
Keys clatter in the otherwise silent room as Joe Download makes his purchase. Away from the garish banner ads of the Web storefront, J.D. painstakingly types information into the online order form. 9876. Space. 5432 Space.1234. Space. 5678. With a click of the mouse, J.D.’s credit card number leaps into the void, encrypted and labeled with the recipient’s address. Upon reaching its destination, the merchant’s computer decodes and stores the information packet. Transaction completed.


If J.D. feels any queasiness about entrusting his financial identity to the Web, he isn’t alone. Nine out of ten Americans said in a survey released in October that they are at least somewhat concerned about credit card security on the Internet. But that doesn’t stop them from buying: Americans spent around $48 billion in online purchases in 2000. From 1998 to 2000, the number of Americans who bought goods online mushroomed from 20 million to over 40 million—about 15 percent of the U.S. population.

The FBI began compiling statistics on Internet fraud in May 2000. In the first six months, the FBI estimates the money lost to fraud—an average of $255 per incident—was about a tenth of a percent of the amount that changed hands. And contrary to people’s fears, credit card fraud doesn’t top the list of online fraud schemes. Two thirds of reported Internet fraud results from phony entries on Internet auctions and goods that are never delivered—credit card abuse weighs in at only five percent.

Fraud itself may be low, but anecdotal evidence of the theft of credit card numbers seems to be increasing. After the first mass heist of credit card numbers from CDUniverse in January 2000, break-ins have surfaced sporadically in the news, and the FBI estimates that over 40 businesses in 20 states have had credit card information compromised.

Small businesses are especially vulnerable, suggests the Internet business and marketing firm Gartner Group. Some businesses lack the resources to hire highly trained security experts to protect their systems. The Gartner Group predicts that by 2003, half of small to midsized merchants will have been the victims of successful cybercrime. Even more chillingly, they predict that 60 percent will not even be aware the theft occurred.

Like small businesses, the ordinary Internet user lacks an arsenal of security software and trained personnel to protect his or her system. At the same time, individuals may worry about small risks—such as sending encrypted information over the Net—rather than paying attention to more compromising behavior—like downloading files to their home computer or opening e-mail attachments.

“There’s a difference between what people are concerned about and what’s important,” says Niels Ferguson, an encryption consultant based in Amsterdam who has been working in the field for the last ten years. Sending encrypted information isn’t really a problem, he says. If a would-be thief intercepts the data, all he or she gets is a meaningless jumble of symbols. The more likely site for theft is not en route, but in a mass heist off the merchant’s databases, or off the average person’s home computer.

Security experts draw information from many sources to spot risky situations and behavior. Researchers in university laboratories pick apart computer vulnerabilities with formal logic. Computer enthusiasts known as hackers use their in-depth knowledge of computers to prod commercial software and explore the rough and tumble world of the Net. Based on this information, the ordinary user can get a feel for what attackers hunt for and exploit, and what actions may be more risky than others.


Target Practice on the Internet

How do criminals pick out targets in the vast world of the Internet, populated with its host of muttering machines? The magnitude of such a search seems mind-boggling.

Imagine peering out of an airplane window to look down on a city at night. The yellow spots of street-lamps illuminate main arteries and streets; lines of lights trace the interconnecting roads and avenues. Lights flicker on and off in homes, and fuzzy white car headlights travel through the network of streets. Now imagine that you can seize the edges of this city and stretch it out. The roads lengthen and the houses multiply as streets and homes expand to cover the country, touching coast to coast. Then stretch the net even farther, until the digital houses and back alleys crisscross the entire world.

No people are visible from the plane—you don’t see the person driving his car home from work, the people in their houses, or the burglar breaking into an abandoned home. You also don’t see any human traffic wardens—and none direct traffic on the Internet, either. Instead, a team of high-powered computers, called routers, whisks information to its destination much as a puck travels across an ice hockey rink. The players don’t send the puck skidding into the goal on the first stroke. Instead the puck darts from one side to the other as the players, the routers, navigate the object around crowded regions and past obstacles. Like the players, routers communicate with each other, warning of traffic jams and downed computers in their portion of the network. Even more amazing, the message is broken into many packets for the journey through the Net; the “puck” is only reassembled inside the enemy’s goal.

Computer criminals—often called crackers—lurk on the edges of this automated world of whizzing packages of splintered information. Rather than haunt the Internet roadways, crackers target the homes. Each computer has a unique address, and crackers make use of software programs that scan systematically through many possible addresses. If the software surveys an address and discovers a computer, it may catalog the home’s defenses, checking to see if common software flaws have left windows unlocked or doors ajar.

Most computers aren’t set up to detect these tentative searchers. But among computer security enthusiasts, stories of computers being probed are common in the chatter of bulletin boards, and passed about—with wry smiles—among experts.
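The article notes that most machines are not set up to notice the probing it describes. As an added illustration, not code from the article, here is the kind of simple detection a defender can run over a connection log: it groups attempts by source and target and flags any source that touches many distinct ports on one host within a short window. The log format, the addresses and the threshold are all constructed for this example.

```python
"""Flag hosts that probe many ports on one target within a short window.

Added example, not part of the original article. The log format and every
address below are constructed for illustration (documentation ranges only).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <src> -> <dst>:<port> <verdict>"
SAMPLE_LOG = """\
2001-03-01T22:10:01 192.0.2.10 -> 198.51.100.5:21 DROP
2001-03-01T22:10:01 192.0.2.10 -> 198.51.100.5:22 DROP
2001-03-01T22:10:02 192.0.2.10 -> 198.51.100.5:23 DROP
2001-03-01T22:10:02 192.0.2.10 -> 198.51.100.5:25 DROP
2001-03-01T22:10:03 192.0.2.10 -> 198.51.100.5:80 ACCEPT
2001-03-01T22:10:03 192.0.2.10 -> 198.51.100.5:110 DROP
2001-03-01T22:10:04 192.0.2.10 -> 198.51.100.5:139 DROP
2001-03-01T22:10:04 192.0.2.10 -> 198.51.100.5:443 DROP
2001-03-01T22:15:30 203.0.113.7 -> 198.51.100.5:80 ACCEPT
2001-03-01T22:16:02 203.0.113.7 -> 198.51.100.5:80 ACCEPT
2001-03-01T23:40:00 192.0.2.77 -> 198.51.100.5:22 DROP
"""


def parse_line(line):
    """Split one constructed log line into (time, src, dst, port, verdict)."""
    ts, src, _arrow, dst_port, verdict = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), verdict


def detect_scans(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {(src, dst): distinct_ports} for pairs that look like a port sweep.

    A pair is flagged when `threshold` or more distinct destination ports are
    attempted within any `window`-long stretch. Verdict is ignored on purpose:
    a sweep is visible whether or not each attempt was dropped.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _verdict = parse_line(line)
        events[(src, dst)].append((ts, port))

    flagged = {}
    for pair, evs in events.items():
        evs.sort()  # oldest first, so a slice from i covers only later events
        for i, (t0, _port) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                flagged[pair] = max(len(ports), flagged.get(pair, 0))
    return flagged


if __name__ == "__main__":
    for (src, dst), n in detect_scans(SAMPLE_LOG).items():
        print(f"possible port sweep: {src} touched {n} ports on {dst}")
```

On the sample above only the first source is reported; the two legitimate web visits and the single late-night connection attempt stay below the threshold. Tune `window` and `threshold` to the traffic you actually see before relying on it.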

Matt Bishop, a computer science professor at the University of California, Davis, relates his own brush with quick-moving criminals. Bishop needed to transfer a number of large files from his home computer to the computer at work. To prepare for the transfer, he roped off a section of his computer’s memory for the files. Just to make the process simpler, Bishop relaxed the security so that he’d be able to copy the files without needing his password. When he arrived at home later that evening, he discovered an intruder had swallowed half of the memory he’d set aside.

Bishop thinks the cracker was trying to squirrel away pirated software. “It was quick,” he adds. Criminals moved uncannily fast in another anecdote. In the first hour that Bishop’s friend activated his permanent connection to the Internet he was scanned seven times. And some of the scans came from as far away as Korea and Bulgaria, Bishop notes. “My friend was pretty impressed. If you connect to the Net, you’re wide open. People are going to start poking at you. There’s no question about it.” The initial poking can lead to break-ins if the intruder figures out a way to crack the system.

Compiling statistics on Internet break-ins is exceedingly difficult, since the invasions are not easy to detect. No locks are jimmied, no windows broken in these digital trespasses. Sometimes, the aftermath of a burglary may be as subtle as a few lines of code changed in an otherwise still-functioning bit of software. In other cases, intruders won’t fiddle with information already on the machine, but merely mask their actual location by using the hijacked computer as a jumping off point for another attack.


Simple & Straightforward Computer Security Precautions

As Joe Download coasts the Net after making his first purchase of the day, he isn’t thinking about attackers. Pulling up a colorful web page with a bunch of freeware games, J.D. moves his mouse to download what promises to be an explosion-and-fireball-heavy diversion.

A small box pops up in the lower corner of J.D.’s screen. QUESTION ASSUMPTIONS! it reads. J.D. jumps. “You mean, like am I really seeing this?” he mumbles. Yes, you’re seeing this, the box blinks. Question your assumptions!

“What the—”

Can’t hear you, Bud. TYPE!

“Who—” J.D. begins to type in an open document.

Not important, interrupts the box. Think about what you’re doing. Is it safe to download that file?

“Uh...” J.D. scowls.

Is this a reputable server? Are the people who run this site trustworthy?

“Um...” J.D. starts looking around. “The domain name’s www.hackushere.com.”

Hm. Your virus detection software isn’t on, observes the box.

“Takes a while to download stuff from work when it’s on,” J.D. writes.

No excuse. You could have easily picked up a Trojan Horse in that game you were just reaching for. Or the one you downloaded yesterday.

“Trojan horse? It’s a star-fighting game, not Greek war strategies,” types J.D.

Trojan horses are buried in the source code of other programs, explains the box. When you install the game on your hard drive, you also enable the hidden program.

“What’s it do?”

Oh, any number of things. It could run a program that deletes or alters files. It could bring down your computer. It could monitor your keystrokes. Or it can open back doors in your security—allowing a remote user to take control.

“I don’t have much security on this computer,” J.D. types.

I noticed.

J.D. makes a face at the screen. “Still, why would anyone bother breaking into my computer? How could they even find it? Aren’t there millions of PC’s out there?” he types.

You have a DSL connection, the box says. People with modems are moving targets—they’re only open to attacks when they’re connected to the Net. You, however, are on the Internet as long as your computer is on. Your address rarely changes. You’re a sitting duck for scanning software.

J.D. sighs. “Scanning software?”

Every computer on the Net has a unique identification: its IP address. Some scanning programs sift through possible addresses, checking to see if there’s a computer at that location. Once an attacker zeroes in on a computer, the software pokes at the computer’s ports to the outside world, checking to see if there’s an opening. Without a firewall, you’re wide open.

“I really don’t think I need to worry about my computer being broken into,” J.D. writes. “I don’t have any sensitive data. And I back things up.”

Be that as it may, the box blinks. An intruder could use your computer as a launching pad for attacks on other systems if you leave it open. But your computer isn’t your only security concern. Do you know if there was a firewall at the company you just bought from?

“What are you talking about?”

You just made a purchase, remember?

“Oh yeah. Well, of course they have a firewall. All businesses do.”

Think again. It’s always good practice to check a company’s security policy when buying online. Retailers often have a page describing their security.

“They had a secure connection. My information was encrypted. What’s the big deal?” J.D.’s fingers hit the keyboard.

How is the information stored at the company? Even if it arrives safely, your credit card data may be stuck on a computer attached to the Internet. Some companies, like Amazon, store sensitive information on a computer physically disconnected from the Internet. Others set up firewalls to protect computers storing the information. Of course, firewalls aren’t invincible.

“OK. Go ahead and tell me how firewalls work,” J.D. growls.

Firewalls examine the origin of each information packet that arrives at the ports, or gateways, to the system. Packets can deliver requests to talk to the system, an e-mail message, or any other sort of data. Each packet label begins with the address it originated from and ends with its destination address. The firewall checks this header and only lets packets in that come from “trusted” sources—that is, addresses on a specific list it keeps.

“And so you get around it by ...” J.D. prompts.

Modems are one back door. An attacker might be able to bypass the firewall if he calls a modem inside the company he’s attacking. Computers that host the company’s web pages are another possible entrance. The firewall has to let traffic from all over the world onto that computer. An attacker can also fool the firewall itself. If the attacker can figure out what addresses are trusted by the targeted computer, he (or she, I suppose) can rewrite the packet header, so that it looks like the packet came from the trusted source. IP addresses weren’t set up with security in mind. People are working to make addresses less easy to fake, but change will come slowly since so many computers out there use the old system. People tend to cling to things for as long as they work. After all, when did you last update your browser?

“It’s been a while. You’re going to tell me to update because security’s probably gotten better.” J.D.’s fingers pound out the words.

You got it, bud. The box flickers.

“How did you know what I said at the beginning when I wasn’t typing?” That’s the one thing J.D. still doesn’t understand.

Oh, the box pauses. That was a bit of social engineering. I was pretty sure I could guess what you were thinking. That brings up another point—people are always the weak link in the chain of security. Don’t write your password down. Don’t store it on your computer. Don’t tell it to anyone no matter who they claim to be. Even in this day and age, many cracks are pulled off because someone leaked information they shouldn’t have.

“Humph,” J.D. snorts. People always harp about password security. That, and never opening unknown e-mail attachments. “Anything else?” A sarcastic grin spreads over his face as he types. He clicks on his anti-virus program. The application opens, and begins scanning through files on his computer.

Not really, the box flashes. J.D.’s virus program has found a Trojan Horse in the game he downloaded the day before. With a savage grin, he tells the program to clean it up. Just be sure to run your—

The box disappears. J.D. smiles. “So long, Bud,” he says.
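The box’s account of a firewall (admit a packet only if its header’s source address is on a trusted list) and of why that can be fooled (the header can be rewritten) is easy to make concrete. The following is an added example, not code from the article: a toy address-based filter, a forged header that it admits, and, as one illustrative hardening the article only alludes to, a variant that also requires a keyed tag over the packet so a forged source address is no longer enough. Packet layout, addresses and keys are all constructed.

```python
"""Address-only packet filter versus a filter that also checks a keyed tag.

Added example, not from the article. The packet layout, addresses and keys are
constructed; the authenticated variant is one illustrative hardening (in the
spirit of authenticating packets rather than trusting the source field alone).
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # origin as written in the header, which is all a filter sees
    dst: str
    payload: bytes


class AddressFilter:
    """Admit a packet only if the header's source address is on the trusted list."""

    def __init__(self, trusted):
        self.trusted = frozenset(trusted)

    def admit(self, pkt):
        return pkt.src in self.trusted


def make_tag(key, pkt):
    """Keyed tag over source, destination and payload (HMAC-SHA256)."""
    msg = b"|".join([pkt.src.encode(), pkt.dst.encode(), pkt.payload])
    return hmac.new(key, msg, hashlib.sha256).digest()


class AuthenticatedFilter:
    """Admit only packets whose tag verifies under the key shared with that source."""

    def __init__(self, trusted_keys):
        self.keys = dict(trusted_keys)  # trusted source address -> shared key

    def admit(self, pkt, tag):
        key = self.keys.get(pkt.src)
        if key is None:
            return False
        # compare_digest avoids leaking how many leading bytes matched
        return hmac.compare_digest(make_tag(key, pkt), tag)


# Constructed addresses (documentation ranges) and a constructed shared key.
INSIDE = "10.0.0.5"
PARTNER = "10.0.1.9"
OUTSIDE = "192.0.2.44"
PARTNER_KEY = b"constructed-shared-secret"


def demonstrate():
    """Run both filters over the same three packets and report each verdict."""
    genuine = Packet(PARTNER, INSIDE, b"order 42")
    stranger = Packet(OUTSIDE, INSIDE, b"order 42")
    forged = Packet(PARTNER, INSIDE, b"order 42")  # sent from OUTSIDE with a rewritten src

    addr = AddressFilter([PARTNER])
    auth = AuthenticatedFilter({PARTNER: PARTNER_KEY})
    wrong_key = b"the forger does not hold PARTNER_KEY"

    return {
        "address_genuine": addr.admit(genuine),
        "address_stranger": addr.admit(stranger),
        "address_forged": addr.admit(forged),      # header says PARTNER, so it passes
        "auth_genuine": auth.admit(genuine, make_tag(PARTNER_KEY, genuine)),
        "auth_stranger": auth.admit(stranger, make_tag(wrong_key, stranger)),
        "auth_forged": auth.admit(forged, make_tag(wrong_key, forged)),
    }


if __name__ == "__main__":
    for name, verdict in demonstrate().items():
        print(f"{name:18} -> {'ADMIT' if verdict else 'DROP'}")
```

The address-only filter cannot distinguish the genuine packet from the forged one, because both carry the same source field; the keyed tag ties admission to possession of the shared key rather than to a claim in the header.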

Hackers in the Lab

Bishop heads the Computer Security Laboratory at UC Davis. One of his research projects is “vulnerability analysis,” the systematic examination of vulnerable points in computer systems. The analysis helps researchers pick apart security flaws and develop systems that protect sensitive information, like credit card numbers.

Security holes are plentiful, says Bishop. A hole is a part of the computer network—like the front door on a house—that intruders can manipulate for their own ends. Many problems stem from cruddy software, he says, in programs that were written quickly without paying attention to security. Criminals don’t need to haul in exotic weapons to assault the house; they can take advantage of the tools put in place by software designers. If no one puts a deadbolt on their front door, criminals can use the door to wander into houses and make off with valuables. The unlocked doors in computer security are often simple applications, such as a program that opens text files, that don’t have deadbolts to prevent them from being abused.

Here’s one example of how an intruder could take advantage of the not-so-hot security of a simple file-reading program to grab something he doesn’t have permission to read. Let’s say a temp worker at an online merchant uses an insecure program (like Telnet) which doesn’t encrypt his password as he dials into the company network from home. Our thief intercepts the password and hops onto the merchant’s system masquerading as the employee.

The would-be thief can’t read every file on the network, because the company has set up the computers so that certain files—such as ones containing customers’ credit card information—may only be opened by bosses and managers.

The thief finds himself in a library of locked boxes. A single key will open every box in the room, but the key is guarded by the librarian (the network system), and the librarian will only hand out the key if the employee has permission to open the box. So the thief grabs a box that any member of the company may open and brings it to the librarian. The librarian checks the intruder’s phony I.D., examines the box, and hustles off to get the key because he sees that the box doesn’t have any restrictions on who may open it. While the librarian is out of the room, the thief puts the first box back and grabs the credit card box. The librarian returns, hands the thief the key, and the thief opens the box containing the credit card information. This is a security hole—the intruder has outwitted the system’s security by taking advantage of a combination of conditions.

When Bishop thinks about closing this security hole, he examines the conditions, or “characteristics”, that made the exploit possible. First, it must be true that one key will open any box. (In other words, the application program that reads files is capable of opening any file—it just needs permission to do so.) Second, the thief needs a bit of time between showing the librarian the first box and opening the second box. (Heavily used networks sometimes slow down so much that the thief might have a couple of minutes to perform this step.)

The thief can’t carry out the caper if either condition is false. Only one characteristic has to be changed to plug the hole. In this example, it’s easier to fiddle with the key than stop the thief from taking advantage of network slowdown.
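The librarian story is a check-then-use race: permission is checked against a name, the name is re-pointed while the librarian is away, and the universal key then opens whatever box is there. The article’s preferred fix, changing the key, means binding the check to the specific box actually taken. The following is an added example, not code from the article or from Bishop’s lab, that models both versions with a toy in-memory library; box names, roles and contents are constructed.

```python
"""The librarian race in miniature: check-then-open versus open-then-check.

Added example, not from the article. The library, roles and box contents are a
constructed toy model; `during_fetch` stands in for the librarian leaving the
room, which is when the visitor can re-point the shelf name.
"""


class Library:
    def __init__(self):
        self.boxes = {}  # box name -> (contents, roles allowed to open it)

    def add(self, name, contents, allowed):
        self.boxes[name] = (contents, frozenset(allowed))

    def may_open(self, name, role):
        return role in self.boxes[name][1]


class Shelf:
    """The name the visitor hands over; the visitor keeps a hand on it and can change it."""

    def __init__(self, name):
        self.name = name


def check_then_open(lib, shelf, role, during_fetch=None):
    """VULNERABLE: the check and the open both go through `shelf.name`, and the
    name can change between them. The universal key then opens whichever box
    the name points at by the time the librarian returns."""
    if not lib.may_open(shelf.name, role):
        raise PermissionError(shelf.name)
    if during_fetch:
        during_fetch(shelf)               # librarian is out of the room
    return lib.boxes[shelf.name][0]       # resolved again: the swapped box


def open_then_check(lib, shelf, role, during_fetch=None):
    """FIXED by changing the key: take hold of one specific box first, then check
    that box itself. Re-pointing the name afterwards changes nothing."""
    box = lib.boxes[shelf.name]           # one key cut for this box only
    if during_fetch:
        during_fetch(shelf)               # same delay, but the box is already bound
    contents, allowed = box
    if role not in allowed:
        raise PermissionError(shelf.name)
    return contents


def swap_for_cards(shelf):
    """What the visitor does while the librarian is away."""
    shelf.name = "customer-cards"


def demo():
    lib = Library()
    lib.add("lunch-menu", "soup of the day", allowed={"temp", "manager"})
    lib.add("customer-cards", "9876 5432 1234 5678", allowed={"manager"})

    results = {}
    # Vulnerable path: a temp's request for the menu comes back with the cards.
    results["vulnerable"] = check_then_open(lib, Shelf("lunch-menu"), "temp", swap_for_cards)
    # Fixed path: the same swap still yields the menu the temp was allowed to open.
    results["fixed"] = open_then_check(lib, Shelf("lunch-menu"), "temp", swap_for_cards)
    # And a direct request by the temp for the cards is refused in both versions.
    try:
        open_then_check(lib, Shelf("customer-cards"), "temp")
        results["direct"] = "opened"
    except PermissionError:
        results["direct"] = "denied"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10}: {outcome}")
```

Only one condition changed between the two functions: the key no longer opens any box, only the one that was checked. The delay, the swap and the temp’s limited permissions are all left exactly as they were, which is the article’s point about plugging a hole by removing a single ingredient.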

The method of breaking down holes into conditions becomes even more powerful as the number of conditions increases. If you know the ingredients that created the situation, you only have to change one—out of many—to prevent a thief from exploiting the hole.

With this philosophy in mind, Bishop and his students have launched into an effort to catalog all the conditions that lead to vulnerable points in security. Bishop suspects—although he hasn’t proved this—that the number of characteristics is smaller than the number of capers thieves can pull off. So far, the number of conditions that contribute to holes does seem to be limited. The set of characteristics Bishop and his students have defined hasn’t grown recently, even as they continue to analyze new types of break-ins.

Still, the hunt for new holes and conditions continues. Prospecting for vulnerable points in a system requires creativity and flexible thinking—as well as a knack for combining conditions in novel ways. The best way to achieve this mindset, says Bishop, is to approach the system from the viewpoint of an attacker.

“In order to know how to defend, you need to know how to attack,” he says. “A good attacker will ask, ‘What’s the defender’s model? How is he thinking about the system?’ and then go around a different way,” Bishop says.

Defenders often lull themselves into a false sense of security and stop thinking about their system creatively, Bishop says. In the example above with the online merchant, the system defenders might have thought the most vulnerable points in their security were the managers’ passwords. Rather than keeping an eye out for other threats, the defenders concentrated on protecting the passwords of people who had access to sensitive information. They didn’t realize that someone with fewer permissions could trick the system into coughing up the credit card numbers.

Bishop’s students practice attacking pre-configured computers, poking and prodding to uncover the carefully planted holes. Even in a structured situation, the students’ attacks can be unpredictable—even unexpected, and Bishop relates with amusement how one team of students outfoxed the computer system and exploited a hole the instructors had overlooked. “We were very impressed,” he says with a grin.

To encourage his students to think outside the box, Bishop reminds them that security isn’t limited to the digital world. Bishop sometimes assigns Machiavelli’s The Prince as class reading. Machiavelli recognized the elements of security 500 years ago: trust as few people as possible, contain damages, and surprise your adversary. Seeing security at work in other contexts could inspire students to come at the problem from a new angle.

It can also rattle assumptions about what’s important. “Question assumptions,” Bishop says. “If you figure out what assumptions you’re making, you’ll know who and what you are trusting. And at that point, you’ll know an awful lot more about your system.”


Hackers in the wild

Outside academic labs, hackers work out their own courses in “vulnerability analysis.” The instructors are the pros—they pack their lectures into computer code and descriptions of their exploits. Libraries of attack tools proliferate, and are easily found with a simple keyword search. In the Internet laboratory, hackers test security ideas by putting systems around the world under constant attack.

The line between legal and illegal trespass is blurred. Hackers that poke other people’s systems aren’t necessarily thieves or criminals—but they are treading on treacherous legal ground.

For hackers, motivation divides hacker activities from crackers’ exploits. Malicious criminal activity comprises the domain of crackers—information theft, website defacement, data corruption, denial-of-service attacks. Hackers don’t destroy or steal information—but they may point out weak points in system security or uncover compromising bugs in commercial software.

A burning curiosity drives non-malicious hacking, says Carolyn Meinel, a computer security consultant in New Mexico who says she’s been a hacker ever since she took her first computer course in the early 70s. Meinel is the author of several books on computer hacking (including the primer The Happy Hacker: a guide to [mostly] harmless hacking and the more technical Uberhacker). Hackers want to answer countless variations of the question, “What happens if ...” Meinel insists that hackers are not synonymous with criminals. The Internet’s networks are a treasure trove of brain teasers and spy games, and the addictive thrill of exploration.

The information garnered from these forays can sometimes keep the larger community safe. If a hacker uncovers a software hole and contacts the company, the company can correct the vulnerability before a cracker wreaks havoc. Hackers also serve as volunteer software watchdogs, berating software manufacturers when a security issue has been ignored or handled sloppily, Meinel says.

The Internet has several posting and boasting grounds for hacker-accumulated information. The largest of these, Bugtraq (www.Bugtraq.com) is a virtual emporium of security hole information—its halls are filled with the continuous technical murmur of hacker shop-talk. The website’s keeper, Elias Levy, posts guidelines requesting that hackers who find holes contact the companies first, and give them a week to respond before placing the information on Bugtraq. If the company ignores the hacker, however, the policy of Bugtraq—and the hacker community at large—suggests it is better to publicize security flaws than sweep them under the carpet.

“If it weren’t for hackers, companies would get away with this all the time,” Meinel says.

Hacker explorations on the Internet put the hacker in the attacker’s shoes. HyangSook Cho, a programmer who works for Hackerslab, a security firm in Korea, insists that security consultants and administrators need to have all the skills of a cracker.

“Have you ever read The Art of War—the oldest military treatise in the world written by Sun Tzu?” he wrote in an e-mail. “It says: ‘Know your enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chance of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle.’”

But it’s a short jump from hiring someone with the skills of a cracker to hiring an actual cracker. A lot of security consultants come into the field with a shady background, Meinel says. “Many companies feel they have to hire the criminals in order to see how they operate,” she says. “But some want to take promising programmers and train them instead of getting the people who learned in the back alleys.”

Jeong Nam Lee founded Hackerslab because he was disappointed that young people’s desire to hack led to computer crimes, Cho says. “He wanted to lead them away from the underground, and have them work out in the open and be beneficial to society.”

How do you train an attacker and make them work out in the open at the same time? Not surprisingly, hordes of Internet users aren’t rushing to volunteer their computers for experimentation. Much as Bishop turns his students loose on pre-configured computers, Hackerslab runs one of its computers specifically for hackers to practice cracking.

A hacker starts off on the least secure level, and then works his or her way through fourteen levels. Reaching the fourteenth level requires a good mix of up-to-date hacking and programming skills combined with creative thinking, says Cho.

People outside the company sometimes worry about promoting the hacking lab, Cho says. “They wonder if a site for hacking is like giving compulsive robbers a store to rob; isn’t it a way of encouraging illegal behavior?” But the knowledge hackers learn could be invaluable, he says, if the hackers are later employed in national or bank security.

Wargames also engage hackers in above-board exploits. In these highly technical versions of capture the flag, some companies post rewards—sometimes substantial sums of money—challenging hackers to break into computers and retrieve heavily guarded pieces of information.

A hacker-turned-consultant can use his knowledge to fend off different classes of attackers. The availability of code on the Internet breeds pests called “Script kiddies” or “code monkeys”—hackers without programming skills or any hard-core knowledge of computer security. A consultant familiar with the scripts can defend against these brainless—although damaging—attacks.


A nation of ostriches

The hacker community may provide information on security holes. Companies may write the patches, slap band aids onto software, beef up vulnerable systems, and devise more effective security policies. At some point, however, security slams into an unexpected obstacle: the ordinary user.

“Basically, security is inconvenient,” Ferguson says. There aren’t any remaining technological challenges to making systems more secure, he says. “We have the cryptography, and we have all the technology we need. There’s been nothing really new since the late 80’s. We tell people they need encryption, but that slows down computers by 20 percent—and they don’t want it.”

The biggest problem computer security faces, Ferguson says, is that the ordinary Internet user trusts that a system will work without vigilant security. Users should take precautions, detect intrusions and respond to break-ins.

Instead, individuals and companies allow software to become obsolete, neglecting to acquire up-to-date versions or security patches. People find it difficult to memorize hard-to-crack passwords—passwords without any dictionary words and full of symbols and variable capitalization—and the weak passwords they choose instead compromise security. And because it’s a hassle to follow the protocols, individuals disable security routines—such as keeping virus detection software on at all times, or evaluating sources before downloading files.

It’s a lot like people moving to the city, Ferguson says. “When people move out of small villages to the big city, they are annoyed because they need to lock their doors. It really inconveniences you every time you go out.” In other areas of life, however, we accept the inconvenience without complaint.

“Suppose you buy something—something big—like a washing machine,” he says. “You take off time from work to sit at home, waiting, so that when they deliver it you can let them in to put it in the basement. Nobody would suggest—nobody!—that you hand over a copy of your keys to the company and allow strangers into your house to put in the washing machine.”

“But that’s what people do all the time on the Internet. You just download this program or that program, giving a complete stranger unlimited access to your digital house,” he says.

For some companies, the level of risk seems too low to justify investing a lot in security, Ferguson says. Companies tend to jump on quick and faulty fixes. Firewalls are one security tool that companies view as a panacea. A firewall monitors the flow of information in and out of a network, and prevents unfamiliar users from getting into the company’s network—most of the time. But companies don’t always have the know-how or the resources to configure the firewall correctly, Ferguson says. “People might be breaking in all the time and stealing data, but the company can say, ‘We bought the firewall but it didn’t hold.’ The ostrich mentality is everywhere in the field.”

The image of a nation of ostriches connected to the Internet isn’t particularly heartening. But until individuals decide that it is worth the inconvenience of reading up on an Internet retailer’s security policy before buying online, memorizing an obscure password, and approaching the Internet with caution, not much will change.

Although individuals may take precautions sporadically, credit card companies are implementing a suite of tools to systematically detect and prevent fraud. Complex software tracks the buying habits of individual consumers, and raises a red flag when someone begins using his or her credit card in an uncharacteristic fashion. VISA is developing “electronic wallets”—a combination of electronic ID and credit card buying power—to address the problem of verifying Internet identity, says Casey Watson, director of international communications at VISA. To keep ahead of fraud, the company continues to work out new security measures. “It’s a naturally evolving security curve, from chips on the cards themselves to smart neural networks. We work with law enforcement to stop the bad guys, and the system naturally evolves in response.”

The Internet wasn’t designed with security in mind—it was created to exchange information. “In a fast-paced world, we want new applications yesterday,” Ferguson says. “When you build a new system and leave out security, it works amazingly well.”

But the crooks will catch up—and start finding the holes. “When cars were first built, they didn’t have keys,” Ferguson says. “You just started them by pushing a button. With credit cards it was the same—you didn’t need to use a signature. Then the fraud increased and they had to change the system. The Internet won’t be any different.”


BIOs
WRITER Katie Greene
B.S., individual major in interdisciplinary science, Harvey Mudd College;
M.S., physical oceanography, University of Washington
Internship: Popular Science, New York
ILLUSTRATOR Leana Rosetti
B.S., environmental biology, Yale University
Internship: pending




Text © 2001 Katie Greene
Illustrations © 2001 Leana Rosetti