--- begin forwarded text

 Delivered-To: [EMAIL PROTECTED]
 Date: Sun, 17 Jul 2005 21:14:39 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Bellovin, et al., in WSJ: Where the Dangers Are


 The Wall Street Journal

  July 18, 2005

 Information Security
  Where the Dangers Are

 July 18, 2005

 In the world of cybercrime, the bad guys are getting smarter -- and more

 In recent months, hackers have carried out a flurry of increasingly
 sophisticated attacks, highlighting the vulnerability of key computer
 networks around the world.

 Criminals penetrated the database of CardSystems Solutions Inc., nabbing up
 to 200,000 Visa, MasterCard, American Express and Discover card numbers and
 potentially exposing tens of millions more. Leading high-tech companies in
 Israel allegedly planted surveillance software on the computers of their
 business rivals. British security officials warned of a computer attack
 aimed at stealing sensitive information from banks, insurers and other
 parts of that country's "critical infrastructure."1 THE JOURNAL REPORT?See
 the complete Technology report2.

 What new threats do cyber criminals pose? How can computer security be
 improved? Listen to WSJ reporter David Bank's interview3 with Steven
 Bellovin, professor of computer science at Columbia University and a
 longtime researcher at AT&T Labs.


 Cybersecurity experts discuss how to keep personal data and information
 safe in the tech world. Readers can join the discussion4 or submit

 Security experts fear things will only get worse. As technology gets more
 complex, more vulnerabilities are springing up in computer networks -- and
 more criminals, terrorists and mischief makers are rushing to exploit them.

 "What people can do on computer networks and what they can find on them has
 increased tenfold from a few years ago," says Bill Hancock, chief security
 officer of Savvis Inc., a major Internet-service provider. Infiltrating
 those machines and using them for evil intent is easier than ever, he says.

 Some of the threats are well known; home-computer users for years have
 battled viruses and spam and more recently have been barraged with spyware,
 adware and fraudsters "phishing" for sensitive information. Less visible is
 the constant probing of corporate networks by would-be intruders seeking
 trade secrets or competitive intelligence, and the data breaches caused by
 disgruntled or dishonest insiders.

 Meanwhile, government authorities report that hackers are stepping up
 attempts to attack critical systems such as water, electricity, finance,
 transportation and communications. Last year, the Department of Homeland
 Security prepared a worst-case cyberdisaster scenario where criminals broke
 into financial-services facilities.

 Twenty million credit cards were canceled, automated teller machines failed
 nationwide, payroll checks couldn't be delivered, and computer malfunctions
 caused a weeklong shutdown of pension and mutual-fund companies. "Citizens
 no longer trust any part of the U.S. financial system," the scenario

 Here's a look at the threats the security experts worry about the most --
 and what businesses and consumers can do to protect themselves.


 The mass mailings of worms and viruses that clogged email in-boxes and
 corporate networks in recent years have given way to less visible but more
 dangerous attacks aimed at specific business and government targets.

 In many cases, these invasions involve a Trojan -- malicious software that
 hides inside another, innocuous program. Once planted on a victim's
 computer system, the Trojan can, among other things, steal information at
 will and send it back to a criminal. Trojans that are customized for a
 specific target are particularly dangerous, since conventional antivirus
 programs are designed to spot and block previously identified threats.

 "Because these things are one-off, the virus scanners do not recognize them
 at all," says Bryan Sartin, director of technology for Ubizen, a unit of
 Cybertrust Inc. of Herndon, Va.

 Criminals use a variety of methods to get Trojans onto their targets'
 systems. Often, they trick employees at a targeted company into installing
 the software. In the Israeli case, law-enforcement officials discovered
 that the alleged perpetrators gave victims floppy disks containing
 seemingly legitimate business proposals. The disks contained Trojans that
 used "key logger" software to record what users typed, and then transmitted
 that data, along with documents and emails, to a computer in London.

 Hackers also take advantage of security flaws in Web browsers. Last year,
 hackers invaded the computer system of a large bank using a known, but
 unpatched, vulnerability in Microsoft Corp.'s Internet Explorer, says
 Alfred Huger, senior director of engineering for computer-security firm
 Symantec Corp., Cupertino, Calif., who investigated the break-in. For 90
 days, the criminals collected network and database passwords and
 intercepted secure communications, among other things. Mr. Huger says he
 doesn't know how much money was lost.

 Security experts are increasingly concerned about break-ins that come via a
 company's partners and vendors. These smaller companies often have
 privileged access to their larger partner's computer systems, but may not
 be as well protected. Last year, John Pironti, a security consultant with
 Unisys Corp., of Bluebell, Pa., says he helped discover a powerful Trojan
 that had been planted in the computer network of a major financial
 institution. A hacker penetrated one of the bank's custom-software
 suppliers and discovered the "open pipe" to the financial-services
 provider's network.

 The most effective method for protecting against such attacks is also the
 simplest -- disconnect databases containing sensitive information, such as
 credit-card data, from the Internet. "Systems like that should not have
 Internet access, period," says Ubizen's Mr. Sartin.
 Threats to the security of computer systems come in many forms. Here are
 profiles of some of the people behind them and their motivation:

  Hackers who take over multiple systems in order to distribute phishing
 schemes (the use of fraudulent email and Web sites to deceive people into
 disclosing personal information), spam and malware (viruses and other
 software designed with malicious intent).

  Criminal groups use spam, phishing and malware to commit identity theft
 and online fraud.

  Conduct industrial espionage by breaking into competitors' systems.

  Gather information by penetrating computer systems. In addition, several
 countries are working to develop the capability to disrupt the supply
 chains, communications and economic infrastructure that support the
 military power of an enemy.

  Break into networks for the thrill of the challenge or for bragging rights
 in the hacker community.

  The disgruntled insider is a principal source of computer crime, and often
 is able to gain unrestricted access to cause damage to the system or steal

  Individuals or small groups who use fraudulent email and Web sites to
 extract personal information from their victims that can then be used for
 monetary gain.

  Individuals or organizations with malicious intent carry out attacks
 against users by producing and distributing malware, like viruses or worms,
 and spyware, which is software secretly put on victims' computers to gather
 information about them.

  May seek to destroy, incapacitate or exploit critical infrastructure in
 order to threaten national security, cause mass casualties, weaken the
 economy or damage public morale. Also may use phishing or other schemes to
 generate funds or gather sensitive information.

 Source: GAO analysis based on data from the Federal Bureau of
 Investigation, the Central Intelligence Agency and the Software Engineering
 Institute's CERT Coordination Center.

 If that's not possible, all such systems should have "firewall" technology
 that monitors Internet connections and raises a red flag if it detects
 suspicious activity, such as high volumes of data sent at unusual times.
 Other tools can take a snapshot of legitimate system configurations and
 sound alarms when changes occur.

 And, of course, all computers need to be kept up to date with security
 patches and antivirus software, and users need to be educated about opening
 unknown attachments or visiting suspicious Web sites.


 A single computer infected with a Trojan is bad enough. An army of infected
 computers is a weapon of mass digital destruction.

 "Botnets," short for robot networks, are made up of home and business PCs
 that have been taken over by hackers and joined together to create
 remote-controlled networks. The hackers (sometimes called "bot herders")
 use the combined power of these machines to mount a variety of Internet
 attacks, right under the noses of the PCs' rightful owners. The size, and
 power, of such botnets is growing rapidly, as bot herders learn how to
 manage networks of tens of thousands of compromised "zombie" or "drone" PCs.

 Here's how it works: Hackers or criminals slip Trojans carrying the bot
 software onto the PCs of unwitting targets. The infected computers are then
 programmed to listen for instructions, generally sent via instant-messaging

 Once assembled, the botnet can be used to send spam, launch phishing
 attacks or disrupt a Web site by flooding it with visits, a so-called
 denial-of-service attack. One popular tactic of organized cybercriminals:
 denial-of-service attacks against Internet gambling sites. The criminals
 then extort the sites for payment to halt the attack.

 Home computers, which generally lack sophisticated network-monitoring
 tools, are most vulnerable to becoming unwitting conscripts. Early last
 year, Time Warner Cable began sending Matt McKay "spam ticket" citations
 and threatened to turn off his Internet service. The 32-year-old Charlotte,
 N.C., attorney wasn't moonlighting as a spammer. A hacker had hijacked his
 computer. "I was spamming people, and I didn't know it," he says.

 The Federal Trade Commission in May urged Internet-service providers to
 more actively combat botnets, which the FTC estimated send as much as 80%
 of spam. The FTC suggested ISPs monitor their customers for suspicious
 emailing patterns, block Internet connections favored by bot herders and
 help consumers clean up infected machines.


 In last season's television thriller "24," terrorists used the Internet to
 penetrate control systems at dozens of U.S. nuclear power plants -- and
 cause one to melt down. Hollywood fantasy? Security experts warn that such
 an attack is not as far-fetched as it might seem.

 The systems used to control the nation's water, power, transportation and
 communication systems are increasingly being connected to corporate
 networks that are in turn connected to the Internet. That makes it easier
 to control and maintain the systems remotely, but also makes the systems
 vulnerable to viruses, worms and other Net-based threats.

 Cyberattacks that successfully penetrate such "supervisory control and data
 acquisition," or Scada, systems appear to be increasing. The British
 Columbia Institute of Technology and the PA Consulting Group in London,
 which documented a handful of such incidents through 2000, have reports of
 at least 80 successful attacks world-wide since 2001. "Some just snoop
 around, some do damage," says Eric Byres, who manages the research project.

 In May, the General Accounting Office reported similar findings. Security
 consultants cited in the report said hackers are continuously probing the
 power grid for vulnerabilities; in some cases, intruders gained access to
 utilities' control systems and affected operations, though not causing
 serious damage.

 The vulnerability of vital networks was highlighted by the Northeast
 blackout of 2003. Though not caused by a cyberattack, the incident was
 exacerbated by one: The "Blaster" worm, which had been released days
 earlier, clogged communications links and hurt operators' ability to stem
 the cascading blackout.

 Security experts say such power-control systems are unlikely to be the
 primary target of terrorists, who arguably are more interested in
 spectacular physical attacks that generate casualties. But experts are
 increasingly concerned that attacks on critical systems could be used in
 conjunction with more-violent tactics to compound the damage -- for
 instance, by disabling emergency-response systems.

 Some of the vulnerabilities of these control systems can be offset by
 rigorous compliance with standard cybersecurity practices. Congress is
 considering adding such requirements to the federal energy bill now
 pending. But many security experts say existing Scada systems are obsolete
 and need to be replaced by new sensors with multiple layers of security,
 including in the hardware, the network and the application.

 Perhaps more important, says S. Shankar Sastry, a professor of electrical
 engineering at the University of California, Berkeley, are strategies for
 "graceful degradation," for example by installing several layers of
 defenses, to ensure that vital networks remain at least partly operational
 during and after a major attack. "We should expect in the future for
 attacks to succeed," Mr. Sastry says. "The question is: How do you keep the
 infrastructure from completely falling apart?"


 Hackers can take down a corporate computer network. But could they crash
 the whole Internet? The same qualities of trust and openness that have made
 the Internet successful also make it vulnerable to major outages.

 The experts' top worry: an arcane mechanism known as the "border gateway
 protocol." The protocol is used by the hundreds of networks that make up
 the Internet to advertise their routes so they can carry each other's
 traffic. By falsifying such announcements, hackers could intercept Internet
 traffic, modify it or simply make it vanish by directing it to bogus or
 nonexistent routes. And by directing a flood of traffic onto a route too
 small to handle it, a hacker could overload and crash at least parts of the
 global Internet.

 "You can take out some portion of the Net for some amount of time," says
 Steven Bellovin, a longtime security expert at AT&T Labs and now professor
 of computer science at Columbia University. If a sophisticated adversary
 sent out fraudulent routing announcements from a dozen different points,
 "you could have a very serious situation," he says.

 In the past decade, security specialists say, inadvertent glitches in the
 protocol have caused a half-dozen large network outages and many smaller
 ones. In December 1999, such a mistake took down AT&T's Worldnet Internet
 service for most of a day, leaving 1.8 million customers without Web
 access. An even larger outage occurred two years earlier, when a small
 Internet-service provider mistakenly advertised incorrect routes, causing a
 two-hour disruption for large parts of the Internet.

 Now, security experts are seeing apparently intentional attacks exploiting
 the weaknesses in the protocol. In one case, the Web site of a large
 Internet-networking company vanished, meaning no traffic could reach it for
 several hours. In another, some Internet traffic went into a "black hole"
 along an advertised route that didn't really exist; email, Web requests and
 so on simply disappeared. Neither incident was considered serious, but they
 showed "the threat is real," says Craig Labovitz, director of engineering
 at Arbor Networks Inc., a network-security firm in Lexington, Mass.

 Spammers are also starting to take advantage of the technique. By
 advertising fake Internet addresses for just long enough to launch their
 spam, then withdrawing the addresses, it's possible to erase any trail that
 law enforcement might follow. "Nobody can find it," Mr. Bellovin says.
 "It's not in the database. You can't map your way to it. It's just gone."

 Because the Internet is used by nearly everybody but owned by no one,
 systemic vulnerabilities have proved difficult to correct. For starters, a
 change would require upgrades to thousands of routers. And there's no
 consensus on how to fix the border-gateway protocol.

 Still, the Net has proved remarkably resilient against large-scale attacks.
 "We've been hearing these end-of-the-Internet stories for the last 10
 years," Mr. Labovitz says. "But we haven't seen many of these
 mega-attacks." The most likely reason: Hackers, thieves and terrorists have
 come to depend on the Internet just like everybody else, and don't want it


 Internet-related fraud accounted for 53% of all consumer-fraud complaints
 made to the Federal Trade Commission last year. Among the biggest threats
 are those involving scammers who use elaborate ruses to pretend to be
 someone else.

 In "phishing" scams, fraudsters send emails that appear to come from a
 trusted source, like Citibank or eBay. Click on a link in the email, and
 you're directed to a fake Web site, where you're asked to reveal account
 numbers, passwords and other private information. In some cases, phishing
 sites plant hidden programs, such as key loggers, on victims' computers. So
 even if a visitor doesn't enter any data into the phony site, the phisher
 can try to filch it later.

 Then there's "pharming," where hackers attack the server computers where
 legitimate Web sites are housed. Type in the address of the legitimate
 site, and you are redirected to a look-alike. In a similar ruse, hackers
 use Trojans to manipulate the browser cache on a victim's computer, where
 copies of Web pages are stored so that they don't have to be reloaded from
 scratch with each visit. When you visit a site stored in your cache, you
 are directed to a fake site instead.

 In "Evil Twin" attacks, hackers set up Wi-Fi hot spots that trick your
 computer into thinking it's accessing your home wireless network or a safe
 public network. While you use the network, attackers can monitor your moves
 and steal the information you enter into a Web site, if the site doesn't
 have the right safety measures.

 To combat phishing, assume that any email asking for personal information
 is a fake, says Robert C. Chesnut, senior vice president of rules, trust
 and safety at eBay Inc. Consumers can also get help from new phishing-site
 blockers from service providers Time Warner Inc.'s America Online unit and
 EarthLink Inc.

 As for pharming, some banks are beginning to look at ways to help consumers
 distinguish real sites from fake ones, such as letting consumers choose
 personalized images that appear on the site whenever they visit. To combat
 the variation on pharming that involves meddling with PCs, consumers should
 be sure to regularly sweep for Trojans with antivirus and antispyware
 programs available from companies such as Symantec, McAfee Inc. and Webroot
 Software Inc.

 For Evil Twin attacks, wireless users should enter private information only
 into sites that protect data with encryption technology, which is signified
 by a little lock on the bottom of the page.


 Many hackers who covertly take control of your computer are looking to
 draft it into a botnet. But there are a host of other ways to get hijacked.
 Aggressive marketers are using "adware" to hijack Web searches, display
 pop-up ads and drag surfers to unwanted Web sites. Adware's more insidious
 cousin, spyware, can capture users' keystrokes and follow their browsing
 activities. These programs often arrive bundled with free software or sneak
 onto users' computers when they visit dodgy Web sites.

 Viruses, meanwhile, have become a tool for delivering malicious payloads
 and not just a form of causing mischief. Hackers are using them to install
 bots and Trojans that give them control of PCs, allowing them to send spam
 and steal private personal information silently.

 After Mr. McKay, the Charlotte attorney, cleared up his botnet problem, the
 home page of his Web browser was hijacked by an adware program, forcing him
 to view a "flashy, gaudy" page featuring links to mortgage lenders and
 pornography. Only when his girlfriend refused to touch the computer did he
 cave. "I said, 'All right, this is embarrassing,' " he recalls. " 'I'm
 going to fix it.' "

 Mr. McKay had to undergo a crash course in Internet security to get rid of
 the programs that hijacked his computer. He ran a battery of different
 security programs, killing anything that looked suspicious. But after a
 slew of software failed to clean out his machine, he turned to extracting
 the pests manually.

 Security experts advise consumers to make sure they install and use
 firewall and up-to-date antivirus programs, combined with regular sweeps
 with a spyware-removal program. Increasingly, Internet-service providers
 are offering their embattled customers security tools. Many people are also
 switching to Apple Computer Inc.'s Macintosh machines and the Firefox Web
 browser, which have rarely been the target of malicious code.


 In the future, security attacks will come out of thin air. Smartphones and
 some personal digital assistants boast always-on wireless connections and
 run more-sophisticated software than standard cellphones, making them
 susceptible to viruses, worms and data theft just like PCs.

 The hackers' current pathway of choice: Bluetooth. This radio technology
 allows short-range wireless communication for sending messages, exchanging
 electronic business cards and using wireless headsets. But hackers can
 exploit flaws in Bluetooth to steal information from digital gadgets or
 spread viruses.

 For now, mobile viruses have done little more than drain their victims'
 phone batteries and send off text messages using their account. But bigger
 threats may be coming. The invasions so far were merely "science projects"
 for hackers wanting to see if they could attack mobile devices, says Victor
 Kouznetsov, senior vice president of mobile solutions for McAfee. "They
 discovered it's not that hard."

 Mr. Pironti of Unisys says people should use built-in Bluetooth security
 features that let only authorized headsets and PCs talk to their phones.
 They should also change default passwords for wireless headsets. Meanwhile,
 security-software companies are rushing to offer antivirus protection for
 mobile devices. Japanese carrier NTT DoCoMo Inc. sells phones with built-in
 antivirus software from McAfee. A number of large carriers offer similar
 protection from F-Secure Corp. of Finland.

 But the best defense will come from wireless carriers blocking attacks
 within their networks, before they can reach people's phones, says Gartner
 Inc. analyst John Pescatore. Cellphone users should start asking their
 providers what protection they offer or intend to provide, he says.
 F-Secure, for one, says its network-level technology has been deployed by
 nine wireless operators that altogether serve 32 million subscribers.


 What's the quickest way to get your computer infested with spyware, bots
 and Trojans? Let your kids use it.

 Kids often use music and video file-sharing programs like Kazaa, LimeWire
 and BitTorrent, where they can unwittingly download adware and spyware.
 They also pick up nasty programs at "code and cheat" sites, which help them
 get higher rankings in online games. And curiosity will take them to plenty
 of other risky places, including porn sites.

 Some security experts advise parents to have a separate computer for the
 kids. John Esposito of Ridgewood, N.J., keeps financial records on his own
 laptop, so they won't be endangered if nine-year-old Zoe or 13-year-old
 Zach inadvertently lets in a hacker program.

 In addition to protecting their PC with the usual array of security
 software, parents can use parental-control tools to restrict access to
 inappropriate sites. Parry Aftab, executive director of WiredSafety Group,
 a New York-based advocate for online safety, recommends kid-safe search
 engines, such as Yahoo Inc.'s Yahooligans and Ask Jeeves Inc.'s Ask Jeeves
 Kids. These sites won't steer kids to sites meant for adults, including
 porn sites that try to lure visitors with misspellings of popular keywords.

 Parents should also talk to their children about online dangers and set
 ground rules for computer use. Parents may even want to use some spyware
 tools of their own to monitor what kids do online. Ms. Aftab recommends
 monitoring software from SpectorSoft Corp. because it's able to capture
 instant messaging in multiple formats.

 --Mr. Bank is a staff reporter in the Wall Street Journal's San Francisco
 bureau, and Ms. Richmond is a reporter for Dow Jones Newswires in Jersey
 City, N.J.

 R. A. Hettinga <mailto: [EMAIL PROTECTED]>
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 Clips mailing list

--- end forwarded text

R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to