Data Network Is Found
Open To New Threat

By John Markoff

Copyright © 1995 The New York Times Company

San Francisco, January 22, 1995

A Federal computer security agency has discovered that unknown intruders have developed a new way to break into computer systems, and the agency plans on Monday to advise users how to guard against the problem.

The new form of attack leaves many of the 20 million government, business, university and home computers on the global Internet vulnerable to eavesdropping and theft. Officials say that unless computer users take the complicated measures they will prescribe, intruders could copy or destroy documents or even operate undetected by posing as an authorized user of the system.

For computer users, the problem is akin to homeowners discovering that burglars have master keys to all the front doors in the neighborhood.

The first known attack using the new technique took place on Dec. 25 against the computer of a well-known computer security expert at the San Diego Supercomputer Center. An unknown individual or group took over his computer for more than a day and electronically stole a large number of security programs he had developed.

Since then several attacks have been reported, and there is no way of knowing how many others may have occurred. Officials of the Government-financed Computer Emergency Response Team say that the new assaults are a warning that better security precautions will have to be taken before commerce comes to the Internet, a worldwide web of interconnected computers that exchange electronic messages, documents and computer programs.

It is expected that by the end of this year such businesses as florists, supermarkets, credit card companies and banks will peddle wares to customers via the Internet and the new intruders could be able to steal credit card numbers, merchandise and money.

The response team, based at Carnegie-Mellon University in Pittsburgh, plans on Monday to post an advisory on the Internet, alerting computer users to the attacks and urging them to take a variety of protective measures involving software and hardware security mechanisms.

"This was a sophisticated attack," said James Settle, a former F.B.I. computer crime expert who is now an executive at the Inet Corporation, a computer security firm. "Essentially everyone is vulnerable."

The Internet works by breaking computer messages into groups of digital packets of data, each of which has an electronic "envelope" that provides "to" and "from" addressing information used by special network computers known as routers that deliver the data.

The new attack makes use of a flaw in the design of the network to fool the router computers into believing that a message is coming from a trusted source. By masquerading as a familiar computer, an attacker can gain access to protected computer resources and seize control of an otherwise well-defended system.

Computer administrators at several organizations that have been broken into by individuals using the technique said they had been contacted by Federal law-enforcement officials as part of an investigation into the break-ins, but Justice Department officials refused to comment.

The lack of tight security on the Internet has remained a well-known risk, even as thousands of companies have been flocking to the global network in the last year hoping to do business in cyberspace.

However, many computer security experts point out that the basic Internet software was never designed with this use in mind. It was originally created by academic researchers to exchange computer data conveniently with little thought to the problems that are now emerging in which anonymous individuals, hidden by a web of computer links, can eavesdrop and steal electronically.

Classified Government military computer systems are not thought to be at risk because they are not directly connected to the Internet.

And until now, most companies and other organizations with computers directly connected to the Internet have assumed they could protect themselves from intruders by creating various types of hardware and software defenses known as "fire walls."

But the new type of attack can in many cases easily penetrate these common defenses, according to officials of the Computer Emergency Response Team.

"Out of all the sites on the Internet, there are only some small fraction that care enough about security," said Tom Longstaff, manager of research and development for the security agency.

The security warning to be issued on Monday will include a list of brands of router computers that can use a computer program to protect against the new attack, which is called IP, or Internet protocol, spoofing. The new defense works by recognizing packets that have been forged and rejecting them. But the advisory will also list brands of routers that have no way of protecting against the attack.
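An added illustration, not part of the original article or the advisory: one common way a border router can recognize a forged "from" address is to compare it with the interface the packet actually arrived on. The article does not describe the mechanism, so this rule is an assumption, as are the interface names and the addresses (constructed from documentation ranges); the sketch also goes slightly beyond the text by checking outbound packets.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (RFC 5737 documentation ranges), not from the article.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

@dataclass(frozen=True)
class Packet:
    src: str       # "from" address on the envelope (sender-controlled)
    dst: str       # "to" address
    in_iface: str  # hypothetical label for the interface the packet arrived on

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def border_verdict(pkt: Packet) -> str:
    """Return 'drop' or 'forward' for a packet seen at the border router."""
    try:
        src_internal = is_internal(pkt.src)
    except ValueError:
        return "drop"  # malformed source address: never forward
    if pkt.in_iface == "external" and src_internal:
        return "drop"  # claims to be an inside host but came from outside
    if pkt.in_iface == "internal" and not src_internal:
        return "drop"  # inside machine sending with an address it does not own
    return "forward"

# Constructed sample traffic.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.10", "external"),   # ordinary outside client
    Packet("192.0.2.20", "192.0.2.10", "external"),     # forged: poses as a trusted inside host
    Packet("192.0.2.20", "203.0.113.5", "internal"),    # legitimate outbound traffic
    Packet("203.0.113.9", "198.51.100.7", "internal"),  # forged source leaving the site
]

def filter_all(packets):
    return [(p.src, p.in_iface, border_verdict(p)) for p in packets]

if __name__ == "__main__":
    for row in filter_all(SAMPLE):
        print(row)
```

The filter stops an outsider from posing as an inside machine; it cannot tell whether an outside source address is itself genuine.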

Computer security experts said there was no good way of estimating what fraction of the Internet computers have routers or fire wall software capable of protecting against the attack.

"This is a really tough problem because it is an attack based on the way things work normally," said Marcus Ranum, a senior scientist at Trusted Information Systems, a computer security firm.

The flaw, which has been known as a theoretical possibility to computer experts for more than a decade, but has never been demonstrated before, is creating alarm among security experts now because of the series of break-ins and attacks in recent weeks.

The weakness, which was previously reported in technical papers by AT&T researchers, was detailed in a talk given by Tsutomu Shimomura, a computer security expert at the San Diego Supercomputer Center, at a California computer security seminar sponsored by researchers at the University of California at Davis two weeks ago.

Mr. Shimomura's computer was taken over by an unknown attacker who then copied documents and programs to computers at the University of Rochester where they were illegally hidden on school computers.

Most computer security experts say that real security on the Internet awaits the widespread adoption of encryption technology for scrambling data and authenticating messages.

Internet veterans also expressed anger at the new style of attack because it would cause many organizations to strengthen their security systems, thus making the network less convenient and less useful.

"These guys are striking the basis of trust that makes the network work," Mr. Ranum said, "and I hate that."