Terminal Insecurity

The use of home computer terminals to illegally tap into distant computers is a recurring story and an increasingly dangerous crime. In the latest incident seven youths were arrested in New Jersey last week for allegedly manipulating computers to make free telephone calls, obtain information and breach a Defense Department communications system. This is no isolated incident. Computer crimes involving teen-age “hackers” bent on mischief--or worse--have been occurring with unhappy regularity. Can anything be done to stop them?

The answer is yes--and no. There is no computer that is perfectly secure, just as there is no bank vault that is absolutely impervious to attack. “The computer is inherently insecure,” says Donn Parker of SRI International, one of the world’s foremost authorities on computer crime. “There is no way to make it secure.”

But owners of physical vaults can and do make it very difficult for unauthorized people to get in. Owners of electronic vaults--otherwise known as computers--can and should do the same. Unfortunately, most don’t make use of all the security techniques that are currently available.

Passwords are one of the basic methods for ensuring that only people authorized to use a computer actually get to use it. The overwhelming majority of cases of improper computer access involve an unauthorized person obtaining a legitimate password, by luck or by stealth. Once he has a password, the person can impersonate a legitimate user with impunity. So password protection should be one of the most important priorities of a computer owner. “The whole password system is only going to be as strong as the least disciplined password holder,” Parker says.

Even though many computer systems allow a user to change his password as often as he wants, most people never change passwords. A computer system designed with security in mind would require all users to change their passwords periodically, perhaps every month or every three months. In that way, if a password got out it would soon become useless.

In addition, many computer users select their first name or their spouse’s first name or their pet’s name as their password, making it relatively easy for hackers to stumble onto a password simply by guessing names. Well-designed computer systems contain a dictionary of short words and names that they reject as passwords.

When a user signs on to some computer systems, the first thing that he sees on the screen is a message telling him when he was last on. This is an excellent security measure. Suppose someone comes to work in the morning, signs on to the system and reads, “Good morning. You were last on yesterday at 5 p.m.” The person thinks, “That’s right. That’s when I signed off and went home.” But if the message says, “You were last on at 3 a.m. this morning,” the person calls the authorities.

Additional security can be provided by so-called hand-shaking devices between remote terminals and a main computer. Before a remote terminal can be used, a chip in the main computer uses encryption methods to “shake hands” with a chip in the terminal, thereby establishing that the terminal is authorized to communicate with the computer.

Other security techniques are being developed. Research is under way to come up with a method of analyzing a person’s typing rhythm to establish that he is whom he claims to be. Efforts are also being made to establish profiles of how each individual regularly uses a computer system--the order in which he uses commands, his characteristic time of usage or his normal activity. Something that deviates from the pattern would generate an exception report that says, “Someone is doing something odd that he normally doesn’t do.”

Many teen-age hackers could be thwarted by some or all of these security techniques. But the level of computer security in use is well below the state of the art. The trouble is that computer security costs money, and it has been like seat beats: Manufacturers don’t want to put it in because it doesn’t help them sell computers. The customers say that they want security, but they don’t want to pay extra for it, and they don’t want it to get in the way of the users. What is needed are security devices that protect you whether you want protection or not.

In the meantime, computer owners have the means at hand to make it very difficult for unauthorized people to penetrate their systems. They should use existing techniques. If they don’t, they should operate on the assumption that their computers will be breached.