Wipe Out Web Graffiti by Going Back to Basics

FRAMINGHAM (02/14/2000) - It totally baffles me that more people haven't returned to the basics to solve a fairly elementary information security problem: Web graffiti and illicit data modification. The basics of information security consist of a simple triad:

Confidentiality: making sure prying eyes cannot read information in storage or transmission.

Availability: keeping systems up and running at all times, especially mission-critical applications.

Integrity: ensuring that data is not accidentally or intentionally modified or corrupted.

Confidentiality is generally achieved through encryption of data transmissions, such as e-mail, as well as encrypting files in storage. Denial-of-service attacks - a major threat to availability - are being prevented through better intrusion detection, high-speed reaction mechanisms, redundancy, fault tolerance, disaster planning and system reconstitution.

But what about Web graffiti, which is not only the most prevalent form of hacking we see today, but also a major threat to data integrity?

Integrity attacks modify content without the knowledge or permission of the owner. Typically the hacker replaces the words or pictures on the home page with a political, pornographic or juvenile message of some sort. The common hacker message "U R Owned" seemingly refers to the complete takeover of your network, when in fact it more often refers to poor Web server configuration or unpatched vulnerabilities.

For the life of me I can't understand why Web hacks have continued when, since the late 1970s, we have had many integrity protection methods to protect the contents of files from illicit modification.

The simplest method is called cyclic redundancy check (CRC). The contents of the file are XORed with another set of (random) data and the results create an integrity key. If, when the reverse CRC process is run, the integrity key doesn't match the original, the file has been corrupted.

A stronger integrity method is called message authentication code (MAC), a cryptographic technique that is based on the Data Encryption Standard. Again, a key is generated when the file is encoded. Upon decoding, the key must match if the file is to be trusted. MAC was designed for use in electronic financial transactions to make sure that a $1,000 wire transfer doesn't become $1,000,000.

Fast forward to the Web. When we go to eBay Inc., we want our bids and product descriptions to be accurate. Airlines and service industries want the correct hotel rooms or flights, billed at the right price to the right customer. News outlets want to make sure that an item is not subtly changed to alter its meaning.

Why hasn't the industry picked up on the importance of data integrity not only in Internet applications but for intranet usage as well? Part of the reason is that vendors have yet to create decent tools and make them readily available to customers.

However, in 1992, Gene Spafford and Gene Kim of Purdue University reopened the integrity issue by developing Tripwire, the first comprehensive file integrity checker (www.tripwiresecurity.com). Systems such as Tripwire can be configured to check for integrity violations - unauthorized file modifications - on a periodic basis (for example, hourly or daily) and will check only those files chosen by the administrator.

Integrity checkers address many security needs. They can detect accidental system and file corruption early, preventing additional damage as errors compound themselves. They can protect against viruses by looking at file and system behavior rather than static signatures. By their very nature, viruses cause integrity violations. They become unwanted and unchecked files on a system and/or modify files - especially system files - without permission.
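The keyed MAC idea and the Tripwire-style periodic check described above, as an added illustration that is not code from the article or from Tripwire: it baselines the administrator's chosen Web files with HMAC-SHA256 (assumed here in place of the DES-based MAC), then reports modified, missing and added files. The key, the watched suffixes and the sample pages are constructed for the demo; keying matters because whoever can rewrite a page can also recompute an unkeyed CRC.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Hypothetical key: generate it once and keep it, with the baseline, off the
# Web server so a page defacer cannot simply recompute the stored values.
KEY = b"constructed-demo-key-do-not-reuse"
WATCHED = (".html", ".htm", ".css", ".js")  # file types chosen by the administrator

def file_mac(path: Path, key: bytes) -> str:
    """Keyed HMAC-SHA256 over the file bytes (stands in for a DES-based MAC)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            mac.update(chunk)
    return mac.hexdigest()

def build_baseline(root: Path, key: bytes) -> dict:
    """Snapshot of every watched file under root: relative path -> MAC."""
    return {
        str(p.relative_to(root)): file_mac(p, key)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in WATCHED
    }

def verify(root: Path, key: bytes, baseline: dict) -> dict:
    """Compare the current tree with the baseline; schedule this hourly or daily."""
    current = build_baseline(root, key)
    return {
        "modified": sorted(f for f in baseline if f in current
                           and not hmac.compare_digest(current[f], baseline[f])),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }

def demo() -> dict:
    """Constructed scenario: baseline a two-page site, deface one page, drop a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome to our store</h1>\n")
        (root / "about.html").write_text("<p>Founded 1999.</p>\n")
        baseline = build_baseline(root, KEY)
        (root / "index.html").write_text("<h1>U R Owned</h1>\n")  # the defacement
        (root / "extra.js").write_text("// file nobody authorised\n")  # unexpected addition
        return verify(root, KEY, baseline)  # {'modified': ['index.html'], 'missing': [], 'added': ['extra.js']}
```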

Products such as Integrity Master from Stiller Research (www.stiller.com) offer a dynamic means of virus protection unlike the classic signature-based mechanisms.

Web sites are the most visible and vulnerable targets of integrity attacks - most of which are easily preventable. Integrity checkers are well worth the investment.

Schwartau is the president of Interpact Inc., founder of InfoWar.com and author of Cybershock, to be published in March. He can be reached at winns@gte.net.
