Security experts look to the future

A panel discussion involving a group of experts held during DEMO ’06 in Phoenix last week concluded that the state of security today is not where it should be. But the panelists also had suggestions on how to improve it.

A panel discussion involving a group of experts held during DEMO ‘06 in Phoenix last week concluded that the state of security today is not where it should be. But the panelists also had suggestions on how to improve it.

During the conference, which is owned by Network World, former IBMer and consultant John Patrick called together a panel of industry and academic figures to try to answer the question, “Will the good guys be able to stay ahead of the bad guys?” But first Patrick asked the panel to assess the current state of security, and the responses showed that the good guys aren’t necessarily ahead of the bad guys to begin with.

“The state of security is terrible… absolutely abysmal,” said Hilarie Orman, former research scientist and onetime member of DARPA’s Information Technology Office; now CTO and vice president of engineering with Shinkuro, which makes file-sharing software. “It’s difficult to argue there’s a good state of security right now.”

Another panelist reminded the audience that there’s no such thing as perfect security. “It’s a cat-and-mouse game” that the industry plays with hackers, “but we need to bring [the threat] down to a level where we can live with it,” said Partha Dasgupta, an associate professor with Arizona State University’s Fulton School of Engineering.

The good news, according to another panelist, is at least the industry and users are beginning to think about security, yet it is harder to retrofit security onto hardware and software that’s already been built. Nonetheless, both enterprise and consumer products need to find a balance between being secure and being useful, said Charles Palmer, manager of the security, networking, and privacy departments at IBM’s Thomas J. Watson Research Center.

“If [security] makes the system really hard to use or is done wrong, you’ve got a brick,” he said.

One possible solution to the rash of identity theft that has broken out of late is biometrics, where computers scan a finger, face, retina, or other part of the body and save that image for authentication. The problem with biometrics, agreed the panel, is that once a thief learns how to reproduce a fingerprint, the owner can’t change the original.

New technology is being developed that doesn’t actually take a picture of the finger, but some small measurements of the finger’s characteristics, said Palmer, who added that 4% of the population can’t produce good fingerprints and that pineapple juice can temporarily remove a person’s fingerprint.

Another promising area is challenge-response biometrics, says Dasgupta, where instead of matching a spoken word or phrase to a previously recorded one the phrase is changed every time, that way a thief can’t record the phrase and replay it over and over to gain access to protected data. “That’s much more sophisticated, and much more complicated,” he said.

Fingerprint biometrics are the best bet at the moment because the technique has been in practice the longest, said Dasgupta.

Another technology that can help improve the current state of security is encryption, the panelists agreed. However, most people don’t know how to use it and even when it is employed, it is poorly managed, Orman said.

“Encryption does protect data,” said Orman. “The weak point in this is almost always key management. Even when data’s been encrypted, someone can find the key, since key selection and protections is so bad… usually the key is lying around somewhere.”

“The problem is at the end points,” added Dasgupta. “When you’re using encryption, you have to encrypt at one end and decrypt at the other.”

Another point of agreement among panel members was that security needs to be part of a new application or operating system from the beginning – not an add-on or afterthought. “We continue to build systems without thinking about security from the beginning,” said Palmer. “What developers really want is [a tool that] looks at code and tells you if it’s evil, and that’s impossible.”

“All code is evil, let’s face it,” retorted Orman, drawing chuckles from the audience. “It’s been interesting watching the evolution of network security protocols, it’s very difficult to change them” at this point, she said.

Patrick asked the panel if mobile devices were a particular security risk. Technically speaking they’re not, said the panel, but it’s the way people use them today that creates vulnerabilities. Good security “requires you to take your Blackberry and type your password in every time you open it,” Palmer said.