Vasilis Katos Editor in Chief E-mail: katosv@yahoo.com
These are exciting times for security and the Internet. The real potential of e-business has been revealed. Apart from the fraction of dot COMs that were a commercial success, the real added value for a company rests in the realm of e-integration. Integration with partners, suppliers, customers and service providers has created virtual networks, and the value chain has improved significantly. So have the attacks.
It can be argued that dot COM infrastructures have reached some level of maturity with respect to security. A firewall is a typical component, and the hardening of the servers placed in the demilitarized zone is a routine task. But attackers are no longer as interested in these infrastructures as they were a couple of years ago. Why spend time mounting a Denial of Service on buyagoldfish.com when there are more attractive targets?
Talking about attractive targets, email is definitely one. From the day we are born we unconsciously perform risk management, and our behaviour and actions are subtly guided by the risks we are willing to take – the way we drive, the food we eat, and so on. However, when an email with the subject “fun”, “please review” or “I love you” arrives with an executable file attached, we forget all about risk management. We also tend to forget that most likely we are logged into our computer with administrator privileges, making the “life” of the malicious code much easier. In fact, we should not talk about malicious code anymore; I cannot accept that there is anything malicious in “rm * -rf” (the unix equivalent of “delete all files without asking”) as long as I decide to execute it.
The scenario described above satisfies the vanity of the attacker, but with a slight variation it can satisfy her purse. Imagine a company employee with a laptop, working in the protected network environment of his company, who decides to continue the work at home. The employee copies interesting confidential documents – say the secret recipe of a soft drink – to his laptop and connects to the Internet from home. Then an attacker who knows the value of the laptop's contents sends the employee an email carrying a Trojan that posts “*.doc” to a specific address. In this scenario the breach of confidentiality can be crucial to the company.
To make things worse, there is a new trend in which the above scenarios are implemented on web sites rather than in emails: a “Why chase the victim when the victim can come to me?” kind of attitude. With an attractive hyperlink and a cool download on the web page, the job can be neatly done. And the firewall will happily allow all of that traffic to pass, subliminally, through the HTTP port…