Bottom Line

Internet Insecurity

by Joel Snyder

The Internet is not a secure domain, so use some caution and common sense.


Security on the Internet is a joke. Even worse, it's not a good joke. The kind of protection you get on the Internet is what highly paid security consultants call 'security by obscurity,' which is considered one step more secure than publishing your company secrets in The Wall Street Journal. Security by obscurity is what makes people feel safe walking around Los Angeles. After all, there are more than 10 million people in L.A., and only a few dozen of them are the victims of drive-by shootings each year. Similarly, anonymity on the enormous Internet is the best security you've got.

I'm throwing the term security around pretty loosely, which I'm sure annoys some of my cloak-and-dagger colleagues. So be it. The concept of security is so foreign to the design and operation of the Internet that for any security category you could identify, the Internet is sorely lacking.

This doesn't mean you shouldn't use the Internet or run a business over it. If you understand the real risks and dangers, you can live in an insecure virtual world the same way you live in the insecure real world. The first insecure place you'll see on the Internet is your service provider. If you're like most people, your account is on a minicomputer used by hundreds--if not thousands--of people. All of your e-mail--incoming and outgoing--is stored on the provider's system, even if only for a short time. Everything else you do (telnet, Gopher, the World-Wide Web, IRC) passes through the system. When the security of that system is breached, everything you do on the Net is an open book.

If you're lucky, your provider is one of the few who take security seriously or is large enough to have a full-time operations staff who can watch over things. Big companies such as Netcom, CompuServe, Delphi, and Software Tool and Die have the resources to devote to real security. However, if your account is with an el cheapo service provider who is running on a discount Unix box and using college student system managers, you should worry.

Users See It One Way

Picking the right provider isn't enough. The Internet is a collection of interconnected networks, which means there are any number of systems between you and your correspondents and information sources. You have no control over how your information is routed over the Internet. That's a design feature, by the way, not a flaw.

This weakness hit home to me about a year ago. I routinely travel, and I telnet to my home system to read e-mail. One day, I received an e-mail message from a network manager at a major U.S. Internet provider responsible for connecting literally thousands of organizations to the Internet. Her system had been broken into by a malicious cracker several months before, and the cracker had installed a 'sniffer' program to capture traffic as it passed over the network. The sniffer ignored most of what it saw, but it did save the first few hundred characters from each new telnet and FTP session.

The network manager discovered an enormous file on one of her disks filled with tens of thousands of user names and passwords. The provider sent warnings to everyone in the file, letting them know that their passwords had probably been grabbed by someone. My packets had passed over this network one unlucky day while I was on the road, and it didn't matter that my Internet e-mail account was on a system locked up tight as a drum. I had given away the keys to my house without realizing it.

Even if you use a fancy one-time password system such as those available from LeeMah, Security Dynamics, Racal-Guardata, and Digital Pathways, you've only protected your password. Your messages are still barreling down the Internet and can be read by any interested party at any point along the way.

What all this means is that you need to behave as though someone were watching. You probably realize that a private detective could be reading all your regular mail; a friend could be listening to all your phone calls; your neighbors could be watching what you do in your backyard; and a burglar could break down your back door and ransack your house. But none of this will probably happen.

Handle your business on the Internet the same way you handle real life: Protect the things that are valuable and remember that important transactions should be given the right amount of care. The rest is probably not worth worrying about.

Remember that it's not just malicious crackers who will be reading your messages. System managers often have to dig through e-mail or capture all traffic for problem-solving purposes. Your deepest secrets could be released to the world just because someone forgot to erase a tape before giving it away.

Companies See It Differently

Organizations connecting their corporate networks to the Internet have a different set of security problems. Even if you never send important data over the Net and you own the systems that house your data, you can still have a problem. Computers connected to networks have always required additional security. Connecting to the Internet is even more of a problem than just adding dial-in phone lines because the barriers to access are now low. It used to require long-distance telephone calls and lots of manual labor to attack your computers. Beyond a dial-up connection to the Internet, there is no long-distance telephone cost, and it's possible to launch many automated attacks simultaneously. The Internet makes it easy for someone to attempt to break into your computer systems.

The best way to handle this concern is to have a good handle on the security of the systems on your own network. If they're secure, it doesn't matter if a Net cracker pounds on your computers all day.

Once you've secured your own system, you can consider adding facilities such as firewalls between your corporate network and the Internet. Firewalls come in all sorts of flavors, from simple, inexpensive packet filters built into routers to $30,000 monstrosities. If you choose to add a firewall to your network--and that's not a bad idea--don't immediately run out and get the most expensive and most secure system money can buy.

You have to understand the security threat and the cost of installing such systems before you can make a good decision. It's not just the money: If you get the wrong firewall, you'll end up spending a lot of time and energy trying to work around it (securely, of course) to provide services to users on the network (see "Securing the Enterprise" in this issue).

Many of my clients start with an incredible paranoid fear that the crackers of the world are just waiting for a chance to destroy their networks. That's not a very healthy attitude. Gauge the threat to your systems in a realistic and rational way, and respond to that threat with appropriate technology. Understand that you can connect to the Internet safely and you'll have a lot more fun doing it.

Joel Snyder (jms@opus1.com) is a senior partner at Opus One, specializing in telecommunications and information technology.

E-Mail Security Tips

Copyright (c) 1994 by Mecklermedia Corporation. All rights reserved. Material may not be reproduced or distributed in any form without permission.

http://www.iworld.com/