Understanding The Latest Net Security Breach

Jason Romney (jromney@werple.mira.net.au)
Mon, 16 Oct 1995 03:20:05 +1000 (EST)


This material is for individual use only. Not for republication or
redistribution without special arrangement with the New York Times
Syndicate. (e-mail requests)



__________________________________________________________________


Understanding The Latest Net Security Breach (10/14)

By DAVID JOACHIM
c.1995 Interactive Age




Concerns about Internet security flared again earlier this week, with
reports surfacing of fundamental flaws in the core Internet protocols
that could be exploited by hackers to disrupt electronic commerce.

The same group of students and faculty at the University of California
at Berkeley that recently reported a security flaw in the popular
Netscape Navigator browser posted the latest warning last week.

The latest weakness in Internet security lies in the basic structure of
TCP/IP, according to David Wagner, one of the graduate students who
authored the report.

Specifically, the problem lies in the Internet-standard Network File
System protocol. An attacker, using software located on an Ethernet
segment between the client and the Internet server, can snoop on a
session between two servers, and ultimately forge a reply to the
client. From there, if the client receives the forged reply before the
legitimate reply, the imposter is accepted and can alter data without a
trace.

Today, most efforts at improving Internet security focus on
protecting--using sophisticated encryption techniques--a file while it
is en route to its destination, Wagner said. But those efforts won't
stop this latest attack, which attempts to manipulate access to secure
information rather than simply use brute force to crack encrypted data.


``As the channel becomes more secure, it becomes more appealing to
attack the endpoints, where you can tamper with the (security) program
and turn off the protections,'' said Wagner.

Security vendors insist such warnings are welcome, and will not slow
commerce on the Internet.

Indeed, the major focus of industry vendors right now is developing
digital ID and signature technology that will solve just the problem
posed last week: the need for authenticating the identity of the buyer
and seller in a transaction and validating that a file has not been
altered along the way.

``What we're seeing now is the discovery that scrambling the bits is
not enough,'' said Stratton Sclavos, president and CEO at VeriSign
Inc., Redwood City, Calif. ``Authentication is the next necessary piece
that needs to be implemented. The identity of the sender and the
integrity of the message are the keys.''



NYT-10-14-95 1327EDT
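
The race described in the article, where a client accepts whichever reply arrives first, set beside a client that authenticates each reply, as an added Python example that is not part of the original article. The message layout, the function names and the use of a shared-key HMAC as a stand-in for the digital signature technology the vendors mention are assumptions made for illustration; the replies are constructed sample data.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumption: secret shared by client and server


def make_reply(xid, data, key):
    """Build a reply: 4-byte transaction id + data, tagged with HMAC-SHA256."""
    body = struct.pack(">I", xid) + data
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).digest()}


def reply_xid(reply):
    return struct.unpack(">I", reply["body"][:4])[0]


def accept_first(replies, xid):
    """Unauthenticated client: the first reply with a matching id wins."""
    for reply in replies:
        if reply_xid(reply) == xid:
            return reply["body"][4:]
    return None


def accept_authenticated(replies, xid, key):
    """Authenticated client: discard replies whose tag does not verify.

    Returns (data, rejected) so the caller can log discarded forgeries.
    """
    rejected = 0
    for reply in replies:
        if reply_xid(reply) != xid:
            continue
        expected = hmac.new(key, reply["body"], hashlib.sha256).digest()
        if hmac.compare_digest(expected, reply["tag"]):
            return reply["body"][4:], rejected
        rejected += 1
    return None, rejected


def demo():
    xid = 0x1234
    legit = make_reply(xid, b"file contents: original", KEY)
    # Constructed forgery: correct transaction id, tag made without the real key.
    forged = make_reply(xid, b"file contents: tampered", b"not-the-key")
    arrival_order = [forged, legit]  # the forged reply wins the race
    return (accept_first(arrival_order, xid),
            accept_authenticated(arrival_order, xid, KEY))
```

The rejected count returned by the authenticated client is also a detection signal: a matching transaction id with a bad tag means something on the path is answering in the server's place.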



__________________________________________________________________





© The Interactive Connection