07:10 PM
Security Specialists Paint Bleak Picture
Computer security specialists, gathering at this week's Demo conference in Phoenix to examine the escalating threat scene, said the sheer number of devices linked to the Internet will continue to exacerbate security issues.
During a panel discussion, all agreed that hackers, identity thieves and writers of malicious code are on the upswing and not going away, but there are some solutions. John Patrick, president at Attitude LLC, led the discussion on security with panelists Partha Dasgupta, an associate professor at Arizona State University specializing in cryptography; Hillarie Orman, chief technology officer and vice president of engineering at Shinkuro Inc.; and Charles Palmer, who runs the security unit at IBM Research.
Panelists agreed security problems will be around for a while. "Computers weren't built with security in mind, and we are paying for it with band-aids and patches," Palmer said. "Instead of having graffitists and drive-by hackers," those attempting to steal information "realize the money is in the Internet."
Dasgupta suggested the security industry needs to head toward Public Key Infrastructure (PKI) and smart cards. Social security numbers and bank numbers will leak regardless of how secure banking and commerce sites are, and people can't depend on shared authentication.
"It (PKIs) will not obliterate crime -- someone could steal your card or put a gun to you -- but makes it incredibly difficult to do identity theft," Dasgupta said. Financial institutions are resisting the move because they don't want to admit a mistake, PKIs are difficult to deploy, and many have spread out the risk as part of the cost of doing business, Dasgupta said. Rather, they installed intrusion software to detect fraud.
Orman worries that smart cards are physically vulnerable to hackers and are not the correct tool for high-value transactions. Timing and radiation attacks on the physical devices can be used to extract data.
Securing operating systems is challenging because they are complicated and huge, panelists said. "A secure OS strategy doesn't solve the problem because you've got applications that misbehave," Dasgupta said. "I can install a bot on top of a secure operating system."
Coming soon is a set of hardware enhancements for computers that independently verify the delivery of content to the machine, checking for rootkits, viruses and corruption inside operating systems.
Dasgupta said these secure approaches, such as Trusted Platform Module from Trusted Computing Platform. Virtual machines are considered far more secure than operating systems. Universities also need to teach students how to write safe code. Unsafe code is contributing to the problem.
Companies also are developing technology that can analyze voices for stress and patterns, Orman said.