type: NYT (Copyright 1995 The New York Times)
priority: Urgent
date: 01-22-95 2108EST
category: Financial
subject: BC NETWORK NEMESIS ART
title: NEW FORM OF ATTACK ON COMPUTERS LINKED TO INTERNET IS UNCOVERED
author:  JOHN MARKOFF
text: 

       SAN FRANCISCO -- A federal computer-security agency has
discovered that unknown intruders have developed a new way to break
into computer systems, and the agency plans Monday to advise users
how to prevent the problem.
       The new form of attack leaves many of the 20 million government,
business, university and home computers on the global Internet
vulnerable to eavesdropping and theft.
       Officials say that unless computer users take the complicated
measures they will prescribe, intruders could copy or destroy
sensitive documents or even operate undetected by posing as an
authorized user of the system.
       For computer users, the problem is akin to homeowners
discovering that burglars have master keys to all the front doors
in the neighborhood.
       The first known attack using the new technique took place on
Christmas day against the computer of a well-known computer
security expert at the San Diego Supercomputer Center. An
individual or group of unknown intruders took over his computer for
more than a day and electronically stole a large number of security
programs he had developed.
       Since then several attacks have been reported, and there is no
way of knowing how many others may have occurred. Officials of the
government-funded Computer Emergency Response Team say that the new
assaults are a warning that better security precautions will have
to be taken before commerce comes to the Internet, a global web of
interconnected computers that exchange electronic messages,
documents and computer programs.
       It is expected that by the end of this year such businesses as
florists, supermarkets, credit card companies and banks will peddle
wares to customers via their personal computers over the Internet
and the new intruders could then be able to steal credit card
numbers, merchandise and money.
       The response team, a federally sponsored agency at Carnegie
Mellon University in Pittsburgh, plans Monday to post an advisory
on the Internet, alerting computer users to the attacks and urging
them to take a variety of protective measures involving software
and hardware security mechanisms.
       ``This was a sophisticated attack,'' said James Settle, a former
FBI computer crime expert who is now an executive at Inet Corp., a
computer security firm. ``Essentially everyone is vulnerable.''
       The Internet works by breaking computer messages in groups of
digital packets of data, each of which has an electronic
``envelope'' that provides ``to'' and ``from'' addressing
information used by special network computers known as routers that
deliver the data.
       The new attack makes uses of a flaw in the design of the network
to fool the router computers into believing that a message is
coming from a trusted source. By masquerading as a familiar
computer, an attacker can gain access to protected computer
resources and seize control of an otherwise well-defended system.
       Computer administrators at several organizations that have been
broken into by individuals using the technique said they had been
contacted by federal law enforcement officials as part of an
investigation into the break-ins, but Justice Department officials
refused to comment.
       The lack of tight security on the Internet has remained a
well-known risk, even as thousands of companies have been flocking
to the global network in the last year hoping to find new ways of
doing business in cyberspace.
       However, many computer security experts point out that the basic
Internet software was never designed with this use in mind. It was
originally created by academic researchers to conveniently exchange
computer data with little thought to the problems that are now
emerging in which anonymous individuals, hidden by a web of
computer links, can eavesdrop and steal electronically.
       Classified government military computer systems are not thought
to be at risk because they are not directly connected to the
Internet.
       And until now, most companies and other organizations with
computers directly connected to the Internet have assumed they
could protect themselves from intruders by creating various types
of hardware and software defenses known as ``fire walls.''
       But the new type of attack can in many cases easily penetrate
these common defenses, according to officials of the Computer
Emergency Response Team.
       ``Out of all the sites on the Internet, there are only some
small fraction that care enough about security,'' said Tom
Longstaff, manager of research and development for the security
agency.
       The security warning to be issued Monday will include a list of
brands of router computers that can use a computer program to
protect against the new attack, which is called IP, or internet
protocol, spoofing.
       The new defense works by recognizing packets that have been
forged and rejecting them. But the advisory will also list brands
of routers that have no way of protecting against the attack.
       Computer security experts said there was no good way of
estimating what fraction of the Internet computers have routers or
fire wall software capable of protecting against the attack.
       ``This is a really tough problem because it is an attack based
on the way things work normally,'' said Marcus Ranum, a senior
scientist at Trusted Information Systems, a computer security firm.
       The flaw, which has been known as a theoretical possibility to
computer experts for more than a decade, but has never been
demonstrated before, is creating alarm among security experts now
because of the series of break-ins and attacks in recent weeks.
       The weakness, which was previously reported in technical papers
by AT&T researchers, was detailed in a talk given by Tsutomu
Shimomura, a computer security expert at the San Diego
Supercomputer Center, at a California computer security seminar
sponsored by researchers at the University of California at Davis
two weeks ago.
       Shimomura's computer was taken over by an unknown attacker who
then copied documents and programs to computers at the University
of Rochester where they were illegally hidden on school computers.
       Most computer security experts say that real security on the
Internet awaits the widespread adoption of encryption technology
for scrambling data and authenticating messages.
       ``The right answer is encryption because when you encrypt your
business data you don't care how many people get a copy,'' said
Eric Schmidt, the chief technical officer of Sun Microsystems. ``My
prediction is that this will be the only real solution to these
problems.''
       Internet veterans also expressed anger at the new style of
attack because it would cause many organizations to strengthen
their security systems, thus making the network less convenient and
less useful.
       ``These guys are striking the basis of trust that makes the
network work,'' said Marcus, ``and I hate that.''