Technology Review - Published By MIT

November 2001

Information Warfare

Breaking into networks is more than a joyride -- it's the coming mission of criminals, industrial spies and terrorists. Can new security techniques stop them?

By David H. Freedman

The middle-aged man -- call him John -- peered at the numbers rolling across his computer monitor, which provided the only illumination in the cramped basement. One number, 307, caught his eye. Like the others, it designated a port, or gateway, between a certain corporation's computers and the outside world. John had just run a program on his PC that sent electronic probes throughout the corporation's network to find a complete list of these ports. Port 307 was "open" -- any data coming through it could be displayed on John's screen. Would the information prove useful?

It did. Port 307 turned out to be where one network server sent bad passwords, along with the usernames of whoever typed them in. Network administrators had taken the trouble to hide legitimate passwords from prying eyes but hadn't worried about rejected passwords. John knew, however, that most failed passwords aren't wild guesses but rather are "fat-fingered," or typos. It was pretty easy to guess what "valentime3" was meant to be. Seconds later, John had logged onto the server. Three minutes after that he discovered a password file that listed one user's password as blank -- a shortcut favored by systems administrators out to avoid having to type in a password hundreds of times daily. Now John had "root access," meaning the server recognized him as God. He whooped and called Jim Settle, former head of the FBI's computer crime squad and now CEO of Washington, DC-based security consultancy SST. "I'm in."

Settle congratulated him, hung up and called the chief information officer of the corporation whose network his man had just penetrated. "Guess who just took over your network?" asked Settle. The man was stunned -- but grateful. After all, he had quietly retained Settle's services precisely to learn if his network was vulnerable. Now he knew. Before Settle and his crew finished, they would find dozens of other ways to take control.

Though Settle's break-in took place with the victim's blessing, it echoes tens of thousands of malicious invasions. Each year the Computer Security Institute, a San Francisco-based organization of computer security professionals, and the FBI survey computer security managers at large companies and government agencies. In this year's survey of 538 managers, 85 percent of these organizations suffered security breaches; most suffered financial loss as a result. The average reported loss: about $2 million.

That probably offers an optimistic view of the problem's scope. Settle has been hired by more than 60 companies to "red team" their computer systems -- that is, to test security by breaking in the way hackers would. Not only did his people gain intimate access to every system, but only one firm even detected a breach. Moreover, the problem's not just corporate: according to a review by the U.S. General Services Administration, outsiders broke into and temporarily controlled at least 155 computer systems at 32 federal agencies last year.

And that's not even the bad news. While computer network break-ins have long been almost exclusively the work of joyriding, bored teenagers, security and law-enforcement professionals believe the threat is about to shift from run-of-the-mill hackers toward professional criminals, industrial spies, hostile governments and terrorists. Eventually, say experts, computer attacks are likely to bankrupt companies, compromise U.S. security and perhaps even kill hundreds or thousands of citizens by disrupting computer control of anything from traffic signals to food supply transport. "These threats are real," says Jack Holleran, former technical director of the National Security Agency's National Computer Security Center and now an independent computer security consultant. "It's just a matter of when, and it will be sooner rather than later."

The rising stakes have touched off an escalating stream of network skirmishes between those determined to break into organizations' computers and those charged with protecting them. Right now, the bad guys are winning. "Internet security is a big mess," says Bill Cheswick, a chief scientist at Lumeta, a Somerset, NJ, computer-security software firm spun off from Lucent Technologies. "It gets discouraging sometimes." That sobering reality has sent Cheswick and other top computer scientists into their labs to come up with new weapons for the intensifying battle.

This article is from the November 2001 Issue of Technology Review.
