[Clips] Bellovin, et al., in WSJ: Where the Dangers Are
R.A. Hettinga
rah at shipwright.com
Sun Jul 17 21:27:57 EDT 2005
--- begin forwarded text
Delivered-To: clips at philodox.com
Date: Sun, 17 Jul 2005 21:14:39 -0400
To: Philodox Clips List <clips at philodox.com>
From: "R.A. Hettinga" <rah at shipwright.com>
Subject: [Clips] Bellovin, et al., in WSJ: Where the Dangers Are
Reply-To: rah at philodox.com
Sender: clips-bounces at philodox.com
<http://online.wsj.com/article_print/0,,SB112128442038984802,00.html>
The Wall Street Journal
July 18, 2005
THE JOURNAL REPORT: TECHNOLOGY
Information Security
Where the Dangers Are
By DAVID BANK and RIVA RICHMOND
Staff Reporters of THE WALL STREET JOURNAL
In the world of cybercrime, the bad guys are getting smarter -- and more
ambitious.
In recent months, hackers have carried out a flurry of increasingly
sophisticated attacks, highlighting the vulnerability of key computer
networks around the world.
Criminals penetrated the database of CardSystems Solutions Inc., nabbing up
to 200,000 Visa, MasterCard, American Express and Discover card numbers and
potentially exposing tens of millions more. Leading high-tech companies in
Israel allegedly planted surveillance software on the computers of their
business rivals. British security officials warned of a computer attack
aimed at stealing sensitive information from banks, insurers and other
parts of that country's "critical infrastructure."
ON GUARD
What new threats do cyber criminals pose? How can computer security be
improved? Listen to WSJ reporter David Bank's interview with Steven
Bellovin, professor of computer science at Columbia University and a
longtime researcher at AT&T Labs.
Security experts fear things will only get worse. As technology gets more
complex, more vulnerabilities are springing up in computer networks -- and
more criminals, terrorists and mischief makers are rushing to exploit them.
"What people can do on computer networks and what they can find on them has
increased tenfold from a few years ago," says Bill Hancock, chief security
officer of Savvis Inc., a major Internet-service provider. Infiltrating
those machines and using them for evil intent is easier than ever, he says.
Some of the threats are well known; home-computer users for years have
battled viruses and spam and more recently have been barraged with spyware,
adware and fraudsters "phishing" for sensitive information. Less visible is
the constant probing of corporate networks by would-be intruders seeking
trade secrets or competitive intelligence, and the data breaches caused by
disgruntled or dishonest insiders.
Meanwhile, government authorities report that hackers are stepping up
attempts to attack critical systems such as water, electricity, finance,
transportation and communications. Last year, the Department of Homeland
Security prepared a worst-case cyberdisaster scenario where criminals broke
into financial-services facilities.
Twenty million credit cards were canceled, automated teller machines failed
nationwide, payroll checks couldn't be delivered, and computer malfunctions
caused a weeklong shutdown of pension and mutual-fund companies. "Citizens
no longer trust any part of the U.S. financial system," the scenario
concluded.
Here's a look at the threats the security experts worry about the most --
and what businesses and consumers can do to protect themselves.
TARGETED ATTACKS
The mass mailings of worms and viruses that clogged email in-boxes and
corporate networks in recent years have given way to less visible but more
dangerous attacks aimed at specific business and government targets.
In many cases, these invasions involve a Trojan -- malicious software that
hides inside another, innocuous program. Once planted on a victim's
computer system, the Trojan can, among other things, steal information at
will and send it back to a criminal. Trojans that are customized for a
specific target are particularly dangerous, since conventional antivirus
programs are designed to spot and block previously identified threats.
"Because these things are one-off, the virus scanners do not recognize them
at all," says Bryan Sartin, director of technology for Ubizen, a unit of
Cybertrust Inc. of Herndon, Va.
Criminals use a variety of methods to get Trojans onto their targets'
systems. Often, they trick employees at a targeted company into installing
the software. In the Israeli case, law-enforcement officials discovered
that the alleged perpetrators gave victims floppy disks containing
seemingly legitimate business proposals. The disks contained Trojans that
used "key logger" software to record what users typed, and then transmitted
that data, along with documents and emails, to a computer in London.
Hackers also take advantage of security flaws in Web browsers. Last year,
hackers invaded the computer system of a large bank using a known, but
unpatched, vulnerability in Microsoft Corp.'s Internet Explorer, says
Alfred Huger, senior director of engineering for computer-security firm
Symantec Corp., Cupertino, Calif., who investigated the break-in. For 90
days, the criminals collected network and database passwords and
intercepted secure communications, among other things. Mr. Huger says he
doesn't know how much money was lost.
Security experts are increasingly concerned about break-ins that come via a
company's partners and vendors. These smaller companies often have
privileged access to their larger partner's computer systems, but may not
be as well protected. Last year, John Pironti, a security consultant with
Unisys Corp., of Bluebell, Pa., says he helped discover a powerful Trojan
that had been planted in the computer network of a major financial
institution. A hacker penetrated one of the bank's custom-software
suppliers and discovered the "open pipe" to the financial-services
provider's network.
The most effective method for protecting against such attacks is also the
simplest -- disconnect databases containing sensitive information, such as
credit-card data, from the Internet. "Systems like that should not have
Internet access, period," says Ubizen's Mr. Sartin.
If that's not possible, all such systems should have "firewall" technology
that monitors Internet connections and raises a red flag if it detects
suspicious activity, such as high volumes of data sent at unusual times.
Other tools can take a snapshot of legitimate system configurations and
sound alarms when changes occur.
And, of course, all computers need to be kept up to date with security
patches and antivirus software, and users need to be educated about opening
unknown attachments or visiting suspicious Web sites.
ROGUES' GALLERY
Threats to the security of computer systems come in many forms. Here are
profiles of some of the people behind them and their motivation:
* BOT NETWORK OPERATORS
Hackers who take over multiple systems in order to distribute phishing
schemes (the use of fraudulent email and Web sites to deceive people into
disclosing personal information), spam and malware (viruses and other
software designed with malicious intent).
* ORGANIZED CRIME GROUPS
Criminal groups use spam, phishing and malware to commit identity theft
and online fraud.
* CORPORATE SPIES
Conduct industrial espionage by breaking into competitors' systems.
* FOREIGN INTELLIGENCE SERVICES
Gather information by penetrating computer systems. In addition, several
countries are working to develop the capability to disrupt the supply
chains, communications and economic infrastructure that support the
military power of an enemy.
* HACKERS
Break into networks for the thrill of the challenge or for bragging rights
in the hacker community.
* INSIDERS
The disgruntled insider is a principal source of computer crime, and often
is able to gain unrestricted access to cause damage to the system or steal
data.
* PHISHERS
Individuals or small groups who use fraudulent email and Web sites to
extract personal information from their victims that can then be used for
monetary gain.
* SPYWARE/MALWARE AUTHORS
Individuals or organizations with malicious intent carry out attacks
against users by producing and distributing malware, like viruses or worms,
and spyware, which is software secretly put on victims' computers to gather
information about them.
* TERRORISTS
May seek to destroy, incapacitate or exploit critical infrastructure in
order to threaten national security, cause mass casualties, weaken the
economy or damage public morale. Also may use phishing or other schemes to
generate funds or gather sensitive information.
Source: GAO analysis based on data from the Federal Bureau of
Investigation, the Central Intelligence Agency and the Software Engineering
Institute's CERT Coordination Center.
BOTNETS
A single computer infected with a Trojan is bad enough. An army of infected
computers is a weapon of mass digital destruction.
"Botnets," short for robot networks, are made up of home and business PCs
that have been taken over by hackers and joined together to create
remote-controlled networks. The hackers (sometimes called "bot herders")
use the combined power of these machines to mount a variety of Internet
attacks, right under the noses of the PCs' rightful owners. The size, and
power, of such botnets is growing rapidly, as bot herders learn how to
manage networks of tens of thousands of compromised "zombie" or "drone" PCs.
Here's how it works: Hackers or criminals slip Trojans carrying the bot
software onto the PCs of unwitting targets. The infected computers are then
programmed to listen for instructions, generally sent via instant-messaging
channels.
Once assembled, the botnet can be used to send spam, launch phishing
attacks or disrupt a Web site by flooding it with visits, a so-called
denial-of-service attack. One popular tactic of organized cybercriminals:
denial-of-service attacks against Internet gambling sites. The criminals
then extort the sites for payment to halt the attack.
Home computers, which generally lack sophisticated network-monitoring
tools, are most vulnerable to becoming unwitting conscripts. Early last
year, Time Warner Cable began sending Matt McKay "spam ticket" citations
and threatened to turn off his Internet service. The 32-year-old Charlotte,
N.C., attorney wasn't moonlighting as a spammer. A hacker had hijacked his
computer. "I was spamming people, and I didn't know it," he says.
The Federal Trade Commission in May urged Internet-service providers to
more actively combat botnets, which the FTC estimated send as much as 80%
of spam. The FTC suggested ISPs monitor their customers for suspicious
emailing patterns, block Internet connections favored by bot herders and
help consumers clean up infected machines.
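The two monitoring ideas the article raises, a firewall that flags "high volumes of data sent at unusual times" and the FTC's suggestion that ISPs watch customers for "suspicious emailing patterns", are the same kind of check run over flow records. The script below is an added example, not code from the WSJ article, the mailing-list post or any ISP; the flow records, their field layout, the off-hours window and the thresholds are all constructed for illustration.

```python
"""Flag customer hosts whose outbound traffic looks like a spam bot or a bulk
upload at an odd hour.

Added example; not code from the WSJ article or the mailing-list post.
The flow records, field layout and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, time


def make_sample_flows():
    """Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, bytes_out)."""
    flows = []
    # 10.0.0.7: a home PC that suddenly opens SMTP sessions to 60 different
    # mail servers within one hour -- the signature of a spam-sending bot.
    for i in range(60):
        flows.append((f"2005-07-17T14:{i:02d}:00", "10.0.0.7",
                      f"198.51.100.{i + 1}", 25, 3_000))
    # 10.0.0.9: an ordinary user sending a few mails through the ISP relay.
    for i in range(5):
        flows.append((f"2005-07-17T09:0{i}:00", "10.0.0.9",
                      "203.0.113.25", 25, 2_000))
    # 10.0.0.12: 400 MB pushed out at 03:12, then normal daytime browsing.
    flows.append(("2005-07-17T03:12:00", "10.0.0.12", "192.0.2.80", 443, 400_000_000))
    flows.append(("2005-07-17T11:00:00", "10.0.0.12", "192.0.2.80", 443, 120_000))
    return flows


OFF_HOURS = (time(0, 0), time(5, 0))   # assumed quiet window for this network


def analyse_flows(flows, smtp_dest_threshold=30, off_hours_bytes=100_000_000):
    """Return {src_ip: [reason, ...]} for hosts matching either pattern:
    * smtp-fanout: SMTP (port 25) sessions to >= smtp_dest_threshold distinct
      destinations (a legitimate mail client talks to one or two relays)
    * off-hours-upload: >= off_hours_bytes sent during OFF_HOURS
    """
    smtp_dests = defaultdict(set)
    night_bytes = defaultdict(int)
    for ts, src, dst, port, nbytes in flows:
        stamp = datetime.fromisoformat(ts)
        if port == 25:
            smtp_dests[src].add(dst)
        if OFF_HOURS[0] <= stamp.time() < OFF_HOURS[1]:
            night_bytes[src] += nbytes
    findings = defaultdict(list)
    for src, dests in smtp_dests.items():
        if len(dests) >= smtp_dest_threshold:
            findings[src].append(f"smtp-fanout:{len(dests)}")
    for src, total in night_bytes.items():
        if total >= off_hours_bytes:
            findings[src].append(f"off-hours-upload:{total}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in sorted(analyse_flows(make_sample_flows()).items()):
        print(host, ", ".join(reasons))
```

The distinct-destination count is what separates a bot from a heavy but legitimate mail user: a real client sends everything through one or two relays, while a spam engine delivers directly to each recipient's mail server. Thresholds need tuning per network; the values here are only illustrative.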
BLACKOUTS
In last season's television thriller "24," terrorists used the Internet to
penetrate control systems at dozens of U.S. nuclear power plants -- and
cause one to melt down. Hollywood fantasy? Security experts warn that such
an attack is not as far-fetched as it might seem.
The systems used to control the nation's water, power, transportation and
communication systems are increasingly being connected to corporate
networks that are in turn connected to the Internet. That makes it easier
to control and maintain the systems remotely, but also makes the systems
vulnerable to viruses, worms and other Net-based threats.
Cyberattacks that successfully penetrate such "supervisory control and data
acquisition," or Scada, systems appear to be increasing. The British
Columbia Institute of Technology and the PA Consulting Group in London,
which documented a handful of such incidents through 2000, have reports of
at least 80 successful attacks world-wide since 2001. "Some just snoop
around, some do damage," says Eric Byres, who manages the research project.
In May, the General Accounting Office reported similar findings. Security
consultants cited in the report said hackers are continuously probing the
power grid for vulnerabilities; in some cases, intruders gained access to
utilities' control systems and affected operations, though not causing
serious damage.
The vulnerability of vital networks was highlighted by the Northeast
blackout of 2003. Though not caused by a cyberattack, the incident was
exacerbated by one: The "Blaster" worm, which had been released days
earlier, clogged communications links and hurt operators' ability to stem
the cascading blackout.
Security experts say such power-control systems are unlikely to be the
primary target of terrorists, who arguably are more interested in
spectacular physical attacks that generate casualties. But experts are
increasingly concerned that attacks on critical systems could be used in
conjunction with more-violent tactics to compound the damage -- for
instance, by disabling emergency-response systems.
Some of the vulnerabilities of these control systems can be offset by
rigorous compliance with standard cybersecurity practices. Congress is
considering adding such requirements to the federal energy bill now
pending. But many security experts say existing Scada systems are obsolete
and need to be replaced by new sensors with multiple layers of security,
including in the hardware, the network and the application.
Perhaps more important, says S. Shankar Sastry, a professor of electrical
engineering at the University of California, Berkeley, are strategies for
"graceful degradation," for example by installing several layers of
defenses, to ensure that vital networks remain at least partly operational
during and after a major attack. "We should expect in the future for
attacks to succeed," Mr. Sastry says. "The question is: How do you keep the
infrastructure from completely falling apart?"
CRASHING THE NET
Hackers can take down a corporate computer network. But could they crash
the whole Internet? The same qualities of trust and openness that have made
the Internet successful also make it vulnerable to major outages.
The experts' top worry: an arcane mechanism known as the "border gateway
protocol." The protocol is used by the hundreds of networks that make up
the Internet to advertise their routes so they can carry each other's
traffic. By falsifying such announcements, hackers could intercept Internet
traffic, modify it or simply make it vanish by directing it to bogus or
nonexistent routes. And by directing a flood of traffic onto a route too
small to handle it, a hacker could overload and crash at least parts of the
global Internet.
"You can take out some portion of the Net for some amount of time," says
Steven Bellovin, a longtime security expert at AT&T Labs and now professor
of computer science at Columbia University. If a sophisticated adversary
sent out fraudulent routing announcements from a dozen different points,
"you could have a very serious situation," he says.
In the past decade, security specialists say, inadvertent glitches in the
protocol have caused a half-dozen large network outages and many smaller
ones. In December 1999, such a mistake took down AT&T's Worldnet Internet
service for most of a day, leaving 1.8 million customers without Web
access. An even larger outage occurred two years earlier, when a small
Internet-service provider mistakenly advertised incorrect routes, causing a
two-hour disruption for large parts of the Internet.
Now, security experts are seeing apparently intentional attacks exploiting
the weaknesses in the protocol. In one case, the Web site of a large
Internet-networking company vanished, meaning no traffic could reach it for
several hours. In another, some Internet traffic went into a "black hole"
along an advertised route that didn't really exist; email, Web requests and
so on simply disappeared. Neither incident was considered serious, but they
showed "the threat is real," says Craig Labovitz, director of engineering
at Arbor Networks Inc., a network-security firm in Lexington, Mass.
Spammers are also starting to take advantage of the technique. By
advertising fake Internet addresses for just long enough to launch their
spam, then withdrawing the addresses, it's possible to erase any trail that
law enforcement might follow. "Nobody can find it," Mr. Bellovin says.
"It's not in the database. You can't map your way to it. It's just gone."
Because the Internet is used by nearly everybody but owned by no one,
systemic vulnerabilities have proved difficult to correct. For starters, a
change would require upgrades to thousands of routers. And there's no
consensus on how to fix the border-gateway protocol.
Still, the Net has proved remarkably resilient against large-scale attacks.
"We've been hearing these end-of-the-Internet stories for the last 10
years," Mr. Labovitz says. "But we haven't seen many of these
mega-attacks." The most likely reason: Hackers, thieves and terrorists have
come to depend on the Internet just like everybody else, and don't want it
wrecked.
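The section above describes two abuses of route announcements: a falsified announcement that hijacks or black-holes a prefix, and the spammer's trick of announcing address space briefly and withdrawing it. The script below is an added example, not code from the WSJ article, the forwarded message or any router vendor, showing how a network operator can check each announcement's origin AS against a table of who is allowed to originate which prefix and flag announce-then-withdraw events. The authorization table, the UPDATE events and the AS numbers are constructed; the check mirrors what later became RPKI route-origin validation, which the article rightly notes did not exist as an agreed fix in 2005.

```python
"""Check BGP announcements against a table of who may originate which prefix,
and flag announce-then-withdraw hijacks.

Added example; not code from the WSJ article, the forwarded message or any
router vendor. The authorization table and UPDATE events are constructed.
"""
import ipaddress
from datetime import datetime

# Constructed authorization table, ROA-style: (prefix, max length, origin AS).
AUTHORIZED = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]


def validate_origin(prefix, origin_as, authorized=AUTHORIZED):
    """Return 'valid', 'invalid' or 'unknown' for a (prefix, origin AS) pair.

    valid:   a covering entry names this origin and the prefix is not more
             specific than that entry's max length
    invalid: covering entries exist but none permits this announcement
             (wrong origin, or a too-specific prefix from the right origin)
    unknown: nothing in the table covers the prefix
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for auth_prefix, max_len, asn in authorized:
        auth_net = ipaddress.ip_network(auth_prefix)
        if net.version != auth_net.version or not net.subnet_of(auth_net):
            continue
        covered = True
        if asn == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"


# Constructed UPDATE events in time order: (timestamp, action, prefix, AS path).
# The AS path is listed nearest-peer first; the last element is the origin.
SAMPLE_UPDATES = [
    ("2005-07-17T10:00:00", "announce", "192.0.2.0/24", [64496, 64500]),     # legitimate
    ("2005-07-17T10:05:00", "announce", "192.0.2.0/25", [64496, 64510]),     # more-specific, wrong origin
    ("2005-07-17T10:06:00", "announce", "198.51.100.0/22", [64496, 64511]),  # whole block, wrong origin
    ("2005-07-17T10:08:00", "announce", "198.51.100.0/25", [64496, 64501]),  # right origin, too specific
    ("2005-07-17T10:20:00", "withdraw", "198.51.100.0/22", None),            # gone after 14 minutes
    ("2005-07-17T10:30:00", "announce", "203.0.113.0/24", [64496, 64512]),   # nothing in table: unknown
]


def audit_updates(updates, authorized=AUTHORIZED, short_lived_minutes=30):
    """Return one finding per invalid announcement. A finding is marked
    short_lived when the prefix is withdrawn within short_lived_minutes,
    the announce-use-withdraw pattern the article describes for spammers."""
    live = {}        # prefix -> (announce time, finding) still on the table
    findings = []
    for ts, action, prefix, as_path in updates:
        when = datetime.fromisoformat(ts)
        if action == "announce":
            origin = as_path[-1]
            if validate_origin(prefix, origin, authorized) != "invalid":
                continue
            finding = {"prefix": prefix, "origin": origin, "as_path": list(as_path),
                       "announced": ts, "short_lived": False}
            findings.append(finding)
            live[prefix] = (when, finding)
        elif action == "withdraw" and prefix in live:
            announced_at, finding = live.pop(prefix)
            if (when - announced_at).total_seconds() <= short_lived_minutes * 60:
                finding["short_lived"] = True
    return findings


if __name__ == "__main__":
    for f in audit_updates(SAMPLE_UPDATES):
        print(f"{f['prefix']:18} origin AS{f['origin']} path {f['as_path']}"
              f"{'  (short-lived)' if f['short_lived'] else ''}")
```

Two things the check does not catch are worth noting: an attacker who forges the path so that the correct origin appears last still passes origin validation, and a prefix with no entry in the table comes back "unknown" rather than "invalid", so coverage of the table is what makes the result meaningful.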
PHRAUD
Internet-related fraud accounted for 53% of all consumer-fraud complaints
made to the Federal Trade Commission last year. Among the biggest threats
are those involving scammers who use elaborate ruses to pretend to be
someone else.
In "phishing" scams, fraudsters send emails that appear to come from a
trusted source, like Citibank or eBay. Click on a link in the email, and
you're directed to a fake Web site, where you're asked to reveal account
numbers, passwords and other private information. In some cases, phishing
sites plant hidden programs, such as key loggers, on victims' computers. So
even if a visitor doesn't enter any data into the phony site, the phisher
can try to filch it later.
Then there's "pharming," where hackers attack the server computers where
legitimate Web sites are housed. Type in the address of the legitimate
site, and you are redirected to a look-alike. In a similar ruse, hackers
use Trojans to manipulate the browser cache on a victim's computer, where
copies of Web pages are stored so that they don't have to be reloaded from
scratch with each visit. When you visit a site stored in your cache, you
are directed to a fake site instead.
In "Evil Twin" attacks, hackers set up Wi-Fi hot spots that trick your
computer into thinking it's accessing your home wireless network or a safe
public network. While you use the network, attackers can monitor your moves
and steal the information you enter into a Web site, if the site doesn't
have the right safety measures.
To combat phishing, assume that any email asking for personal information
is a fake, says Robert C. Chesnut, senior vice president of rules, trust
and safety at eBay Inc. Consumers can also get help from new phishing-site
blockers from service providers Time Warner Inc.'s America Online unit and
EarthLink Inc.
As for pharming, some banks are beginning to look at ways to help consumers
distinguish real sites from fake ones, such as letting consumers choose
personalized images that appear on the site whenever they visit. To combat
the variation on pharming that involves meddling with PCs, consumers should
be sure to regularly sweep for Trojans with antivirus and antispyware
programs available from companies such as Symantec, McAfee Inc. and Webroot
Software Inc.
For Evil Twin attacks, wireless users should enter private information only
into sites that protect data with encryption technology, which is signified
by a little lock on the bottom of the page.
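The phishing description above (an email that appears to come from Citibank or eBay, a link that leads to a look-alike site) comes down to a few checkable properties of each link: where it really points, whether the visible text pretends otherwise, and whether the real host is the brand's own domain. The script below is an added example, not code from the WSJ article or the forwarded message; the sample message, the trusted-domain list and the heuristics are constructed, and registrable_domain() is a deliberate two-label simplification of what a real tool would do with the public suffix list.

```python
"""Triage the links in a suspected phishing email.

Added example; not code from the WSJ article or the forwarded message.
The sample message, the trusted-domain list and the heuristics are
constructed for illustration; registrable_domain() is a deliberate
simplification (real code should consult the public suffix list).
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands the mail claims to speak for (constructed list).
TRUSTED_DOMAINS = ("citibank.com", "ebay.com")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name (simplification, see module docstring)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def hostname_of(text):
    """Host part of a URL-looking string, or None if it is not one."""
    try:
        return urlsplit(text if "://" in text else "http://" + text).hostname
    except ValueError:
        return None


def assess_link(href, visible_text, trusted=TRUSTED_DOMAINS):
    """Return the list of reasons this link looks like a lure (empty = clean)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append("not-https")
    if is_ip_literal(host):
        reasons.append("ip-literal-host")
    elif host and registrable_domain(host) not in trusted:
        # www.citibank.com.account-check.example: the brand is only a label
        # inside somebody else's domain
        lookalike = [b for b in trusted if b in host]
        reasons.append(f"brand-lookalike:{lookalike[0]}" if lookalike
                       else "untrusted-domain")
    # Visible text that shows one host while the href goes somewhere else
    shown = hostname_of(visible_text)
    if shown and "." in shown and shown != host:
        reasons.append(f"text-host-mismatch:{shown}")
    return reasons


def triage_email(html_body, trusted=TRUSTED_DOMAINS):
    """Return [(href, visible text, reasons)] for every link in the message."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(href, text, assess_link(href, text, trusted))
            for href, text in collector.links]


# Constructed sample message in the style the article describes.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your account will be suspended unless you verify it:</p>
<a href="http://203.0.113.5/citi/login.php">https://www.citibank.com/verify</a>
<p>Or use our secure partner site:</p>
<a href="https://www.citibank.com.account-check.example/login">Click here</a>
<p>Questions? Visit <a href="https://www.ebay.com/help">eBay help</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for href, text, reasons in triage_email(SAMPLE_EMAIL):
        print(f"{'SUSPECT' if reasons else 'ok     '} {href}  text={text!r}  {reasons}")
```

The same properties are what the "little lock" advice at the end of the section relies on: a lock only tells the user that the connection to the host in the address bar is encrypted, so a look-alike host with its own certificate still passes that test, which is why the registrable-domain comparison matters more than the scheme check.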
HIJACKING
Many hackers who covertly take control of your computer are looking to
draft it into a botnet. But there are a host of other ways to get hijacked.
Aggressive marketers are using "adware" to hijack Web searches, display
pop-up ads and drag surfers to unwanted Web sites. Adware's more insidious
cousin, spyware, can capture users' keystrokes and follow their browsing
activities. These programs often arrive bundled with free software or sneak
onto users' computers when they visit dodgy Web sites.
Viruses, meanwhile, have become a tool for delivering malicious payloads
and not just a form of causing mischief. Hackers are using them to install
bots and Trojans that give them control of PCs, allowing them to send spam
and steal private personal information silently.
After Mr. McKay, the Charlotte attorney, cleared up his botnet problem, the
home page of his Web browser was hijacked by an adware program, forcing him
to view a "flashy, gaudy" page featuring links to mortgage lenders and
pornography. Only when his girlfriend refused to touch the computer did he
cave. "I said, 'All right, this is embarrassing,' " he recalls. " 'I'm
going to fix it.' "
Mr. McKay had to undergo a crash course in Internet security to get rid of
the programs that hijacked his computer. He ran a battery of different
security programs, killing anything that looked suspicious. But after a
slew of software failed to clean out his machine, he turned to extracting
the pests manually.
Security experts advise consumers to make sure they install and use
firewall and up-to-date antivirus programs, combined with regular sweeps
with a spyware-removal program. Increasingly, Internet-service providers
are offering their embattled customers security tools. Many people are also
switching to Apple Computer Inc.'s Macintosh machines and the Firefox Web
browser, which have rarely been the target of malicious code.
AIRBORNE ASSAULT
In the future, security attacks will come out of thin air. Smartphones and
some personal digital assistants boast always-on wireless connections and
run more-sophisticated software than standard cellphones, making them
susceptible to viruses, worms and data theft just like PCs.
The hackers' current pathway of choice: Bluetooth. This radio technology
allows short-range wireless communication for sending messages, exchanging
electronic business cards and using wireless headsets. But hackers can
exploit flaws in Bluetooth to steal information from digital gadgets or
spread viruses.
For now, mobile viruses have done little more than drain their victims'
phone batteries and send off text messages using their account. But bigger
threats may be coming. The invasions so far were merely "science projects"
for hackers wanting to see if they could attack mobile devices, says Victor
Kouznetsov, senior vice president of mobile solutions for McAfee. "They
discovered it's not that hard."
Mr. Pironti of Unisys says people should use built-in Bluetooth security
features that let only authorized headsets and PCs talk to their phones.
They should also change default passwords for wireless headsets. Meanwhile,
security-software companies are rushing to offer antivirus protection for
mobile devices. Japanese carrier NTT DoCoMo Inc. sells phones with built-in
antivirus software from McAfee. A number of large carriers offer similar
protection from F-Secure Corp. of Finland.
But the best defense will come from wireless carriers blocking attacks
within their networks, before they can reach people's phones, says Gartner
Inc. analyst John Pescatore. Cellphone users should start asking their
providers what protection they offer or intend to provide, he says.
F-Secure, for one, says its network-level technology has been deployed by
nine wireless operators that altogether serve 32 million subscribers.
YOUR KIDS
What's the quickest way to get your computer infested with spyware, bots
and Trojans? Let your kids use it.
Kids often use music and video file-sharing programs like Kazaa, LimeWire
and BitTorrent, where they can unwittingly download adware and spyware.
They also pick up nasty programs at "code and cheat" sites, which help them
get higher rankings in online games. And curiosity will take them to plenty
of other risky places, including porn sites.
Some security experts advise parents to have a separate computer for the
kids. John Esposito of Ridgewood, N.J., keeps financial records on his own
laptop, so they won't be endangered if nine-year-old Zoe or 13-year-old
Zach inadvertently lets in a hacker program.
In addition to protecting their PC with the usual array of security
software, parents can use parental-control tools to restrict access to
inappropriate sites. Parry Aftab, executive director of WiredSafety Group,
a New York-based advocate for online safety, recommends kid-safe search
engines, such as Yahoo Inc.'s Yahooligans and Ask Jeeves Inc.'s Ask Jeeves
Kids. These sites won't steer kids to sites meant for adults, including
porn sites that try to lure visitors with misspellings of popular keywords.
Parents should also talk to their children about online dangers and set
ground rules for computer use. Parents may even want to use some spyware
tools of their own to monitor what kids do online. Ms. Aftab recommends
monitoring software from SpectorSoft Corp. because it's able to capture
instant messaging in multiple formats.
--Mr. Bank is a staff reporter in the Wall Street Journal's San Francisco
bureau, and Ms. Richmond is a reporter for Dow Jones Newswires in Jersey
City, N.J.
--
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
_______________________________________________
Clips mailing list
Clips at philodox.com
http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com