ECW17

Office Futures

Issue 17 
21 January, 2002




Last time, I promised a look at how the British and American governments are passing spook-friendly and business-friendly legislation in the aftermath of what is now being termed “9-11”. (This is the first bombing in history in which the clearing up has enlisted the aid of marketing men. “Ground Zero”, “9-11”, “Homeland Defense”, “PATRIOT ACT” and all these other twee labels are pure Hollywood.)

To start us off, here is a contributed opinion piece about the American government's response. I'll look at the British and other European responses in the next issue.

Regards,

Roger Whitehead


*****

Network security: is government a threat?

Does the average company have anything to worry about from increased governmental surveillance as an after-effect from the attacks of 11 September? Probably not. Does it still have to worry about recreational and professional hackers, web-browsing and MP3-downloading employees and other mundane threats to the network? Most certainly.

Nothing has changed for user organizations or for the network security industry, despite all the ink stating otherwise. Network administrators still need to keep their systems up and running and the network security industry still needs to provide the tools. Life goes on.

What has changed is the ease with which the American government can now eavesdrop on email and electronic transactions. In October 2001, President Bush signed the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 -- fittingly acronymed the USA PATRIOT Act. Among other actions, this allows law enforcement agents to gain access to public and private networks to trace hackers' activities. They can do so without a warrant, so long as the Internet service provider (ISP) or network administrator allows it. This reverses a previous law designed to protect user privacy. Before PATRIOT, ISPs were specifically forbidden to grant network access without customer permission or a judge's order.

Now it is much easier. For agents to tap without a warrant, the ISP must own its network, and law enforcement must be making a lawful investigation and may intercept only the suspect's communications. All that needs proving is that the agents have reasonable grounds to believe that the content of the communications will be relevant to the investigation. Further, the law is not specific to hackers or terrorists and is applicable to any computer crime investigation.

If that isn't sobering enough, the means to enforce this Act are already in place. The DCS1000 e-mail and surveillance system, once known as Carnivore, works by capturing data packets that pass through an ISP. A box with the DCS1000 software is installed at the ISP and can be set to oversee all transmissions to and from a specific Internet Protocol address. There is even talk of extending DCS1000 abilities to cover wireless transmissions.

Adding to the mixture is the Combating Terrorism Act of 2001, which the Senate passed two days after the World Trade Center incident. It was included in an amendment to the fiscal year 2002 appropriations budget for the departments of Commerce, Justice and State, and the Judiciary. The Act broadens existing law to include terrorism as one of the crimes that merits high-tech surveillance. It would give all U.S. Attorneys the authority to order the installation of Carnivore, a power previously reserved only for U.S. Deputy Assistant Attorneys General. Federal agents could then tap into any Internet account in the USA without a warrant. They would merely need to feel they had reasonable expectation of finding something relevant to a computer crime investigation.

Should this bother anyone? Again, probably not, given the enormous volume of electronic communications and transactions that occur daily. There are limited resources available for the systematic capture and analysis of even a fraction of those transmissions. The comings and goings to the average Internet-connected company are as close to anonymous as possible.

As an example, look at Echelon. This, never admitted to by the US Government, is a signals intelligence project that screens satellite-based e-mail, fax, telephone and other traffic. Since it officially doesn't exist, no warrants are used. Yet with all of this unlimited access to worldwide communications, nobody had a clue that the largest terrorist act in US history was about to take place. No, adding to the pool of signals that can be tapped won't help the war on terrorism. Agents should try bribing more taxi-drivers. Espionage the old-fashioned way -- but it works.

Unless they target you specifically, prying G-men are the least of your worries. Sadly but truly for conspiracy theorists, the average computer network faces a far greater threat from worms and Trojan horses than from spooks. Of course, if you are harbouring terrorists on your network and are silly enough to let them openly use your email server to plan attacks without using code words, you deserve to be bugged!

What it all boils down to is that the biggest threats to a corporate network remain the same as they were last week, last month and last year -- wasted bandwidth, casual hackers, disgruntled staff and dodgy hard drives. So boring, yet so dangerous.

Rather than worrying about what Big Brother is doing, network administrators and security officers should worry about the basics. They need to be encrypting confidential email, limiting excessively large email attachments, setting reasonable use policies for browsing the Web during working hours, scanning for viruses and worms, and blocking spam. Not as exciting as marching in the streets declaiming the erosion of human rights but much more cost-effective.

It is our job as security professionals to avoid getting caught up in shrill exercises in cyber-paranoia and to get on with our job. This is to ensure that our clients' networks work in a robust and secure manner. If we lose the plot and start looking for problems where none exist, we could be doing ourselves, and our industry, a disservice. Why worry about the 2% of threats that we have no control over, when we can focus on the remaining 98%? And we can do an excellent job of keeping them under control. It's the sensible approach.


This article is based on original material by Martin Oxley. He is founder and director for Marshal Software, a supplier of security products (see http://www.marshalsoftware.com). Our thanks go to him.

Martin's company will be appearing at Infosecurity Europe. Its organizers describe this as Europe's largest IT security event. It takes place on 23-25 April 2002 at Grand Hall, Olympia, London. More details at http://www.infosec.co.uk, telephone: 0208 910 7931, email: infosecurity@reedexpo.co.uk.


*****

Still not getting the idea

The company details database at the Companies House Web site has opening hours!

“24 x 7 operation? Not Pygmalion likely -- 17 x 6 is good enough for anyone. People should count themselves lucky they get even that.”




*****


About eComWatch
eComWatch is edited and published by Roger Whitehead and Christopher Ogg. Copyright Roger Whitehead and Christopher Ogg, 2002. eComWatch may be circulated freely in its original format with copyright notice intact. For permission to reproduce any article,