Tuesday, December 20, 2005

ATLANTA, Georgia (CNN) -- In a world where a park bench can function as an office cubicle, iPods play video and cell phones serve as mini-computers, the risk for both the consumer and the corporate world is sometimes overlooked.At a recent summit held by the Georgia Tech Information Security Center, Chris Rouland, the chief technology officer for Internet Security Systems, and Richard A. DeMillo, the dean at Georgia Tech's College of Computing, spoke to CNN's Manav Tanneeru about some of the security issues associated with the emergence of a truly wireless society.CNN: It almost seems like the beginning of a new era with the movement toward a more wireless platform for the Internet versus the traditional, wired version. How have things changed over the last two or three years?DEMILLO: One of the things you have to believe is that the train is clearly leaving the station, you don't know if it's just going to pick up steam or head into a brick wall, and one of the things you have to believe is that whatever we learned about security in the wired world probably has to be rethought for wireless.Take the issue of using Windows updates to patch your operating system. It's a different world when you have a million [cell phones] floating around. Where is the update button on here, and who do I go to if there is an intrusion on the device. I think a lot of the basic business issues are yet to be [solved].ROULAND: In general, as we move to wireless, one of the biggest challenges and one of the things to overcome is ease of use. Today, for instance, to deploy a wireless network in your home, you might skip some things that are hard to do. So, as the vendors are making things easier to use, we also need to encourage them to make security easier to use. Some of the important research that's going on at Georgia Tech is how to make security automatic and easier to understand in wireless and other areas.CNN: How concerned are you about the common consumer who is going from traditional Internet usage to a wireless world where the boundary between the public and private space is shrinking? What concerns you the most about the behaviors about the common consumer?ROULAND: If you look at what we are seeing in the wired world today -- the wild, wired world maybe -- it's becoming very difficult for big businesses to protect themselves -- not because they can't protect their own networks, but because they can't protect what the consumer sees. You can receive an e-mail and it really looks like it's from the Bank of America, or Paypal; however, it's not. It's some guy from Kazakhstan who is waiting for you to click "yes" so that he can drain your bank account. Then, the consumer will go to the financial institution to mediate, and they'll end up taking the loss.So, the extension of the network to the end consumer and the end consumer being hijacked is great concern, it's a very difficult problem.DEMILLO: [Chris], are you worried about people just sort of radiating their identity? For instance, if you walk through this space, [this cell phone] is radiating. It's radiating the number, it's got personal information that's stored on it, and you don't know who's picking up on it. I think that's something really different in the mobile world.ROULAND: A metaphor...is that you are not really aware of it, but if you have a wireless network on your laptop at home, when you turn that on, it beacons out a broadcast saying, "Where are you, where are you?" Even if that SSID, or the identification of that network, is hidden, it actually beacons that out. It's analogous to standing out [on a street corner] and shouting out your Social Security number.CNN: Could you speak a bit about how iPods, portable hard drives, and other USB devices -- which now have the capability of storing large amounts of information -- are creating new security concerns?ROULAND: That's a big a concern for us and our customers as well. We're one of the market leaders in protecting corporate desktops and one of the concerns our customers have is someone plugging in their iPod and copying all their corporate secrets onto the iPod because an iPod not only stores music, but large amounts of data. So, just as we saw 10 years ago when companies started taking out floppy drives because there was no real use for them, they're taking out USB drives as well.CNN: Many media outlets speak of the convergence of online media going to wireless devices. For example, video being broadcast on cell phones or iPods, or Web sites being available on the same devices. What kind of security issues might such a convergence raise?DEMILLO: I'm not sure convergence by itself buys you that much more in terms of risk. It really has to do with the number of devices, the sheer scale, and what you're going to do on those devices. If all you're doing is streaming video, there's one set of applications, but if it's interactive video -- for example, are you pushing games out to a CNN portal -- then there's financial transactions taking place, and I think that's where the risk, at least the initial risk.CNN: What is approaching on the horizon that is worrisome in regards to security?ROULAND: The windows for attacks have become so compressed now. From the time a vulnerability is found to the time it is actually exploited, it is very a short period now. One of the key reasons for that is the profitability for this type of fraud. Whereas 10 years ago when a lot of computer viruses were written to send out greetings and for bragging rights, today it's all about the money.So, as we enable these devices with more and more capability, and the capability of a mobile device becomes as rich as a personal computer, it will become a richer target to attack. There is a linear relationship between the amount of bandwidth and the amount of devices an attacker can take over. So, the faster the bandwidth, the richer the resources available, and the more attractive the target becomes, then they will be taken over.CNN: What are you general impressions on the current state of wireless security?DEMILLO: I think it's too hard for the average consumer. For someone who knows how to use a personal computer, it's different. There is the educational issue and the vendors have to be more engaged in security. The infrastructure will continue to build up and we'll make progress there.ROULAND: I think we're very much at a stage of immaturity in wireless security. We're just graduating past the "OK, make it work stage." While we are rapidly trying to add features, we're also trying to add security, and as we overcome some of these stumbling blocks of making security easy to use, I think we'll see security catch up with features and functions.

0 Comments:

Post a Comment

<< Home