
WARDING OFF THE CYBERSPACE INVADERS
By now, you've surely heard of Kevin D. Mitnick, the notorious hacker who was
hunted down and arrested by FBI agents on Feb. 15. His crimes: a string of network
break-ins that included the pilfering of thousands of credit-card numbers from
an Internet service provider and sensitive programs from a security expert's
home computer. It was a chilling warning to the millions of consumers and corporations
trying to do business in cyberspace. ``The Internet is like a bad neighborhood
where a lot of people are looking for trouble,'' says Ray Ozzie, president of
Iris Associates, which created Notes for Lotus Development Corp. ``It's wild
out there.''
Network-related crime is not new--it has been going on as long as there have
been networks. But as more individuals and businesses discover the Internet,
the opportunities multiply. The Computer Emergency Response Team, based at Carnegie
Mellon University, reported 2,241 Internet security breaches last year, twice
as many as in 1993.
WELL POISONING. The good news is that, with a little planning, companies and
consumers can usually protect themselves. And despite the headlines, the risk
of attack by criminal hackers such as Mitnick may be greatly exaggerated. M.E.
Kabay, director of education at the National Computer Security Assn. (NCSA)
in Carlisle, Pa., contends that of all the damage estimated to be done to computer
networks, only a small fraction can be traced to criminal hacking. The bigger
danger, warns Kabay: careless employees who give away secret passwords or workers
bent on sabotage.
Ask MCI Communications Corp. The Secret Service charges that Ivy James Lay,
a technician in MCI's Greensboro (N.C.) facilities, programmed an MCI PC to
capture more than 50,000 credit-card numbers. Before he was nabbed in September,
Lay had sold the numbers to a network of dealers, resulting in more than $50
million in fraudulent charges. For MCI, the incident was ``a real wake-up call,''
says Robert E. Wilson, director of technical security.
And while the idea of a hacker like Mitnick marauding through the Internet
certainly gives business pause, it turns out that many of the computers he hit
weren't well protected. ``Many of the recent break-ins are a result of leaving
doors open,'' says William Finkelstein, vice-president in charge of direct-access
financial services at Wells Fargo Bank. ``If you leave the bank vault open,
people are going to walk in with their shopping carts.''
Mitnick, for example, frequently used The Well, a San Francisco-based online
service that is linked to the Internet, as a base of operation. Before he was
caught, he had cracked an account on The Well and stashed hundreds of programs
there stolen from Tsutomu Shimomura, a security expert at the San Diego Supercomputer
Center. He also wiped out some of the service's accounting records. ``The Well
really brought a lot of this Mitnick affair on themselves through their cavalier
attitude,'' says Winn Schwartau, executive director for security consultant
Interpact Inc. Schwartau knows: Last July, Mitnick hacked into his Well account.
The Well was lucky. Credit-card numbers and subscribers' personal data were
stored, unprotected, on a main server. But Mitnick did not tamper with it. NetCom,
a San Jose (Calif.) company that sells Internet access, wasn't spared. Mitnick
was able to steal some 20,000 credit-card numbers that he later stashed on
a Well account.
What can be done to safeguard computers connected to the Net? One of the most
basic steps a company can take is to erect barriers, called firewalls, between
internal networks and the Internet. Firewalls are dedicated computers running
programs that screen incoming traffic so only ``trusted'' computers can gain
entry. Firewall programs are available--at prices ranging from a few thousand
dollars to several thousand--from companies including IBM, Digital Equipment,
and Trusted Information Systems, a Glenwood (Md.) startup. After Mitnick's arrest,
The Well shut down for two days to bolster security. One step: moving subscribers'
credit-card information behind a firewall.
Firewalls, by themselves, are not completely hacker-proof. Mitnick, for instance,
used a technique known as protocol spoofing to fool otherwise secure computers
into thinking he was an authorized user. By probing a remote computer, a hacker
can glean information about other trusted computers. Then, the hacker masquerades
as a trusted computer to gain access, copy files, and even take control of a
system.
SPOOF-PROOF. To crack down on spoofing, software makers are designing ``filters''
to guard against such tricks. Filters can make sure that a message that appears
to come from a trusted system on an internal network did not actually originate
elsewhere. Filters also can block unauthorized outgoing messages, so if a hacker
manages to seize control of a system he can't move on to other networks.
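
An added example, not part of the original article: the two filter checks described above, written in Python. The decision depends on which side of the firewall a packet arrived from; the address ranges, the allow-list and the function name are assumptions made for illustration.

```python
import ipaddress

# Constructed values: the internal network and the hosts allowed to talk outward.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
OUTBOUND_ALLOWED = {ipaddress.ip_address("192.0.2.10")}  # e.g. a mail relay


def filter_packet(arrived_on: str, src: str, dst: str) -> str:
    """Return 'pass' or 'drop: <reason>' for a packet seen at the border."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if arrived_on == "external":
        # A packet from outside cannot legitimately carry an inside address.
        if s in INTERNAL:
            return "drop: internal source address arrived from outside"
        if d not in INTERNAL:
            return "drop: not addressed to the internal network"
        return "pass"
    if arrived_on == "internal":
        # Outbound packets must carry an inside source address.
        if s not in INTERNAL:
            return "drop: outbound packet with a non-internal source"
        # Only listed hosts may leave, which contains a seized machine.
        if d not in INTERNAL and s not in OUTBOUND_ALLOWED:
            return "drop: host not authorized to send outbound"
        return "pass"
    return "drop: unknown interface"
```
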
Firewalls and filters can defend your network, but they do nothing to protect
information when it leaves your computers to travel across the Internet. To
safeguard credit-card information, E-mail messages, or other sensitive data,
encryption is the best bet. The most popular type of encryption is public key,
which uses software ``keys'' to scramble and unscramble messages. Many software
makers license patented public-key technology from RSA Data Security Inc. as
the basic building block for security systems.
For now, however, most information sent over the Net is unencrypted and therefore
vulnerable. A favorite trick of hackers is to secretly install on networks programs
called ``packet sniffers'' that record the contents of packets of information
as they cross the network. Packets include such goodies as passwords and user
names, which can then be used to gain entry to a computer system or send out
messages under another person's name.
One way to foil packet sniffing is to use one-time passwords. Since they are
only used once, if a password is snatched off the Net--or exposed through carelessness--it
cannot be used again to gain access. There are several methods for issuing one-time
passwords, including password generator cards such as SecurID, which is sold
by Security Dynamics. SecurID works by displaying a number that changes every
minute based on a predefined algorithm. When a user logs on to the network,
the server asks for the number currently displayed on the card's screen and
compares that with the number it calculates the card should be displaying. If
they match--and the user also provides a secret PIN number--he is allowed to
sign on.
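
An added example, not part of the original article: the server-side check described above, in Python. The article does not give SecurID's algorithm, so HMAC-SHA1 truncation (the construction later standardized as HOTP/TOTP) stands in for it; the seed, PIN, drift window and class names are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60  # the card's number changes every minute


def card_code(seed: bytes, now: int, digits: int = 6) -> str:
    """Number the card shows at Unix time `now` (stand-in algorithm)."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class LoginServer:
    """Holds each user's seed and PIN and the last time step it accepted."""

    def __init__(self):
        self.users = {}      # name -> (seed, pin)
        self.last_step = {}  # name -> last accepted time step

    def enroll(self, name, seed, pin):
        self.users[name] = (seed, pin)

    def login(self, name, pin, code, now, drift=1):
        if name not in self.users:
            return False
        seed, real_pin = self.users[name]
        pin_ok = hmac.compare_digest(pin.encode(), real_pin.encode())
        current = now // STEP
        # Accept the current minute and `drift` minutes either side (clock skew).
        for step in range(max(0, current - drift), current + drift + 1):
            expected = card_code(seed, step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                # A step already used is refused, so a sniffed code is useless.
                if pin_ok and step > self.last_step.get(name, -1):
                    self.last_step[name] = step
                    return True
                return False
        return False
```
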
Formidable technology, to be sure. But it's humans, not machines, that cause
the most damage. ``Ninety percent of what we did was not through a hole in the
system,'' says Bruce Fancher, a former hacker who now runs an Internet software
company. Hackers do much better through ``social engineering,'' a term that
refers to all the scams they use to cajole passwords and other information from
unwitting employees. ``You need a lot of processes--some technical and some
administrative--to deal with the people problem,'' says Vincent Cerf, senior
vice-president for data architecture at MCI. ``There is no magic in this.''
Yes, but there are plenty of tricks.
Protecting your Assets on the Net
FIREWALLS
Secured gateways that erect a wall between private networks and the Internet,
keeping unwanted intruders out.
FILTERING PROGRAMS
Used with firewalls to prevent ``spoofing,'' a ploy to gain unauthorized entry
by masquerading as a trusted system.
ENCRYPTION
A method of scrambling messages such as E-mail or credit-card numbers so they
cannot be read by cybersnoops.
AUTHENTICATION
Techniques to ensure that the sender of a message is who it claims to be. One
approach: One-time passwords that can't be reused.
PERSONNEL POLICIES
The best defenses are screening technical hires and training employees to protect
passwords and confidential data.
Copyright 1995 McGraw-Hill, Inc. All rights reserved.
By Amy Cortese in New York, with bureau reports,
WARDING OFF THE CYBERSPACE INVADERS., 03-13-1995.