Thursday, February 16, 2006

Calling Cryptographers

With hardware, software, and networks constantly under attack, security experts says they're ready to fight back.

By Kate Greene

Microsoft CEO Bill Gates kicked off the annual RSA Conference on information security in San Jose this week with a call for a simpler approach to making computers more secure. His big-picture vision: the entire computing industry working together to fashion a "true ecosystem" of security, as businesses continue facing cyberattacks.

Although the solutions for data security won't be foolproof, experts agree, they believe that hardware, software, and networks can be made much safer by creating a multilayered solution. At least, that's the argument Gates and others made to an estimated 14,000 conference attendees -- from software developers and cryptographers to hackers and lawyers.

Gates' most radical solution is replacing password protections, often too easily defeated by phishing and other forms of low-tech hacking, with an InfoCard, a digital identity that can be stored in the microchip of a smart card and used to access password-protected websites.

Of course Microsoft has a keen interest in promoting more secure computing environments, since its operating systems are routinely the target of virus attacks. The InfoCard is one of many new security features supported by Internet Explorer 7 and Vista, the latest incarnation of Microsoft's ubiquitous operating system (see "A Window into Vista"). Gates noted, however, that the shift away from passwords would likely take as long as four years because it requires the collaboration of numerous vendors.

While the InfoCard technology should be useful for personal data security, large institutions, such as banks, are looking at large-scale defenses to tackle Internet scams. Art Coviello, CEO of RSA Security International, discussed his company's network-based solution, which he dubbed "community policing." By using the very networks that hackers exploit, he says, companies can fight fraud and cybercrime at different nodes, instead of in isolation. For instance, if a cybercriminal in a third-world country exploits a stolen credit card number, then tries to hide behind a proxy server in New York, RSA's system quickly blacklists that New York IP address and immediately notifies banks and other organizations.

In addition to software and network defenses proposed by Microsoft and RSA, Scott McNealy, CEO of Sun Microsystems, addressed the steps his company has taken to ensure that computer hardware in servers and data centers is as secure as possible. Sun has built computer processors that support a form of encryption called "elliptical curve" cryptography (ECC), a standard approved by the National Security Agency. ECC uses a smaller "key" -- the collection of bits used to encrypt and decrypt a message -- than traditional cryptographic methods, and is therefore ideal for not only computers, but also small devices such as cell phones and even sensors.