Interview: Must-know security insights for 2007

January 16, 2007, 3:00 AM UTC
Fortune


Security has become something of a niche for this blog, since there are few things you can do that are of greater utility than protect your stuff. So for some insights into the trends that will matter in 2007, I chatted with Paul Kocher, president of Cryptography Research and one of the architects of the Secure Sockets Layer 3.0 protocol.

Kocher, who helped discover a strange and fascinating type of attack where hackers can discover weaknesses by analyzing the power consumption of a device, talked about today’s threats and how consumers and business can defend against them. Below is an edited IM transcript.


Fortt:
It seems that along with the digital lifestyle has come an unprecedented volume of threats from hackers. What are some of the most troubling strategies and tactics you’ve seen lately?


Kocher:
If I had to choose a single trend, it would be that the attackers are being driven by more rational motives. A few years ago, the main focus was on viruses written by the electronic equivalent of graffiti taggers, whose primary objective was attention and ego. Today, money is usually the motive.


Fortt:
I keep hearing that it’s more about profit now. But who are these people, and where are they finding the talent? I can’t imagine they’re posting on Monster.com.


Kocher:
There are a lot of smart people with poor employment prospects in countries with weak economies. For virtually all the attacks we run into, the technical work is effectively outsourced. Only portions of the attack process that require a physical presence, such as withdrawing money from ATM machines, are done locally. Most of the work gets done in countries where wages are low.


Fortt:
Interesting. We usually think of low-wage countries as places where people lack technical know-how. But I suppose that’s not the case. Is it a particular issue in Eastern European countries?


Kocher:
It’s not necessarily fair to single out any one place, though Eastern Europe has been a source of quite a bit of payment fraud.


Fortt:
Are there less than obvious things the average person should be doing to guard against security breaches? What would be some of your top recommendations?


Kocher:
For ordinary consumers, some simple things can make a big difference. First, encrypt your laptop. You’ll lose it someday, and you don’t want your data to be exposed. Second, don’t reuse the same password everywhere. Attackers compromise minor websites then use the user data to attack others. Third, put a fraud alert on your credit history. It’ll make identity theft much more unlikely.


Fortt:
You say “encrypt your laptop.” Most people have no idea where to start. How should they go about it?


Kocher:
Windows Vista will ship with disk encryption. There are also third-party products, such as PGP Disk, that can do this.


Fortt:
And you have suggestions for companies? Small businesses in particular, I would think, could use the advice.


Kocher:
The first challenge is user education. The bigger an organization gets, the more likely someone will run a virus, choose a bad password, or make some other security mistake. A close second is to make sure of basic network hygiene – firewalls, virus scanners, etc. Finally, when critical data is involved, try to physically separate it. For example, at Cryptography Research, we have two networks, one for sensitive data and the other for email, web browsing, etc.


Fortt:
I had never heard the advice regarding physically separate networks. Makes a lot of sense. Any other trends or concerns you wanted to point out? Maybe you can touch on payments. There have been a lot of rumblings from the banks lately that they want to leverage their online banking security systems to grab some of the online payments business away from the credit card folks. Do you get the sense that this is something we’re likely to see happen? Would it be good for security?


Kocher:
I don’t expect change in the payment space to come from the banks who issue credit cards. They get paid twice, first by the merchants then interest from the consumer. They don’t really have any motivation to change things. I think we will see innovation from merchants, particularly in the on-line space where they’re being charged high interchange fees and receive no fraud protection.

The ATM networks are also overdue for an overhaul. They protect cash (which is more desirable to thieves than merchandise) and they don’t have a large fee base to cover fraud. The security mechanisms are also antiquated and really aren’t designed to handle large-scale compromises of card/PIN data.


Fortt:
So I was intrigued when I heard that you have been looking into some very novel types of hacking threats. There’s one you protect against that involves power surges?


Kocher:
One of the major areas we’ve been studying is how to protect cryptographic keys stored in semiconductor chips. We discovered that the amount of electrical power consumed by chips varies during computations, and that by measuring and analyzing these variations it’s possible to find secret keys. This is a big problem in any application where attackers can get physical possession of a device.


Fortt:
How did you figure that out? Do you know of any systems that have been compromised using that method?


Kocher:
We first discovered the problem in the mid-1990s while studying low-cost, non-invasive ways that keys could be compromised. We then found statistical methods that could identify keys even if the measurement quality is very poor, which made the attack very powerful. Pirates attacking pay TV systems have used power analysis attacks. Companies that make knock-off ink cartridges have also used the approach. Smart cards of all kinds also need to be protected, including those used for payment, mobile telephony, and identity applications.


Fortt:
So what’s the next phase in the cat-and-mouse game the world’s institutions are playing with criminal hackers? We’ve been through the age of the amateur hacker, and we’re in the age of the professional criminal hacker now. What’s on the horizon?


Kocher:
The pros are here to stay. Although countermeasures to individual problems occasionally make one area of fraud less profitable, technical advances are constantly creating new business models for attackers and new vulnerabilities to exploit. One area I’m concerned about that hasn’t received much attention yet is long-term privacy. For example, consider what dirty tricks a political party could play 50 years from now if they made archives of material available today on sites such as MySpace and Match.com.


Fortt:
Oh believe me, I think about that all the time. What’s your advice about that? Just stay off all social network sites? Never post anything you don’t want the whole world to know?


Kocher:
It’s essentially impossible to grow up in today’s world without creating any embarrassing digital records. It’s simply not realistic to expect that teenagers will never do an embarrassing search. The solution will have to come from the companies that receive data from users. For example, Google needs to stop storing queries. In the long run, the U.S. is going to end up with strict privacy legislation – it’s only a matter of time before there is an egregious violation which acts as a catalyst.


Fortt:
You say Google needs to stop storing queries: Do you really think there will be legislation to force that issue?


Kocher:
If companies like Google don’t establish dramatically better voluntary standards, the government will get involved eventually. It probably won’t be anything Google does that triggers legislation, but they’ll be affected by it.


Fortt:
I hate to keep you long, but I’d love to hear your closing thoughts on piracy and Hollywood and what the next challenges are.


Kocher:
To a large degree, Hollywood’s challenges are economic. Today the security of digital content is largely being decided by engineers whose employers have no direct economic incentive to do a good job. For example, if you ran a consumer electronics company, how much money would you spend solving Hollywood’s problem?

If studios lose control of their product (which is a real possibility – it’s happening in the music space), content will become a poorly profitable raw material used by high-margin businesses run by other companies. On the other hand, if the studios can figure out how to stay relevant when the content is distributed in digital form through intermediary services, they’ll do great.


Fortt:
Well, we’ll see if Steve Jobs can convince them to let him help solve their problem (and make some money in the process). Thanks for taking the time to chat.


Kocher:
Thank you very much, Jon. I enjoyed the conversation.