Hackers to concentrate on moving targets
http://www.itweek.co.uk/itweek/features/2216974/hackers-concentrate-moving-4001798
By David Neal
IT Week
19 May 2008
In a long and illustrious career in both the public and private sectors,
Howard Schmidt has earned a reputation for being one of the world's
foremost authorities on computer security.
Schmidt first made a name for himself as an expert in computer crime
while working for the FBI. As head of the Bureau's Computer Exploitation
Team, he gained recognition as a pioneer in computer forensics and
computer evidence collection. Next he headed up the US Air Force's
Computer Forensic Lab and Computer Crime and Information Warfare
Division.
His involvement with national security continued with his appointment in
December 2001 as the vice chair of the President's Critical
Infrastructure Protection Board and as the Special Adviser for
Cyberspace Security for the White House.
Schmidt has also worked in the private sector. He served as chief
information security officer at online auction giant eBay, and as chief
security officer for Microsoft, where his duties included forming and
directing the Trustworthy Computing Security Strategies Group.
Today, Schmidt divides his time between his role as chief executive of
R&H Security Consulting, delivering keynotes and writing. One of his
main messages is that the IT industry has to take more responsibility
for security. "We have a huge dependency on applications these days, and
our expectation is that the suppliers will do more to secure them," he
said. "Or, you can look at the infrastructure that we use, and ask, 'Why
don't the ISPs just block infections, or bad networks?'."
But while vendors and service providers have a responsibility to provide
security, this does not get users off the hook. "As consumers we have to
do things to be better protected. We have to follow through on the work
being done by the vendors, and the applications," he said.
Schmidt said he has been impressed by the steps the industry has taken
to combat online threats. "Look at phishing, for example. I have
multiple email accounts, but phishing mails only ever end up in my spam
folder, not my inbox. Should one get through and I click on the link, I
am presented with a warning, and then, should I ignore that, it is likely
that my browser will block my access anyway," he said.
But the threat landscape is constantly changing, Schmidt warned, with
mobile applications likely to be the next prime target for hackers. "I
don't carry a laptop around much anymore, but I do carry two mobile
devices. Companies are releasing SDKs for developers to use so there are
lots of mobile applications out there, but this also means that there
are lots of applications for the bad guys to exploit. I don't know if
the industry has put much focus on protecting them," Schmidt said.
Another problem he has with mobile devices relates to the increasing
amount of storage they offer. As business users have come to rely on
these devices more and more, so the amount of potentially sensitive data
stored on them has increased. "What do you do about encrypting that?" he
asked. "Very few manufacturers make software protection for mobiles."
Schmidt believes organisations are far too reliant on patching to secure
their systems - a situation that he feels simply cannot be allowed to
continue for much longer. "Patching is frustrating, but as we get better
at secure coding the need to do this will become less. But now, we have
to work in a much more reactive way, applying fixes as and when they are
released. Often it can cost more to run a software solution than it does
to buy it. We need to be looking forward. Looking for ways to prevent
things from happening in the first place, not after they become an
issue," he said.
Asked whether new regulations such as a breach notification law would
help to improve standards of system security, Schmidt agreed - up to a
point. "Breach notifications would be of benefit, but the requirement
must be consistent. In the US, individual states make their own [rules]
and there is a lot of complexity, which makes things difficult to
manage," he said.
But for Schmidt, the one sure-fire way to minimise online threats is the
adoption of two-factor authentication - a form of logging on that
requires both a password and some form of physical token.
"I said two years ago that passwords and logins should have been
declared dead already. People use the same password with their bank and
their email accounts, despite the fact that these may not be as secure
as each other. [If bad guys get hold of a password] they will try them
against all of your accounts," he said. "If we move away from the
log-in/password method a lot of the low-hanging attacks would be
reduced."
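The article describes two-factor authentication only as "a password and some form of physical token". The following is an added example, not code from the article or from Schmidt, showing what the server side of such a login looks like. It assumes the token is an event-based one-time-password device implementing HOTP (RFC 4226), which is the standard algorithm for that kind of hardware; the class and function names, the look-ahead window of 10 and the sample password are constructed for the example. The shared secret is the one from the RFC's published test vectors so the code generator can be checked against known values.

```python
import hashlib
import hmac
import os
import struct

# Shared secret from RFC 4226 Appendix D (ASCII "12345678901234567890").
# Using it lets hotp() be checked against the RFC's published codes.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a `digits`-long decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """First factor: salted, iterated password hash (never store the password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TwoFactorAccount:
    """Constructed server-side record for one user: password hash (first
    factor) plus the token's shared secret and expected counter (second
    factor). A login succeeds only when both factors check out."""

    def __init__(self, password: str, token_secret: bytes, look_ahead: int = 10):
        self.salt = os.urandom(16)
        self.password_hash = hash_password(password, self.salt)
        self.token_secret = token_secret
        self.counter = 0              # next counter value the server expects
        self.look_ahead = look_ahead  # tolerated button presses that never reached us

    def verify(self, password: str, code: str) -> bool:
        # Evaluate both factors regardless of outcome, so a failed login does
        # not reveal which factor was wrong.
        password_ok = hmac.compare_digest(
            hash_password(password, self.salt), self.password_hash)

        # Accept the code for the expected counter or a few counters ahead,
        # since the token may have been pressed without a login attempt.
        matched = None
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.token_secret, c), code):
                matched = c
                break

        if password_ok and matched is not None:
            # Move past the counter that was used: the same code can never be
            # replayed, even if it was captured (e.g. by phishing).
            self.counter = matched + 1
            return True
        # On failure leave the counter untouched so a guesser cannot burn codes.
        return False


if __name__ == "__main__":
    account = TwoFactorAccount("correct horse battery", RFC4226_SECRET)
    print(account.verify("correct horse battery", hotp(RFC4226_SECRET, 0)))  # True
    print(account.verify("correct horse battery", hotp(RFC4226_SECRET, 0)))  # False: replay
```

The design point, beyond the algorithm itself, is the counter handling: a code that has been accepted once is dead, which is exactly the property that blunts the "they will try them against all of your accounts" reuse problem Schmidt describes, since a captured one-time code is useless elsewhere and useless a second time.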