Keys clatter in the otherwise silent room as Joe Download makes his purchase. Away from the garish banner ads of the Web storefront, J.D. painstakingly types information into the online order form. 9876. Space. 5432. Space. 1234. Space. 5678. With a click of the mouse, J.D.'s credit card number leaps into the void, encrypted and labeled with the recipient's address. Upon reaching its destination, the merchant's computer decodes and stores the information packet. Transaction completed.
in the Lab
Bishop heads the Computer Security Laboratory at UC Davis. One of his research projects is vulnerability analysis, the systematic examination of vulnerable points in computer systems. The analysis helps researchers pick apart security flaws and develop systems that protect sensitive information, like credit card numbers.
"Security holes are plentiful," says Bishop. A hole is a part of the computer network -- like the front door on a house -- that intruders can manipulate for their own ends. Many problems stem from cruddy software, he says, in programs that were written quickly without paying attention to security. Criminals don't need to haul in exotic weapons to assault the house; they can take advantage of the tools put in place by software designers. If no one puts a deadbolt on their front door, criminals can use the door to wander into houses and make off with valuables. The unlocked doors in computer security are often simple applications, such as a program that opens text files, that don't have deadbolts to prevent them from being abused.
Here's one example of how an intruder could take advantage of the not-so-hot security of a simple file-reading program to grab something he doesn't have permission to read. Let's say a temp worker at an online merchant uses an insecure program (like Telnet) which doesn't encrypt his password as he dials into the company network from home. Our thief intercepts the password and hops onto the merchant's system masquerading as the employee.
The would-be thief can't read every file on the network, because the company has set up the computers so that certain files -- such as ones containing customers' credit card information -- may only be opened by bosses and managers.
The thief finds himself in a library of locked boxes. A single key will open every box in the room, but the key is guarded by the librarian (the network system), and the librarian will only hand out the key if the employee has permission to open the box. So the thief grabs a box that any member of the company may open and brings it to the librarian. The librarian checks the intruder's phony I.D., examines the box, and hustles off to get the key because he sees that the box doesn't have any restrictions on who may open it. While the librarian is out of the room, the thief puts the first box back and grabs the credit card box. The librarian returns, hands the thief the key, and the thief opens the box containing the credit card information. This is a security hole -- the intruder has outwitted the system's security by taking advantage of a combination of conditions.
When Bishop thinks about closing this security hole, he examines the conditions, or characteristics, that made the exploit possible. First, it must be true that one key will open any box. (In other words, the application program that reads files is capable of opening any file -- it just needs permission to do so.) Second, the thief needs a bit of time between showing the librarian the first box and opening the second box. (Heavily used networks sometimes slow down so much that the thief might have a couple of minutes to perform this step.)
The thief can't carry out the caper if either condition is false. Only one characteristic has to be changed to plug the hole. In this example, it's easier to fiddle with the key than stop the thief from taking advantage of network slowdown.
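The librarian's lapse is a check made on a name, followed later by a use of that same name. As an added example (not from the article or from Bishop's lab), this C program replays the swap deterministically and shows the one-condition fix of checking the file that was actually opened; the file names, the "world-readable means public" policy and the `window` hook that stands in for the delay are all assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed policy: a box "anyone may open" is a world-readable file. */
static int is_public(const struct stat *st) { return (st->st_mode & S_IROTH) != 0; }

/* Fixture: create a constructed sample file with an exact mode. */
void put_file(const char *path, const char *text, mode_t mode) {
    FILE *f = fopen(path, "w");
    if (f) { fputs(text, f); fclose(f); chmod(path, mode); }
}
/* Stands in for the swap during the delay: the checked name now means the secret. */
void swap_boxes(void) { rename("cards.txt", "box.txt"); }

static int slurp(int fd, char *out, size_t n) {
    ssize_t got = read(fd, out, n - 1);
    close(fd);
    return got < 0 ? -1 : (out[got] = '\0', 0);
}

/* Flawed: the check and the open each resolve the name, at different times. */
int read_check_path(const char *path, void (*window)(void), char *out, size_t n) {
    struct stat st;
    if (stat(path, &st) != 0 || !is_public(&st)) return -1;
    if (window) window();                      /* gap between check and use */
    int fd = open(path, O_RDONLY);
    return fd < 0 ? -1 : slurp(fd, out, n);
}

/* Hardened: open first, then check the object the descriptor is bound to. */
int read_check_fd(const char *path, void (*window)(void), char *out, size_t n) {
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (window) window();                      /* a swap here changes nothing */
    if (fstat(fd, &st) != 0 || !is_public(&st)) { close(fd); return -1; }
    return slurp(fd, out, n);
}

int main(void) {
    char buf[64];
    put_file("box.txt", "lunch menu", 0644);
    put_file("cards.txt", "9876 5432 1234 5678", 0600);
    int rc = read_check_fd("box.txt", swap_boxes, buf, sizeof buf);
    printf("descriptor check: rc=%d text=%s\n", rc, rc == 0 ? buf : "(refused)");
    return remove("box.txt");
}
```

The hardened reader leaves the delay in place and changes only what the check is bound to, which is the "fiddle with the key" choice the passage describes.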
The method of breaking down holes into conditions becomes even more powerful as the number of conditions increases. If you know the ingredients that created the situation, you only have to change one -- out of many -- to prevent a thief from exploiting the hole.
With this philosophy in mind, Bishop and his students have launched into an effort to catalog all the conditions that lead to vulnerable points in security. Bishop suspects -- although he hasn't proved this -- that the number of characteristics is smaller than the number of capers thieves can pull off. So far, the number of conditions that contribute to holes does seem to be limited. The set of characteristics Bishop and his students have defined hasn't grown recently, even as they continue to analyze new types of break-ins.
Still, the hunt for new holes and conditions continues. Prospecting for vulnerable points in a system requires creativity and flexible thinking -- as well as a knack for combining conditions in novel ways. The best way to achieve this mindset, says Bishop, is to approach the system from the viewpoint of an attacker.
"In order to know how to defend, you need to know how to attack," he says. A good attacker will ask, "What's the defender's model? How is he thinking about the system?" -- and then go around a different way, Bishop says.
Defenders often lull themselves into a false sense of security and stop thinking about their system creatively, Bishop says. In the example above with the online merchant, the system defenders might have thought the most vulnerable points in their security were the managers' passwords. Rather than keeping an eye out for other threats, the defenders concentrated on protecting the passwords of people who had access to sensitive information. They didn't realize that someone with fewer permissions could trick the system into coughing up the credit card numbers.
Bishop's students practice attacking pre-configured computers, poking and prodding to uncover the carefully planted holes. Even in a structured situation, the students' attacks can be unpredictable -- even unexpected, and Bishop relates with amusement how one team of students outfoxed the computer system and exploited a hole the instructors had overlooked. "We were very impressed," he says with a grin.
To encourage his students to think outside the box, Bishop reminds them that security isn't limited to the digital world. Bishop sometimes assigns Machiavelli's The Prince as class reading. Machiavelli recognized the elements of security 500 years ago: trust as few people as possible, contain damages, and surprise your adversary. Seeing security at work in other contexts could inspire students to come at the problem from a new angle.
It can also rattle assumptions about what's important. "Question assumptions," Bishop says. "If you figure out what assumptions you're making, you'll know who and what you are trusting. And at that point, you'll know an awful lot more about your system."
Hackers in the wild
Outside academic labs, hackers work out their own courses in vulnerability analysis. The instructors are the pros -- they pack their lectures into computer code, and descriptions of their exploits. Libraries of attack tools proliferate -- and are easily found with a simple keyword search. In the Internet laboratory, hackers test security ideas by putting systems around the world under constant attack.
The line between legal and illegal trespass is blurred. Hackers that poke other people's systems aren't necessarily thieves or criminals -- but they are treading on treacherous legal ground.
For hackers, motivation divides hacker activities from crackers' exploits. Malicious criminal activity comprises the domain of crackers -- information theft, website defacement, data corruption, denial-of-service attacks. Hackers don't destroy or steal information -- but they may point out weak points in system security or uncover compromising bugs in commercial software.
A burning curiosity drives non-malicious hacking, says Carolyn Meinel, a computer security consultant in New Mexico who says she's been a hacker ever since she took her first computer course in the early '70s. Meinel is author of several books on computer hacking (including the primer The Happy Hacker: a guide to [mostly] harmless hacking and the more technical Uberhacker). Hackers want to answer countless variations of the question, "What happens if ..." Meinel insists that hackers are not synonymous with criminals. The Internet's networks are a treasure trove of brain teasers and spy games, and the addictive thrill of exploration.
The information garnered from these forays can sometimes keep the larger community safe. If a hacker uncovers a software hole and contacts the company, the company can correct the vulnerability before a cracker wreaks havoc. Hackers also serve as volunteer software watchdogs, berating software manufacturers when a security issue has been ignored or handled sloppily, Meinel says.
The Internet has several posting and boasting grounds for hacker-accumulated information. The largest of these, Bugtraq (www.Bugtraq.com), is a virtual emporium of security hole information -- its halls are filled with the continuous technical murmur of hacker shop-talk. The website's keeper, Elias Levy, posts guidelines requesting that hackers who find holes contact the companies first, and give them a week to respond before placing the information on Bugtraq. If the company ignores the hacker, however, the policy of Bugtraq -- and the hacker community at large -- suggests it is better to publicize security flaws than sweep them under the carpet.
"If it weren't for hackers, companies would get away with this all the time," Meinel says.
Hacker explorations on the Internet put the hacker in the attacker's shoes. HyangSook Cho, a programmer who works for Hackerslab, a security firm in Korea, insists that security consultants and administrators need to have all the skills of a cracker.
"Have you ever read The Art of War -- the oldest military treatise in the world written by Sun Tzu?" he wrote in an e-mail. "It says: 'Know your enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chance of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle.'"
But it's a short jump from hiring someone with the skills of a cracker to hiring an actual cracker. A lot of security consultants come into the field with a shady background, Meinel says. Many companies feel they have to hire the criminals in order to see how they operate, she says. But some want to take promising programmers and train them instead of getting the people who learned in the back alleys.
Jeong Nam Lee founded Hackerslab because he was disappointed that young people's desire to hack led to computer crimes, Cho says. He wanted to lead them away from the underground, and have them work out in the open and be beneficial to society.
How do you train an attacker and make them work out in the open at the same time? Not surprisingly, hordes of Internet users aren't rushing to volunteer their computers for experimentation. Much as Bishop turns his students loose on pre-configured computers, Hackerslab runs one of its computers specifically for hackers to practice cracking.
A hacker starts off on the least secure level, and then works his or her way through fourteen levels. Reaching the fourteenth level requires a good mix of up-to-date hacking and programming skills combined with creative thinking, says Cho.
People outside the company sometimes worry about promoting the hacking lab, Cho says. They wonder if a site for hacking is like giving compulsive robbers a store to rob; isn't it a way of encouraging illegal behavior? But the knowledge hackers learn could be invaluable, he says, if the hackers are later employed in national or bank security.
Wargames also engage hackers in above-board exploits. In these highly technical versions of capture the flag, some companies post rewards -- sometimes substantial sums of money -- challenging hackers to break into computers and retrieve heavily guarded pieces of information.
can use his knowledge to fend off different classes of attackers. The availability of code on the Internet breeds pests called "Script kiddies" or "code monkeys" -- hackers without programming skills or any hard-core knowledge of computer security. A consultant familiar with the scripts can defend against these brainless -- although damaging -- attacks.
A nation of ostriches
The hacker community may provide information on security holes. Companies may write the patches, slap band aids onto software, beef up vulnerable systems, and devise more effective security policies. At some point, however, security slams into an unexpected obstacle: the ordinary user.
"Basically, security is inconvenient," Ferguson says. There aren't any remaining technological challenges to making systems more secure, he says. "We have the cryptography, and we have all the technology we need. There's been nothing really new since the late '80s. We tell people they need encryption, but that slows down computers by 20 percent -- and they don't want it."
The biggest problem computer security faces, Ferguson says, is that the ordinary Internet user trusts that a system will work without vigilant security. Users should take precautions, detect intrusions and respond to break-ins.
Instead, individuals and companies allow software to become obsolete, neglecting to acquire up-to-date versions or security patches. People find it difficult to memorize hard-to-crack passwords -- passwords without any dictionary words and full of symbols and variable capitalization -- and the weak passwords they choose instead compromise security. And because it's a hassle to follow the protocols, individuals disable security routines -- such as keeping virus detection software on at all times, or evaluating sources before downloading files.
"It's a lot like people moving to the city," Ferguson says. "When people move out of small villages to the big city, they are annoyed because they need to lock their doors. It really inconveniences you every time you go out." In other areas of life, however, we accept the inconvenience without complaint.
"Suppose you buy something -- something big -- like a washing machine," he says. "You take off time from work to sit at home, waiting, so that when they deliver it you can let them in to put it in the basement. Nobody would suggest -- nobody! -- that you hand over a copy of your keys to the company and allow strangers into your house to put in the washing machine.
"But that's what people do all the time on the Internet. You just download this program or that program, giving a complete stranger unlimited access to your digital house," he says.
For some companies, the level of risk seems too low to justify investing a lot in security, Ferguson says. Companies tend to jump on quick and faulty fixes. Firewalls are one security tool that companies view as a panacea. A firewall monitors the flow of information in and out of a network, and prevents unfamiliar users from getting into the company's network -- most of the time. But companies don't always have the know-how or the resources to configure the firewall correctly, Ferguson says. People might be breaking in all the time and stealing data, but the company can say, "We bought the firewall but it didn't hold." The ostrich mentality is everywhere in the field.
The image of a nation of ostriches connected to the Internet isn't particularly heartening. But until individuals decide that it is worth the inconvenience of reading up on an Internet retailer's security policy before buying online, memorizing an obscure password, and approaching the Internet with caution, not much will change.
Although individuals may take precautions sporadically, credit card companies are implementing a suite of tools to systematically detect and prevent fraud. Complex software tracks the buying habits of individual consumers, and raises a red flag when someone begins using his or her credit card in an uncharacteristic fashion. VISA is developing electronic wallets -- a combination of electronic ID and credit card buying power -- to address the problem of verifying Internet identity, says Casey Watson, director of international communications at VISA. To keep ahead of fraud, the company continues to work out new security measures. "It's a naturally evolving security curve, from chips on the cards themselves to smart neural networks. We work with law enforcement to stop the bad guys, and the system naturally evolves in response."
The Internet wasn't designed with security in mind -- it was created to exchange information. "In a fast-paced world, we want new applications yesterday," Ferguson says. "When you build a new system and leave out security, it works amazingly well."
But the crooks will catch up -- and start finding the holes. "When cars were first built, they didn't have keys," Ferguson says. "You just started them by pushing a button. With credit cards it was the same -- you didn't need to use a signature. Then the fraud increased and they had to change the system. The Internet won't be any different."
M.S., physical oceanography, University of Washington
Internship: Popular Science, New York
Text © 2001 Katie
Illustrations © 2001 Leana Rosetti