Push comes to shove

Internet companies are banding together against a common enemy, says PayPal's Andy Steingruebl. Karen Epper Hoffman reports.

Andy Steingruebl wants you to know that he's a glass-half-full kind of guy when it comes to information security.

The reason for this optimism is not strictly rooted in the groundbreaking work that Steingruebl, senior manager of customer and ecosystem security for PayPal, and his team are doing to protect users from today's assortment of internet threats. It is also related to teamwork underway among the larger network of internet giants, PayPal included. There is a growing understanding that for one company to succeed in the hostile skies of cyber, everyone must chip in. 

No wonder Steingruebl is feeling confident about the future.

“It's easy to think of security guys as pessimists,” says Steingruebl. “I'm not.” 

Working to protect their own customers from all-too-common threats, like SQL injection and cross-site scripting, as well as collaborating with each other, PayPal and its peers are fighting a security war on multiple fronts. The good news is they may be winning. 

Despite admitted “scalability problems” as the internet expands exponentially, Steingruebl says security is becoming more and more important, and the web is getting safer. While common security threats do persist, he says that the industry has come a long way in its approach to contending with multiple vulnerabilities at once. 

“Worrying about one thing is just too narrow,” he says. “Attackers go to the lowest point across a multitude of fronts.” And, it's not just the technical pieces and the protocols that security executives are focused on, he adds. “You need to have a diverse approach, like an investment strategy.”

Part of this involves getting to the root of web security and focusing on core issues, where Steingruebl says the industry has had some good success. Embedding fundamental protections into the web and browsers themselves is key, he says. 

“One of the places where we have been spending a lot of energy over the past four years, which has come to the foreground, is with the issues around HTTPS…or SSL,” he says. The internet protocol HTTPS (HTTP over SSL) adds another element of security – the Secure Sockets Layer (SSL), which employs digital certificates so users can authenticate the server they are talking to – to normal transmissions over the internet.

Steingruebl references the recent hacking tools – BEAST (Browser Exploit Against SSL/TLS) and CRIME (Compression Ratio Info-leak Made Easy) – that were created in 2011 and 2012, respectively, by security researchers Thai Duong and Juliano Rizzo to showcase the vulnerabilities in the ubiquitous transfer protocol. For example, CRIME allows hackers to get access to encrypted web traffic by tricking a vulnerable browser into sending compressed, encrypted requests to an HTTPS-enabled website and then exploiting the information that leaks through the compressed size. Similarly, BEAST enlists JavaScript together with a network sniffer to decrypt encrypted cookies and hijack confidential sessions.
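As an added illustration of the compression-ratio leak described above (example code, not from the article or from PayPal), the following Python uses zlib to show that the compressed size of a request shrinks when attacker-influenced text repeats part of a secret cookie, and that the size is identical once compression is switched off, which is why TLS-level compression was disabled in response to CRIME. The cookie value, the request layout and all function names are constructed for the example.

```python
import zlib

# Constructed sample: a session cookie that the browser attaches to every
# request, next to a URL path the attacker can influence. Not a real token.
SECRET_COOKIE = "Cookie: session=7f3a9c21e0b4"


def build_request(injected_path: str) -> bytes:
    """Assemble a minimal HTTP request carrying both the attacker-influenced
    path and the secret cookie, the way a browser would send it."""
    return (
        f"GET /{injected_path} HTTP/1.1\r\n{SECRET_COOKIE}\r\n\r\n"
    ).encode("utf-8")


def wire_size(injected_path: str, compress: bool = True) -> int:
    """Bytes on the wire for the request. compress=True models TLS-level
    DEFLATE compression (the vulnerable setting); compress=False models
    the mitigation of sending the plaintext length unchanged."""
    body = build_request(injected_path)
    return len(zlib.compress(body, 9)) if compress else len(body)


def size_reveals_match(correct_prefix: str, wrong_prefix: str) -> bool:
    """True when the compressed size distinguishes a guess that repeats a
    prefix of the secret from a guess of equal length that does not.
    Guessing several characters at once makes the difference obvious in
    this toy; the point is that length alone carries information."""
    return wire_size(correct_prefix) < wire_size(wrong_prefix)


def mitigation_hides_match(correct_prefix: str, wrong_prefix: str) -> bool:
    """With compression disabled, equal-length guesses produce equal-length
    records, so the side channel disappears."""
    return wire_size(correct_prefix, compress=False) == wire_size(
        wrong_prefix, compress=False
    )


if __name__ == "__main__":
    good, bad = "session=7f3a9c", "session=q8w2e4"
    print("compressed sizes:", wire_size(good), wire_size(bad))
    print("leak visible with compression:", size_reveals_match(good, bad))
    print("leak gone without compression:", mitigation_hides_match(good, bad))
```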