HOW SAFE ARE YOU?
OCTOBER 4, 1995
Think the Internet is secure? Think again. Time Magazine Senior Editor Philip Elmer-DeWitt tells the story of a computer hacker who broke into the system and obtained the credit card numbers of 20,000 people who had used them to buy Internet access. Elmer-DeWitt explores ways of improving security along the information highway.
PHILIP ELMER-DeWITT, Senior Editor, Time Magazine: When Tom Feegel signed up with Netcom, a company that sells computer users access to the Internet, he did what thousands of others have done; he paid for the new service with his charge card. He thought his credit card information would be protected. He was wrong. To his surprise, his credit card number, along with 20,000 others, turned up in the computer files of Kevin Mitnick, the world's most notorious hacker.
TOM FEEGEL, First Virtual Holdings: My trust in Netcom and the security of machines like theirs has been devastated, and I'll never put my credit card online. If you put sensitive financial information on a machine that's connected to the Internet, it is vulnerable, and it is very likely that those people to whom it becomes an attractive target--criminals--will, in fact, steal that information.
MR. ELMER-DeWITT: Mitnick was caught and agreed in July to plead guilty to one count of possessing stolen cellular telephone numbers. The remaining 22 charges against him were dismissed in a plea bargain. Many hackers like Mitnick often break into computers not to steal anything of value but just to prove that they can. But the case underscores a growing problem on the global computer network called the Internet. The network was designed to be open and easily accessible. That's one of the keys to its success. That's also one of its greatest vulnerabilities, because sensitive information stored on Internet computers--proprietary research, corporate secrets, medical records, even love letters--may also be easily accessible. Right now, the Internet leaks like a sieve. As the number of computers on the Internet grows, so do the incidents of break-ins. The computer emergency response team at Carnegie Mellon University reported over 2200 Internet security breaches last year. And that number is considered conservative because most companies don't like to talk publicly about their computer security problems. Still, businesses are rushing to set up shop on the Internet. Virtual malls filled with electronic storefronts are cropping up all over the World Wide Web, the multimedia portion of the network. Companies want to use the Internet to advertise and eventually sell goods and services to millions of customers around the world. Millions of Internet subscribers, in turn, are using the network as a new form of communication, trusting that conversations carried out over e-mail can be as secure as private letters or phone calls. That's why computer companies are working so hard to make the systems connected to the Internet and the information that travels over them more secure. Sun Microsystems, for instance, has recruited three of the world's leading computer security experts to help shore up the Internet. We spoke to them recently about the Internet's security problems.
DAN FARMER, Computer Security Expert: I think the Internet against individuals is fairly ineffective in defenses. I think that anyone who knows what they're doing pretty much anywhere in the world can break into almost literally any other computer.
WHITFIELD DIFFIE, Computer Security Expert: I think business should be worried about transmitting any information it considers confidential, whether it's personnel information or trade secret information or product plans or marketing plans.
TSUTOMU SHIMOMURA, Computer Security Expert: We want to be able to trust the Net. We want to be able to engage in commerce. I want to be able to place an order, and if I receive an order for something, I want to know that it's for real; I want to be able to fill it.
MR. ELMER-DeWITT: Each of these men has helped make the Internet safe, each in his own way, either by protecting the data that travels over the Internet, or protecting the systems where that information is stored, or pursuing the intruders who steal that information. Whitfield Diffie's concern is protecting sensitive information from prying eyes. He helped design the Public Key Encryption Scheme, a system for scrambling data.
WHITFIELD DIFFIE: Cryptography is the process of sending messages by transforming them from their normal what we call their plain text form into a cybertext that is only understandable and usable by people who have particular secret keys that are used to unscramble it.
MR. ELMER-DeWITT: Not only does it scramble messages, but it stamps them with the electronic equivalent of an unforgeable digital signature.
WHITFIELD DIFFIE: For example, if you're a stockbroker, you'd like to receive an order to sell 10,000 shares of stock and charge your customer a brokerage fee for it, and you want to know that it's actually the customer who owns the stock who is ordering you to sell the stock and that nobody along the way has changed the order from a sale to a buy, something of that sort.
MR. ELMER-DeWITT: Diffie's system has now been adopted by companies like IBM, Lotus, and Netscape looking to do business on the Internet. Dan Farmer's concern is the security of large multiuser computer systems connected to the Internet. He wrote a controversial program called "Satan" that seeks out and locates security holes in those computer systems.
DAN FARMER: That's right. The program can tell you, okay, point it to the Pentagon or point it to Cairo or Japan, here are the weak spots of these systems and here's how you can break into them.
MR. ELMER-DeWITT: To ensure its widespread use, Farmer released "Satan" to the Internet, where it could be retrieved for free by system administrators and hackers alike. On the day of its release, tens of thousands of copies were downloaded. Many system administrators later wrote Farmer to thank him for pointing out weaknesses in their systems so that they could fix them.
DAN FARMER: The most frequent comment was that, "Well, thanks for the tool because now I found some problems that were there. I just never would have found them without, without this."
MR. ELMER-DeWITT: Rather than bringing the Internet to a halt, as some had feared, Farmer's program seems to have made it more secure. Finally, there is Tsutomu Shimomura, who became something of a hero on the Internet when he tracked down Kevin Mitnick following an electronic trail from California to North Carolina. The story began last December.
TSUTOMU SHIMOMURA: I had a break-in on my machines over Christmas of last year, and it wasn't clear who they were or who was involved, but there were some fairly clear pointers. And there was a reasonably clear trail to follow, and so in February, we proceeded to, you know, pull the thread, see what was at the other end, where the other end was.
MR. ELMER-DeWITT: And the thread--
TSUTOMU SHIMOMURA: Went through the Net. We spent a couple of weeks tracking backwards, got onto the phone network after transing the Internet, you know, found that the phone network had been modified in order to make tracing more difficult, but we were able to bypass that and eventually found Kevin at the other end of a cellular telephone.
MR. ELMER-DeWITT: The highly-publicized case put the Internet community on notice that intruders like Mitnick should be pursued and stopped.
TSUTOMU SHIMOMURA: As we have more commerce on the Net, as there's more stuff of commercial value, there will be more incentive for people to break in for personal gain. There may be more things that they can acquire or more services or perhaps real wealth or real world goods that they can acquire by defrauding services on the Net, and so I would expect there will be more break-ins and more intrusion attempts certainly.
MR. ELMER-DeWITT: No one really knows how many people on the Internet have an incentive to break into powerful computer systems.
DAN FARMER: There's a lot of people out there that are interested in accessing things that other people don't want them to have.
WHITFIELD DIFFIE: We are talking about something that ranges from, from young people just getting into their experience with computers to organized crime or large corporations or intelligence agencies. I think this sort of thing is so hard to, to measure that it's very hard to make an estimate of who the players are.
MR. ELMER-DeWITT: At this flower shop in New York City, most business is done person-to-person. Buyers and sellers know who they're dealing with. They recognize their face, their voice, their signature. But when that same flower shop does business in cyberspace, taking an order and a credit card number online, there is no absolute guarantee that the order is real or that the transaction is secure. Business will not flourish on the Internet until it provides those assurances. That's a problem for the thousands of companies and millions of customers getting ready to do business on the World Wide Web. Until basic protections are in place, most people are likely to buy their flowers the old-fashioned way, at the shop down the street.