Newsweek (International), September 15, 1997
You’re astounded by the convenience, speed and sleek modernity of the Internet and the World Wide Web. Suddenly you can connect to customers and suppliers all over the world. No more heavy expenses manning call centers. No more spending a fortune on postage and shipping costs for brochures or marketing materials. Why wait for a check to clear when you can take somebody’s credit-card information through your Web server? As wonderful as all the bright promise of the Internet might be, there’s an equally troubling dark side: diminished security.
Security for the Web Server
One of the best ways to keep external hackers out of your internal network is firewall technology. Firewall solutions exist in a number of different forms including packet filters, which look at each “packet” of data entering or leaving a network and allow it to pass depending on whether it meets certain specified rules. and gateways, which limit who gets to specific parts of your internal network depending on his identity.
The greatest source for security software updates and patches is probably the CERT Coordination Center. Based at Carnegie Mellon University, CERT developed out of the computer emergency-response team created by the U.S. Department of Defense. CERT has made Internet security its mission from the time of its creation in 1988 — the dawn of time in Internet terms.
“Vendors have become much more responsive about getting security patches out and making them available,” says CERT’s daily operations manager, Kathy Fithen. “They’re working harder at trying to meet the demands and the needs of the security antes issues for their customers.” If there’s a problem, CERT will likely be the first to identify it. If’ there’s a fix, CERT will tell you where and how to find it. Most recently, Fithen says, CGI (Controlled Gateway Interface) scripts have been a soft spot. CGI is an Internet standard that allows Web servers to run external applications such as search engines. Using “sniffer” software, hackers can distract a server, then monitor its traffic and automatically capture and store user name and password pairs. Once they have that information, of course, nothing on your system is safe. The best means of protection is to set up the system right in the first place and keep on top of new problems by getting on an e-mail list to receive security bulletins. Also, hiring a security consultant to put a system through its paces before it’s unveiled to the public will help you find leaks before hackers do.
Protecting Information in Transit
Protecting information in transit is perhaps more crucial than protecting it when it’s residing on a server. The same sniffer software that snags user names and passwords can be programmed to log and store credit-card numbers. The answer to such invasions is encryption technology — scrambling data into code that both the sender and the receiver need a key to access.
Secure Electronic Transaction (SET) protocol, for example, is one of the most important developments in cyber payment schemes. SET is the mechanism by which credit-card information may be securely transferred over the Internet. Developed by a consortium of IT companies and financial institutions, SET technology uses digital signatures and encryption technology to transmit credit-card information in a tamper-proof package.
U.S. law currently forbids the export of so-called strong encryption — codes larger than 40 bits. European software developers such as Ireland’s Baltimore Technologies and Germany’s SiemensNixdorf Information Systems (SNI) are racing to make a profit on this technology vacuum.
SNI’s TrustedWeb, for example, is designed to protect information shuttled around an organization’s internal network. “Now that companies can keep hackers out by firewalls, what happens if the thief is inside’?” queries Robert Gogel, executive vice president at Siemens. TrustedWeb, incorporating 128-bit encryption technology, uses a “role-based” filtering mechanism. What this means is that once you sign on to the network, TrustedWeb allows you access to the documents or sites that you are programmed to be able to access. Further, adds Gogel, TrustedWeb can be used for extranet systems — that is, Internet connections among the intranets of trading partners. Once you allow a trading partner to cross your firewall, TrustedWeb can give it access only to particular databases, depending on its identity.
“Ultimately,” says cryptographer Kevin McCurley, “criminals have found uses for every other technological advance — the car and the telephone, for example. They’re finding a use for the Internet too.” The increasing number of Internet commercial transactions are at stake. Fortunately, the solutions to such digital shenanigans are multiplying and increasing in sophistication.