
2011 | OriginalPaper | Chapter

16. Sneakaway Programs: Everybody’s Predicament

Author: Derek Partridge

Published in: The Seductive Computer

Publisher: Springer London


Abstract

In-use IT system confidence becomes suspect every time an IT system is exposed to potential change-access. The elements of IT-system access control are introduced and discussed. Inadvertent change, due to clumsiness, or covert malicious change causes IT systems to sneakaway. All IT systems must be open to change; usually managed through passwords. Bio-metric access control, such as fingerprint matching, is a growing alternative to passwords. These avoid the memorisation task of many passwords but: successful duplication or simulation will open all doors (whereas use of multiple passwords can protect against this); we lose the convenience of giving (perhaps temporary) access to someone else; and matching to approve access becomes complicated (and thus error prone). Beyond the privacy concerns of read-only access, access to change IT systems must be closely controlled and monitored. This control is at odds with ease of access for essential system changes, e.g. just adding new information, or making corrections. Change-access control for an IT system may be a complex, multi-level procedure, i.e., different users require access to different system-modification possibilities. Further complication to the ever-present threat of malicious system access and modification is introduced through the convenience of computer networking, such as made possible by the Internet.


Footnotes
1
This extract is taken from The Cuckoo’s Egg by Clifford Stoll (Pan Books: 1989). The author recounts, in a very entertaining way, how his task of tracking down a trivial accounting error in a California computer led him to uncover military espionage based in Germany.
In the first decades of the twenty-first century this is still happening as a consequence of very poor IT-system management. The USA is attempting to extradite Gary McKinnon, a UK citizen who infiltrated a number of ‘secure’ US IT systems. McKinnon, who claims that he was merely looking for evidence of the existence of UFOs, maintains that many break-ins were unbelievably easy. He just tried the obvious passwords (like “Field” and “Service” in the opening story), and supposedly secure and sensitive IT systems let him in.
Computer Weekly (www.computerweekly.com, posted 13-6-08, accessed 11-11-09) reported: “It was child’s play to get into US military systems, McKinnon said. Many were running Netbios over TCP/IP with blank or default passwords, which allowed him to access-administrator privileges.
He admitted writing scripts to harvest passwords, and to using password crackers to get into more protected systems. Gaining secret access was clearly seductive. McKinnon speaks of ‘megalomaniacal’ feelings when he was deep inside systems. But he was not alone, he said. By querying who else was connected and investigating IP addresses, he found Chinese, European and other nationals visiting the same computer systems. ‘At first I thought they might be offsite contract workers, but that was not the case,’ he said.
Once he was inside a network, especially a military network, McKinnon found that other computer systems considered him a trusted user. This was how he was able to get into the Pentagon’s network. ‘It was really by accident,’ he says.” And notice that he also described the experience as “seductive.”
 
2
The happy ending to this story is that the BBC contacted the US Department of Homeland Security (the blighted couple had already done so, but got no response). This department, which is responsible for the IT system in question, then made the necessary switch of biometric data and passport details. Because this system is ‘ultra-secure’, authority to change the data must be ‘ultra-protected’ which, in practice, means that changing the data will be a big hassle (as it should be). Change-access authority is fundamentally at odds with IT-system reliability, and yet it must be possible. The proposed UK system for ID cards, which is presented as an ultra-reliable system for identity proof, must grapple with exactly this conundrum, further complicated by the difficulties that will accompany the necessarily approximate matching of biometric data. Password matching is simple – exact match, or no match; biometric data is never exactly the same on two different occasions, so the decision becomes – near-enough match, or not-near-enough match.
 
3
The coarse distinction between read-only access and read-write access rights is the simplest case. All manner of intermediate access rights are possible in a complex IT system. It may well be the case that various system users are given limited rights to change (or simply enter data), and the limitations may be different for different classes of user. The guiding principle should be that each class of user is given the minimum necessary access rights, and that all accesses are automatically logged.
This problem is one (but by no means the only one) that is bedevilling the UK Government’s attempts to produce a comprehensive IT system to support the National Health Service. In this case the problems are compounded by a further incompatibility between widening valid access to personal medical data records for those who have a right and a need to know the details, and maintaining the strict privacy of the same data by excluding access to everyone else who has no right to read it (let alone change it).
 
4
The complete story is in Clifford Stoll’s book (see note 1 above). For further details: K. Fitzgerald, “The quest for intruder-proof computer systems” IEEE Spectrum, vol 24, no. 8, pp. 22–26, 1989.
 
5
Since 9-11, the US authorities, in particular, have put much time and money into monitoring global communications in an effort to automatically filter out the ‘suspicious’ ones. This task is made virtually impossible by:
1. The ease with which messages can be disguised once the perpetrators have some idea what the programmed system’s ‘keys’ for ‘suspicion’ are.
2. Messages can be easily encoded to eliminate all potentially obvious keys.
3. The real decisions, which must be based on human understanding, are overwhelmed by the sheer volume of data, even after filtering.
In April 2009 the UK Government announced that it was dropping plans to similarly monitor email communications. The good reason was erosion of civil liberties; the real reasons suggested were cost (in a time of national budget crunch) and likely ineffectiveness due to the very poor quality of natural-language understanding systems.
 
Metadata
Title
Sneakaway Programs: Everybody’s Predicament
Author
Derek Partridge
Copyright Year
2011
Publisher
Springer London
DOI
https://doi.org/10.1007/978-1-84996-498-2_16
