Tuesday, March 13, 2007

Father knows Infrastructure, not Web Apps

I was reading a Dark Reading interview with Vint Cerf, co-designer and the TCP/IP stack and chief Internet evangelist at Google. Anyone with that type of street cred is elite in my book. Vint shared his thoughts on the Internets biggest threats.

“His move from MCI to the post of chief Internet evangelist at Google in late 2005 led him to a part of the Net he hadn't focused on before: the applications. "Having spent a good portion of my career on the infrastructure of the Internet, it’s fun to work on new ways to use it."

Vint is a network/infrastructure guy now focusing on applications. I’ll give you one guess as to where he things the biggest threats are. Give up?

"Cerf says the biggest threats are the proliferation of spam, botnets, malware, and denial-of-service attacks. "Much work is needed to increase the security of the Internet and its connected computers," he says, "and to make the environment more reliable for everyone."

Cerf says the emerging Domain Name Security (DNSSEC) technology could help secure the Net's DNS servers, which have increasingly become targets. And more filtering of source IP addresses is needed. "And use of IPSec would foil some higher-level protocol attacks, and digital signing of IP address assignment records could reduce some routing/spoofing risks," he says. OSes need to be more airtight, too, and two-factor authentication should be more the norm than plain old passwords, he says.

I agree these are big and important threats, but I don’t think they are the biggest anymore. Far more damage can be done with simple web application hacks. I think XSS and CSRF are probably going to be the main threats over the next 10 years. Then again, I’m a web application and not a network security guy and have the same biases.

2 comments:

Anonymous said...

As you say at the end, our biases influence our viewpoints. I think I talked to you at Black Hat Japan last year about how I mostly believe that if you are not taking care of layer 7 you are not securing your network, but OTOH I've always had lots of respect for the work required at layers 2-4 as well.

Andy Steingruebl said...

I guess one way of looking at it though is not how many vulnerabilities exist, but what countermeasures exist. In the case of CSRF attacks a website designer can actually design their site to prevent regular XSS and also use one of several CSRF prevention strategies to prevent the attack.

In the case of spam and botnets, I'm not convinced that there are solutions other than being lucky. Defending against a major botnet attack is extremely difficult, as was shown with the recent DNS ddos in the UK.

Sure its a scalability problem, but its one that strictly speaking we don't have a technical fix for, and even if we did its not one a single provider can implement.

At least in the case of CSRF attacks we can strictly bound the effort on it. If we use a certain format CSRF token we can turn cracking it by random and/or brute force into a relatively imple mathematics problem.

With botnets and ddos attacks, we haven't yet found a way to actually make it exponentially harder to attack the infrastructure. At best we're linearly scaling at a slower pace than the attackers can ramp up.