Terror talk stalks RSA Conference

Computer security Czar Clarke frets

The official theme of the eleventh annual RSA Conference evokes the Elizabethan Era -- complete with costumed minstrels and acrobats wandering the San Jose, Calif. convention center. Unofficially, the security event opened Tuesday with a more serious theme, with U.S. cyber security czar Richard Clarke warning about the potential for terrorist hack attacks, and a panel of noted cryptographers fretting over lost liberties in the wake of the real terrorist attacks of September 11.

In a keynote address kicking off the conference, Clarke repeated the message that he's delivered around the country since his appointment as the White House's Special Advisor for Cyber Security last fall, evoking patriotic duty and September 11 to urge companies to make computer security a top priority, and arguing that future terrorists may exploit glaring weaknesses in U.S. computer systems.

"This industry runs the same risk that the aviation industry ran," Clarke said. "For years, people in the aviation industry knew that there were security vulnerabilities. They convinced each other and convinced themselves that these vulnerabilities would never be used."

Citing a Forrester Research report that found companies spend on average .0025 percent of their revenue on information security, Clarke chided, "If you spend more money on coffee than IT security, you will be hacked. And moreover, you deserve to be hacked."

Govnet redux

In contrast, Clarke said, the Bush administration has proposed increasing federal cyber security funding by sixty-four percent to $4 billion -- eight percent of the government's $50 billion IT budget.

Clarke also defended his proposal for the creation of a private network exclusively for sensitive government computers. The administration received 167 comments on the proposal to create a "Govnet" that would be isolated from the public Internet, Clarke said. Those proposals are being reviewed by sixteen federal agencies.

The cyber security czar professed surprise at learning from the comments that other segregated wide area networks already exist, within federal agencies and private companies. "What we discovered is that the idea of having a separate air-gapped network... is in fact an old idea," said Clarke. "There are already such networks out there."

Some security experts had criticized the Govnet proposal, arguing that such a network would itself be vulnerable to attack, and would represent a government abandonment of the Internet. Clarke countered Tuesday that he didn't expect Govnet to provide perfect security, but that it makes sense to remove critical government functions from the public network. "I don't know where it was ever written that everything has to be connected to everything else," said Clarke.

Clarke's talk -- a mix of fiery rhetoric and pragmatic analysis -- was generally well received, though observers disagreed with Clarke on some key points.

"He seems to say that out of the goodness of our hearts we should spend more and more and do the right thing, and I don't think that's going to happen," said Bruce Schneier, CTO of Counterpane Internet Security. "If you want to make them do the right thing, make it illegal to do the wrong thing."

"I really believe terrorists are more interested in physical mayhem," said former hacker Kevin Mitnick, also attending the conference. "A lot of people don't take notice if the phone system goes down in Miami."

Cryptographer's Panel

The terrorism theme carried over into the Cryptographer's Panel -- an annual tradition at the conference that brings together the world's best-known cryptography experts. But the panel was less concerned with the purported threat of cyber terrorism than with the corporate and governmental responses to physical attacks.

Adi Shamir, professor at the Weizmann Institute of Science, criticized the hodgepodge of security measures that went into effect following September 11, including airport screeners that sometimes prohibited innocuous items like fingernail clippers, while allowing materials that could be converted into weapons. "I think that in computer security we know the importance of multiple lines of defense," said Shamir. "They should use ethical computer hackers in order to think of ways that airline security could be breached."

Privacy was an issue for MIT professor Ronald Rivest, who was particularly concerned about plans to make widespread use of small, inexpensive radio-frequency tags as security tools. "Everything you own might have one of these tags on them," said Rivest. "I might be able to tell how much money you're carrying just by putting out a radio probe."

The technology could backfire, said Rivest, with terrorists using the tags as a proximity fuse for an explosive, so that a bomb would go off when a particular person came within range. The cryptographer suggested that laws may be needed to prevent companies or the government from tying such tags to personally identifiable information.

Whitfield Diffie, another cryptography legend, worried about growing restrictions on the free flow of information. "The more we impose controls on ourselves, the more they can be taken over to support someone else's information control policies," said Diffie.

The cryptographer drew applause for condemning intrusive new surveillance practices. "This kind of very un-American watching of people is something we should watch very carefully."

© 2002 SecurityFocus.com, all rights reserved.
