Battening down the Net's hatches

Whether the context was encryption, secure business transactions, Internet viruses, or the proliferation and subsequent consolidation of security-related companies, security was on everyone's radar.

CNET News staff
4 min read
Security was a much bandied-about word over the last 12 months. Whether the context was encryption, secure business transactions, Internet viruses, or the proliferation and subsequent consolidation of security-related companies, the topic was on everyone's radar.

Much of 1996's security news emanated from Washington, D.C., as computer firms and security vendors tried to get the White House to loosen restrictions on exporting encryption software. Under Cold War-era regulations, encryption is classified as munitions and subject to export controls.

Both software companies and privacy advocates have lambasted new guidelines, which go into effect January 1, that will loosen export controls on the condition that the vendor provides a way to store the cryptographic keys to unscramble encrypted data. Encryption keeps communications over the Net private, which is considered a precondition for e-commerce.

The controversy now centers around "key recovery," which law enforcement agencies want (with a warrant) for security purposes and businesses want for operational reasons. But software vendors fear would-be buyers may be spooked knowing the government could get access their keys.

On the consumer front, credit card giants Visa and MasterCard agreed to back one standard for secure credit card transactions over the Net, then found finalizing that protocol was tougher than expected.

Under their Secure Electronic Transactions protocol, buyers and sellers must get "digital certificates," which function as "digital IDs" to verify identity. VeriSign, which just added $30 million to its war chest, is number-one today, but GTE's CyberTrust, the U.S. Postal Service, and others are active too.

Smart cards, which look like credit cards but have an embedded chip, gained momentum as a security device, even though they require readers that almost no one has today. Smart cards are considered a more secure method of authenticating a user's identity than software.

Companies engaged in security software also garnered headlines as never before, thanks to the phenomenal growth of the Web and the resulting need for all matters security-related. RSA Data Security remained the favorite supplier of encryption algorithms. In fact, it grew in stature?at least from a business perspective--when it merged with Security Dynamics, a Massachusetts maker of secure token hardware.

In another acquisition that signaled the consolidation trend in the security industry, firewall vendor Secure Computing acquired rival Border Network Technologies, authentication firm Enigma Logic, and Web-site filterer Webster Network Strategies. To remain independent, Secure and other firewall firms, including Check Point Technologies, Raptor Systems, and Trusted Information Systems went public.

And finally, outside the Washington wonk-talk circuit, colorful language enlivened the lingo of Internet security: "Hare viruses," "hostile Java applets," "black widow scares," and "SYN-floods" were all in the news. Hackers, bugs, and viruses are now so commonplace that "virus hoax" has entered the American vernacular.

Of the viruses that attacked the Net this year, SYN floods, also known as denial-of-service attacks, had the widest impact. Three times this year, hackers swamped Web sites with so many bogus connection requests that no one could get through. The latest incident came this month and knocked Web Communications (and the 3,000 sites it hosted) out of commission for 40 hours.

Concerns about malicious Java applets led a few corporate network managers to ban them altogether, but Java proponents urged other measures. Sun Microsystems' JavaSoft unit said applets should get "digital IDs" so their source can be known; Microsoft outlined a similar plan, called "Authenticode," for downloadable ActiveX controls.

Predictions for 1997
"1997 will be the year when Web merchants rethink their strategies in light of growing consumer concerns about security. It may also be the year when semiorganized hackers and virus creators will infect 20 to 30 percent of Web sites. That will cause buyers to have second thoughts about dealing with online merchants. Finally, the Clinton administration and cyber-security firms like RSA Data Security will come to an agreement that the bad guys already have access to robust security and there's no reason left for North American manufacturers of security software to be restricted from globally selling their products."
-- Vic Wheatman, analyst, Gartner Group

"Security issues are being pushed by companies trying to sell products, not by people trying to solve problems. We're not sure that business customers are as sensitized to security as the vendors are. They figure the external threat is fairly easily [to solve] with user authentication. It's not a nonissue, but it's not a killer issue that people are dressing it out to be."
--Steve Auditore, president, Zona Research

 related news stories
"helvetica"=""> Judge rejects crypto links
"helvetica"=""> Crypto export approved
"helvetica"=""> Virus hoaxes infect Net
"helvetica"=""> Crypto companies regroup
"helvetica"=""> HP has crypto export plan
"helvetica"=""> Government warns about smart card security
"helvetica"=""> A new enemy for hackers
"helvetica"=""> Hacker bombardment keeps site in check
"helvetica"=""> HP has ticket to secure
"helvetica"=""> Microsoft strengthens encryption
"helvetica"=""> D-Day for the Hare virus arrives
"helvetica"=""> Digital certificates planned for Java
"helvetica"=""> Government OKs Netscape encryption
"helvetica"=""> White House alters encryption stance
"helvetica"=""> Credit cards strengthen security
"helvetica"=""> AOL promises security to shoppers
"helvetica"=""> 'Black widow' scare on Web
"helvetica"=""> Security Dynamics buys RSA Data
"helvetica"=""> Five sign w/ Verisign
"helvetica"=""> Another Java bug creeps out