Computer Experts Grapple With Vulnerable Systems

In 1845, only a year after Samuel F. B. Morse hooked up the first telegraph and tapped out his triumphant message--”What hath God wrought!”--another, more obscure figure clearly saw what Morse had wrought.

Not even Rep. Francis O. J. Smith of Maine, one of Morse’s business partners, could have foreseen that a young Cornell University graduate student might someday spread a digital virus that would wreak havoc on a nationwide network of research computers linked by thousands of miles of coaxial cable, fiber-optic telephone lines and microwave relay circuits.

But even in 1845, he seemed to understand the Promethean dilemma posed by every new technology since fire: With benefits come risks.

In the case of the telegraph, employees along the transmission route--and wiretappers--could steal messages. Smith carved his modest niche in history by publishing the first code for encrypting telegraph messages, a pioneering antidote to the drawbacks of turning information into lightning-fast pulses of electricity.

Now, 143 years later, a small but growing computer security industry is treading in the footsteps of Rep. Smith. It is grappling--altogether too slowly, many experts believe--with enormously complex variants of the same threats of intrusion and theft that animated early skeptics of the telegraph.

In a world increasingly dependent on the secure flow of electronic data--more than $2 trillion a day now moves around the world through U.S.-based, computerized inter-bank transfer systems--computer security specialists are turning to exotic means of protecting commercial information that originally were conceived for intelligence agencies and strategic defense.

Not surprisingly, protecting computers and telecommunications against electronic intrusion is proving to be mainly a job for computers. Emerging technologies include computerized cipher systems for banks and private industry and coded “digital signatures” to replace the familiar executive scrawl at the bottom of letters and interoffice memos.

Some banks and federal agencies now use “smart cards” with embedded microchips to identify authorized users. A few firms are already marketing ingenious substitutes for the sleepy security guard who may or may not check to see whether the holder of a security pass is also its owner.

Among these devices are computer scanners that confirm the identity of computer users by examining their fingerprints or hand shape. Some literally look an employee in the eye to verify his or her identity: As the employee peers into an eyepiece, a weak infrared beam scans blood vessels on the retina while a computer compares the pattern to one stored in its memory. Retinal patterns are unique even among identical twins and, unlike fingerprints, never clog with dirt and grease.

High on the list of security experts’ current worries are computer viruses like the one injected earlier this month into the Pentagon’s ARPAnet system linking 300 university research centers, corporations and government agencies. Federal agents are investigating Cornell graduate student Robert T. Morris Jr., the 23-year-old son of a leading expert on computer security.

No damage was done to data in the thousands of computers the virus jammed over a two-day period, and most analysts seem satisfied that what happened was not a malicious attack on the American research community’s most important computer network but an ego-expanding prank that ran wildly out of control.

But the prank that made Morris a hero in the eyes of countless hackers also galvanized the fears of millions of others who wonder if their computer checking accounts, medical and credit files--to say nothing of government secrets and nuclear weapons--are any more secure.

On this question, a variety of computer experts suggest, there is good news and bad news.

The good news, some analysts insist, is that the network Morris traumatized earlier this month was unusually vulnerable to mischief by virtue of the very qualities that have made it so useful to researchers since the Pentagon’s Advanced Research Project Agency set it up in 1969. ARPA was and remains the government’s leading supporter of basic and applied computer research.

Designed to let scientists in myriad fields share research results quickly and easily, ARPAnet offers a number of conveniences exploited by the virus, such as remote control of distant computers and a primitive password security system. Some computer researchers maintain that Morris’ feat was no more difficult--and no more relevant to the electronic security of banks and hospitals--than sneaking into a public library.

“ARPAnet is like a public library, not a bank,” says Keith Bostic, a UC Berkeley programmer who has dissected Morris’ virus and found several major programming flaws. “To put any kind of classified information into this net is a federal crime. People just don’t do it.

“You don’t expect your country library to keep books in a vault, “ Bostic observes. “ARPAnet wants you to be able to bop information around freely from machine to machine. Banks don’t.”

The bad news, according to the National Academy of Sciences and the congressional Office of Technology Assessment, is that networks modeled on ARPAnet are the wave of the future in private industry. And the arcane science of computer security is struggling to catch up.

The growing sophistication of networking technology promises to link banks, financial markets, newspapers, hospitals and countless businesses and industries in a vast national electronic web far more intricate--and potentially far more vulnerable to disaster--than today.

“A lot of people assume nothing can happen to us because we’re not connected to ARPAnet,” says Peter G. Neumann, a pioneering authority on computer security at SRI International in Menlo Park, Calif.

“But they are vulnerable,” Neumann warns. “We have this (ARPAnet) technology, which is wonderful for the research community but it’s wide open (to penetration) and it’s creeping into other applications where security is more critical.

“You sure don’t want some high school student dialing into a hospital and changing patient information. But are they immune? I wouldn’t bet on it.”

Computers already control interbank and government fund transfers of enormous scale--the Federal Reserve Bank’s encrypted FedWire alone handles transactions worth $700 billion a day--while other computer telecommunication networks akin to the nation’s interstate highway system run airlines and electric power grids, link industries to thousands of subcontractors and form the heart and brain of the telephone system.

The nation’s growing dependence on commercial computer networks has spurred a variety of government agencies and independent authorities in the last two years to warn of rising vulnerability, not so much to computer hackers as to more sophisticated adversaries, such as foreign intelligence agencies.

“There is every indication that this dependence will increase with continued advances and new applications,” Congress’ OTA warned in 1987. “Although today’s systems are . . . vulnerable to misuse, commercial demand for improved security has been slow to materialize.”

Task Becomes Harder

The federal agency assigned to help private industry develop computer security technology warned in a bulletin on the subject only two months ago that the increasing complexity of the nation’s interconnected commercial computer networks was making the task of analyzing the vulnerability of the networks both harder and more urgent.

“The use of telecommunications networks to connect users and computers increases the potential for disaster if elements in such networks are disabled,” the National Institute of Standards and Technology, formerly the National Bureau of Standards, said in September.

The government’s premier source of science and technology advice warned earlier this year that proliferating computer networks were raising “new concerns about . . . the invasion of privacy, dissemination and uncritical acceptance of unreliable, undesired and damaging information and the prospect of theft on a truly grand scale.”

The insecure ARPAnet, the report observed, was a leading “model” for a growing national system of commercial computer networks, both those that link terminals inside a single company and those that connect businesses to their clients and suppliers in an increasingly paperless business world. Many of these local and “long-haul” networks, experts say, are highly susceptible to industrial espionage through wiretapping.

“Eavesdropping (is) easy to accomplish and difficult to detect,” B. J. Herbison, a security analyst with the Digital Equipment Corp., told the 11th National Computer Security Conference in Baltimore last month.

Although Morris’ virus caused no damage beyond the uncounted hours spent purging it from some 6,000 computers across the country, the episode “brought home how real the problem of computer security is,” Columbia University’s Joseph F. Traub said.

“The whole financial well-being of our society depends increasingly on information. The electronic infrastructure of our country is just as important as its physical holdings. When you think of how much we devote to the physical security of personal, commercial and financial assets, you begin to see the need for information security.”

For businesses, the main line of defense is a mathematical encryption scheme developed in the 1970s by IBM, the government’s highly secretive National Security Agency and the National Institute of Standards and Technology.

Called DES, it is one of the few unclassified encryption schemes, and is now most widely used by the banking industry. According to Miles Smid, standards institute’s manager of security technology, the Federal Reserve Bank’s transactions with 70,000 banking institutions are coded with DES. Its users range from a major toy company, which encrypts its design information, to the Florida state lottery system.

DES-based codes can be used not only to protect the confidentiality of transactions but also to authenticate them, verifying that no intruder--or insider--has altered the numbers. Although DES technology is a decade old, it is only beginning to percolate down to smaller banks, some of which are starting to use it to shield the personal identity numbers of the automatic teller cards they issue.

“I’d agree that there is still a lot of vulnerability (in private industry), but there are also lots of solutions available,” Smid says. “It takes a long time to get them implemented, partly because people tend to think of security not as a cost of doing business but a burden they have to bear, an extra cost they have to pay.”

Coding is only one of several emerging technologies for computer security. Others are aimed at controlling physical access to office terminals that might be able to read or manipulate encrypted data.

Passwords typed on the computer keyboard are the oldest approach, and, as Morris demonstrated, the least secure. Programmers who have dissected his virus found that it was equipped to guess such commonly used passwords as first names, birth dates and the word “hello.”

As an alternative to passwords, computer security researchers at the standards institute are developing “smart cards.” To log on to a terminal, a user slips the card in a slot for the security computer to read, while holding a finger against an optical scanner that compares the fingerprint to that of the card’s authorized owner.

Another evolving approach to computer crime detection is audit trail analysis--tracking the movement of information through a computer system and monitoring who is using it, how it is being used and whether the users are authorized.

The problem, as four researchers from the National Security Agency and SRI International noted in a paper prepared for last month’s computer security conference, is that in any audit trail system that generates enough information to track down an intruder, “the security officer is inundated with page upon page of audit data until buried under a paper mountain.”

Meanwhile, they noted, “the sophisticated penetrator will spread out his activity over a number of days or weeks (to) subtly exploit the dark corners of a system.”

The NSA’s imaginative answer to computer espionage is a still-experimental counterintelligence computer system called MIDAS.

Employed at the NSA’s own National Computer Security Center, MIDAS monitors the 1,200 users of the center’s Honeywell Multics computer known as Dockmaster. Programmed to recognize each user’s work habits and typing patterns, MIDAS searches for suspicious deviations from norms that might signal an attempted break-in or internal misuse.

MIDAS has successfully detected “crude simulated attacks” and also many seemingly genuine anomalies, “some of a suspicious nature,” which are still under investigation, the researchers reported.

While MIDAS is being perfected, the NSA researchers suggested that one way of sharpening its ability to detect intruders “would be by interviewing hackers and those who have caught hackers.”

Coming only two weeks before Robert Morris launched the virus that stopped thousands of computers in their tracks, the suggestion carried unintended irony. The chief scientist of the NSA computer center that developed MIDAS is Morris’ father, Robert T. Morris Sr.