Panelists at the technology showcase agreed security problems will be around for a while and suggested different ways to reduce the risk.
Computer security specialists, gathering at this week's Demo conference in Phoenix to examine the escalating threat scene, said the sheer number of devices linked to the Internet will continue to exacerbate security issues.
During a panel discussion, all agreed that hackers, identity thieves and writers of malicious code are on the upswing and not going away, but there are some solutions. John Patrick, president at Attitude LLC, led the discussion on security with panelists Partha Dasgupta, an associate professor at Arizona State University specializing in cryptography; Hillarie Orman, chief technology officer and vice president of engineering at Shinkuro Inc.; and Charles Palmer, who runs the security unit at IBM Research.
Panelists agreed security problems will be around for a while. "Computers weren't built with security in mind, and we are paying for it with band-aids and patches," Palmer said. "Instead of having graffitists and drive-by hackers," those attempting to steal information "realize the money is in the Internet."
Dasgupta suggested the security industry needs to head toward Public Key Infrastructure (PKI) and smart cards. Social security numbers and bank numbers will leak regardless of how secure banking and commerce sites are, and people can't depend on shared authentication.
"It (PKIs) will not obliterate crime -- someone could steal your card or put a gun to you -- but makes it incredibly difficult to do identity theft," Dasgupta said. Financial institutions are resisting the move because they don't want to admit a mistake, PKIs are difficult to deploy, and many have spread out the risk as part of the cost of doing business, Dasgupta said. Rather, they installed intrusion software to detect fraud.
Orman worries that smart cards are physically vulnerable to hackers and are not the correct tool for high-value transactions. Timing and radiation attacks on the physical devices can be used to extract data.
Securing operating systems is challenging because they are complicated and huge, panelists said. "A secure OS strategy doesn't solve the problem because you've got applications that misbehave," Dasgupta said. "I can install a bot on top of a secure operating system."
Coming soon is a set of hardware enhancements for computers that independently verify the delivery of content to the machine, checking for rootkits, viruses and corruption inside operating systems.
Dasgupta said these secure approaches, such as Trusted Platform Module from Trusted Computing Platform. Virtual machines are considered far more secure than operating systems. Universities also need to teach students how to write safe code. Unsafe code is contributing to the problem.
Companies also are developing technology that can analyze voices for stress and patterns, Orman said.