[ISN] Looking Both Ways on the Info Superhighway

From: mea culpa (jerichoat_private)
Date: Mon Nov 30 1998 - 19:06:24 PST


Looking Both Ways on the Info Superhighway

The streets of the information highway are not safe. Computer hacking, and
the lesser but similarly intrusive activity of sniffing (the electronic
version of snooping, from which many hacks spawn), affect everybody at some
level in this wired era.

Indeed, according to M. E. Kabay, director of education for the
International Computer Security Association (ICSA), "So few crimes are
detected and reported. Most companies that are broken into will never
report it to anybody. The last thing they want is bad publicity." 

The truth of that statement can be substantiated by the search for any
quantitative analysis of hacking or computer crimes on commerce and
industry in general. No hard facts or figures exist about hacking because
of the nature of the crime. 

"Don't trust any statistics with decimal points," Kabay said. "It's
impossible to have that degree of precision" because of the lack of
reporting on the crime. 

But if one were to look at the number of Web sites that have been hacked
into as any indication of the problem, there should be, and indeed is, a
good deal of cause for concern.

The list of companies that have had their Web sites hacked is a long one.
It includes organizations as big as the US Department of Commerce, NASA,
the Department of Justice, the United States Air Force and the Los Angeles
Police Department. In the media and entertainment industry, The New York
Times, the Fox TV network and a host of Web sites devoted to major motion
pictures like The Truman Show and Titanic have had their sites taken over
by hackers.  Even the CIA's Web page was the victim of a hack as was the
widely used search engine Yahoo!, which had its contents and links removed
and replaced with messages from the hackers, a common occurrence when
pages are hacked. 

The effects of computer hacking range from an annoyance to major thefts of
proprietary or otherwise secret information. 

Last July, Time Warner Cable's Chatsworth, Calif., system in the Los
Angeles area was breached by a group of hackers who ominously referred to
themselves as the "Legions of the Underground." 

The hackers claimed that they gained access to the system's nexus channel
modulator, LAN and SPARC stations, fiber networks, com satellite, channel
switching and numerous Web servers. Lending credence to the hackers'
claims, the computer security Website AntiOnline was sent a screen shot
that the hackers claimed was sensitive to Time Warner system controls. The
screen shot, which is still available for viewing on AntiOnline's site, is
claimed to be the Chatsworth, Calif., system's Iris Video Commander Plus.
The hackers, in a published interview with AntiOnline, said that they
had directional control of one of the system's satellites and access to
the channel modulator. 

However, Time Warner Cable's VP of corporate communications, Michael
Luftman, said, "There was no impact because never at any time did they try
to do anything to the system itself." He declined to say anything
further because of what he said was the serious security risk associated
with the matter. 

According to AntiOnline, the hack was perpetrated by remotely dialing
directly into the Time Warner systems through a maintenance port, using a
scanner or "wardialer," a device that dials a range of telephone numbers
and records which numbers are attached to modems. 

In the AntiOnline interview with the hackers, one of the perpetrators,
going by the name of optiklenz, was quoted as saying, "I say this time and
time again: if it were somebody else who didn't know what they were doing,
or didn't have any ethics whatsoever, then Time Warner would be in a lot
more trouble." 

Those are words that would keep any system administrator awake at night.
But Internet security isn't a topic that is new to Time Warner. Its Road
Runner high speed Internet access service, a joint venture with MediaOne
Group Inc., has to contend with the issue on a minute-by-minute basis. 

According to Kevin McElearney, Road Runner's VP-network support services,
the service had an unauthorized user enter a regional game server once. 

"There have been small isolated cases of intrusion," McElearney said, "But
honestly, there's not an ISP on the market that can say it hasn't been

The company also has to be concerned with protecting the 125,000
subscribers that are connected to its high-speed network. And so does
@Home, Inc., which like Road Runner is a partnership of MSOs, which
include Tele-Communications Inc., Comcast Corp. and Cox Communications
Inc., among others. 

When cable operators first began offering Internet access on a wide basis
they found that a form of hacking called packet sniffing, or sniffing, was
possible because of the architecture of the system.  Sniffing is used
either to peep into someone else's computer information for the purpose of
simple inquisitiveness or, more maliciously, to capture valuable passwords
and user IDs, or any bits of information that can lead to greater and
greater access to other more sensitive data. 

An understanding of how to steal computer information requires knowledge
of how computers transfer data to each other over a network. In normal
computer communications, data travels in clusters of information, the
technical name for which is packets.  Ted Woo, director of standards at
the Society of Cable Television Engineers, describes packets as "a cluster
of cells or multiple bits of information transferred from the headend to
the cable modem at home and for upstream from the home back to the headend
and then to the other users." 

Just like mail sent at the local post office, these packets travel with
address information, called headers. However, there are ways to get a
computer to ignore address information and capture everything that happens
to pass by, a real problem for cable networks since everybody is attached
to each other. 

As the ICSA's Kabay puts it, "If you're on a (telephone network) ISP and
somebody else on the system dials up, there's no cross talk. On cable, all
the packets travel past every other computer linked on that cable. If
you've enabled sharing or you have software running on your machine that
deliberately ignores the header info, it can capture all packets and
there's the potential for sniffing." 

Loopholes in the software itself can lead to sniffing. For instance, the
Windows 95 program has a feature called print and file sharing that was
integrated into the program to allow a company or family of people to
access each other's files and print them. 

Jeff Walker, director of business development and product marketing for
cable modem maker Motorola, said, "We've heard situations where people
send messages to their neighbor's printer saying, 'We can read your
files.' " 

But technology is a two-sided sword: just as it enables improprieties, it
can be used to prevent them. 

"(Sniffing) won't happen if the tech staff at the ISP implements effective
encryption so you can't read the inside of the packets,"  Kabay said. 

Indeed, according to Vranesevich, cable providers have changed the way
data is routed in many of their systems. However, he also warns, "It's
still a problem with some cable networks." 

Motorola's Walker said the company's cyber surfer modems, which are used
in some of Road Runner's systems, have built-in security features that
thwart sniffing efforts, including the use of 56-bit encryption and new
decryption keys which are sent to users every 24 hours so that packets
aren't easily read. To combat the Windows 95 file sharing feature, which
is an Internet-wide concern not isolated to the cable world, Motorola
changed the way its modems interact with the headend.

Walker said that when a user turns on Windows 95 file sharing, printer and
file information is broadcast on the network, allowing even unwanted users
to access that information.

"Because we don't rebroadcast, we don't suffer from that problem.  It has
to do with how the headend is re-implemented. We terminate any broadcast
at the headend," Walker said. 

Yet despite the best efforts by vendors and service providers, there will
always be groups of computer users who are determined to crack their way
into systems, even if it's just for the challenge of it. 

As Woo put it, "No matter how secure it is, it's made by humans.  Given
time and incentive, it will be broken into. But the longer it takes, the
more secure it is." 

So will we ever be safe from unwanted access into our electronic
communications systems? Probably not, according to most who understand the
medium. But there are ways around it, although they might be inconvenient. 

"Of course, don't send any information that you don't want hackers to get
at all. If you don't say anything how can people repeat you?" Woo

But of course, that would defeat the entire purpose of the Internet,
especially to those that hope to profit from it, which is the crux of the

As Yankee Group analyst Bruce Leichman put it, hacking stands in the way
of commerce opportunities. "The idea of putting a credit card online is
still a stumbling block," he said. 

Indeed, before electronic commerce is to take off in a big-time way,
consumers are going to have to feel a lot more secure than they do
currently. And while industry continues to work toward that end, hackers
broadcast their messages on hijacked Web pages. The hacked Yahoo! page
contained the message, "We own everyone, and everything. No one is safe.
No computer is safe." 

Just a word to the wise: Look both ways before crossing the information

1876 - Alexander Graham Bell invents the telephone.

1878 - First official report of teenagers kicked off telephone system for
making prank phone calls. 

1971 - A guy named John Draper discovers that a toy whistle from a cereal
box exactly reproduces the tone needed to open a free telephone line.
Draper dubs himself Captain Crunch. 

1977 - Two computer hobbyists, Steve Wozniak and Steve Jobs, fresh from
making blue boxes that hack into phone company computers, produce the
Apple computer. 

1981 - IBM introduces its version of the personal computer. 

1983 - The movie War Games, starring Matthew Broderick, is released. 

1984 - Congress passes the Comprehensive Crime Control Act giving the
Secret Service jurisdiction over credit card and computer fraud. 

1984 - Founding of 2600: The Hacker Quarterly. 

1986 - Congress passes Computer Fraud and Abuse Act and Electronic
Communications Privacy Act. 

1988 - Robert Morris crashes 6,000 computers on the Internet with a virus
program and is fined $10,000. Consequently, the federal Computer Emergency
Response Team is formed.

1990 - The Secret Service coordinates "Operation Sundevil" raids in
numerous cities throughout the U.S. 

1993 - Masters of Deception members are arrested by the Secret Service.
All plead guilty to computer crimes and conspiracy. 

1994 - Soviet hacker Vladimir Levin masterminds a Russian hacker gang and
steals $10 million from Citibank. He is arrested in 1995 in London. 

1995 - Kevin Mitnick arrested on charges of stealing 20,000 valid credit
card numbers. He pleads guilty the following year.

1995 - The movie Hackers is released. 

1998 - Pentagon computers hacked. Israeli teen Ehud Tenenbaum, AKA "The
Analyzer," claims he mentored two California teenagers on how to do it.

1998 - NASA facilities around the country were shut down by a denial of
service attack, in which the attacker shuts down machines and networks but
does not try to access internal data. 

1998 - Members of L0pht, a hacker group, tell a Senate subcommittee they
can shut down the Internet in one-half hour. 

1998 - A study of 520 companies, government agencies and universities by
the Computer Security Institute showed that network security breaches rose
by one third between 1996 and 1997. Overall, 64% of respondents to the
survey reported security breaches in 1997. Losses grew from $100 million
in 1996 to nearly $137 million in 1997. About 25% of companies said they
were attacked by outsiders, while 44% said they were attacked by their own

(November 30, 1998) 

More Cable World
