THE CUTTING EDGE : Paranoia Your Password? OK, But Don’t Tell Anyone

Computer consultant Peter Wayner changes his Internet password every week in order to foil hackers, and he hopes to send his electronic mail encrypted so prying eyes see only jabberwocky.

Is the fellow paranoid? Not really. If you use a computer mainly to write relatives and catalogue your compact disc collection, and you never run any software that didn’t come shrink-wrapped off the shelf, security isn’t your big worry.

For most of the rest of the world, however, computer security is a pressingconcern. Mainframes and networks are fat targets for hackers, office PCs are subject to unauthorized use, and viruses can infect home computers through innocent-seeming shareware.

Wayner, for instance, knows that when he sends electronic mail from Baltimore to a client in Montreal, it may pass through 24 computer systems before it arrives, as easy to read the entire way as the message on the back of a postcard. He’d like to send his messages scrambled by an encryption program, but the odds are no one on the receiving end could decode them.

The irony is that, for most computer users, data protection is relatively easy, yet few take the steps needed to establish even rudimentary computer security.

For example, an increasing number of computer programs come with built-indata security measures, including the new Macintosh System 7 operating system, Windows NT and Novell’s Netware.

Popular corporate e-mail programs, such as cc:Mail, and widely used system utilities, such as PCTools, will let anyone encrypt a computer file so thoroughly that only the National Security Agency could crack the code without the key.

“This isn’t important for letters to Mom,” Wayner said, “but I think it isincreasingly essential in business. Corporate espionage is a very real problem, and many of the opponents are well-financed, technically adept and among the best at surveillance in the world.”

This comes as no surprise to the operators of networks that are major targets of industrial espionage. These administrators, some of whom fend off dozens of anonymous probes a day, probably keep the telephone number of the federal Computer Emergency Response Team programmed into their digital cellular phones and have the loose-leaf edition of the Disaster Recovery Yellow Pages on the bedside table, open to the section on “Trauma Counseling.”

Alarmed by the number of reported computer break-ins, they may have already ordered “smart” password cards for their employees. These credit card-size devices are synchronized to the computer and automatically generate new system passwords every few minutes. Even if someone intercepted a password--as happened to tens of thousands of Internet users recently when their secret sign-ons were intercepted by illicit “sniffer” programs--the password is quickly out of date. Boston University is issuing such password cards to its 2,000 system users at a cost for each of about a nickel a day.

Even when people do fret about system security, the necessary precautions seem like just so much more of that extra work computers generate to make life more complicated, rather than simpler.

John Toon, a public affairs manager at the Georgia Institute of Technology, for example, remembers to regularly scan his computer files with anti-virus software, and he has configured his office system so that only an authorized few can upload files or access the most sensitive files.

He knows he should be changing system passwords more often than he does. Frankly, he says, it takes too long because of all the automated log-in scripts that have to be reconfigured.

But these days, a little useful paranoia can go a long way. While not everyone needs an automated security guard, there are some relatively painless precautions that a sensible computer user should consider.

* Passwords: Use a mixture of letters and numbers, and don’t write it down. Don’t use a word that can be found in the dictionary. Use a different password for every different telecommunications account or bulletin board you access. Change it as often as you can stand. Don’t ever share it. This is especially important for small systems equipped with remote-access programs, such as PCAnywhere or Carbon Copy.

* Encryption: Consider using the built-in encryption features of programs like PCTools, Norton Utilities or, on a network, Lotus Notes. Some of these programs will also “shred” files you wish to delete, so they can’t be recovered. Even compressing files with Pkzip or another archiving program offers some basic protection. For more sophisticated users, AT&T;’s SecretAgent offers a range of file security and encryption features elaborate enough to satisfy anyone.

* Screen savers: If you use a personal computer in an office, install a password-protected screen saver so that your system will hide your work and lock itself if you step away from your desk for more than a few minutes. Install a floppy drive lock, so no one can bypass hard drive security to boot your system. Better yet, use a program like Norton Disklock, which prevents unauthorized users from getting access to your computer’s hard drive.

* Backups: Since hard drives sooner or later crash, backing up data is crucial, but it also helps with security. If your computer is stolen, if it goes up in flames, or if important files are corrupted as the result of mischief or malfunction, you can restore them.

* Digital signatures: Electronic mail is easily forged. Tampering with electronic documents takes no special skill and leaves no trace. RSA Data Security Inc. in Redwood City recently announced that it would start giving away on the Internet a program called RIPEM/SIG as a free tool to authenticate information and to verify who sent an electronic expense account, document or sales form by appending an unforgeable electronic signature. To get it, send e-mail to rsaref@rsa.com.

* Computers and faxing: Don’t forget what happens to your computer data when you fax it. AT&T; makes a product called Data Fax, which reduces any computer file, picture, spreadsheet or data base to an encrypted pattern of variegated black and white squares that resembles the static snow on a television screen. The recipient would scan the page into his computer, which would translate the markings back into the presumably intelligible original.

Perhaps the most effective way to protect a computer system from outside interference is to disconnect the phone line and lock the door.

That’s easier said than done for systems connected to the Internet, a network of networks in which each system relies to some extent on the others. Since the National Science Foundation lifted restrictions on commercial use of the Internet two years ago, it has grown to encompass 25,000 interconnected networks in 61 countries, with more than 2.5 million computer systems and millions of users tied together in a fragile web of trust.

“It is a party line all over the world,” said William R. Cheswick, a computer security expert at AT&T;’s Bell Laboratories. “Anyone can get on, and you need some protection.”

It would be hard to find a company more worried about communications security than AT&T.; On the average, someone tries to break into the research network at Bell Laboratories in Murray Hill, N.J., 70 times a day.

Defending the entire system has given Cheswick such a security workout that he has written a comprehensive manual (with colleague Steven M. Bellovin) called “Firewalls and Internet Security: Repelling the Wily Hacker.” It will be published next month by Addison-Wesley Publishing Co.

“You certainly don’t want people on the Internet watching what’s going on in your business,” he said. “I know of companies that have decided not to connect because of that possibility of electronic break-ins.”

The biggest business security problems, however, are not caused by outsiders trying to break in but by insiders poking around where they don’t belong. A 1993 Ernst & Young survey of corporate information officers found that they were far more worried about security breaches caused by their own people than about any wily hacker.

“Companies cooperating on a joint project need to share data and share access to their systems, but they don’t want to give a potential competitor any more access than necessary,” Cheswick said. “We want to have firm assurances that they are stuck in one directory and can’t get out.”