
Traveling in Cyberspace: Computer Security

J. Philip Craiger
Blaine Burnham
1
University of Nebraska at Omaha

1 Dr. Blaine Burnham is director of the Nebraska University of Computer Information Assurance. Dr. Burnham comes to UNO from Georgia Tech University, where he served as the Principal Research Scientist in the College of Computing and as the Director of Georgia Tech Information Security Center. He most recently served as program manager for the National Security Agency (NSA) at Ft. Meade, Maryland. While at NSA Dr. Burnham established, promoted and sustained the Information Security Research Council for the Department of Defense as well as the intelligence community as a whole.

In this column we discuss a subject with which most of us are probably not too concerned, but certainly should be. That subject is computer security. For most, computer security is not something you think about until something has gone terribly awry. As we will discuss there are very real and serious reasons as to why all of us, anyone using the computer to store confidential, sensitive, personal, or otherwise important information, should care about computer security. We will also describe several methods of making sure that your confidential files remain confidential, they remain available to you, and their integrity remains intact.

Below we describe common vulnerabilities that could put your information at risk. The length of this column precludes discussing every vulnerability; however, we have chosen some of the more common ones. For each of these, we provide a nontechnical description of the vulnerability and potential solutions to protect you. We have provided several extra references for users seeking more information on computer security.

Why Computer Security is Important 

We are rapidly moving into an age in which everything of value and relevance will be either found in computers or dependent upon information found in computers. Today, the vast majority of money in the world is not expressed as currency but rather in some digital format, namely, bits and bytes.

Health and privacy information, business and real estate transactions are all now digital or are moving that way. The foundations of our lives and how we live our lives are becoming dependent on, not just linked to, computers. This dependence cannot and must not be treated as a casual and dismissible relationship of only passing interest. The information/computer technology we use today is far too fragile for the burden we are entrusting to it.

It is incumbent on each of us to understand what is happening, ask tough questions, and demand sensible answers. Without this involvement, our journey into cyberspace will be fraught with extreme danger.

Physical Security

Before we talk about computer security we have to start with its precursor, physical security. After all, all of the computer security in the world doesn't do much good if you copy sensitive documents onto floppy disk and then leave them in a place where unauthorized personnel can access them. Especially in public work places where cubicles are common, it is very easy for anyone to walk by and pocket a handful of floppy disks or CD-ROMs. Even floppy disks can hold intellectual property worth millions or billions of dollars. (How much would a company pay for the engineering schematics for a new computer chip, or a cure for HIV?) The simple solution is that all media containing sensitive information be kept in locked drawers behind locked doors. Or, if you are in a situation in which physical security cannot be guaranteed through lock and key, then it is essential that any sensitive information be encrypted. Encryption (explained in more detail later) scrambles information to make it unreadable. The only person who can decrypt the information, making it readable, is the person holding the key necessary for decryption.

Dumpster Diving

What do you do with copies of old, confidential, or sensitive documents? Shred them? Probably not. Most people dump old documents, receipts, bank statements, and so forth, in the trash or, if they are environmentally conscious, put them in the recycle bin. Hackers2 know this and take advantage of it through the time-honored practice of dumpster diving. Dumpster diving involves hackers waiting till the trash is deposited in dumpsters outside a building, and then physically jumping in to see what they can find. There are horror stories of hackers finding everything from usernames and passwords written on little sticky notes, all the way to important technical specifications and business communication and technical documents, the latter of which were used to break into computers at major telecommunications companies (Littman, 1997).

2 In the public press the term "hacker" has taken on a pejorative meaning, often attributed to malicious idiots who like to break in and vandalize computers and Web pages. In the computer realm, the term "hacker" was first used for someone who had a love of gaining knowledge, typically through figuring out the technical details of technology such as phones and computers. We are using the term "hacker" here to mean the "black hat" hacker, whose primary goal is to conduct illegal computer activities. Contrast this with the "white hat" hacker, whose primary goal is a deep-seated interest in understanding how computers and technology work.

An illegal practice becoming more common is identity theft. Each year, more than 500,000 Americans fall victim to identity theft, and that number is rising (Newman, 2000). If someone can determine key pieces of information about you, such as your social security number, bank account numbers, credit card numbers, and so forth, they can pretend to be you, get access to your bank account, credit cards, and who knows what else. The best way to thwart identity theft is prevention: Shred all documents containing potentially sensitive information PRIOR to recycling or tossing in the trash.

Deleting a File Really Doesn't...

Did you know that when you delete a file on a hard disk or floppy, the information itself is not deleted? Did you know that a deleted file could be easily undeleted? This means that if you have recently deleted some sensitive information from a disk, and you give that disk to someone else, they have the capability of retrieving that information and reading it, printing it, saving it, selling it, posting it to the Internet, and using it to their heart's content. The reason is that when you delete a file, you are only deleting a pointer to that information; you are not deleting the actual information itself. Deleting the pointer tells the operating system that it can write over the space occupied by that information. Drawing an analogy to a book, you could ostensibly delete a book chapter from a book by deleting its title and page information from the table of contents. Someone browsing the table of contents wouldn't know that the chapter existed; however, the actual book chapter would still remain intact. (The deleted information is irretrievable if later the operating system saves another file over the space once occupied by the deleted file.)

There are several solutions to this problem. One is to never share floppy disks that have stored sensitive information. A second and fairly simple solution is to use a wipe utility for any sensitive information that you delete. A wipe utility not only deletes the pointer to the file, it also writes random sequences of bits (0s and 1s) over the actual content of the deleted file. This procedure wipes the information from the disk, making it essentially unreadable. (This is what the military does to wipe sensitive information from magnetic media.) There are numerous free wipe utilities that can be found on the Internet, and wipe functions are included in some consumer applications (such as Norton Utilities at www.symantec.com).

Viruses and Worms

Undoubtedly, the most well known attacks on computer security come from computer viruses. Estimates put the number of existing viruses at anywhere from 10,000 to 60,000, depending upon how you count them (Schneier, 2000). In simple terms,3 a computer virus is a piece of computer code that attaches itself to (i.e., infects) existing computer programs. When the infected programs run, the virus itself is executed. Typically there are two consequences of the virus being executed. First, the virus propagates by attaching itself to other programs. Second, in some circumstances it delivers a payload, which may or may not cause damage to the host computer (described below). Most viruses travel from computer to computer when users share an infected floppy disk or when a user sends an infected file as an e-mail attachment.

3 I'm using the term virus very liberally here to include other software-related infections such as computer Trojan horses, logic bombs, and so forth. The reader is referred to the reference section to learn more about these computer infections.

A cousin of the computer virus is the worm. A computer worm, unlike a virus, is not persistent. For example, if a worm is present on your computer it will be memory resident, that is, only found in RAM, not attached to a file on your floppy or hard drive. Shutting off the computer flushes the RAM, meaning no more worm. Viruses, however, are persistent, given that they infect actual files on the floppy or hard drive, neither of which is affected by shutting down the computer.

The destructive capability of a virus is measured in terms of the virus's payload. Think of a payload as the action that will be performed by the virus when it is executed. Some viruses have no harmful payload. These viruses may replicate, infecting floppy disks and hard drives, but do no real harm like deleting or modifying files. The more destructive viruses can obliterate all information on any magnetic media (hard or floppy drives). For example, the Michelangelo virus overwrites part of the user's hard disk. The Win95/CIH virus wipes out megabytes of information on the hard disk and makes it such that the computer cannot be booted, even from a floppy (Denning, 1999).

Some of the newer forms of virus, called macro viruses, have the potential to infect many, many more computer users in a very short period of time, primarily because they propagate over the Internet using e-mail. A macro is an invisible script, or set of commands or actions, that can be included as part of a regular document, such as a word processing or spreadsheet document. Most macros are created to assist users in completing a task efficiently. However, hackers now use macros to propagate viruses. When a user opens a seemingly innocent document, the macro virus executes, delivering its payload.

The most infamous macro virus is ILOVEYOU. It has been estimated that the ILOVEYOU macro virus infected 10 million computers and caused millions of dollars in damage (Schneier, 2000). The ILOVEYOU macro virus is sent unwittingly via e-mail by an infected computer host, arriving as e-mail with the subject line "I Love You" and an attachment with the name: Love-Letter-For-You.txt.vbs. The ILOVEYOU virus is a good example of social engineering (described below).4 What person would NOT be intrigued by such a message and want to open the file of someone who purports to love them? Unfortunately, opening the attachment executes the macro virus, resulting in two consequences. First, if the user has the very popular Microsoft Outlook (a personal information manager) on his/her computer, the virus propagates itself by e-mailing itself to everyone in the user's Outlook address book. (How many people are in YOUR computer address book?!) Second, the virus corrupts files that end with .vbs, .vbe, .js, .css, .wsh, .sct, .hta, .jpg, .jpeg, .mp2, .mp3 by overwriting them with a copy of itself, essentially destroying this information (Vamosi, 2000).

4 The .vbs on the end of the e-mail attachment means it's a Visual Basic scripting file, namely, a macro, which can execute commands on your computer. Interestingly, the second bit of social engineering is the use of the .txt in the name of the file. A .txt extension is used to indicate a text file, which gives many users a false sense of security, because text files cannot execute, and are therefore harmless. However, the file is actually a Visual Basic script, which CAN be executed.
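A mail filter can catch the naming trick described in footnote 4 by looking at the last extension rather than the first one a reader notices. The check below is an added example, not part of the original column; the two extension sets and the function names are assumptions chosen for illustration, and the sample filenames other than the ILOVEYOU attachment are constructed.

```python
import os

# Assumed list (not from the column) of extensions Windows runs as scripts or programs.
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".wsh", ".hta", ".sct",
                   ".exe", ".scr", ".bat", ".com"}
# Assumed list of extensions that users read as harmless documents or media.
BENIGN_LOOKING_EXTS = {".txt", ".jpg", ".jpeg", ".mp3", ".doc", ".pdf"}


def effective_extensions(filename):
    """Return every extension in the name, in order, normalized for comparison.

    Windows ignores trailing dots and spaces and treats extensions without
    regard to case, so the name is normalized the same way before splitting.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    name = name.strip().rstrip(". ").lower()
    parts = name.split(".")
    return ["." + p.strip() for p in parts[1:] if p.strip()]


def classify_attachment(filename):
    """Classify by the LAST extension, which is the one the system acts on."""
    exts = effective_extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "allow"
    # An executable type hiding behind a harmless-looking inner extension.
    if any(e in BENIGN_LOOKING_EXTS for e in exts[:-1]):
        return "block-disguised"
    return "block-executable"


def triage(filenames):
    """Return only the attachments that should not be delivered, with the reason."""
    verdicts = ((name, classify_attachment(name)) for name in filenames)
    return [(name, v) for name, v in verdicts if v != "allow"]


# The first name is the attachment named in the column; the rest are constructed.
SAMPLE_ATTACHMENTS = [
    "Love-Letter-For-You.txt.vbs",
    "minutes.v2.txt",
    "holiday.jpg",
    "setup.vbs",
    "photo.jpg .vbs",
    "INVOICE.TXT.VBS. ",
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS):
        print(f"{verdict:17} {name!r}")
```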

Fortunately, with some care, you can greatly reduce your chances of becoming infected. First, get good antiviral software. For example, Norton Antivirus (www.symantec.com) and McAfee Antivirus (www.mcafee.com) are two well-known and very good antiviral applications. Once you install the software, make sure you enable the autoprotect function. Autoprotect is a function that starts when your computer is booted, and runs until you shut it down, working like an inoculation. While running it will attempt to detect any virus that may try to infect your system. You should also make sure you scan your system for viruses at least once a week (a process which can be automated to run while you are away from your computer). A virus scanner, the heart of antiviral software, works by looking for various virus signatures on your computer. If it finds a virus signature it will attempt to quarantine the virus, making sure that it cannot infect any other programs.

It is critical that you update your virus signatures because more and more viruses are being written every day. If the antiviral software doesn't have the most up-to-date signatures, it may completely miss a virus. (Most antiviral programs allow you to update virus signatures over the Internet.) Finally, we would suggest that you never, ever open any e-mail attachment from someone you don't know. It is very easy to hide viruses in e-mail attachments, and opening an infected attachment executes its payload.

Social Engineering

Kevin Mitnick, the most infamous hacker in history, said that 98% of his computer break-ins were facilitated through social engineering. Social engineering attacks the weakest link of the security chain, the human user. Social engineering involves getting information from people by nontechnical means, typically by lying, manipulating, or pretending to be someone to be trusted. How effective is social engineering?

In 1994, a French hacker named Anthony Zboralski called the FBI office in Washington, pretending to be an FBI representative working at the U.S. embassy in Paris. He persuaded the person at the other end of the phone to explain how to connect to the FBI's phone-conferencing system. Then he ran up a $250,000 phone bill in 7 months. (Schneier, 1996, p. 266)

If the FBI is vulnerable to social engineering, chances are you are too. Hackers use social engineering to obtain critical information because it is much easier than gaining the same information through technical means, such as exploiting a vulnerability in computer software, which could take a lot of time, energy, and resources (Winkler, 1997). Why do something the hard way when you can manipulate someone into just giving you the information in a fraction of the time?

Here's an illustration of how a hacker would accomplish a piece of social engineering. Say Harry Hacker wants access to Company X's computer network. Since he doesn't have valid access he decides to carry out some social engineering on a Company X employee, Ted Smith. Harry Hacker would call Ted Smith on the phone, and pretend to be from Company X's tech support department. The scenario would go something like this.

Hacker: Hello, Ted? Hi, I'm Fielding Mellish, I'm a new technician in tech support. We're having some trouble with the e-mail in your department. We have had lots of complaints that e-mail is not getting through, so I'm checking and fixing everyone's account. I need to get into your account to make sure that the problem gets fixed, and you can get all of your e-mail. I just need your username and password...

Ted: Gee, I'm not supposed to do that. Who did you say you were again?

Hacker: Look Ted, I don't mean to be nasty, but I've got 50 other employees' accounts I have to fix by the end of the day, and I can't do THEIRS until I get YOURS fixed. If you don't want me to fix your account, fine. But I'll let your boss AND your coworkers know that you were the cause of the holdup!

Ted: O.K., I'm sorry, I didn't realize it was that serious. My username is tsmith, and my password is Nancy. (His daughter's name.)

Hacker: Thanks very much, Ted, I'll let the VP know how cooperative you were. I should have your account fixed in 5 minutes. Thanks again. Bye.

A minute of work and the hacker has all the information needed to insinuate himself into the network. Once the hacker has access to a user's account, he (or she) can exploit known vulnerabilities in the software to gain access to the Holy Grail of access: root. Root access simply means the user has the same access privileges as the network administrator; that is, the person in charge of the network. That level of access allows a user to modify, move, or even delete crucial files. Simply put, they can play god with the network, costing individuals, organizations, or governments millions, and conceivably, billions of dollars.

Social engineering works because it is natural for people to want to be helpful. And of course, when they aren't, the hackers can use intimidation, as demonstrated in the scenario above. The key to remember is that no technician or network administrator need ask for your password over the phone or over e-mail. If someone with whom you are unfamiliar asks for such information, decline and call your network administrator, immediately. After all, network administrators are already the god of the network, and they have the ability to get and/or change your password. There are plenty of other ruses that hackers can use, so also beware of the following: (a) if someone you don't know asks you to change your password to a specific word, don't do it; and (b) don't send your password over e-mail or any other electronic means unless the transmission is encrypted (scrambled).

General Problems with Passwords

Usernames and passwords are used to identify and authenticate users. Authentication means to determine whether the person purporting to be the user is actually who they say they are. Many computer accounts require some degree of confidentiality, and therefore, authentication through usernames and passwords is ubiquitous.5 Unfortunately, many user accounts are vulnerable to password guessing. This vulnerability is really not the fault of the user, but rather an innate human limitation of remembering a bunch of meaningless and forever changing information. Who can remember passwords for your work computer, your home computer, your Web-based mail, your ISP, your Amazon.com and My Yahoo! accounts, all of your credit card PIN numbers, and more?

5 If you think that keeping your password confidential is not important because you don't store any sensitive information on your computer, then imagine a hacker breaking into your computer and then doing any of the following: (a) sending nasty notes to your boss, or the president of the United States; (b) downloading pornographic files to your computer (or e-mailing them to your boss from your account!); (c) attempting to break into military computers from your computer; and so forth. The list could go on and on. The bottom line is, there are innumerable important reasons to keep your password confidential.

Because there is so much to remember, the typical user will do one of two things. First, make his or her password(s) very simple and/or personal, and therefore more memorable. Because they are simple and personal they are easily guessable with a little background work by the hacker. For example, there are plenty of stories of users that use "password" as their password, or their own name, their spouse's or child's name, or such simple combinations as "abc," "1234," and so forth. Very easy to remember means very easy to guess. A good hacker will do plenty of intelligence work prior to an attack and will in all likelihood know important personal information on the user (spouse's, children's, and pets' names, etc.). All they have to do is spend 5 or 10 minutes running through all of these alternatives before they hit the jackpot.

Even if you do create a password that is not easily guessable, it still might be vulnerable to a hacker through something called a dictionary attack (Schwartau, 1996). Here's an illustration of a dictionary attack. On most computer systems your user name and password are encrypted and then stored on the computer in an authentication (password) file so that if a hacker breaks into the computer they cannot read this sensitive information.6 To illustrate an encryption scheme, here is one of the first encryption algorithms, attributed to Julius Caesar.

6 Unless the hacker can decrypt the information, that is, translate it back into its original format.

Original alphabet: abcdefghijklmnopqrstuvwxyz

Encrypted alphabet: defghijklmnopqrstuvwxyzabc

The Caesar cipher simply takes the original letter and substitutes the third letter following.7 For example, a becomes d, b becomes e, and so on. Once we get to the end of the alphabet, x wraps back around to the beginning of the alphabet as a, y is b, and z is c.

7 This is a super simple example of an encryption scheme for illustrative purposes only. Today's most advanced encryption schemes are highly technical, mathematically based, and unbreakable.

To illustrate the dictionary attack, say we have the following username and password for an account.

Username: mikecoovert

Password: buckeye

Using the Caesar cipher described above, the encrypted username and password would be:

Username: plnhfrryhuw

Password: exfnhbh

The authentication file would contain the combination plnhfrryhuw exfnhbh, the encrypted username and password for Mike Coovert. However, if a hacker can break into the network and gain access to this authentication file, he or she can use a dictionary attack to discern the passwords. A dictionary attack uses password-cracking software to compare the encrypted passwords with a dictionary of encrypted words. When the software finds a match, the password has been cracked. To illustrate, the hacker would compare exfnhbh (the password from the authentication file) to all the encrypted dictionary words, such as:

buck exfn

buckeroo exfnhurr

buckeye exfnhbh

(GOT IT! The password is buckeye)

With a fast computer, it would take only a few minutes to crack the encrypted password. (Statistically, in the long run it would only have to look at half the entries before a match is found).

The best way to defeat dictionary attacks is to use passwords that are NOT in the dictionary. For example, the only way the password "wooga" could be cracked is through either exhaustive search (that is, trying every conceivable combination of letters until that combination is found) or through social engineering. Clearly, the use of nondictionary words makes the hacker's job much more difficult, and we strongly suggest that you use this technique to thwart password cracking. Also make sure that your password is fairly long, seven characters or more, and contains punctuation, numbers, and a combination of upper and lower case letters (e.g., 7wOOga!). Doing so exponentially increases the difficulty of password cracking.
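The dictionary comparison and the password advice above can be run as a small password audit. This is an added example, not code from the column: it reuses the column's Caesar shift, sample account and dictionary words, while the extra dictionary words, the user "jdoe" and all function names are constructed for illustration.

```python
import math
import string

SHIFT = 3  # the column's Caesar cipher: each letter becomes the third letter after it


def caesar_encrypt(text, shift=SHIFT):
    """Shift lowercase letters forward, wrapping x, y, z around to a, b, c."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        else:
            out.append(ch)  # digits, capitals and punctuation pass through unchanged
    return "".join(out)


def audit_auth_file(auth_entries, wordlist):
    """Map each encrypted username to the dictionary word its password matches, or None."""
    encrypted_dictionary = {caesar_encrypt(word): word for word in wordlist}
    return {user: encrypted_dictionary.get(pw) for user, pw in auth_entries}


def alphabet_size(password):
    """Count the symbols an exhaustive search must try per position for this password."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def exhaustive_search_space(password):
    """Number of candidates of the same length drawn from the same character classes."""
    return alphabet_size(password) ** len(password)


# Dictionary words from the column plus two constructed ones.
WORDLIST = ["buck", "buckeroo", "buckeye", "nancy", "password"]

# Constructed authentication file: the column's entry, plus a hypothetical
# user "jdoe" whose password is the non-dictionary word "wooga".
AUTH_FILE = [
    ("plnhfrryhuw", "exfnhbh"),
    (caesar_encrypt("jdoe"), caesar_encrypt("wooga")),
]

if __name__ == "__main__":
    for user, word in audit_auth_file(AUTH_FILE, WORDLIST).items():
        print(user, "->", word if word else "not in dictionary")
    for pw in ("wooga", "7wOOga!"):
        space = exhaustive_search_space(pw)
        print(f"{pw}: {space:,} candidates (about {math.log2(space):.0f} bits)")
```

The dictionary lookup finds "buckeye" at once and finds nothing for "wooga", and the second loop shows how much larger the exhaustive search becomes when length and character classes are added.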

Committing Your Passwords to Paper...

Many users write their passwords on, say, a sticky note, placing the note on the computer, or a desk drawer for easy reference. This practice is more common than you might think. There are very educated folks with whom I work who do this. Hackers know that users do this. All a hacker has to do is to walk by an office or cubicle and quickly glance around to see if there are any passwords for harvesting. Actually, this practice of using external memory aids such as sticky notes is not such a bad idea as long as the memory aids remain confidential and within the control of the user. Thus, it is perfectly acceptable to put the sticky note in your purse or wallet, or in a locked file cabinet (or anywhere else that physical security can be provided).

Biometrics

One promising way of user authentication that would bypass the archaic username and password combination is biometrics. Biometrics refers to measures of physical and/or biological characteristics of users as a means of identifying and authenticating a user. Biometrics is promising for a few reasons. First, there are many characteristics that can be used for authentication that are unique to each individual. Second, users don't have to remember anything (No more passwords!). Third, users always have the means of authentication with them. The most common biometric is the fingerprint. Other biometric characteristics include voice and face recognition. One of the more promising metrics is iris patterns, which have over 260 unique identifiers, compared to 35 for the fingerprint (Denning, 1999). Unfortunately, currently the cost of biometric hardware and software precludes their use in common everyday tasks; however, as biometrics become a more popular means of authentication, and the U.S. Army Biometric Program continues its research, the costs will invariably come down.

Connecting from Home

More and more computer users have dedicated Internet connections at home. Dedicated, or always-on connections mean that the computer always has a live connection to the Internet. For example, DSL (digital subscriber lines) and cable modems provide fast, always-on connections. Contrast this with the more common 56K modems where the user has to dial in to the ISP (Internet service provider) each time he or she wishes to access the Internet. The problem with these always-on connections is that they are much more vulnerable to being attacked by a hacker.

Without getting too technical, hackers can employ special software that performs various automated scans and attacks on dedicated Internet connections. These connections give hackers more time to be able to determine the computer's Internet address (IP address), the operating system it is running, and many more tidbits that can be used for an attack. In fact, it was reported that the recent hacker attack at Microsoft was accomplished through some clever social engineering and then breaking into Microsoft through the Microsoft employee's always-on connection at home (Howell, 2000).

There are several solutions to this problem. First, you can turn off your connection when you are not using it, although this doesn't solve the problem completely because you are vulnerable when you are connected and working online. Second, you can install a personal firewall on your computer. A firewall is software that acts as a boundary between your computer and the Internet. A firewall keeps intruders out by acting as a perimeter defense, similar to a castle wall (Schneier, 2000). If someone tries to hack into your computer, the firewall, when installed and set properly, will allow legitimate communications through, while disallowing suspicious activities. We strongly suggest that if you do connect to the Internet from home, that you install a firewall, most of which are fairly inexpensive (less than $100) or free (e.g., http://www.zonelabs.com).

Cryptography

If you keep a lot of important information on your computer, you should consider cryptography as a solution to ensuring confidentiality and integrity of that information (Pfleeger, 1997; Schneier, 1996). Encryption protects information by scrambling it using a secret key. Unscrambling the encrypted message, a process called decryption, requires a key. Some messages that are sent across networks and the Internet are encrypted transparently, that is, so that it is not obvious to users. A good example of this is in e-commerce applications, which automatically encrypt information you send.

Cryptography is one of the key means of providing information security for governments and organizations. In fact, up until last year the U.S. Government felt that encryption was so vital to the security of our nation that they classified strong encryption methods as a munition and limited their export to any foreign countries.

There are numerous cryptography schemes that are currently in use and widely available. One of the more popular is called PGP, for Pretty Good Privacy, available from MIT (Zimmerman, 1999; http://web.mit.edu/network/pgp.html). The Windows version of PGP comes with a very attractive user interface making it fairly easy to use. It also works with Microsoft Outlook so that the user can encrypt outgoing and decrypt incoming mail messages.

Final Thoughts

Back up your data, and do it frequently. I learned this lesson a LONG time ago. If you ever have any problems with a virus overwriting part of your hard drive, it's a simple matter of restoring your backups. There is plenty of software that makes this a painless task. Plus, with Zip drives (holding 100 to 250 MB) and CD-R (allowing users to read and write to CDs, 670 MB worth!) coming down dramatically in price, it makes very good sense to back up your data (at the least) and even your entire hard drive.

We hope this column makes you think about the computer security vulnerabilities you might face, and makes you more aware of the potential disasters that you might avert. The reference section includes various computer and information security readings which range from the not technical to the very technical.

A Personal Note

I (Philip) have enjoyed writing this column for the last 6 years. I'd like to thank my friend Michael Coovert (the previous TIP editor) and Allan Church, the current editor, for all of the help they have provided to me. I'd also like to thank my former and frequent co-author, Jason Weiss, for all of his help. (Jason recently received his PhD, married a lovely lady, got a dog, moved to Pittsburgh, and in general, got on with the real world. He is truly missed.) Finally, I'd like to thank all the readers who have given me encouragement throughout the years. To all my readers, best of luck in your computing endeavors, and happy surfing.

References

Adams, A., & Sasse, M. A. (1999). Users are not the enemy. Communications of the ACM, 42, 41-46.

Bigelow, R. P. (1995). Legal issues in computer security. In A.E. Hutt, S. Bosworth, & D. B. Hoyt (Eds.), Computer security handbook. New York: John Wiley & Sons.

Carroll, J. M. (1995). Information security risk management. In A. E. Hutt, S. Bosworth, & D. B. Hoyt (Eds.), Computer security handbook. New York: John Wiley & Sons.

Denning, D. (1999). Information warfare and security. New York: Addison Wesley.

Howell, D. (October 30, 2000). Microsoft hack a hard lesson for many firms. Investor's Business Daily, p. A6.

Hutt, A. E. (1995). Management's role in computer security. In A. E. Hutt, S. Bosworth, & D. B. Hoyt (Eds.), Computer security handbook. New York: John Wiley & Sons.

Littman, J. (1997). The Watchman: The twisted life and crimes of serial hacker Kevin Poulsen. Boston: Little & Brown.

Pfleeger, C. P. (1997). Security in computing. Upper Saddle River, N.J.: Prentice Hall.

Schneier, B. (1996). Applied cryptography. New York: John Wiley & Sons.

Schneier, B. (2000). Secrets and lies: Digital security in a networked world. New York: John Wiley & Sons.

Schwartau, W. (1996). Information warfare. New York: Interpact Press.

Vamosi, R. (2000). How to beat the ILOVEYOU worm. [Online] Available at http://www.zdnet.com/zdhelp/stories/main/0,5594,2562032-1,00.html  

Winkler, I. (1997). Corporate espionage. New York: Prima Publishing.

Zakin, N. K. (1995). Policies, standards, and procedures. In A.E. Hutt, S. Bosworth, & D. B. Hoyt (Eds.), Computer Security Handbook. New York: John Wiley & Sons.


April 2001 Table of Contents | TIP Home | SIOP Home