Cracks in the Net

by Joshua Quittner

February 27, 1995

America's most wanted hacker has been arrested, but the Internet is more vulnerable than ever

Kevin Mitnick, 31, stood in the federal courtroom, his hands cuffed - unable, for the first time in more than two years, to feel the silky click of computer keys. He glanced over at Tsutomu Shimomura, the computer-security expert whose extraordinarily well-guarded personal computer Mitnick had allegedly broken into on Christmas Day. Shimomura, playing Pat Garrett to Mitnick's Billy the Kid, had taken his revenge by tracking the wily hacker across cyberspace - through the Internet, through local and long-distance phone companies and at least two cellular-phone carriers - until he finally traced him to his hideout in an apartment complex in Raleigh, North Carolina. And so there they stood last week, hunter and hunted, face to face for the first time. "Hello, Tsutomu," Mitnick said, with husky, spaghetti-western cool. "I respect your skills." If the feeling was mutual, Shimomura, 30, didn't say so. Indeed, he said nothing at all.

Across the country, computer-network security experts, though, were talking a lot last week, calling the entire Mitnick affair a watershed moment - not for what it proves about the hacker but for what it says about the systems he hacked. At a time when American businesses are frantic to set up shop on the computer networks, those networks - and the telecommunications systems that carry their traffic - are turning out to be terminally insecure. One of the things Mitnick is believed to have stolen from Shimomura's computer is a set of utility programs - the electronic equivalent of a locksmith's toolbox - that would make, in the hands of a determined hacker, a potent set of burglar's tools. Given the speed with which such programs can be duplicated and transmitted, it must now be assumed that they have been distributed widely throughout the computer underground.

Even before Kevin Mitnick got his hands on these burglar's tools, says William Cheswick, a network-security specialist at AT&T Bell Labs, the average computer on the Internet was singularly vulnerable to attack. Security at most sites, says Cheswick, is so lax that passwords and other protective devices are almost a waste of time. "The Internet is like a vault with a screen door on the back," says Cheswick. "I don't need jackhammers and atom bombs to get in when I can walk in through the door."

Among the most common ways to attack the Internet:

Password Sniffers:: These tiny programs are hidden on a network and instructed to record logons and passwords, which are then stored in a secret file. By the end of a week, this file can contain hundreds of user names and their associated passwords. Last year an advisory from Carnegie Mellon University's Computer Emergency Response Team warned that, as a result of a rash of sniffing attacks, tens of thousands of passwords had been stolen and were presumed to be compromised.
Spoofing:: This is a technique for getting access to a remote computer by forging the Internet address of a trusted or "friendly" machine. It's much easier to exploit security holes from inside a system than from outside; the trick is to gain "root" status, the top-level access that the computer's administrator enjoys. With root status, a hacker could install a password sniffer or bogus software, like a "back door" - a secret return path into the machine. Mitnick was able to break into Shimomura's Fort Knox-like computer using a spoof.
The Hole in the Web:: The latest vulnerability to come to light is a flaw in the World Wide Web - the fast-growing zone within the Internet where thousands of businesses are setting up shop. According to an advisory issued on the Internet last week by a programmer in Germany, there is a "hole" in the software that runs most Websites. This entry point allows an intruder to do anything the owners of the site can do. According to Cheswick, most of the Websites were using software that puts them at risk.

Underscoring the pitfalls for businesses, investigators say that one of Mitnick's computer files contained 20,000 credit-card numbers of subscribers to Netcom, an Internet-access provider based in San Jose, California. According to Emmanuel Goldstein, publisher of 2600: The Hacker Quarterly, his readers have known for months that Netcom's credit files were stored out in the open, easily accessible from the Internet. Why weren't those files off-line, or at least encrypted? Netcom officials won't comment.

So what will make the Internet safe from hackers? Avoiding obvious security flaws like Netcom's would be a start. Another would be to adopt more sophisticated password systems, like the calculator-size "dongle" that researchers at Bell Labs carry around to generate new passwords for each Internet session. The ultimate solution, experts say, would be to encrypt all communications between computers. But that could eat up valuable computer-processing time, make the networks less friendly and add minutes to every online task. And who, besides Kevin Mitnick, has any time to spare these days?