems can be very effective at keeping the obvious attackers at bay, yet they often create a false sense of security because the real attacks, the kind that inflict irreparable damage on a system or network, avoid the obvious routes into the secure fortress.
According to a 2001 study by the Computer Crime Research Center, the majority of computer-related crimes that are prosecuted involve attacks on individual privacy and security. From an attacker’s perspective, it makes perfect sense to go after the weakest link in the security chain - the individual.
Today, the most common form of personal privacy and security, especially on the Internet, is ‘hope’ - hope, that after you hit the send button, your instant message or email reaches the intended recipient without being intercepted and read by someone else; hope that when you store a personal file on your computer, nobody will find it, steal it, make a copy or otherwise change it; hope that when you key in your user name and password to access a service, nobody is surreptitiously watching, logging, sniffing or otherwise trying to steal your identity.
The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on that fact that we have made our position unassailable (Sun Tzu the new translation “The art of war”).
What the Internet needs is a strong technical solution that specifically protects personal IT privacy and security. The system must be trivial to use. If a person has to do anything extraordinary to invoke or use the system, it may not be used leaving the door open to attackers. The solution must be portable, going wherever the user goes, providing protection on computers in the office, home, airport kiosks, PDAs, cell phones, etc. To stop fraud and other crimes of impersonation, the solution must be as hard as possible to steal and use a user’s access credentials. People must be able to positively identify one another, before placing information at risk. Messages and personal data must be encrypted so only the user or the intended recipients can decipher them. Messages must never be decrypted and re-encrypted in transit from a sender to the recipients, leaving a window of opportunity open for eavesdroppers. Finally, every encrypted bit of data must be signed so users can immediately tell if the information has been changed.
Instant Messaging Example
Instant messaging (IM) services that are faster and easier to use than most email and phone systems are experiencing explosive growth worldwide.
The vast majority of IM today, including virtually all of it originating from freeware IM clients, is done with client to client security. MSN is shutting down chat rooms in many countries because of security and child-protection issues. Messages and files are transmitted in clear text that even unsophisticated eavesdroppers can easily intercept and read. Most IM services use client-server architectures that make it trivial for system operators to browse every message that passes through the servers handling the message exchanges. Inadequate password management makes hijacking IM accounts very easy. Account spoofing, where a malicious user hijacks an account and casually solicits confidential information from people who think they are chatting with a trusted buddy, is a very real threat in the unsecured world of IM. Finally, it is trivial for an attacker to impersonate someone else in a chat room even without using someone else’s credentials.
As corporate use of IM services has grown, the need for comprehensive security measures aimed at protecting their intellectual property has become vitally important. “Enterprise” IM solutions created by companies such as Yahoo and AOL provide very limited, inadequate security. While “enterprise” IM services encrypt messages, the encryption strategies used offer ample opportunity to view messages in clear text. No provisions have been made to protect the privacy of individuals who use these “secure” IM services. Practically nothing is done to guarantee that users cannot be conned by attackers who have hijacked a valid account name. All of the services are vulnerable to penetration by worms like Fizzer, which steal user names, passwords, and encryption keys from unsuspecting users.
“Enterprise” IM services provide limited protection for employees of the companies that use these applications. Messages exchanged between the company’s employees are protected to a limited extent. However, while employees using business IM services can chat with people outside the company, they cannot do so securely and privately.
A Solution
Most of the well-known IM services including Yahoo! Messenger, MSN Messenger and AIM, are based on classic client-server architectures. In this model, people use client applications to connect to an IM server. IM servers handle basic user sign-on authentication, keep track of users who are currently online, and relay messages between users of the IM service. When a person sends a message to an IM buddy, the desired text is typed into an IM client application which sends it to an IM server. The IM server in turn relays the message to the intended recipient completing the client (sender) to IM server to client (recipient) message transfer.
During simple chat sessions client applications almost always communicate with one another using an IM server as a message relay. However, to minimize server bandwidth bottlenecks, when users pass files back and forth, the IM server simply gives the sending client the address of the recipient client so the message can be passed directly from the sending client the recipient, bypassing the server.
Gnutella and IRC are examples of IM services that are built on peer-to-peer architectures. In this model, IM clients exchange messages and files directly without the need for a server manage the process or relay messages. In the peer-to-peer model, IM client applications are more sophisticated than in the client-server model in which most of the intelligence is located in the IM server. While peer-to-peer IM services offer some advantages over client-server IM applications, there are security issues that must still be addressed. The major deficiency of peer-to-peer architectures is that there is no way to independently authenticate users of the service. Clearly, this deficiency has enormous security implications. In addition, using simple packet sniffers, eavesdroppers can easily intercept messages and files transmitted by peer-to-peer IM clients in plain text.
I simple solution consists in a service likely working as service gateway, monitoring incoming and outgoing IM traffic on standard ports used by IM services (e.g., AIM uses port 5190, MSN uses port 1893). The security architecture can be compared to firewall filtering port management using an intelligent, application-aware gateway.
Data that passes through a protected IP port is secured by the generic client software. It produces the key exchange material between the chat group, the encryption and the certification of the IP packets during the conference over the IM infrastructure.
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byCSC
Sponsored byDNIB.com
I hate to say it, but this article is at best highly unclear, particularly to the extent that it proposes a solution. On re-reading the last two paragraphs several times, I came no closer to understanding how the solution addresses the problem, or even precisely what it is that the proposed solution is doing. If the threat model includes the possibility of a keylogger as installed by something like “Fizzer”, then surely an application-specific gateway fails to address the problem. Can the application-specific gateway tell the difference between a legitimate client and a compromised one? If so, then how?
I’m afraid I just don’t get it.