Intelligent Machines

The Attacker's Advantage

  • by Erica Naone
  • June 22, 2010
  • Last year, Google was the victim of cyber attacks originating in China that stole software and targeted human-rights activists.

No one is exempt from cyber attack. In January, Google admitted that its systems had been breached and intellectual property stolen; in April, it was revealed that hackers had stolen military documents from India’s government; and stories about the online theft of credit-card numbers and other personal information are constantly streaming in. Why are computer systems so vulnerable?

It comes down to how most software is designed, says Andy Ellis, senior director of information security and chief security architect for Akamai, an Internet infrastructure company based in Cambridge, MA. Companies build systems that often have more functions than users really need. Security is often an afterthought. But if any one of those functions has a mistake in design or implementation, that’s all it takes to give attackers the opening they need.

This story is part of our July/August 2010 Issue
See the rest of the issue
Subscribe

One widely used attack takes advantage of a vulnerability known as a buffer overflow. When information sent to a program over the network exceeds the space that the programmer has set aside for incoming data, the excess is stored in other parts of the computer’s memory. Forcing this to happen can change the system’s behavior, even inducing it to execute malicious code.

Attackers also trick users into installing malicious software–for example, by using deceptive e-mail messages containing links to bogus websites. And sometimes the attacks come from within: experts say that internal security policies are often lax or poorly implemented, giving people ample opportunity to steal from or sabotage their employers.

There have been some glimmers of hope. Many programs now install security updates automatically, without requiring user intervention. Antivirus companies have developed ways to recognize the characteristic behavior patterns of malware so that the system can respond more quickly to new breeds of infection. Cloud security providers have begun offering Web application firewalls, which filter Internet traffic before it’s allowed to enter a victim’s data center (see “Threats Create Opportunities”).

However, many organizations don’t keep abreast of these improvements. Applications for functions such as payroll are often custom-built and can’t easily be upgraded to run on modern systems. ­Jeremiah Grossman, founder and chief technology officer of ­WhiteHat Security, a website risk management company based in Santa Clara, CA, estimates that up to a third of the Web is currently running on systems with known vulnerabilities.

Grossman says researchers are seeking creative solutions, such as systems that wrap outdated software in a protected layer or make it possible to do business safely on infected machines. But as long as new software is written, new vulnerabilities will keep surfacing.

The latest Insider Conversation is live! Listen to the story behind the story.

Subscribe today
Already a Premium subscriber? Log in.

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Premium.
  • Insider Premium {! insider.prices.premium !}*

    {! insider.display.menuOptionsLabel !}

    Our award winning magazine, unlimited access to our story archive, special discounts to MIT Technology Review Events, and exclusive content.

    See details+

    What's Included

    Bimonthly magazine delivery and unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Access to the magazine PDF archive—thousands of articles going back to 1899 at your fingertips

    Special discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

    First Look: exclusive early access to important stories, before they’re available to anyone else

    Insider Conversations: listen in on in-depth calls between our editors and today’s thought leaders

/
You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.