Information Security News mailing list archives

Broadband Could be Hackland


From: William Knowles <wk () C4I ORG>
Date: Mon, 23 Oct 2000 21:10:59 -0500

http://www.wired.com/news/technology/0,1282,39235,00.html

by Farhad Manjoo
2:00 a.m. Oct. 23, 2000 PDT

Recently, Steve Gibson, an independent software developer in Southern
California, received a call from the FBI.

"Apparently, some hacker was getting into people's computers and
posting notes on their Windows desktops," Gibson said. "The notes were
telling people that their computer was insecure, and that they should
go to GRC.com. So the FBI said, 'Steve, did you do this?'"

It seemed like a reasonable question. Gibson's GRC.com offers a
popular service called "Shields Up!," which tests your computer's
vulnerability to attack. Companies have been known to employ guerrilla
tactics to get attention.

But Gibson didn't do it.

The FBI's note-posting hacker was apparently benevolent -- trying to
show people, by violating the sanctity of their Windows desktop, that
their computer could easily come under attack.

Obviously, all hackers aren't such goody-goodies. And now, say Gibson
and other security experts, the playground in which hackers can romp
is rapidly expanding, thanks to the very thing that has been hyped as
revolutionizing the Internet: broadband.

Consumers with high-speed connections to the Internet, like those
provided by DSL and cable modems, are surfing at their own risk unless
they take pains to protect their computers, said Frank Prince, an
analyst at Forrester Research.

Prince said that because broadband consumers are online for long
periods of time, and because their computers have a constant IP
address during an online session, they are prime targets for malicious
activity.

The worst part of the situation, said Gibson, is that most consumers
aren't aware that broadband connections are making their computers
insecure.

"People have this vague uneasiness about security," he said. "They
know that there are 'hackers' out there, and people are worried, but
they don't know they have to do anything."

But it's precisely the consumers who need to do something, he said:
"Nobody else is taking responsibility for this right now. It's just
like the anti-virus problem -- only end-users can solve it."

Forrester's Prince agreed. "Security (in broadband) is a real, if as
yet largely unrealized, problem," he said.

But broadband providers say that the service they provide to their
users is safe -- though they do concede that consumers who are
especially concerned about safety should install security software to
protect their computers.

"Our consumer customers get dynamic IP addresses," said Sean Danes, a
spokesman for Pacific Bell DSL, a large DSL provider. With a dynamic
IP address, a computer's "location" on the Internet is periodically
changed, thereby decreasing the chance of attack.

"This adds a level of additional security, and we encourage DSL users
to 're-authenticate' every once in a while to get a new IP address,"
Danes said.

Richard Holden, a director of product development at the cable modem
provider Excite@Home, also pointed to security measures that his
company takes to make consumers safe.

"For example," he said, "as part of the installation process for
@Home, we always turn off a computer's file sharing."

But Holden also said that the media have been giving this situation
more attention than it deserves.

"The fear created in consumers' minds is actually greater than the
risk that exists," he said. "If a customer operates the computer in a
safe manner, there shouldn't be any problem."

Holden added that only if people are using their computers to store
sensitive information will extra security software be necessary.

Neither Pacific Bell nor Excite@Home provides its customers with such
software. Each company's officials said, though, that they would help
its users install the software if they required it.

Forrester's Prince rejected Holden's argument that only some users
need to make their computers secure.

"Have you ever clicked the button that says 'Save this password?'" he
asked, suggesting that an unsafe connection leaves the virtual keys to
anything from online bank accounts to stock portfolios open to a
hacker's snooping.

Prince said that while shutting down file sharing increases a
computer's safety, by no means does it make it "secure." He said that
a hacker could still easily set up a Trojan application on a computer
to serve up its files.

The solution for users, Prince said, is to take security into their
own hands, by purchasing a security agent called a "personal
firewall."

A personal firewall on a computer acts just like a doorman on Park
Avenue: It lets in only the traffic you've previously OK'd, and tells
everyone else to buzz off.

Sam Curry, a security architect at the software firm McAfee, which
makes one such personal firewall, said that while he is "obviously
biased," he thinks that everyone with a broadband connection needs to
look into getting a personal firewall.

Curry suggested that the frenzy of hacker attacks on large sites that
occurred earlier in the year and were perpetrated through a so-called
"distributed denial-of-service attack" could be repeated using at-risk
home computers.

In a DoS attack, a hacker invades a network of computers, puts them
under his control, and then forces them to send out thousands of
packets of information to a specified site. The site becomes
overloaded and crashes.

In the past, the computers that were taken over by hackers were large
servers at universities, but those institutions log their traffic,
which makes it easier to trace the attack back to an individual.

A less traceable attack on a large site could conceivably involve a
network of vulnerable home computers, which don't log their network
traffic, Prince said.

The hacker "would have to take over 10,000 of these computers instead
of 500 large servers," he said, "so it means more work for them, but I
don't doubt that we'll see it.

"Sooner or later, there is no question that someone will have
marshaled a large number of private computers to be used in a
high-profile attack," he said.

"Then we'll have to go back to (the broadband providers) and ask them
what happened."


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com