Skip to Content

The Attacker’s Advantage

June 22, 2010

No one is exempt from cyber attack. In January, Google admitted that its systems had been breached and intellectual property stolen; in April, it was revealed that hackers had stolen military documents from India’s government; and stories about the online theft of credit-card numbers and other personal information are constantly streaming in. Why are computer systems so vulnerable?

It comes down to how most software is designed, says Andy Ellis, senior director of information security and chief security architect for Akamai, an Internet infrastructure company based in Cambridge, MA. Companies build systems that often have more functions than users really need. Security is often an afterthought. But if any one of those functions has a mistake in design or implementation, that’s all it takes to give attackers the opening they need.

One widely used attack takes advantage of a vulnerability known as a buffer overflow. When information sent to a program over the network exceeds the space that the programmer has set aside for incoming data, the excess is stored in other parts of the computer’s memory. Forcing this to happen can change the system’s behavior, even inducing it to execute malicious code.

Attackers also trick users into installing malicious software–for example, by using deceptive e-mail messages containing links to bogus websites. And sometimes the attacks come from within: experts say that internal security policies are often lax or poorly implemented, giving people ample opportunity to steal from or sabotage their employers.

There have been some glimmers of hope. Many programs now install security updates automatically, without requiring user intervention. Antivirus companies have developed ways to recognize the characteristic behavior patterns of malware so that the system can respond more quickly to new breeds of infection. Cloud security providers have begun offering Web application firewalls, which filter Internet traffic before it’s allowed to enter a victim’s data center (see “Threats Create Opportunities”).

However, many organizations don’t keep abreast of these improvements. Applications for functions such as payroll are often custom-built and can’t easily be upgraded to run on modern systems. ­Jeremiah Grossman, founder and chief technology officer of ­WhiteHat Security, a website risk management company based in Santa Clara, CA, estimates that up to a third of the Web is currently running on systems with known vulnerabilities.

Grossman says researchers are seeking creative solutions, such as systems that wrap outdated software in a protected layer or make it possible to do business safely on infected machines. But as long as new software is written, new vulnerabilities will keep surfacing.

Keep Reading

Most Popular

transplant surgery
transplant surgery

The gene-edited pig heart given to a dying patient was infected with a pig virus

The first transplant of a genetically-modified pig heart into a human may have ended prematurely because of a well-known—and avoidable—risk.

Muhammad bin Salman funds anti-aging research
Muhammad bin Salman funds anti-aging research

Saudi Arabia plans to spend $1 billion a year discovering treatments to slow aging

The oil kingdom fears that its population is aging at an accelerated rate and hopes to test drugs to reverse the problem. First up might be the diabetes drug metformin.

Yann LeCun
Yann LeCun

Yann LeCun has a bold new vision for the future of AI

One of the godfathers of deep learning pulls together old ideas to sketch out a fresh path for AI, but raises as many questions as he answers.

images created by Google Imagen
images created by Google Imagen

The dark secret behind those cute AI-generated animal images

Google Brain has revealed its own image-making AI, called Imagen. But don't expect to see anything that isn't wholesome.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.