Access: Curse and Blessing for Computer Networks : Illegal Entry Is Growing, Forcing New Precautions

The feature that has made computer systems nearly everyone’s partner in the workplace--easy accessibility--has also created a security nightmare that is global in scope, according to experts.

The breach of security that was revealed this week at the Jet Propulsion Laboratory is only the latest in a long string of violations of computer systems serving organizations ranging from financial institutions to military establishments.

“It’s getting worse all the time,” said Hal Tipton, head of computer security at Rockwell International Corp. and president of the nationwide Information Systems Security Assn.

“Ten years ago when our computer systems were fairly centrally located, we could protect it physically, and it wasn’t so much of a problem,” Tipton said. “Nowadays, with the interconnectivity goals and expansion of personal computers, we don’t really have our computing power in one place where we can keep an eye on it. It’s spread all over.”

New Technologies

Computer engineers are developing new technologies in hopes of increasing security, including electronic devices that will tip off the computer if the person who is trying to sign on is a fraud, but any such programs significantly limit the usefulness of the system.

The problem is growing at an enormous rate, Tipton said, because of the advent of “networking,” which allows people around the world to work on the same problems simultaneously and share their information. This electronic connection has made the personal computer ubiquitous throughout the industrialized world, and it has greatly enhanced the flow of vital information in virtually every field.

But that has not come without a price. Many computer networks are connected to other networks, and someone who has access to one can--with enough time and patience--usually figure out how to gain access to other elements throughout the system, experts said.

Clifford Stoll, a systems manager at the Lawrence Berkeley Laboratory, who cracked one of the most celebrated cases of computer “hacking” in history, said the man who broke into the Berkeley system last year was “by no means a brilliant wizard, as might be popularly imagined.” The hacker, who turned out to be a 24-year-old student in West Germany who had broken into computer systems around the world, was simply competent, knowledgeable and very industrious, Stoll said.

‘Twists Doorknobs’

“Basically, here’s somebody who walks down the street and twists doorknobs on people’s houses to see if he can get in,” Stoll said in a telephone interview. “If it’s unlocked, he goes in and looks around. If it’s locked, he goes around and tries the back door. If he can’t get in, he goes on to the next house.

“In my neighborhood, it’s likely he would get caught. But on networks, it’s unlikely because no one is watching.”

Stoll caught his hacker because he saw strange footprints in the system, and instead of shutting him out, he set a trap. When the scheme finally unraveled, it was learned that the young hacker had tried more than 450 “doorknobs” and about 30 worked, giving him access to systems that serve a number of U.S. military installations.

West German authorities confiscated the suspect’s computer, but he has not been charged with a crime yet because evidence was not considered sufficient. That underscores another problem: Hacking is against the law in this country, as it is in many others, but the crime is extremely difficult to prove, Tipton said.

Relatively few people are formally charged with hacking, although the FBI may confiscate equipment if there is evidence that a computer has been used for such things as acquiring the numbers on someone else’s credit cards, he added.

No lasting damage was done in the case of the Lawrence Berkeley Laboratory, Stoll said, because most of the information in the system consists of educational materials that are available to the public anyway. But people like Stoll worry that the ease with which hackers break into such systems, which is usually facilitated by sloppiness on the part of legitimate users, will force more and more institutions to make access to their systems too restrictive.

A sister facility, the Lawrence Livermore Laboratory, is involved in a great deal of classified research, and Stoll noted that if he wants to work on the Livermore system, he cannot do so from his office in Berkeley by using telephone links that are so common in today’s computer world. Instead, he would have to physically go to Livermore, where security personnel could verify that he is, indeed, who he says he is.

“A computer that is not connected to a network has much less value,” Stoll said. “It can only think. It cannot communicate.”

Concerns over security are polarizing users, Stoll said, in some cases reducing the usefulness of computers by being too protective and in other cases virtually assuring a breach of security because no one is paying any attention.

“People in the classified area worry too much about it, and people in the civilian area worry too little,” he said. “They (civilians) think nobody would be interested. But somebody might very well be. A vandal might be interested in wrecking something. Somebody just might want to play a nasty joke.”

Computer “break-ins” happen regularly, Tipton said, but it is difficult to know just how often because “a lot of them don’t make the news.”

“If you have a break-in, you try to counter it without telling everybody else how somebody is getting into your system,” he said. “You try to keep it quiet.”

Words or Symbols

Experts say the most common form of hacking results from carelessness about the choice and use of passwords--words or symbols that tell the computer that the person who is trying to sign on has been authorized to use the system.

Apparently in fear of forgetting their password, many users choose words they know they will not forget, and that frequently means their first name or the name of a family member. In some cases, a hit or miss approach might give a hacker access to the system, and once inside, other elements of the system can be breached more easily.

Stoll suggested that someone who wants to use a common name as a password could improve security quickly by adding a number in the middle of the name or making up a word that is easily remembered but known to no one else.

As the people at Lawrence Berkeley Laboratory learned the hard way, it should not be a word that is in the dictionary. Stoll explained why in an article in the May issue of the Communications of the Assn. for Computing Machinery.

Passwords must be listed somewhere in the system for the computer to recognize them and yield access to legitimate users. Aware that any such list in the computer might be acquired by hackers, some organizations encode the passwords so that they can be recognized by the computer, but remain indecipherable to anyone else. Several security programs are commercially available for such purposes.

Same Code

Stoll said the West Germany hacker found the encrypted password list in a “compromised” computer system and recorded it into his personal computer in Germany. He recognized the security system that was being used and had his entire computerized dictionary translated into the same code. Then, by ordering his computer to search for words as they appeared on the encrypted list, he could determine which words had been encrypted and would work as passwords.

“Within a week, he reconnected to the same computers, logging into new accounts with correct passwords,” Stoll wrote in the May article.

The ease with which some people are breaking into systems is forcing some security-conscious organizations to come up with new technological hurdles for the hackers.

“Unfortunately, many users are too lazy to protect their passwords or they make them too simple,” Tipton said. “So we’re looking for better ways of controlling access.”

Passwords, he said, may become “sort of a feature of the past.”

Rockwell, for example, has issued an electronic “card that looks like a credit card, but it provides a person with a new password every minute,” he said.

The user encodes the card with his personal password, and the card then tells the user which password to use for that minute. Thus a hacker would have to know the user’s personal password, plus have access to the card.

Even that, however, has its limitations.

“The card costs about $40, and we don’t want to give it to 40,000 people,” Tipton said, so the use of the computer is limited to about 4,000 people.

Other technologies are also under development, including a system that would use a light beam to scan the blood vessels in the eye of the user to see if the applicant is who he is supposed to be.

All of these features, however, reduce the usefulness of the network by limiting the number of people who can use it. That, in turn, shrinks the scope of the data base.

In the end, a lot of people who might benefit enormously through convenient access to worlds of information may pay a high price for the hackers who continue to chip away at the systems, experts contend.

Tipton noted that engineers at Rockwell would like to have access to some data bases that are also used by educational institutions. But if Rockwell links its system to such networks, “that would provide the students who are interested in hacking a chance to connect with ours,” Tipton said.

So at the moment, concern over security has built a barrier between engineers at Rockwell and students at universities around the country, thus eroding electronic communications that could benefit both groups.