Stronger security urged

A panel discussion involving a group of experts held during Demo 2006 in Phoenix concluded that the state of security is not where it should be, but they also had suggestions about how to improve it.

A panel discussion involving a group of experts held during Demo 2006 in Phoenix this month concluded that the state of security is not where it should be. Luckily, the panelists also had suggestions on how to improve it.

During the conference, which is owned by Network World, former IBMer and consultant John Patrick called together a panel of industry and academic figures to answer the question: Will the good guys be able to stay ahead of the bad guys? But first Patrick asked the panel to assess the current state of security, and the responses showed that the good guys aren’t necessarily ahead of the bad.

“The state of security is terrible . . . absolutely abysmal,” said Hilarie Orman, former research scientist and onetime member of Defense Advanced Research Projects Agency’s Information Technology Office. She now is CTO and vice president of engineering with Shinkuro, which makes file-sharing software. “It’s difficult to argue there’s a good state of security right now.”

Another panelist reminded the audience that there’s no such thing as perfect security. “It’s a cat-and-mouse game [that the industry plays with hackers], but we need to bring [the threat] down to a level where we can live with it,” said Partha Dasgupta, an associate professor with Arizona State University’s Fulton School of Engineering.

The good news, according to the third panelist, is at least the industry and users are beginning to think about security. Enterprise and consumer products need to find a balance between being secure and being useful, said Charles Palmer, manager of the security, networking and privacy departments at IBM’s Thomas J. Watson Research Center.

“If [security] makes the system really hard to use or is done wrong, you’ve got a brick,” he said.

One possible solution to the recent series of identity theft is biometrics, in which computers scan a finger, face, retina or other part of the body and save that image for authentication. The problem with biometrics, agreed the panel, is that once a thief learns how to reproduce a fingerprint, the owner can’t change the original.

Technology is being developed that doesn’t take a picture of the finger but some small measurements of the finger’s characteristics, said Palmer, who added that 4% of people can’t produce good fingerprints and that pineapple juice can temporarily remove a person’s fingerprint.

Another promising area is challenge-response biometrics, Dasgupta said. Instead of matching a spoken word or phrase to one previously recorded, the phrase is changed every time so a thief can’t record the phrase and replay it over and over to gain access to protected data. “That’s much more sophisticated, and much more complicated,” he said.

Fingerprint biometrics are the best bet at the moment, because the technique has been in practice the longest, Dasgupta said.

Another technology that can help improve security is encryption, the panelists agreed. However, most people don’t know how to use it, and even when it is employed, it is poorly managed, Orman said.

“Encryption does protect data,” Orman said. “The weak point in this is almost always key management. Even when data’s been encrypted someone can find the key, since key selection and protections is so bad. . . . Usually the key is lying around somewhere.”

“The problem is at the endpoints,” Dasgupta added. “When you’re using encryption, you have to encrypt at one end and decrypt at the other.”

Another point of agreement among panel members was that security needs to be part of an application or operating system from the beginning, not an add-on or afterthought.

“We continue to build systems without thinking about security from the beginning,” Palmer said.

“What developers really want is [a tool that] looks at code and tells you if it’s evil, and that’s impossible,” Palmer added.

“All code is evil, let’s face it,” Orman retorted, drawing chuckles from the audience. “It’s been interesting watching the evolution of network security protocols; it’s very difficult to change them” at this point, she said.

Patrick asked the panel whether mobile devices were a particularly high security risk. Technically speaking, they’re not, the panel said, but it’s the way people use them today that creates vulnerabilities. Good security “requires you to take your BlackBerry and type your password in every time you open it,” Palmer said.