Warding Off The Cyberspace Invaders

By now, you’ve surely heard of Kevin D. Mitnick, the notorious hacker who was hunted down and arrested by FBI agents on Feb. 15. His crimes: a string of network break-ins that included the pilfering of thousands of credit-card numbers from an Internet service provider and sensitive programs from a security expert’s home computer. It was a chilling warning to the millions of consumers and corporations trying to do business in cyberspace. “The Internet is like a bad neighborhood where a lot of people are looking for trouble,” says Ray Ozzie, president of Iris Associates, which created Notes for Lotus Development Corp. “It’s wild out there.”

Network-related crime is not new–it has been going on as long as there have been networks. But as more individuals and businesses discover the Internet, the opportunities multiply. The Computer Emergency Response Team, based at Carnegie Mellon University, reported 2,241 Internet security breaches last year, twice as many as in 1993.

WELL POISONING. The good news is that, with a little planning, companies and consumers can usually protect themselves. And despite the headlines, the risk of attack by criminal hackers such as Mitnick may be greatly exaggerated. M.E. Kabay, director of education at the National Computer Security Assn. (NCSA) in Carlisle, Pa., contends that of all the damage estimated to be done to computer networks, only a small fraction can be traced to criminal hacking. The bigger danger, warns Kabay: careless employees who give away secret passwords or workers bent on sabotage.

Ask MCI Communications Corp. The Secret Service charges that Ivy James Lay, a technician in MCI’s Greensboro (N.C.) facilities, programmed an MCI PC to capture more than 50,000 credit-card numbers. Before he was nabbed in September, Lay had sold the numbers to a network of dealers, resulting in more than $50 million in fraudulent charges. For MCI, the incident was “a real wake-up call,” says Robert E. Wilson, director of technical security.

And while the idea of a hacker like Mitnick marauding through the Internet certainly gives business pause, it turns out that many of the computers he hit weren’t well protected. “Many of the recent break-ins are a result of leaving doors open,” says William Finkelstein, vice-president in charge of direct-access financial services at Wells Fargo Bank. “If you leave the bank vault open, people are going to walk in with their shopping carts.”

Mitnick, for example, frequently used The Well, a San Francisco-based online service that is linked to the Internet, as a base of operation. Before he was caught, he had cracked an account on The Well and stashed hundreds of programs there stolen from Tsutomu Shimomura, a security expert at the San Diego Supercomputer Center. He also wiped out some of the service’s accounting records. “The Well really brought a lot of this Mitnick affair on themselves through their cavalier attitude, ” says Winn Schwartau, executive director for security consultant Interpact Inc. Schwartau knows: Last July, Mitnick hacked into his Well account.

The Well was lucky. Credit-card numbers and subscribers’ personal data were stored, unprotected, on a main server. But Mitnick did not tamper with it. NetCom, a San Jose (Calif.) company that sells Internet access, wasn’t spared. Mitnick was able to steal some 20,000 credit- card numbers that he later stashed on a Well account.

What can be done to safeguard computers connected to the Net? One of the most basic steps a company can take is to erect barriers, called firewalls, between internal networks and the Internet. Firewalls are dedicated computers running programs that screen incoming traffic so only “trusted” computers can gain entry. Firewall programs are available–at prices ranging from a few thousand dollars to several thousand–from companies including IBM, Digital Equipment, and Trusted Information Systems, a Glenwood (Md.) startup. After Mitnick’s arrest, The Well shut down for two days to bolster security. One step: moving subscribers’ credit-card information behind a firewall.

Firewalls, by themselves, are not completely hacker-proof. Mitnick, for instance, used a technique known as protocol spoofing to fool otherwise secure computers into thinking he was an authorized user. By probing a remote computer, a hacker can glean information about other trusted computers. Then, the hacker masquerades as a trusted computer to gain access, copy files, and even take control of a system.

SPOOF-PROOF. To crack down on spoofing, software makers are designing “filters” to guard against such tricks. Filters can make sure that a message that appears to come from a trusted system on an internal network did not actually originate elsewhere. Filters also can block unauthorized outgoing messages, so if a hacker manages to seize control cf a system he can’t move on to other networks.

Firewalls and filters can defend your network, but they do nothing to protect information when it leaves your computers to travel across the Internet. To safeguard credit-card information, E-mail messages, or other sensitive data, encryption is the best bet. The most popular type of encryption is public key, which uses software “keys” to scramble and unscramble messages. Many software makers license patented public-key technology from RSA Data Security Inc. as the basic building block for security systems.

For now, however, most information sent over the Net is unencrypted and therefore vulnerable. A favorite trick of hackers is to secretly install on networks programs called “packet sniffers” that record the contents of packets of information as they cross the network. Packets include such goodies as passwords and user names, which can then be used to gain entry to a computer system or send out messages under another person’s name.

One way to foil packet sniffing is to use one-time passwords. Since they are only used once, if a password is snatched off the Net–or exposed through carelessness–it cannot be used again to gain access. There are several methods for issuing one-time passwords, including password generator cards such as SecurID, which is sold by Security Dynamics. SecurID works by displaying a number that changes every minute based on a predefined algorithm. When a user logs on to the network, the server asks for the number currently displayed on the card’s screen and compares that with the number it calculates the card should be displaying. If they match–and the user also provides a secret PIN number–he is allowed to sign on.

Formidable technology, to be sure. But it’s humans, not machines, that cause the most damage. “Ninety percent of what we did was not through a hole in the system,” says Bruce Fancher, a former hacker who now runs an Internet software company. Hackers do much better through “social engineering,” a term that refers to all the scams they use to cajole passwords and other information from unwitting employees. “You need a lot of processes–some technical and some administrative–to deal with the people problem,” says Vincent Cerf, senior vice-president for data architecture at MCI. “There is no magic in this.” Yes, but there are plenty of tricks.

Protecting your Assets on the Net

FIREWALLS

Secured gateways that erect a wall between private networks and the Internet, keeping unwanted intruders out.

FILTERING PROGRAMS

Used with firewalls to prevent “spoofing,” a ploy to gain unauthorized entry by masquerading as a trusted system.

ENCRYPTION

A method of scrambling messages such as E-mail or credit-card numbers so they cannot be read by cybersnoops.

AUTHENTICATION

Techniques to ensure that the sender of a message is who it claims to be. One approach: One-time passwords that can’t be reused.

PERSONNEL POLICIES

The best defenses are screening technical hires and training employees to protect passwords and confidential data.

Copyright 1995 McGraw-Hill, Inc. All rights reserved.

By Amy Cortese in New York, with bureau reports,

WARDING OFF THE CYBERSPACE INVADERS., 03-13-1995.