Holes In The Net

The Web assaults show how the qualities that make the Net work leave it vulnerable. What to worry about next.

By Jared Sandberg
Newsweek, February 21, 2000

It all seemed so scary. There was Attorney General Janet Reno, flanked by FBI brass and a clutch of cyber white hats, assuring the world that the Feds were hard on the trail of the most debilitating vandalism the Net has seen in years. But the even more frightening scenario wasn't on the agenda. Last week's attacks, however worrying, required the skill level of a spitballer. So if that's all it took to hijack multibillion-dollar businesses, think of the chaos real hacking pros could cause.

Just look at what happened to RealNames. On Wednesday the California company, which develops technology to make navigating the Net easier, apparently made it too easy for a malicious hacker to navigate through its customer database. The thief jumped the company's digital security fence and possibly stashed personal records, including credit-card numbers, inside computers in China. RealNames informed the FBI, users and credit-card companies that it was hacked but doesn't know of any instances where the cards were used-yet.

The Internet, the powerful engine of the new economy, is surprisingly frail. In fact, every benefit of the Net seems to have an ugly cousin. Its globe-girding nature virtually eliminates distances between people, but it can expose them to a world of criminals from far-off regions. The same connectedness that makes the Net so robust also makes it vulnerable to the "weak link in the chain" effect; the openness and ease with which millions of people can share information also endangers privacy. The recent attacks weren't designed to break into systems, but simply to slow them. Breaking in, though, isn't hard to do-and a survey of the holes in the Net suggests more trouble down the road.

Infrastructure: Some of the security problems stem from the Internet's basic architecture. Launched by the Defense Department 30 years ago, the Internet was built to allow trusted users-not the public-to share information instead of concealing it. Many security measures are simply patches on an older open system. "The system is getting worse faster than we can patch it," warns Bruce Schneier, chief technical officer of Counterpane Internet Security Inc.

One of the most potent threats is a direct hit to the Net's vital organs-the "root name servers." These machines contain master lists of Internet addresses and direct data traffic. There are only 13 of them worldwide, and they have already shown weaknesses. In July 1997 a new master list of the Net's addressing scheme was automatically transmitted among the machines. But the list was effectively empty. The gaffe, attributed to human error, caused one of the Internet's worst brownouts, making Web pages unreachable and leaving e-mail undelivered for several days. While holes among these megaservers have been largely plugged, experts fear others remain. "If all of these machines become unreachable," says Bill Cheswick, senior security researcher at Lucent, "most of what we call the Internet grinds to a halt."

Software: Many of the Net's fundamental vulnerabilities arise from inherent weaknesses in software. By its very nature, software is buggy, and complex software is often infested. Programs contain millions of lines of instructions and there's no effective way to test them all before releasing them to the marketplace. Bugs are often exploited by hackers, who use them to gain access to Web sites and personal computers. "We don't know how to write bug-free software," laments Steve Bellovin, a researcher at AT&T Labs. He notes that the breached computers used to blast last week's victims had well-known bugs that could allow unauthorized users to issue commands-and the vandals knew how to capitalize on them.

Bugs in Web sites, browsers and operating systems have plagued the good guys for years. Hackers manipulated software glitches, for example, to rewrite the CIA's Web site in 1996 to read "Central Stupidity Agency" and include links to porn sites. Similarly, a known bug in the U.S. Army Web site in Stuttgart, Germany, was abused in 1998, allowing cybervandals to deface it: "now don't arrest me or nothing cause im gunna cover up the security holes that I used to get in," they wrote. Earlier this month, a security firm discovered that 11 of the "shopping cart" programs used on e-commerce Web sites could allow for users to rewrite the price of items. Just think of it: Chevy Blazers for $1.99!

Privacy: All the personal, sensitive information now going online leaves the Web open to the worst kind of privacy violation if the data are not properly protected: identity theft. That's when a crook takes over your bank and credit accounts-a nightmare scenario that can take years to unravel. Even before the Net became popular, people's lives were ruined when thieves filched their Social Security numbers and credit cards, going on spending sprees using the victim's good name and often ringing up a criminal record. Many financial-services firms require Social Security numbers to gain access to their Web sites. With an increasing number of always-on Net connections such as cable modems, malevolent hackers could digitally sniff out the master locks to people's lives.

Thieves have already made headway. A little more than a month ago, a hacker calling himself "Maxim" exploited bugs in software at online music-retailer CDUniverse and lifted, he claimed, 300,000 credit-card numbers. Then he tried something relatively new to online crime: extortion. He said he'd destroy the records for $100,000. Otherwise, he'd post them on the Net. And that's exactly what he did. On Christmas Day, he began listing the credit numbers, names and addresses online. CDUniverse refused to pay and called the Feds, while credit-card companies began reissuing cards.

Consumers are also vulnerable if legitimate businesses pry too much. Internet advertising firm DoubleClick has compiled profiles of roughly 100 million Internet users, tracking where they go online. But the company outraged privacy advocates when it began to attach their names, addresses and phone numbers to these formerly anonymous profiles. "It's been amazing how little the companies on the Net are willing to internalize privacy concerns," says Scott Bradner, a Harvard University technical guru. "It's just insane." (DoubleClick lets people opt out of the program.) Privacy advocates now fret that the federal crackdown after last week's assaults could lead to intrusive monitoring of innocent users. "The overreaction opens the doors to more surveillance," says Peter Krapp, a professor at the University of California, Santa Barbara, which was one of dozens of sites from which the hackers mounted their barrage in last week's attacks.

The talent gap: One of the most critical unsung problems is the chronic lack of talented people to keep Internet systems innoculated. The "zombie" computers that were hijacked last week to flood victims contained well-known security flaws for which fixes were readily available, security experts say. Prying hackers employ easy-to-use software tools to scan the network so they can find the weaknesses that site operators haven't plugged. We are at the mercy of the administrators of Web sites and Internet service providers to keep current with well-known bug insecticides and security patches. And the scary fact is that most administrators don't - out of ignorance, if not negligence, which is at the root of countless Net security breaches. It's said there are only a few hundred people who possess the skills to protect the 8,000 ISPs already in business. Compounding the crisis is the fact that there are fewer students graduating from college with computer-science training than there were 12 years ago. That makes Rich Pethia, a director at Carnegie-Mellon's Software Engineering Institute, "break into a cold sweat," he says. "We're beyond the point where we can pull all these system administrators up the learning curve."

The shame of it all: hackers could get legitimate jobs these days as easily as dot-com companies can get venture-capital funding. Sure, crime may pay - but it doesn't include stock options.

With Thomas Hayden

© 2000 Newsweek, Inc.

 

This was published February 21, 2000.

www.krapp.org
All rights reserved.