THINGS YOU OUGHT TO KNOW (IT SECURITY) – II

The Internet was built on trust. Back in the mid 1960s, computers were very expensive and slow by today’s standards, but still quite useful. To share the expensive and scarce computers installed around the country, the U.S. government funded a research project to connect these computers together so that other researchers could use them remotely. This project was called the ARPAnet, named after the government research agency – ARPA, the Advanced Research Projects Agency – that funded and managed the project.

Key to the ARPAnet was the level of trust placed in its users; there was little thought given to malicious activity. Computers communicated using a straightforward scheme that relied on everybody playing by the rules. The idea was to make sharing ideas and resources easy and as efficient as the technology of the day provided. This philosophy of trust colors many of the practices, procedures, and technologies that are still in place today.

Only within the last few years, when Internet commerce (known as e-commerce) began to spread, it has become inadequate to rely principally on trust. Since the days of the ARPAnet, we’ve changed the way we use computer networks while others have changed the underlying technologies, all in an attempt to improve the security of the Internet and the trust we place on it.

Let’s dig deeper into examples of what we trust in our daily lives. When you receive mail through the post office, many envelopes and the letters in them contain the sender’s address. Have you ever wondered if those addresses were valid; that is, do they match the address of the person or persons who really sent them? While you could check to see that those addresses are valid and refer to the person they name, it’s not an easy task.

How would you go about it? Would you call the phone number provided with the letter? That number could also be invalid, and the person that answers the phone could be as misleading as the original address. Perhaps you could call directory assistance or the police department that has jurisdiction over the town where the letter was supposedly from. They might be helpful, but that is likely to take lots of time. Most people wouldn’t bother.

And it’s not just return addresses either. How about advertisements, news stories, or the information printed on groceries? Suppose you were on a low-fat diet. You’d want to buy foods low in fat. To select the right foods, you’d read the product label at the grocery store. How do you know that the label information is valid? What’s to say it’s not forged? And how would you know?

The Internet has many of the same issues, and email is one of the best examples. In an email message, an intruder can easily fabricate where the came from. But this information forging – called spoofing by intruders and security professionals – is not limited to just email. In fact, the basic unit of information transferred on the Internet – called a packet – can also be easily forged or spoofed.

What does this mean and why should you care? It means that any information you receive from some other computer on the Internet should not be trusted automatically and unconditionally. When you trust an email message that turns out to have a harmful virus attached to it, your computer can be infected, your files destroyed, and your work lost. And that’s why you should care.

This is how the Internet works. It was built on trust. Over time, there have been technological changes that are worthy of a higher level of our trust than before. Nonetheless, a true sense of insecurity is better than a false sense of security. So, think about the information you trust. Be critical and cautious.

Source: www.cert.org