Skip to Content

The Attacker’s Advantage

June 22, 2010

No one is exempt from cyber attack. In January, Google admitted that its systems had been breached and intellectual property stolen; in April, it was revealed that hackers had stolen military documents from India’s government; and stories about the online theft of credit-card numbers and other personal information are constantly streaming in. Why are computer systems so vulnerable?

It comes down to how most software is designed, says Andy Ellis, senior director of information security and chief security architect for Akamai, an Internet infrastructure company based in Cambridge, MA. Companies build systems that often have more functions than users really need. Security is often an afterthought. But if any one of those functions has a mistake in design or implementation, that’s all it takes to give attackers the opening they need.

One widely used attack takes advantage of a vulnerability known as a buffer overflow. When information sent to a program over the network exceeds the space that the programmer has set aside for incoming data, the excess is stored in other parts of the computer’s memory. Forcing this to happen can change the system’s behavior, even inducing it to execute malicious code.

Attackers also trick users into installing malicious software–for example, by using deceptive e-mail messages containing links to bogus websites. And sometimes the attacks come from within: experts say that internal security policies are often lax or poorly implemented, giving people ample opportunity to steal from or sabotage their employers.

There have been some glimmers of hope. Many programs now install security updates automatically, without requiring user intervention. Antivirus companies have developed ways to recognize the characteristic behavior patterns of malware so that the system can respond more quickly to new breeds of infection. Cloud security providers have begun offering Web application firewalls, which filter Internet traffic before it’s allowed to enter a victim’s data center (see “Threats Create Opportunities”).

However, many organizations don’t keep abreast of these improvements. Applications for functions such as payroll are often custom-built and can’t easily be upgraded to run on modern systems. ­Jeremiah Grossman, founder and chief technology officer of ­WhiteHat Security, a website risk management company based in Santa Clara, CA, estimates that up to a third of the Web is currently running on systems with known vulnerabilities.

Grossman says researchers are seeking creative solutions, such as systems that wrap outdated software in a protected layer or make it possible to do business safely on infected machines. But as long as new software is written, new vulnerabilities will keep surfacing.

Keep Reading

Most Popular

DeepMind’s cofounder: Generative AI is just a phase. What’s next is interactive AI.

“This is a profound moment in the history of technology,” says Mustafa Suleyman.

What to know about this autumn’s covid vaccines

New variants will pose a challenge, but early signs suggest the shots will still boost antibody responses.

Human-plus-AI solutions mitigate security threats

With the right human oversight, emerging technologies like artificial intelligence can help keep business and customer data secure

Next slide, please: A brief history of the corporate presentation

From million-dollar slide shows to Steve Jobs’s introduction of the iPhone, a bit of show business never hurt plain old business.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.