Transcript
Page 1: Hardware to blunt hack attack

Ever since 1988, when the Morris worm cut down 10 per cent of the Internet's computers, the number of cyber "incidences" and reported vulnerabilities has grown exponentially. The cost of the disruption to business, of the reduction in confidence and of repairing the systems is no longer tolerable. Moreover, the increasing connectedness of users, via a growing variety of devices and applications, means that the IT industry can no longer ignore the cyber attack problem.

The large number of vulnerabilities is due, in part, to the complexity of modern systems. A typical Unix or Windows system, including major applications, has of the order of 100 million lines of code. Recent studies show that a typical software product has roughly one security-related bug per thousand lines of source code. Therefore an average system gives a hacker potentially 100,000 weak spots to attack.

The rate at which researchers discover weak points makes it hard for security managers to keep up with the necessary patches, assuming they are available. Therefore most systems will have at least one known vulnerability. Hackers now use combination attacks to test for these weak spots, and to exploit them.

Live CERT

Following the Morris worm incident, the US Defense Advanced Research Projects Agency asked the Software Engineering Institute, a federally funded research and development centre at Carnegie Mellon University, to coordinate communication among experts during security emergencies and to help prevent future incidents. This became CERT.

The number of incidents reported to CERT has risen from six in 1988 to 137,529 last year. The number of computers affected runs into the millions.

Each attack may compromise the data on each system. The theft, alteration or destruction of commercially valuable personal or enterprise data is a real risk. Secondly, theft of identity and/or authentication information can give hackers access to other systems and accounts, thereby compounding the damage. Thirdly, as users become more mobile, the risk rises that data and identity information may be compromised by physical theft or loss of the access device. Fourthly, as mobile access relies increasingly on radio technologies, the risk grows that third parties overhear sensitive data.

It is becoming more obvious that software-only security mechanisms are not enough to protect information assets. Even the firewalls that protect intranets do not provide much comfort; many attacks originate from users inside these firewalls, and may also bypass these firewalls in e-mail attachments. This adds impetus to the move to use hardware-based embedded security subsystems to protect information assets.

Standard trust

The Trusted Computing Group (TCG) has been formed to respond to this challenge (see table of members). TCG aims to develop, define, and promote open, vendor-neutral industry standards for trusted computing. These include specifications for hardware and software interfaces for multiple platforms and operating environments.

User and IT benefits

Security chips based on TCG's specification for the Trusted Platform Module (TPM) are now in millions of desktop and notebook PCs and working with many applications. Their benefits include:

• More secure storage of files, personally identifiable information, and digital secrets.
• More secure user authentication by protection of keys used by authentication processes such as 802.1x, S/MIME e-mail, and VPNs.

Hardware to blunt hack attack
Column by Jim Ward
Software security is for wimps; enter the hard guys of hardware
Infosecurity Today, July/August 2004, page 42

[Figure: Growth in reported vulnerabilities since 1995. Chart of the number of vulnerabilities per year, 1995 to 2002, on a vertical axis from 0 to 5000.]

Ward: complexity breeds vulnerabilities

Page 2: Hardware to blunt hack attack

Book review

In the last few years the number of vulnerabilities published in the public domain has mushroomed. This book is, as its title says, a wake-up call for web programmers. It provides practical worked examples that take the reader through a number of types of attack. What is interesting is that this is a book which talks about security, but does not spend ages talking about encryption or buffer overflows. This book has been written by a developer for developers in a language that developers will understand. The aim of the book is to provide a developer with the years of experience that are necessary to develop a secure web site that meets the needs of its users.

In more detail, this book is designed and aimed at programmers who are building web sites, and so it does not address the design and deployment of infrastructure. This book does not focus on client-side technologies, such as ActiveX or Java Applets; rather it focuses on server-side programming, in particular SQL Injection, User Input Manipulation, Authentication and Cross Site Scripting. In short, if you are a server-side web developer then you simply must read this book. If you are a web techie then you will love this book. I did.


• Lower-cost and stronger user authentication by using the TPM as a security token together with other types of authentication such as passphrases, fingerprint readers, keyfobs, smartcards, proximity badges, and SIMs.

Extra benefits that will accrue over time include:

• More secure platform authentication through protection of an identity key that is associated with the platform.
• Platform authentication with multiple anonymous trusted identities which, when combined with user authentication, will enable additional remote access security while protecting privacy.
• More secure data protection through confirmation of platform integrity prior to decryption.
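The last benefit, releasing a secret only when the platform's integrity measurements match those recorded at the time the secret was stored, can be shown with a small model. This is an added example, not code from the article or from TCG: the ToyTPM class, its four SHA-1 PCRs, the boot stages and the HMAC-based cipher are all constructed stand-ins for a real TPM's registers and storage-key hierarchy.

```python
# Constructed model of TPM 1.2-style PCRs and sealed storage (standard library only, not real TPM code).
import hashlib, hmac, os

def crypt(key, data):
    # Toy HMAC counter-mode stream cipher standing in for the TPM's storage-key wrapping.
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class ToyTPM:
    def __init__(self):
        self._root_secret = os.urandom(32)  # never leaves the "chip"; persists across reboots
        self.boot()

    def boot(self, *stages):
        # A power cycle zeroes the PCRs; each boot stage is then measured into its own PCR.
        self.pcrs = [bytes(20)] * 4
        for index, measurement in enumerate(stages):
            self.extend(index, measurement)

    def extend(self, index, measurement):
        # PCR[i] = SHA1(PCR[i] || SHA1(measurement)): extend-only, so the order of stages matters.
        digest = hashlib.sha1(measurement).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()

    def _wrap_key(self, selection):
        policy = hashlib.sha1(b"".join(self.pcrs[i] for i in selection)).digest()
        return hmac.new(self._root_secret, policy, hashlib.sha256).digest()

    def seal(self, data, selection):
        # Encrypt under a key bound to the current values of the selected PCRs.
        key = self._wrap_key(selection)
        ct = crypt(key, data)
        return {"pcrs": tuple(selection), "ct": ct, "tag": hmac.new(key, ct, hashlib.sha256).digest()}

    def unseal(self, blob):
        # Integrity is confirmed before decryption: changed PCRs give a different key, so the tag fails.
        key = self._wrap_key(blob["pcrs"])
        if not hmac.compare_digest(hmac.new(key, blob["ct"], hashlib.sha256).digest(), blob["tag"]):
            return None  # refuse to release the secret
        return crypt(key, blob["ct"])

def demo():
    tpm = ToyTPM()
    tpm.boot(b"firmware v1", b"bootloader v1")
    blob = tpm.seal(b"disk-encryption-key", [0, 1])
    tpm.boot(b"firmware v1", b"bootloader v1 (tampered)")
    refused = tpm.unseal(blob)  # None: the platform no longer matches the sealed state
    tpm.boot(b"firmware v1", b"bootloader v1")
    return refused, tpm.unseal(blob)
```

A real TPM performs the comparison and decryption inside the chip, so the unwrapped key never reaches software while the measurements differ; the model only reproduces the decision logic.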

TCG is exhibiting at Infosecurity Europe 2005, Europe's premier IT security exhibition. The event brings together IT security professionals from around the globe with suppliers of security hardware, software and consultancy services. Now in its 10th year, the show features Europe's most comprehensive free education programme, and over 200 exhibitors at the Grand Hall at Olympia from 26 to 28 April 2005.

Further information about Infosecurity Europe 2005 is available at http://www.infosec.co.uk. Information on TCG and how to join is at www.trustedcomputinggroup.org.

Jim Ward is the President of the Trusted Computing Group

References:
CERT Web Site: http://www.cert.org/archive/pdf/attack_trends.pdf [Overview of Attack Trends]
CERT Web Site: www.cert.org/stats/cert_stats.html [CERT/CC Statistics]


Review: Innocent Code: a Security Wake-Up Call for Web Programmers, by Sverre H. Huseby. John Wiley & Sons (January 23, 2004), ISBN 0470857447. Reviewed by Andrew Blyth.
