Interesting People mailing list archives

INTERNET SECURITY BREACH -- it will happen again and again till it is important enough to fix it (li


From: David Farber <>
Date: Fri, 4 Feb 1994 14:15:00 -0500

From Washington Post (front page)
4 Feb 1994
Break-Ins Hit Huge Network of Computers
Internet's Managers Act to Guard Security
Tens of thousands of users of the Internet, the global computer
communications network, last night were advised to change their
security passwords following a rash of break-ins to Internet
computers here and abroad.


The federally funded Computer Emergency Response Team (CERT) issued
the advisory, saying that thousands of passwords already have been
collected illicitly by people using advanced surveillance software.
The illegal collection may be continuing and accelerating, it said.


Authorized users of the Internet must type in a supposedly secret
password when they link their own computers to the network to send or
receive information. Anyone who discovers another person's password
can enter the system as that person, gain access to their
confidential files and destroy or alter them.


The security breach raises the specter of larger ones in the future
as technology permits a more advanced "information highway," a
high-speed channel for video, sound and text that the Clinton
administration is promoting as a boon to the U.S. economy and
society. "The highwaymen are taking over the highway," said Eugene
Spafford, a computer security specialist at Purdue University.


CERT declined to give details of the incidents or to say where they
had occurred. Neither would it comment on whether people had used the
illicitly obtained passwords to destroy information or cause other
damage. But it said it was sending out software that would strengthen
Internet computers against such intrusion.


An official at Rice University in Houston confirmed that that school
had been hit. The operator of the campus's computer network began
getting notice from other Internet systems of unusual events and cut
off the university's network from Internet on the night of Jan 23.


Investigators found intruding programs in several computers on the
campus. To repair the breach, they replaced more than 3,000
passwords, beefed up their computer security and repaired incidental
damage.


"We're keeping our fingers crossed in trying to get things up and
running," said Patrick Humphrey, a network operator at the
university.


The incident was first investigated by reporter David L. Wilson of
the Chronicle of Higher Education, a trade newspaper. It also has
confirmed a similar event at Bard College in New York State.


Computer security specialist Spafford said he had heard the number
put at dozens in the last several months.


The Internet serves an estimated 15 million people worldwide. It
allows people to use their computers to exchange electronic mail,
browse through distant electronic libraries and transfer pictures and
sounds.


Operators of Internet computers have been reporting scattered
break-ins for several months, but the numbers had been viewed by many
security experts as a routine hazard of running a network. Notable
was Panix Public Access Network, a New York company that serves as a
"gateway" to the Internet.


Computer security experts say the method of operation in the cases
cited by CERT, the Internet's security overlord, is similar. All are
aimed at large computers such as Panix's, which are wired to the
Internet 24 hours a day.


Individual users typically connect their home or office computers to
the large one by telephone lines and through it gain access to the
network at large.


According to Vint Cerf, head of the Internet Society, a computer
industry group, the CERT advice on new passwords does not apply to
passwords that people use to dial up that "gateway" computers.


It applies only to passwords used by people who, after making that
first connection, then "reach out" across the network and sign on to
a second machine. That second password travels across the Internet
when the person types it in and is therefore vulnerable to
interception.


The password-collecting software exploits the same so-called "trap
door" that a graduate student named Robert Morris used in 1989 to
paralyze thousands of Internet computers. He sent out a so-called
virus program that replicated itself and spread from machine to
machine.


In the recent incidents, unknown parties have transmitted to the
target computer a so-called Trojan Horse program, called that because
it is not what it appears to be.


The program enters the computer on an apparently innocent errand. But
in fact, it sits and monitors traffic passing through the machine. As
people cross the Internet and "log on" to that computer, the program
takes note of their names and passwords.


It remains unclear who is behind the acts. But Spafford said that
special software that can accomplish this has been written and
apparently traded electronically among many people.


The software is sophisticated enough to disable security features in
the host machines that are supposed to sound an alarm when an
intruder enters.


Cerf predicted the incident would lead to new calls for security on
the network. Simple passwords, he said, might be replaced with
systems by which the password changes with each use.

