By William Jackson
Speaking at a telecommunications trade show in Chicago last week, AT&T
Chairman and Chief Executive Officer Randall Stephenson said the
evolution of communications from fixed voice service to a suite of
mobile IP-enabled services represents more than a rebirth of a moribund
telecom industry; it is, he said, the next phase of the Internet.
Funny thing about this next phase: Its creators appear to be making the
same mistake that was made with the first Internet. Everyone is rushing
headlong toward new functionality and leaving security as an
afterthought. We know where that got us the first time around, and with
the Internet becoming more deeply embedded in our lives and in our
business, it looks like it is going to get worse before it gets better.
The driver for the new Internet appears to be consumer demand for more
and better ways to watch video. AT&T is beginning a limited rollout of
its Video Share service, which allows cell phone users to stream live
video to each other. At the same show, Motorola CEO Ed Zander said his
company's newest phone will be capable of storing 16 hours of
high-definition, 30-frames-per-second video. But it isn't just about video;
it's about many-to-many collaboration over any kind of link to any kind
of device, and wireless connectivity is becoming ubiquitous and embedded
in more computing devices.
Yet for all the talk of building out new broadband networks and the
great new services they will carry, there was no talk at the show of
security. There were frequent references to YouTube, the darling of the
next phase, but none to security. There were predictions that the
Internet would become integral to all aspects of our lives but no
discussion of how to do this securely.
It is understandable that the Internet originally was developed without
much thought to security. The developers were building from scratch,
trying to see if they could get it to work. No one knew at the time what
its capabilities would be or that it would become a utility in everyday
use by businesses and individuals. Who knew we needed to secure it?
Now we know. Security companies, systems administrators and legislators
are playing a high-stakes game of cat and mouse with hackers and
criminals in a desperate effort to close vulnerabilities before they are
exploited. As the Internet becomes more mobile and more functional,
things are only going to get worse.
"Mobile spam has the potential to explode as spam-Trojan authors develop
mobile malware," Craig Schmugar, a researcher at McAfee Avert Labs, wrote
recently. "And voice communications are vulnerable to something called
SPIT, Spam over Internet Telephony," he wrote. Spoofed VOIP phishing
attacks will likely be more successful than their e-mail counterparts
because anti-SPIT technology is far behind that of anti-spam, and many
VOIP users will not expect attacks to come from numbers that match those
of their banks.
Stephenson called the Apple iPhone the embodiment of innovation.
Security researchers see it as a new and particularly rich vector for
malicious software. "It is likely that researchers are going to
investigate what its possibilities are," Schmugar said recently.
The news is not all bad. IPv6, the next generation of Internet Protocols
expected to enable many new mobile technologies, should also enable
better security at the network layer. And Microsoft's new Windows Vista
operating system is a step toward better security, Schmugar said. But he
also said that in applications and services, in Web 2.0 there is still a
lot of room for improvement.
Maybe the network carriers, service providers, equipment manufacturers
and application developers really are paying attention to security.
Maybe they just don't trumpet it at trade shows because security doesn't
sell cell phones any more than seat belts sell cars. But I, for one,
would be glad to know that the device I am expected to use for
everything from telephone calls to financial transactions and will carry
all the details of my life was built with security in mind.