Computer Crime Research Center

hack/spy.jpg

Security is an ongoing process

Date: October 16, 2007
Source: hindu.com
By: D. Murali and Goutam Ghosh

Chennai: Like many organisations, American Century Casualty Co. (ACCC), an insurance company based in Houston, US, used to insist that its network access be restricted to users on the corporate LAN (local area network), as narrates Charlie Rubin in a recent article in Communications News (www.comnews.com).

ACCC had to think of a policy change ‘during the year-end holiday break in 2006, when some of the state-wide claims managers asked if they could do some work from home’. However, Stephen Gentilozzi, the company’s IT manager, had no real solution for the managers at the time.

“We gave them access through our Citrix client as a temporary fix, but we also started looking for a permanent solution that would satisfy our users as well as our own security requirements,” he would recount to Rubin. “The goal was to eventually provide some 150 claims managers, field appraisers and other executives with anytime, anywhere access to the corporate network, with full security.”

Gentilozzi was looking for ‘a secure socket layer virtual private network (SSL VPN),’ which would allow access from any browser-based PC (personal computer). And the product that he zeroed in on, early this year, was SSL VPN-Plus from NeoAccel, a company founded by an Indian entrepreneur, Michel Susai.

“The solution took less than two hours to deploy, and ACCC first rolled it out to claims managers and adjusters,” informs Susai, sharing his success case study with Business Line. “Users immediately liked the ease of installation, and some noticed better network response time than they had gotten with the old IPsec VPN solution.”

With a successful rollout to claims managers and underwriting managers complete, Gentilozzi will soon add the appraisers who take photos and handle estimates with body shops, he adds.

Susai, a B.S. in computer science and engineering from the Pune Institute of Computer Technology and Research, describes himself as ‘a serial entrepreneur and an innovator of pioneering technologies that optimise the performance of Internet applications,’ with ‘a passion for pure science and innovation’. He likes to transform his ideas ‘into industry changing business applications’.

NeoAccel, headquartered in the US, and with development offices in Mumbai and Pune, is ‘backed by strategic investors such as Sabeer Bhatia, Silicon Valley investor Prabhu Goel and venture fund NTT Leasing, who have pooled in around five million dollars into the start-up’.

Excerpts from the e-mail interview.

There is no end to security concerns because there is no end to hacking. Isn’t this an on-going process?

Yes, security is an ongoing process, just as learning is. Computer technology was developed to provide solutions, but we have learned how hackers have leveraged the same technology to misuse and steal valuable information. The trend right now is for software vendors to fix problems in their solutions and come up with more secure solutions. But at the same time, hackers are finding loopholes in new technology and are able to circumvent this new security. So it’s a learning process: software vendors keep finding potential flaws and fixing them, and hackers keep finding new flaws.

But no matter how secure technology and solutions become, there is always a method to break into it. The reason being the core concept of computers: a computer is nothing but a machine that maps one symbol to another. A hacker can always use brute force techniques to break into any kind of security. Software vendors just make just hacker’s work harder but cannot stop them from working.

For example, data encryption is considered to be the strongest security technology ever developed. But it is still not 100 per cent hacker-free. Given infinite time and processing power hackers can still break any kind of encryption.

Some enthusiast broke into Google’s server. How did that happen?

Considering that security is meant to make a hacker’s job harder, even a single flaw that provides hackers a shorter path to achieve their goals makes all technology solutions vulnerable to hackers.

A software solution is usually a combination of multiple security and non-security domain technologies. The security holes lie at the boundary where one technology integrates with other. For example, a solution might have strong authentication features to identify users, but the security might get compromised when the browser has cached the session key in cookies to provide seamless access to users across different applications and domains.

Any solution that is not well designed to handle the integration boundary issues is prone to getting hacked, and this can happen with any of the reputable solutions. Google is no exception.

What happened at Google was an error in Google’s domain name system (DNS) – not a hack. DNS translates domain names (google.com) into addresses (123.456.789.123) and, most likely, a maintenance in Google’s DNS was caught by an enthusiast and was able to take advantage of it (by re-directing visitors to Google’s Web site) for a very short time. Nevertheless, this points out that even if you think no one (i.e., a hacker) is watching, they actually are!

What is the state-of-the-art defence mechanism against hackers? How is your VPN superior to the substitutes available in the market?

A state-of-the-art defence mechanism is to have “security by design”. Each and every technology has to be validated as per the solution requirement and should be integrated without leaving any gap in integration. Three requirements for a VPN solution are: authentication, integrity and confidentiality.

NeoAccel has implemented an industry-standard implementation of the latest technologies to develop a state-of-the-art solution. NeoAccel uses SSL, an Internet encryption standard, to address integrity and confidentiality factors. Our strengths are: strong authentication, information control, strong encryption, and a secure hardware platform to run these capabilities on.

NeoAccel does not claim to be a flawless solution because hackers are always just one step behind. With a complete analysis of current technologies, they are almost ready to break the most secure solutions today!

Is anyone thinking of unified e-defence application that will forever bar hackers?

Computer software started as a facilitation tool. Take information access as an example: there was a need to “access” information so the Internet was born. Then came a requirement to for “remote access”, so that information is accessible from anywhere.

Until now, information was accessible only to authorised resources from authorised sources. With remote access technologies came a threat of information leaks, and so we are talking about “secure remote access”, and people are working on building unified e-defence applications for common people.

Unfortunately, adoption to security has been slow because security comes with restrictions and cost. We are giving due importance to security; but we are still giving more importance to “facilitation” than to “control”.

We will, therefore, see a new generation of applications that will defend itself from attackers. An e-defence application will detect when it is being attacked. It will respond by blocking access to such resources as a first level of security and then try to trace the attacker. Application could be intelligent to set up a trap, let the attacker enter the system and then doom the offender.

There are technologies in place, like intrusion detection systems (IDS), intrusion prevention systems (IPS), ‘Honeypots’, and others. Honeypots lure hackers into what appears to be a real server, but is actually a server specifically designed to identify the hacker. But these are still peripheral technologies. An e-defence application will combine all these technologies to build a single solution. Reassuringly, though, sophisticated technologies are already being used by government organisations working on detecting cybercrimes.
Add comment  Email to a Friend

Copyright © 2001-2024 Computer Crime Research Center
CCRC logo