This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mimeat_private for more info. --------------13DC33F5169 Content-Type: TEXT/PLAIN; CHARSET=us-ascii Content-ID: <Pine.SUN.3.96.981130165527.14453Dat_private> http://www.mediacentral.com/Magazines/CableWorld/News98/1998113011.htm/539128 Looking Both Ways on the Info Superhighway BY JOSHUA CHO The streets of the information highway are not safe. Computer hacking, and its lesser but similarly intrusive activity of sniffing, the electronic version of snooping from which many hacks spawn, affects everybody at some level in this wired era. Indeed, according to M. E. Kabay, director of education for the International Computer Security Association (ICSE), "So few crimes are detected and reported. Most companies that are broken into will never report it to anybody. The last thing they want is bad publicity." The truth of that statement can be substantiated by the search for any quantitative analysis of hacking or computer crimes on commerce and industry in general. No hard facts or figures exist about hacking because of the nature of the crime. "Don't trust any statistics with decimal points," Kabay said. "It's impossible to have that degree of precision" because of the lack of reporting on the crime. But if one was to look at the number of Web sites that have been hacked into as any indication of the problem, there should be, and indeed is, a good deal for concern. The list of companies that have had their Web sites hacked is a long one. It includes organizations as big as the US Department of Commerce, NASA, the Department of Justice, the United States Air Force and the Los Angeles Police Department. In the media and entertainment industry, The New York Times, the Fox TV network and a host of Web sites devoted to major motion pictures like The Truman Show and Titanic have had their sites taken over by hackers. Even the CIA's Web page was the victim of a hack as was the widely used search engine Yahoo!, which had its contents and links removed and replaced with messages from the hackers, a common occurrence when pages are hacked. The effects of computer hacking range from an annoyance to major thefts of proprietary or otherwise secret information. Last July, Time Warner Cable's Chatsworth, Calif., system in the Los Angeles area was breached by a group of hackers who ominously referred to themselves as the "Legions of the Underground." The hackers claimed that they gained access to the system's nexus channel modulator, LAN and SPARC stations, fiber networks, com satellite, channel switching and numerous Web servers. Lending credence to the hackers' claims, the computer security Website AntiOnline was sent a screen shot that the hackers claimed was sensitive to Time Warner system controls. The screen shot, which is still available for viewing on AntiOnline's site, is claimed to be the Chatsworth, Calif., system's Iris Video Commander Plus. The hackers, in a published interview with the AntiOnline, said that they had directional control of one of the system's satellites and access to the channel modulator. However, Time Warner Cable's VP of corporate communications, Michael Luftman, said, "There was no impact because never at any time did they try to do anything to the system itself." He declined to saying anything further because of what he said was the serious security risk associated with the matter. According to AntiOnline, the hack was perpetrated by remotely dialing directly into the Time Warner systems through a maintenance port, using a scanner or "wardialer," a device that dials a range of telephone numbers and records which numbers are attached to modems. In the AntiOnline interview with the hackers, one of the perpetrators, going by the name of optiklenz, was quoted as saying, "I say this time and time again: if it were somebody else who didn't know what they were doing, or didn't have any ethics whatsoever, then Time Warner would be in a lot more trouble." Those are words that would keep any system administrator awake at night. But Internet security isn't a topic that is new to Time Warner. Its Road Runner high speed Internet access service, a joint venture with MediaOne Group Inc., has to contend with the issue on a minute-by-minute basis. According to Kevin McElearney, Road Runner's VP-network support services, the service had an unauthorized user enter a regional game server once. "There have been small isolated cases of intrusion," McElearney said, "But honestly, there's not an ISP on the market that can say it hasn't been compromised." The company also has to be concerned with protecting the 125,000 subscribers that are connected to its high-speed network. And so does @Home, Inc., which like Road Runner is a partnership of MSOs, which include Tele-Communications Inc., Comcast Corp. and Cox Communications Inc., among others. When cable operators first began offering Internet access on a wide basis they found that a form of hacking called packet sniffing, or sniffing, was possible because of the architecture of the system. Sniffing is used either to peep into someone else's computer information for the purpose of simple inquisitiveness or, more maliciously, to capture valuable passwords and user IDs, or any bits of information that can lead to greater and greater access to other more sensitive data. An understanding of how to steal computer information requires knowledge of how computers transfer data to each other over a network. In normal computer communications, data travels in clusters of information, the technical name for which is packets. Ted Woo, director of standards at the Society of Cable Television Engineers, describes packets as "a cluster of cells or multiple bits of information transferred from the headend to the cable modem at home and for upstream from the home back to the headend and then to the other users." Just like mail sent at the local post office, these packets travel with address information, called headers. However, there are ways to get a computer to ignore address information and capture everything that happens to pass by, a real problem for cable networks since everybody is attached to each other. As the ICSE's Kabay puts it, "If you're on a (telephone network) ISP and somebody else on the system dials up, there's no cross talk. On cable, all the packets travel past every other computer linked on that cable. If you've enabled sharing or you have software running on your machine that deliberately ignores the header info, it can capture all packets and there's the potential for sniffing." Loopholes in the software itself can lead to sniffing. For instance, the Windows 95 program has a feature called print and file sharing that was integrated into the program to allow a company or family of people to access each other's files and print them. Jeff Walker, director of business development and product marketing for cable modem maker Motorola, said, "We've heard situations where people send messages to their neighbor's printer saying, 'We can read your files.' " But technology is a two-sided sword: just as it enables improprieties, it can be used to prevent them. "(Sniffing) won't happen if the tech staff at the ISP implements effective encryption so you can't read the inside of the packets," Kabay said. Indeed, according to Vranesevich, cable providers have changed the way data is routed in many of their systems. However, he also warns, "It's still a problem with some cable networks." Motorola's Walker said the company's cyber surfer modems, which are used in some of Road Runner's systems, have built-in security features that thwart sniffing efforts, including the use of 56-bit encryption and new decryption keys which are sent to users every 24 hours so that packets aren't easily read. To combat the Windows 95 file sharing feature, which is an Internet wide concern not just isolated to the cable world, Motorola changed the way its modems interact with the headend. Walker said that when a user turns on Windows 95 file sharing, printer and file information is broadcast on the network, allowing even unwanted users from accessing that information. "Because we don't rebroadcast, we don't suffer from that problem. It has to do with how the headend is re-implemented. We terminate any broadcast at the headend," Walker said. Yet despite the best efforts by vendors and service providers, there will always be groups of computer users who are determined to crack their way into systems, even if it's just for the challenge of it. As Woo put it, "No matter how secure it is, it's made by humans. Given time and incentive, it will be broken into. But the longer it takes, the more secure it is." So will we ever be safe from unwanted access into our electronic communications systems? Probably not, according to most who understand the medium. But there are ways around it, although they might be inconvenient. "Of course, don't send any information that you don't want hackers to get at all. If you don't say anything how can people repeat you?" Woo philosophized. But of course, that would defeat the entire purpose of the Internet, especially to those that hope to profit from it, which is the crux of the problem. As Yankee Group analyst Bruce Leichman put it, hacking stands in the way of commerce opportunities. "The idea of putting a credit card online is still a stumbling block," he said. Indeed, before electronic commerce is to take off in a big-time way, consumers are going to have to feel a lot more secure than they do currently. And while industry continues to work toward that end, hackers broadcast their messages on hijacked Web pages. The hacked Yahoo! page contained the message, "We own everyone, and everything. No one is safe. No computer is safe." Just a word to the wise: Look both ways before crossing the information superhighway. 1876 Alexander Graham Bell invents the telephone. 1878 - First official report of teenagers kicked off telephone system for making prank phone calls. 1971 - A guy named John Draper discovers that a toy whistle from a cereal box exactly reproduces the tone needed to open a free telephone line. Draper dubs himself Captain Crunch. 1977 - Two computer hobbyists, Steve Wozniak and Steve Jobs, fresh from making blue boxes that hack into phone company computers, produce the Apple computer. 1981 - IBM introduces its version of the personal computer. 1983 - The movie War Games, starring Matthew Broderick, is released. 1984 - Congress passes the Comprehensive Crime Control Act giving the Secret Service jurisdiction over credit card and computer fraud. 1984 - Founding of 2600: The Hacker Quarterly. 1986 - Congress passes Computer Fraud and Abuse Act and Electronic Communications Privacy Act. 1988 - Robert Morris crashes 6,000 computers on the Internet with a virus program and is fined $10,000. Consequently, the federal Computer Emergency Response team is formed. 1990 - The Secret Service coordinates "Operation Sundevil" raids in numerous cities throughout the U.S. 1993 - Masters of Deception members are arrested by the Secret Service. All plead guilty to computer crimes and conspiracy. 1994 - Soviet hacker Vladimir Levin masterminds a Russian hacker gang and steals $10 million from Citibank. He is arrested in 1995 in London. 1995 - Kevin Mitnik arrested on chargers of stealing 20,000 valid credit card numbers. He pleads guilty the following year. 1995 - The movie Hackers is released. 1998 - Pentagon computers hacked. Israeli teen Ehud Tenebaum, AKA "The Analyzer" claims he mentored two California teenagers on how to do it. 1998 - NASA facilities around the country were shut down by a denial of service attack, in which the attacker shuts down machines and networks but does not try to access internal data. 1998 - Members of L0pht, a hacker group, tell a Senate subcommittee they can shut down the Internet in one-half hour. 1998 - A study of 520 companies, government agencies and universities by the Computer Security Institute showed that network security breaches rose by one third between 1996 and 1997. Overall, 64% of respondents to the survey reported security breaches in 1997. Losses grew from $100 million in 1996 to nearly $137 million in 1997. About 25% of companies said they were attacked by outsiders, while 44% said they were attacked by their own employees. (November 30, 1998) More Cable World --------------13DC33F5169-- -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:12:55 PDT