Thursday, November 21, 2024

Security Notes: What To Do About Malware

 

Gideon Samid – Gideon@AGSgo.com

 

 

 

Clients often ask me: “If I have water on my kitchen floor, I call in a plumber who plugs all my leaks and I don’t need to call him back next week. Why do we have to patch and plug virus holes—daily?” I answer with a different analogy: Why do we elect a Congress and state legislatures every couple of years? Why couldn’t our Founding Fathers have written the law so that no new laws would have to be written—daily?

 

Or consider playing chess by specifying all the moves in advance, without waiting for the opponent to make his move. While this is theoretically possible in chess, it is practically impossible. The same is true with respect to the unending cyberwar. Computers are very obedient and indefatigable, and have perfect memory. But they have zero common sense. They will execute any instruction unless that instruction is specifically forbidden. If we could list all the instructions that should not be executed, we would have no virus problem.

 

But as things are, hackers find new instructions daily to challenge computers with, and since these new instructions aren’t on the “don’t execute” list, the computers carry them out. On the defense side, we play catch-up, instruction by instruction (you see these as “patches”). Such is the sad state of affairs with respect to security in general.

 

What’s more, early on, when design questions arose, computer scientists made a crucial decision: They mixed data and software in the same medium, meaning that in the place reserved for textual material, like names and narratives, one could implant computer instructions (software). Data and software look the same to the naked eye, just a string of bits. Once the data are implanted, all that remains is to tell the computer to read that data, which are really instructions for its operation, and execute the instructions. This duality of data and data-operations is ingeniously exploited on our networks, which are interchanging more and more data all the time.

 

So why don’t we spot those buggers and eradicate them? We do, and quite successfully. But the war is not over. The bad guys have an answer for us, a new form of malware known as a rootkit.

 

This bug exploits another key design issue: the black-box concept. It is this concept that allows us to negotiate the incredible complexity of computers and networks. With black box, the innards of a computer function are hidden from the other computer components that interface with it. So if the operating system sends a file to the printer, it is oblivious to what exactly happens with the printable characters on their way from the screen to the printed sheet.

 

Similarly, when a virus hunter searches for malware, it queries something called an API (application programming interface) as to the existence of a dangerous file. If the API has been compromised by a rootkit, the answer will be: “no, of course not!”—deceiving the interrogator. This is also known as the man-in-the-middle technique. When Alice and Bob converse in cyberspace, they may actually be conversing with a hacker who passes himself off as Bob talking to Alice, and as Alice talking to Bob, and nobody is the wiser.
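Defenders answer a lying API with a cross-view comparison: ask the live system's API for a directory listing, read the same directory another way (for example, from the disk mounted read-only under known-clean boot media), and compare the two answers. The sketch below is an added example, not part of the original column; the file names, sizes, and the `ignore` parameter are constructed for illustration.

```python
"""Cross-view check: compare the live API's answer with an independent,
trusted view of the same directory. Added illustration only."""


def cross_view_diff(api_view, trusted_view, ignore=()):
    """Both views map file name -> size in bytes.

    api_view     : listing returned by the live system's API (may be hooked)
    trusted_view : same directory read independently of that API
    ignore       : names expected to change between the two snapshots
                   (e.g. logs), excluded to reduce false positives
    """
    skip = set(ignore)
    api = {n: s for n, s in api_view.items() if n not in skip}
    trusted = {n: s for n, s in trusted_view.items() if n not in skip}

    # Present on disk, but the API says "no, of course not!"
    hidden = sorted(set(trusted) - set(api))
    # Reported by the API, but absent from the trusted view
    phantom = sorted(set(api) - set(trusted))
    # Both views list the file, but disagree about its metadata
    altered = sorted(n for n in set(api) & set(trusted) if api[n] != trusted[n])
    return {"hidden": hidden, "phantom": phantom, "altered": altered}


def verdict(report):
    """Any disagreement means the API's answers cannot be taken at face value."""
    return "suspect" if any(report.values()) else "consistent"


# Constructed sample data (not taken from a real system).
TRUSTED = {"notepad.exe": 201216, "hosts": 824,
           "svc_helper.sys": 45056, "app.log": 9100}
API = {"notepad.exe": 201216, "hosts": 790, "app.log": 9344}

if __name__ == "__main__":
    report = cross_view_diff(API, TRUSTED, ignore={"app.log"})
    print(report, verdict(report))
```

A disagreement is a lead to investigate rather than proof: files can change legitimately between the two snapshots, which is why the churn-prone log is excluded here.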

 

The man-in-the-middle attack steals your keystrokes as you type your password. It even steals the “secure” information you type into a “secure” Web site form (see the Zeus Trojan). When you hit “submit,” you again activate an API, which, if it’s infected, redirects or copies your form content. Hackers have infected very popular Web sites so that when you download a white paper or the latest Adobe version from your trusted bank, you may bring an uninvited guest right into your system.

 

What to do? First, ditch the notion of a silver bullet. It doesn’t exist. Second, designate a cyber intelligence officer in your shop. If you are a small organization, this may be a part-time assignment; if you are a large organization, hire a reputable security consultant. Next, read security blogs like the one we maintain at agsgo.wordpress.com. Finally, consider the “brute-force defense.” For example, we tell our clients to store super-sensitive documents on a standalone computer, and to access super-sensitive bank accounts from a machine running the Unix operating system (free PC versions are available), simply because most malware is Windows-specific.

 

One other point is worth remembering. The cyberwar is not a campaign you can opt out of. So you might as well face it well-armed.

 
