http://www.forbes.com/security/2007/10/03/cerf-internet-hacking-tech-security-cx_ag_1003techcerf.html
By Andy Greenberg
Forbes.com
10.03.07
Vint Cerf, Google's chief Internet evangelist, says the Internet is
insecure. And he should know: he helped build the thing.
Cerf, who helped design the first protocols that allowed information to
be sent across computer networks in the late 1970s, expressed regret in
a speech Tuesday that he hadn't designed the Internet to be a safer,
more regulated system.
"We didn't pay a great deal of attention to the security side of the
Internet when it was first being designed because we didn't really know
if it would work at all," Cerf said in the keynote address at Georgia
Tech's annual security summit. "Much of the problems that you all face
every day might be caused by that."
One fundamental flaw, he said, is the relative anonymity provided by the
Internet's system of IP addresses, which only identify a user's general
location, not a specific computer. Cerf said that using only general
locations was a compromise designed to help routers get packets of
information to the right destination. If he could start over, Cerf
added, he would have built a protocol that allowed "multi-homing,"
giving each user a unique IP address.
Today, Cerf lamented, the Internet does little to authenticate either
servers, like those that host Web sites, or users themselves. That
loophole lets cybercriminals host "phishing" sites, in which they
impersonate legitimate pages and ask for users' bank codes or other
sensitive information. It also lends anonymity to hackers using
"botnets," herds of personal computers turned into zombies by malicious
software. Botnets can send spam and flood Web sites with countless
requests for information, a cyber attack also known as distributed
denial of service.
"Distributed denial of service attacks are probably the worst threat we
face on the Net," said Cerf, who estimated that about 15% of the
computers on the Internet, or more than 150 million machines, have been
hijacked into botnet armies. "This is really a fundamental vulnerability
in the system. The ability to launch large-scale attacks is a very
serious problem."
Cerf didn't place all the blame on himself and other Internet pioneers;
he also pointed out that current Web browsers leave people vulnerable to
hackers who would either hijack their computers or plant malicious bot
software. Because dynamic-content sites interact with PCs' operating
systems, he argued, browser builders should be forced to build in tougher
defenses. "We're at
very great risk because of the way that browsers work today," he said.
"This is an area where some serious research and development would be
worthwhile."
Cerf also plugged the contributions of Google to Web security. The
search engine's Web-crawling spider now
keeps an eye out for viruses and malware as it combs the Web, and shows
users a warning page before allowing them to access malicious sites.
Firewalls, Cerf said, were a "necessary but not sufficient" mechanism
for security; private networks are too easily infected, he said,
especially when employees use USB flash drives, laptops and other mobile
devices. He suggested that security professionals instead explore ideas
like "hardware-based security," which would allow only privileged users
to gain access to certain elements of a server's memory.
But Cerf admitted that much of the Internet's exploitability could have
been avoided at its advent. In the early days of his research, Cerf
said, he worked on a more secure version of his networking protocol for
the National Security Agency, but wasn't able to implement that
technology in what would become the public Internet.
"Unfortunately, it was all classified," he said. "I felt kind of
schizophrenic about it because I knew we could do a better job of
securing the Internet, but I couldn't tell anyone except those who had
the proper clearances. So the network grew up without the kind of
protection it could have had."