The year 1992 was an historical divide for the Internet. In that year, the number of Internet users surged past one million, enough to form a critical mass for public interest. The Clinton administration made promotion of the "information superhighway" a top priority and formed a National Information Infrastructure advisory council. The World Wide Web and the first browsers, Mosaic and Netscape, seized the public fancy. Since then, multitudes of new businesses, and even new professions, have taken shape-with such names as Internet identity designers, browser builders, electronic marketeers, search engineers, network computers, virtual shopping malls, workflow coordinators, and intranets, to name a few. Business people now routinely include Internet e-mail and Web addresses in their cards, stationery, and advertisements.
Yet the Internet is a risky place to conduct business or store assets. Hackers, crackers, snoops, spoofers, spammers, scammers, shammers, jammers, intruders, thieves, purloiners, conspirators, vandals, Trojan horse dealers, virus launchers, and rogue program purveyors run loose, plying regularly their nasty crafts and dirty deeds. Many do so shamelessly, enjoying near perfect anonymity-using forged addresses, untraceable links, and unbreakable codes. Analogies to the Old American West, populated by unruly cowboys and a shoot-first-ask-later mentality, are more appropriate than the coiners of the phrase "electronic frontier" ever imagined. Many law-abiding citizens, who simply want to conduct their business in peace, are demanding that the marshal come to cyberspace.
But the marshal must be more than a courageous, upright, fair, and tough upholder of the law, for most of the criminals employ high-tech methods that the ordinary person has trouble understanding. The criminals post detailed instructions on bulletin boards on how to test systems for vulnerabilities and then attack them, and the experts among them have made sophisticated "burglar's tool kits" available on Web pages. The marshal must be technologically smarter than the criminals. In an initial attempt to help, the Defense Advanced Research Projects Agency (DARPA) formed the CERT (Computer Emergency Response Team) Coordination Center (CC) in 1988 to work with the Internet community to detect and resolve computer security problems and to help prevent future incidents. In 1996 CERT/CC received over 31,000 e-mail incident reports and 2,000 telephone reports, and they investigated nearly 2,600 of them. The most common security attacks in 1996 were of six kinds.
- The Web server operates as a background process on an Internet-connected computer. One of its programs, PHF, contains a weakness that can allow intruders to execute any command on the computer. Intruders use this to download a copy of the password file, which they attempt to crack; having guessed a weak password, they can log on to the victimized computer by masquerading as a legitimate account-holder. Sample scripts for exploiting this weakness were posted widely in the Internet and CERT saw several reports each week from victims.
- Many Internet-connected computers are controlled by Linux, a public-domain clone of the Unix operating system that can be installed on personal computers. Intruders regularly exploited well-known vulnerabilities of Linux to break into these systems as a "root" (superuser) and install packet sniffers (see number five), which collect account names and passwords. Most true Unix systems are not as vulnerable if their administrators have installed all the necessary security patches.
- Denial-of-service is an attack that obstructs the authorized users of a system from gaining access or from carrying out their normal work. One common attack, used frequently against Internet service providers (ISP), was to flood the ISP's machine with forged packets requesting a network connection; the ISP could not complete the task of opening the connection because the putative sender did not exist or would not respond since it had not initiated the request. As soon as the ISP's local limit on the number of open network connections is exceeded, its computer freezes up until its operators manually reboot it.
- Many operating systems have well-known vulnerabilities that can be exploited by intruders. An example is in the program that routes mail betweenlocal and Internet users: the "sendmail" program contains a "debugger" option that allows a remote system administrator to execute system commands without logging in. Many system administrators, however, have not installed all the security patches distributed by the vendor. Would-be intruders can easily find Web pages containing detailed descriptions of these vulnerabilities, and instructions and tool kits to exploit them.
- Packet sniffers are processes that a superuser can install on a computer attached to an Ethernet. Sniffers listen to all traffic on the Ethernet and collect packets containing account names and passwords into a file that can be transferred later to the intruder's site. Packet sniffers are frequently installed as part of a widely available kit that also replaces commonly used system programs with Trojan horse programs. Trojan horse programs hide the intruder's activities in the compromised system by masking files and erasing audit trails.
- The Internet Protocol (IP) sends data in packets that contain return addresses. Using the widely available tools, intruders can cause a compromised computer to generate IP packets with forged return addresses. The recipient system can be fooled into believing that the packets have come from a trusted system, to which it responds by releasing data or executing commands. Special routers called firewalls can filter out spoofed IP packets before they enter a system, but these routers are hard to program correctly.
While the CERT/CC goes about its job quietly, the news media have given a lot of attention to high-tech computer crimes. Here are some examples of big computer-security stories that appeared in the media:
- Viruses, hidden destructive programs that attach themselves to program files and the boot sectors of hard and floppy disks, have been the subject of intense anxiety since the mid-1980s. In 1995, a more serious virus problem came to the public's attention: viruses in Microsoft Word macros, which could be spread in Word documents attached to electronic mail. Business is booming for the companies that sell virus detectors and eradicators; they keep very busy fighting the new strains that malicious underground programmers continue churning out. Virus hoaxes have become as annoying as the real thing. Reports of super viruses, with such names as Good Times and Penpal Greetings, claim that simply reading certain e-mail is enough to be attacked (it isn't). The reports are so alluring that concerned recipients forward them to their friends and distribution lists. Many people have received dozens of copies of these false claims, forwarded by their own credulous friends.
- In 1988, Clifford Stoll published an account of the tracking of a hacker who had invaded computers at Lawrence Berkeley Laboratories; Stoll later expanded his report into a best-selling book, The Cuckoo's Egg. The hacker penetrated both military and commercial sites and attempted to steal classified or proprietary data.
- In 1988, Robert Tappan Morris, then a student at Cornell University, released a program which propagated itself throughout the Internet. It succeeded in invading between 3,000 and 6,000 hosts out of approximately 60,000 hosts on the Internet at the time, shutting many of them down for up to three days. Morris was subsequently convicted under the Computer Crime Act. The Defense Department formed the CERT shortly thereafter to coordinate future responses to such events and to give early warnings of system v