ch05.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 978 行 · 第 1/4 页

foster an entirely new frontier for those pandering malicious code, viruses, and
code to circumvent security.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>To learn more about the
	HTML standardization process, visit the site of the World Wide Web Consortium (<A
	HREF="http://www.w3.org"><TT>http://www.w3.org</TT></A>). If you already know a bit
	about the subject but want specifics about what types of HTML tags and extensions
	are supported, you should read W3C's activity statement on this issue (<A HREF="http://www.w3.org/pub/WWW/MarkUp/Activity"><TT>http://www.w3.org/pub/WWW/MarkUp/Activity</TT></A>).
	One interesting area of development is W3C's work on support for the disabled. 
<HR>


</BLOCKQUOTE>

<P>Proprietarism is a dangerous force on the Internet, and it's gaining ground quickly.
To compound this problem, some of the proprietary products are excellent. It is therefore
perfectly natural for users to gravitate toward these applications. Users are most
concerned with functionality, not security. Therefore, the onus is on vendors, and
this is a problem. If vendors ignore security hazards, there is nothing anyone can
do. One cannot, for example, forbid insecure products from being sold on the market.
That would be an unreasonable restraint of interstate commerce and ground for an
antitrust claim. Vendors certainly have every right to release whatever software
they like, secure or not. At present, therefore, there is no solution to this problem.</P>
<P>Extensions, languages, or tags that probably warrant examination include

<UL>
	<LI>JavaScript
	<LI>VBScript
	<LI>ActiveX
</UL>

<P>JavaScript is owned by Netscape, and VBScript and ActiveX are owned by Microsoft.
These languages are the weapons of the war between these two giants. I doubt that
either company objectively realizes that there's a need for both technologies. For
example, Netscape cannot shake Microsoft's hold on the desktop market. Equally, Microsoft
cannot supply the UNIX world with products. The Internet would probably benefit greatly
if these two titans buried the hatchet in something besides each other.
<H3><FONT COLOR="#000077"><B>The Trickling Down of Technology</B></FONT></H3>
<P>As discussed earlier, there is the problem of high-level technology trickling
down from military, scientific, and security sources. Today, the average cracker
has tools at his or her disposal that most security organizations use in their work.
Moreover, the machines on which crackers use these tools are extremely powerful,
therefore allowing faster and more efficient cracking.</P>
<P>Government agencies often supply links to advanced security tools. At these sites,
the tools are often free. They number in the hundreds and encompass nearly every
aspect of security. In addition to these tools, government and university sites also
provide very technical information regarding security. For crackers who know how
to mine such information, these resources are invaluable. Some key sites are listed
in Table 5.1.
<H4><FONT COLOR="#000077"><B>Table 5.1. Some major security sites for information
and tools.</B></FONT></H4>
<P>
<TABLE BORDER="1">
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP"><I>Site</I></TD>
		<TD ALIGN="LEFT" VALIGN="TOP"><I>Address</I></TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">Purdue University</TD>
		<TD ALIGN="LEFT" VALIGN="TOP"><A HREF="http://www.cs.purdue.edu//coast/archive/ "><TT>http://www.cs.purdue.edu//coast/archive/</TT></A></TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">Raptor Systems</TD>
		<TD ALIGN="LEFT" VALIGN="TOP"><A HREF="http://www.raptor.com/library/library.html"><TT>http://www.raptor.com/library/library.html</TT></A></TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">The Risks Forum</TD>
		<TD ALIGN="LEFT" VALIGN="TOP"><A HREF="http://catless.ncl.ac.uk/Risks"><TT>http://catless.ncl.ac.uk/Risks</TT></A></TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">FIRST</TD>
		<TD ALIGN="LEFT" VALIGN="TOP"><A HREF="http://www.first.org/"><TT>http://www.first.org/</TT></A></TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">DEFCON</TD>
		<TD ALIGN="LEFT" VALIGN="TOP"><A HREF="http://www.defcon.org/"><TT>http://www.defcon.org/</TT></A></TD>
	</TR>
</TABLE>
</P>
<P>The level of technical information at such sites is high. This is in contrast
to many fringe sites that provide information of little practical value to the cracker.
But not all fringe sites are so benign. Crackers have become organized, and they
maintain a wide variety of servers on the Internet. These are typically established
using free operating systems such as Linux or FreeBSD. Many such sites end up establishing
a permanent wire to the Net. Others are more unreliable and may appear at different
times via dynamic IP addresses. I should make it clear that not all fringe sites
are cracking sites. Many are legitimate hacking stops that provide information freely
to the Internet community as a service of sorts. In either case, both hackers and
crackers have been known to create excellent Web sites with voluminous security information.</P>
<P>The majority of cracking and hacking sites are geared toward UNIX and IBM-compatible
platforms. There is a noticeable absence of quality information for Macintosh users.
In any event, in-depth security information is available on the Internet for any
interested party to view.</P>
<P>So, the information is trafficked. There is no solution to this problem, and there
shouldn't be. It would be unfair to halt the education of many earnest, responsible
individuals for the malicious acts of a few. So advanced security information and
tools will remain available.
<H3><FONT COLOR="#000077"><B>Human Nature</B></FONT></H3>
<P>We have arrived at the final (and probably most influential) force at work in
weakening Internet security: human nature. Humans are, by nature, a lazy breed. To
most users, the subject of Internet security is boring and tedious. They assume that
the security of the Internet will be taken care of by experts.</P>
<P>To some degree, there is truth to this. If the average user's machine or network
is compromised, who should care? They are the only ones who can suffer (as long as
they are not connected to a network other than their own). The problem is, most will
be connected to some other network. The Internet is one enterprise that truly relies
on the strength of its weakest link. I have seen crackers work feverishly on a single
machine when that machine was not their ultimate objective. Perhaps the machine had
some trust relationship with another machine that <I>was</I> their ultimate objective.
To crack a given region of cyberspace, crackers may often have to take alternate
or unusual routes. If one workstation on the network is vulnerable, they are all
potentially vulnerable as long as a relationship of trust exists.</P>
<P>Also, you must think in terms of the smaller businesses because these will be
the great majority. These businesses may not be able to withstand disaster in the
same way that larger firms can. If you run a small business, when was the last time
you performed a complete backup of all information on all your drives? Do you have
a disaster-recovery plan? Many companies do not. This is an important point. I often
get calls from companies that are about to establish permanent connectivity. Most
of them are unprepared for emergencies.</P>
<P>Moreover, there are still two final aspects of human nature that influence the
evolution of security on the Internet. Fear is one. Most companies are fearful to
communicate with outsiders regarding security. For example, the majority of companies
will not tell <I>anyone</I> if their security has been breached. When a Web site
is cracked, it is front-page news; this cannot be avoided. When a system is cracked
in some other way (with a different point of entry), press coverage (or any exposure)
can usually be avoided. So, a company may simply move on, denying any incident, and
secure its network as best it can. This deprives the security community of much-needed
statistics and data.</P>
<P>The last human factor here is curiosity. Curiosity is a powerful facet of human
nature that even the youngest child can understand. One of the most satisfying human
experiences is discovery. Investigation and discovery are the things that life is
really made of. We learn from the moment we are born until the moment that we die,
and along that road, every shred of information is useful. Crackers are not so hard
to understand. It comes down to basics: Why is this door is locked? Can I open it?
As long as this aspect of human experience remains, the Internet may never be entirely
secure. Oh, it will be ultimately be secure enough for credit-card transactions and
the like, but someone will always be there to crack it.
<H2><FONT COLOR="#000077"><B>Does the Internet Really Need to Be Secure?</B></FONT></H2>
<P>Yes. The Internet does need to be secure and not simply for reasons of national
security. Today, it is a matter of personal security. As more financial institutions
gravitate to the Internet, America's financial future will depend on security. Many
users may not be aware of the number of financial institutions that offer online
banking. One year ago, this was a relatively uncommon phenomenon. Nevertheless, by
mid-1996, financial institutions across the country were offering such services to
their customers. Here are a few:

<UL>
	<LI>Wells Fargo Bank
	<LI>Sanwa Bank
	<LI>Bank of America
	<LI>City National Bank of Florida
	<LI>Wilber National Bank of Oneonta, New York
	<LI>The Mechanics Bank of Richmond, California
	<LI>COMSTAR Federal Credit Union of Gaithersburg, Maryland
</UL>

<P>The threat from lax security is more than just a financial one. Banking records
are extremely personal and contain revealing information. Until the Internet is secure,
this information is available to anyone with the technical prowess to crack a bank's
online service. It hasn't happened yet (I assume), but it will.</P>
<P>Also, the Internet needs to be secure so that it does not degenerate into one
avenue of domestic spying. Some law-enforcement organizations are already using Usenet
spiders to narrow down the identities of militia members, militants, and other political
undesirables. The statements made by such people on Usenet are archived away, you
can be sure. This type of logging activity is not unlawful. There is no constitutional
protection against it, any more than there is a constitutional right for someone
to demand privacy when they scribble on a bathroom wall.</P>
<P>Private e-mail is a different matter, though. Law enforcement agents need a warrant
to tap someone's Internet connection. To circumvent these procedures (which could
become widespread), all users should at least be aware of the encryption products
available, both free and commercial (I will discuss this and related issues in Part
VII of this book, &quot;The Law&quot;).</P>
<P>For all these reasons, the Internet must become secure.
<H2><FONT COLOR="#000077"><B>Can the Internet Be Secure?</B></FONT></H2>
<P>Yes. The Internet can be secure. But in order for that to happen, some serious
changes must be made, including the heightening of public awareness to the problem.
Most users still regard the Internet as a toy, an entertainment device that is good
for a couple of hours on a rainy Sunday afternoon. That needs to change in coming
years.</P>
<P>The Internet is likely the single, most important advance of the century. Within
a few years, it will be a powerful force in the lives of most Americans. So that
this force may be overwhelmingly positive, Americans need to be properly informed.</P>
<P>Members of the media have certainly helped the situation, even though media coverage
of the Internet isn't always painfully accurate. I have seen the rise of technology
columns in newspapers throughout the country. Good technology writers are out there,
trying to bring the important information home to their readers. I suspect that in
the future, more newspapers will develop their own sections for Internet news, similar
to those sections allocated for sports, local news, and human interest.</P>
<P>Equally, many users are security-aware, and that number is growing each day. As
public education increases, vendors will meet the demand of their clientele.
<H2><FONT COLOR="#000077"><B>Summary</B></FONT></H2>
<P>In this chapter, I have established the following:

<UL>
	<LI>The Internet is not secure.<BR>
	<BR>
	
	<LI>Education about security is lacking.<BR>
	<BR>
	
	<LI>Proprietary designs are weakening Internet security.<BR>
	<BR>
	
	<LI>The availability of high-grade technological information both strengthens and
	weakens Net security.<BR>
	<BR>
	
	<LI>There is a real need for Internet security.<BR>
	<BR>
	
	<LI>Internet security relies as much on public as private education.
</UL>

<P>Those things having been established, I want to quickly examine the consequences
of poor Internet security. Thus, in the next chapter, I will discuss Internet warfare.
After covering that subject, I will venture into entirely new territory as we begin
to explore the tools and techniques that are actually applied in Internet security.</P>
<CENTER>
<P>
<HR>
<A HREF="../ch04/ch04.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch06/ch06.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> <BR>
<BR>
<BR>
<IMG SRC="../button/corp.gif" WIDTH="284" HEIGHT="45" ALIGN="BOTTOM" ALT="Macmillan Computer Publishing USA"
BORDER="0"></P>

<P>&#169; <A HREF="../copy.htm">Copyright</A>, Macmillan Computer Publishing. All
rights reserved.
</CENTER>


</BODY>

</HTML>