[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
NYT on Internet Flaws
The New York Times, October 11, 1995, pp. A1, D3.
[Page One]
Discovery of lnternet Flaws Is Setback for On-Line Trade
By John Markoff
San Francisco, Oct. 10 -- Newly publicized weaknesses in
the basic structure of the Internet indicate that the
worldwide computer network may need a time-consuming
redesign before it can be safely used as a commercial
medium.
The flaws could allow an eavesdropper or criminal to divert
many types of documents or software programs traveling over
the Internet, examine or copy or alter them, and then pass
them on to the intended recipient -- who would have no easy
way of knowing that the files had been waylaid. Not only
could electronic mail be read in transit or credit card
numbers be copied en route, but special security techniques
meant to protect such transactions could be dismantled
without the user's knowledge.
That such security flaws exist is not surprising in a
system designed originally as a scientific experiment. But
the recent rush to the Internet by companies seeking to
exploit its commercial possibilities has obscured the fact
that giving the system a new purpose has unearthed
fundamental problems that could well put off true
commercial viability for years.
"Companies would have you believe this is a trivial
problem," said Eric Brewer, a professor of computer science
at the University of California at Berkeley. "But now there
is a financiat incentive to exploit these flaws and to do
it secretly."
The problems were described in a posting that researchers
at the university made on Monday to several on-line
discussion groups. While the discussion groups are intended
for computer security experts, they are potentially
accessible to millions of Internet users -- including
break-in artists, who are known to monitor such discussion
groups for tips on new ways to crack computer systems.
The researchers who described the Internet weaknesses
include two Berkeley computer science graduate students who
noted a security weakness in a popular Netscape
Communications Corporation software program last month.
Then as now, the students' stated motivation in publicizing
the problems was to underscore vulnerabilities facing all
companies and customers wishing to use the Internet for
commerce.
When the Netscape problems were disclosed last month, the
company said the security flaws would be corrected in the
next version of its software, which users would be able to
download at no charge from Netscape's Internet site. But
the newly publicized flaws in the Internet itself indicate
that even if a user downloaded a copy of the new, improved
Netscape program, a criminal could tamper with the copy
along the way and make it unsafe for use in credit card
transactions.
The problem is not Netscape's alone; it potentially affects
any organization that operates a computer from which files
or software could be downloaded over the Internet. The
weakness can be traced to the technical underpinnings of
the network, which was set up more than a quarter-century
ago not as a medium for conducting business but as a way
for academic and scientific researchers to exchange
information.
The disclosure of the flaws casts doubt on the aspirations
of companies like Netscape, which last summer had one of
the most successful stock offerings in Wall Street history
based on the promise of the impending arrival of a
full-fledged on-line marketplace.
"Companies should take a step back and think about this a
little more," said Ian Goldberg, one of the Berkeley
students. "If it takes a bit longer but comes out more
secure, we will all be better off in the long run."
The way many Internet systems are set up -- especially the
Internet's increasingly popular World Wide Web service in
which software images and even video and audio clips can be
easily downloaded -- information is stored on a computer
called a file server and then transferred to a user's
computer when it is needed.
The newly publicized weakness occurs in a widely used
Internet protocol -- or technical standard -- known as the
Network File System, or NFS. Because NFS does not have any
means for allowing the recipient of a program or document
to verify that it has not been altered during transmission
from the file server to the user, any interception or
tampering would go undetected.
"The Internet protocols have been insecure since day one,"
said Jeffrey I. Schiller, the manager of computer networks
at the Massachusetts Institute of Technology and director
of an industry task force that is trying to design a new
secure version of the Internet.
But the group's timetable is uncertain, and even when it
does have recommendations ready, Mr. Schiller is not
optimistic that the industry will be willing to devote the
time and money to put them into effect.
He said that many technologies already exist for improving
commercial security on the Internet, but many of them
require too much technical sophistication on the part of
computer users. He criticized makers of hardware and
software for not moving more quickly to make easy-to-use
security features a built-in part of the technology used on
the Internet.
"The people who should be the leaders in offering security
have been too busy counting their money to build these
features in to their products," Mr. Schiller said.
Some commercial Internet merchants have tended to play down
the potential for harm from an illegal interception of
credit card information over the Internet. They point out
that consumers routinely make their credit card numbers
available in transactions done by mail or telephone and
that the law puts limits on a consumer's liability in cases
of credit card fraud.
But Mr. Brewer, the Berkeley professor, said that the
crucial difference in the proposed Internet commerce
systems was that for the first time it would be relatively
simple for a criminal to collect hundreds or thousands of
credit card numbers. Then a thief could use each credit
card only one time, making detection much more difficult.
Sensitive to heightened concerns about security, Wells
Fargo, the large California bank, which earlier this year
began permitting customers with personal computers to view
their account information with the Netscape software,
suspended the service in September after the Berkeley
students reported the flaw in Netscape.
After Netscape followed with an improved version of its
software, Wells Fargo officials found it secure enough that
they planned to resume the service later this week. The
bank will, however, require customers to use the corrected
version of the Netscape program.
Even then. Wells Fargo customers will be able only to view
account balances and other information, but not transfer
money or conduct other transactions of the type that might
leave them vulnerable to the Internet NFS weakness.
"We still hope to be able to offer transactional
capabilities next year, but this has slowed us down a
little bit," said Lorna Doubet, a Wells Fargo spokeswoman.
"Many of our customers feel that security is absolutely
essential and we have to be cautious in this regard."
Executives at Netscape said yesterday that they were aware
of the security issues surrounding NFS and would make
changes in the next release of their software expected
before the end of the year to permit a recipient of a
downloaded program to check it for signs of tampering.
And hoping to take advantage of the fault-finding talents
of the Berkeley researchers and other like-minded software
experts, the company announced a contest today called
Netscape Bugs Bounty, in which Netscape will award prizes
to users who find bugs or security loopholes in its
software.
Some Internet experts said they expected that many security
weaknesses like the one the Berkeley group had demonstrated
would be found, because the Internet was simply not
designed to insure secure commerce.
"Imagine a walled town or a house," said Noel Chiappa, a
member of the Internet Engineering Task Force, a
standards-setting group. "It doesn't matter if 99 windows
are tight as can be -- if the 100th is wide open, the bad
guys will bypass your security. "
[End]