SPECIAL REPORT: Network security

Dangers without, Dangers within
Network security in the age of e-commerce
By Peter Golden

According to an FBI affidavit, on March 28, 1997, Carlos Felipe Salgado, Jr., hacked a server of a San Diego, CA, Internet service provider (ISP) and added to his impressive collection of Web-jacked credit cards. Through an Internet relay chat (IRC), Salgado started bragging to one of the ISP's customers about his hack and offered to sell him 60,000 valid credit card numbers. The customer got in touch with the ISP owner, who called the FBI, and federal agents arranged a sting, having the customer contact Salgado and ask him if he was still interested in selling the card numbers.

Salgado was indeed interested, and on May 4, he sent an encrypted e-mail message to the customer, saying, "There may be a delay in our business . . . This morning I was reading a business magazine article about online transactions on the Internet and a particular niche in services. A couple of companies were mentioned that generated SEVERAL MILLION dollars in CC [credit card] transactions a week! I decided to go exploring and got into their sites . . ."

Like any competent, postmodern thief, Salgado gave his customer a sweet, cheap electronic taste, selling him 710 credit card numbers for $710. The numbers were sent as an attachment to an encrypted e-mail message and payment was made through a Western Union transfer. After another small sale, Salgado arranged to meet his buyer at San Francisco International Airport a few weeks later on the morning of May 21, and sell him approximately 100,000 credit card numbers for $260,000. Salgado and his customer showed up right on time. So did the FBI. They arrested Salgado and confiscated a CD-ROM full of stolen numbers encrypted with a code based on a page from a Mario Puzo novel, The Last Don.

Carlos Salgado is part of the disturbing national trend reflected in the 1998 "Computer Crime and Security Survey." The survey was conducted by the San Francisco, CA-based Computer Security Institute (CSI), an association of information security professionals, and the San Francisco office of the FBI's Computer Crime Squad.

Based on responses from 520 security practitioners in U.S. corporations, government agencies, financial institutions and universities, the survey found that 64% of the respondents reported computer security breaches in 1998, a 16% increase from 1997 and a 22% increase from 1996, the first year the survey was conducted. Although 72% of those surveyed admitted they suffered financial losses from security breaches, only 46% were able to quantify their losses, which added up to nearly $137 million, a 36% increase from the 1997 CSI survey.

"Computer crime will continue to move dramatically upward," says CSI Director Patrice Rapalus. "Most organizations have inadequate staff and training to deal with the problem, and security is seen as just a huge expense."

CSI found that companies only employ approximately one computer-security administrator for every 1,000 users of the computer system, and the budget for computer security ranges from just 1% to 3% of the total IT budget.

"Furthermore," adds Rapalus, "companies are often afraid to report an incident because they feel it diminishes their credibility and can lower their stock price."

As an example, Rapalus cites the Citibank Corp. incident in 1994 when Russian hackers led by Vladimir Levin cracked Citibank's computer system and transferred more than $10 million from customers' accounts. Citibank eventually recovered all but about $400,000, and Levin was later arrested by Interpol at Heathrow Airport in London.

"But afterward," adds Rapalus, "rumors circulated that competitors were using the crime as a way to steal Citibank clients."

Dangers within

Although the danger from outside hackers is significant and has increased by 17% over the last two years, as Internet use has exploded, the CSI Survey discovered that the most serious financial losses occur through unauthorized access to company networks by insiders (18 respondents reported $50.6 million in losses), theft of proprietary information (20 respondents reported $33.5 million in losses), telecommunications fraud (32 respondents reported $17.3 million in losses) and financial fraud (29 respondents reported $11.2 million in losses).

Here, too, companies are reluctant to report the incidents. As William Malik, a vice president and research director for the Gartner Group in Stamford, CT, recently told the New York Times: "Most firms would rather go public with the news that their chief executive officer was an alcoholic than the news that there was an insider security problem."

As grim as the current situation is becoming, CSI's Rapalus sees even more reason for concern in the future. "What is most alarming about Internet crimes is that the ones we know about are usually committed by amateurs," says Rapalus. "We have no idea what the real professionals are up to. They're not the kind of criminals who like to graffiti the walls."

That threat will become more virulent as e-commerce grows. The Forrester Group, Cambridge, MA, predicts that the value of goods and services traded over the Internet will skyrocket to $327 billion by 2002. It's not far-fetched to presume that a proliferation of Web-jackers will trail, like virtual hyenas, the increasing feast of e-commerce.

Salgado was no genius and the tools he used were readily available hacking programs. Suppose that, instead of taking the pedestrian route of fencing the credit cards, he had contacted an unscrupulous computer manufacturer who hoped to damage his competitors by paying Salgado to use the credit cards during the Christmas buying season to place 100,000 orders over the Web with other computer makers.

A simple program could submit the orders, and the victims would not only have trouble meeting their legitimate and illegitimate orders--thereby alienating their real customers--they would waste millions of dollars in labor, materials, shipping costs and systems that wouldn't make it back to the factory. Salgado certainly had room on the credit cards to do some state-of-the-art sabotage: The total credit limit approached $1 billion.

A cultural myopia may prevent many of us from confronting our illusion of safety. As Joe Kovara, CTO of CyberSafe Corp. in Issaquah, WA, a network-security provider to the Fortune 1,000, observes: "People understand that a robber can walk into a bank, empty the vault and carry out the money in a suitcase. Well, they also need to understand that the Internet is the biggest suitcase in the world."

Net loss

In the United States, the Internet is associated with the rights of free speech and privacy that are deemed sacred. Thus, government efforts to limit content on Web sites or to identify surfers are met with a cavalcade of crusading lawyers waving the Constitution.

"We could use some high-profile convictions of hackers and stiff sentences to deter Internet crime," says Special Agent Peter Trahon, who supervises the San Francisco office of the FBI's Computer Crime Squad. "Crime follows money and there are millions of dollars floating around cyberspace. Unfortunately, our laws haven't caught up with the technology. Our legislators need to get involved, and our [prosecutors and judges] need to know enough about the technological aspects of a case to appreciate the seriousness of the issues. Hacking is frequently treated as no more serious a crime than trespassing. Look what happened with those two teenagers [in Cloverdale, CA]."

The teenagers, known on the 'Net as "Makaveli" and "TooShort," executed one of the more appalling hacks. Along with their coach, 18-year-old Israeli hacker Ehud Tenenbaum, Makaveli and TooShort broke into U.S. military, government and university computers, and federal prosecutors claimed that the teenagers could have disrupted military communications around the world. According to AntiOnline.com, a Web site publication, Makaveli later explained his motivation by saying: "It's power, dude."

The Cloverdale teens pleaded guilty to committing acts of juvenile delinquency, and, while both could have been kept in custody until the age of 21, neither was sent to a state facility. Tenenbaum was put under house arrest and his computer was confiscated, but he also managed to become a celebrity, appearing in an advertisement for an Israeli computer company and being offered book and movie deals.

In the 19th century, Americans had the endless sky and grassy plains of the West. Now, in the looming shadow of Y2K, we have the infinite frontier of cyberspace and, for the moment, we mean to preserve it as a bastion of liberty.

Some nations, though, are less enthralled with limitless horizons. China is one. It has a culture that generally does not share our devotion to freedom, and where Web-jacking is seen in a harsher light. The Chinese government began policing the Internet to head off pro-democratic radicals. However, as online users mushroomed from 620,000 in 1997 to an estimated 5 million by next year, Beijing focused on the $60 billion in assets they saw exposed on the Internet.

The government's response to a recent Web-jacking was clearly meant to send a message to those who mistake cybercrime for a career opportunity. In December 1998, Reuters reported that two Chinese hackers caught breaking into a bank's computer system and stealing nearly $100,000 were sentenced to death.

This sentence may well represent a more realistic appraisal of the potential damage Web-jackers can cause than the slaps on the wrist that are customary in U.S. courtrooms. In addition, companies have more to worry about than financial losses. Protecting their data would appear to be even more crucial to their long-term health. According to the U.S. Bureau of Labor, 93% of companies that suffer a significant data loss are out of business within five years.

Why, with this much at stake, do so many CEOs in the United States ignore the imperative of adequately securing their networks? The answer, according to one security professional, lies partly in the fact that the ideal of freedom in the United States has been transformed into a grand illusion by our vast geographical borders.

Dangers without

"European companies are more sophisticated about security than their U.S. counterparts," says Lior Arussy, head of channel marketing for Hewlett-Packard Co.'s Internet Security Operation (ISCO) in Palo Alto. "That's because Europeans have a history of living next door to their enemies."

Arussy is an Israeli by birth, so he is well-acquainted with the pervasive sense of being surrounded by hostility. In his travels for HP he spends a fair amount of time explaining to corporations that network security is no longer solely the province of the IT manager. CEOs must become involved, he says, because the stakes are too high and for many companies their survival is inextricably linked to their networks. Yet Arussy often finds that American CEOs remain steadfast in their resistance to the idea that their systems are actually threatened by adversaries.

"An executive sitting in Seattle has nothing to fear from an executive in California," says Arussy. "So I explain to CEOs that they have to think of network security as a form of physical security, like locking the door and turning on the alarm. Yet many of them have trouble seeing this concept in the virtual world even though intellectually they understand that on the Internet everyone is your neighbor. Even when American CEOs do see the problem, they frequently respond that security is too expensive, and they are better off taking their chances. If they do get hacked they figure it will come out even on the balance sheet."

Although this sounds like the tack taken by an ostrich, Paul Strassmann, chairman and CEO of the Software Testing Assurance Corp. in New Canaan, CT, and a former Deputy Assistant Secretary of Defense for Command, Control, Communications and Intelligence, feels that companies currently have few real choices to address their security concerns.

"We are not serious about security," says Strassmann, who also serves as an adjunct professor at the School of Information Warfare at the National Defense University (NDU) at Fort Lesley J. McNair in Washington, D.C. "Have you ever heard of an insurance company certifying a network? Have you ever seen a vendor warranty on security software? You have to get a building certified before you can pour cement, why not the same with networks?"

From a theoretical perspective, Strassmann has a point, but his position leaves no room for the practical dilemmas facing businesses, a situation that Dr. Jeffrey Jaffe confronts on a daily basis. Jaffe is general manager of SecureWay at IBM Corp., Armonk, NY, and he manages IBM's networking infrastructure products. He was also appointed to the Advisory Committee of the President's Commission on Critical Infrastructure Protection, which was founded to examine cyberthreats to key national networks.

"When I speak to a client," says Jaffe, "he or she will often say: 'Gee, Jeff, we understand that e-commerce would be good for us, but we don't want to take the risk.'

"My response to them is, 'There is no such thing as absolute security, but if you want to be paranoid, your customers will leave you behind.' The truth is that from a corporate perspective, it's more dangerous to a company's survival over the long haul not to get into e-commerce."

IBM offers a wide range of security products and services to its customers, but Jaffe regularly finds that the place to begin is not with a company's computers, but with the common sense of its overall security policies.

"It's not unusual to discover that an IT department hasn't bothered to disable the default user-IDs," says Jaffe. "Or to walk through a company and see everyone's [network] password written down on a yellow sticky note and stuck to their monitors. We live in a trusting society, so if a person comes in and seems to belong in the place, no one says anything to him. If the intruder is asked for his security badge, he can just say he forgot it and he's frequently not pressed to show any form of ID. Stopping these intrusions doesn't require software."

The fact is that security concerns always need to be met with common sense as well as technology. For example, it has been said that the value of a notebook computer to a thief depends on what company he steals it from and the kind of information it contains. So HP and IBM, in an effort to protect information on notebooks, sell a Smart Card security solution, a PC-card that helps prevent unauthorized access to the notebook's hard drive. However, if the owner of the notebook does not make certain that the system is active and forgets to keep his eye on his laptop, it doesn't matter how much his company has invested in security; their data will be stolen.

Not an option

"There is no one answer to corporate security," says Steve Baker, president and CEO of Chrysalis-ITS of Ontario, Canada, which provides encryption subsystems for the network security industry. "The first step is for a CEO to understand that security is not an option; it is a cost of doing business, and one should not consider installing a network and getting involved in e-commerce unless they're willing to spend the money to protect their company. The next step is to build a combination of systems: a firewall, intrusion-detection tools, a virtual private network and encryption."

Encryption is an often-cited answer to security problems, but, again, technology has to be used alongside strict employee procedures and policies. For instance, a company could use CyberSafe's TrustBroker™ Security Suite, which provides a secure single sign-on for large enterprise networks, taking the user's identity and sending it across the network, so users can log on once and securely access virtually all applications without re-entering passwords. However, this solution won't work if an employee has some evil intent or other employees keep pasting their passwords to their monitors.

For now, the best security available is common sense and a patchwork quilt of products that, no matter how costly, will still contain tiny holes that hackers can slink through, and it will probably be a while before these gaps are filled.

As Mike Vergara, product manager of core crypto products at RSA Data Security Inc., in San Mateo, CA, a major vendor of encryption and authentication technologies, observes: "Give the Net three to five years to become more dominant, and at that point, if you have a major security breach, everyone, from CEOs to grandmothers in Iowa, is going to care. Then, as a country, all of us will take network security seriously."


Peter Golden has been a contributor to Newsweek and the Detroit Free Press. Email him at pagolden@earthlink.net.

