Paranoia Strikes Deep on Net

By

Cyberspace is looking less like the final frontier and more like a frontier town.

Cyberspace is looking less like the final frontier and more like a frontier town.

Wherever man may go, no matter how boldly, crime will surely follow, and the Internet is no exception. The explosive growth of new Internet uses has been more than matched by an acceleration in security breaches on the Net.

The latest threat to the Net occurred in early February, when "password sniffer" programs were discovered on hundreds of networks. These programs enable intruders to monitor and capture passwords in transit across the Net, similar to Trojan horse programs favored by hackers.

In response to these incidents, the Science, Space and Technology's subcommittee on science conducted a hearing on Internet security this week that attracted representatives from the Internet Society, the private sector, the FBI, the federal Computer Emergency Response Team, or CERT, and the National Institute of Standards and Technology, or NIST.

According to L. Dain Gary, manager of operations for CERT, his group responded to 1,334 computer security alerts in 1993, an average of 111 per month. CERT was created by the Pentagon's Advanced Research Projects Agency 72 hours after the Morris Worm virus -- created and executed by the son of a high-level official at the National Security Agency -- infested the Internet in 1988. Since then, CERT has worked with other private and public Internet SWAT teams, who together comprise the Forum of Incident Response and Security Teams, or FIRST.

Gary said there is a direct relationship between the number of new users and number of incidents on the Net. The proliferation of new technologies that are quickly disseminated throughout the Net makes CERT's job exceedingly difficult. And the cutting-edge current intruder community, he said, is always ready to exploit an opening with a new technology.

The recent "password sniffer" programs, Gary said, are far more serious than earlier attacks on the Net. CERT believes the programs were widely disseminated throughout the intruder community, and at least one hacker was using encryption techniques to protect his or her surveillance data. Two of the sites reporting sniffer program intrusion were network service providers, he said, with log files from one compromised computer containing 20,000 entries. The intruders also gained access to systems critical to the Net, and although no harm was done, the potential for catastrophic damage exists, he warned.

Thomas T. Kubic, chief of the FBI's Financial Crimes Section, said computer crime is a growing phenomenon that defies quantification. Based on various studies, he said, it results in an annual economic loss of anywhere from $164 million to $5 billion.

Kubic said the FBI estimates that in approximately 80 percent to 90 percent of its pending investigations, intruders penetrated computer systems via the Internet. Motives, he said, range form greed to intellectual challenge, especially the latter. Most hackers, he said, are ensnared by boasting about their exploits. "Self-admiration is often their downfall," he said.

Vinton G. Cerf, president of the Internet Society -- and a senior vice president at MCI -- said the Internet community is experiencing urban sprawl.

Citizens of the Internet community used to live in a small town that has now become a big city plagued with cybercrime. Everybody used to know each other, he said, but now they are putting up fences and locking their doors.

Cerf argued that security concerns for Net users vary widely, and must be addressed accordingly.

"No single security procedure, policy or technology can be uniformly applied throughout the Internet environment to meet all its needs," Cerf said. "Flexible technologies are needed which can be applied in varying degrees or not at all. We need a semi-permeable membrane that will allow that portion of information to be open and some to be closed."

Cerf said the federal government can help by reviewing its policy on the application, use and export of cryptographic technologies. Current policy, embodied by the controversial Clipper chip proposal, places U.S. companies at disadvantage and will inhibit the growth of a global information infrastructure. "The Clipper chip is not as well thought out as it needs to be," he said.

Stephen D. Crocker, vice president of Trusted Information Systems in Glenwood, Md., said the sniffer programs demonstrate that it is no longer safe to transmit passwords over any network.

Maintaining a viable U.S. encryption industry, Crocker said, is crucial to such concerns. But export controls on cryptographic software, he said, make no sense when foreign software is freely available overseas and over the Net.

The Clipper chip, he said, is deservedly encountering strong resistance from American companies, and will be impossible to sell abroad.

"The main effect of the Clipper chip will be to slow down the entire activity of implementing security on the Internet," he said.

Similarly, Crocker argued, NIST's ongoing effort to develop a government standard for digital signatures is equally pointless, since industry is already using a proven and robust technology.

"The simplest and least-expensive way to develop a government standard is to say it exists and buy it."

Lynn McNulty, associate director for computer security with NIST, said the agency has developed a government standard for digital signatures that works, but has been held up in court.

"The cost of litigation has more than exceeded the cost of writing a check and buying the existing standard," Crocker said.