Copyright © 1995
Time Inc. All rights reserved.
February 27, 1995
America's most wanted hacker has been arrested, but the Internet is more vulnerable than ever
Kevin Mitnick, 31, stood in the federal courtroom, his hands cuffed - unable, for the first time in more than two years, to feel the silky click of computer keys. He glanced over at Tsutomu Shimomura, the computer-security expert whose extraordinarily well-guarded personal computer Mitnick had allegedly broken into on Christmas Day. Shimomura, playing Pat Garrett to Mitnick's Billy the Kid, had taken his revenge by tracking the wily hacker across cyberspace - through the Internet, through local and long-distance phone companies and at least two cellular-phone carriers - until he finally traced him to his hideout in an apartment complex in Raleigh, North Carolina. And so there they stood last week, hunter and hunted, face to face for the first time. "Hello, Tsutomu," Mitnick said, with husky, spaghetti-western cool. "I respect your skills." If the feeling was mutual, Shimomura, 30, didn't say so. Indeed, he said nothing at all.
Across the country, computer-network security experts, though, were talking a lot last week, calling the entire Mitnick affair a watershed moment - not for what it proves about the hacker but for what it says about the systems he hacked. At a time when American businesses are frantic to set up shop on the computer networks, those networks - and the telecommunications systems that carry their traffic - are turning out to be terminally insecure. One of the things Mitnick is believed to have stolen from Shimomura's computer is a set of utility programs - the electronic equivalent of a locksmith's toolbox - that would make, in the hands of a determined hacker, a potent set of burglar's tools. Given the speed with which such programs can be duplicated and transmitted, it must now be assumed that they have been distributed widely throughout the computer underground.
Even before Kevin Mitnick got his hands on these burglar's tools, says William Cheswick, a network-security specialist at AT&T Bell Labs, the average computer on the Internet was singularly vulnerable to attack. Security at most sites, says Cheswick, is so lax that passwords and other protective devices are almost a waste of time. "The Internet is like a vault with a screen door on the back," says Cheswick. "I don't need jackhammers and atom bombs to get in when I can walk in through the door."
Among the most common ways to attack the Internet:
Underscoring the pitfalls for businesses, investigators say that one of Mitnick's computer files contained 20,000 credit-card numbers of subscribers to Netcom, an Internet-access provider based in San Jose, California. According to Emmanuel Goldstein, publisher of 2600: The Hacker Quarterly, his readers have known for months that Netcom's credit files were stored out in the open, easily accessible from the Internet. Why weren't those files off-line, or at least encrypted? Netcom officials won't comment.
So what will make the Internet safe from hackers? Avoiding obvious security flaws like Netcom's would be a start. Another would be to adopt more sophisticated password systems, like the calculator-size "dongle" that researchers at Bell Labs carry around to generate new passwords for each Internet session. The ultimate solution, experts say, would be to encrypt all communications between computers. But that could eat up valuable computer-processing time, make the networks less friendly and add minutes to every online task. And who, besides Kevin Mitnick, has any time to spare these days?