Behind the News

Analysis of Industry Events

The Dark Side of the Internet

Lurking out there in the future of computing is disaster. And it could happen to you, some industry players warn.

That's a message being heard more and more as the realization sets in that internetworking and global connectivity have grown so fast that many systems are now precariously vulnerable. Despite efforts being made to establish firewalls, cryptography and security protocols, accessibility has happened too fast to protect all the world's servers, all the world's routers and all the world's data. A prankster with a modem and a few lines of insidious code, or someone with more sinister intentions, may use his ingenuity to barricade your network, steal your data and create havoc with your information systems.

At the annual SCO Forum conference in Santa Cruz, CA, last August, leading technologists from two major vendors--Rob Gingell of Sun Microsystems and Glenn Ricart of Novell--predicted a computing disaster that will make the front page of USA Today by the year 2000, perhaps due to a security breach. "There are lots of ways of doing it, and there are lots of security problems on the Internet," says Ricart, chief technology officer of Novell in Orem, UT. "It wouldn't be particularly difficult to cause a large disruption."

Gingell, Sun Fellow and vice president based in Mountain View, CA, worries about two types of calamities: that a business will be disrupted or compromised so seriously that it's forced out of business, or that its databases will get dangerously out of sync. "You could see a business making a decision based on incomplete data that might, in a competitive situation, result in them losing an important competitive race," he says.

Almost as if on cue, hackers struck in the month following SCO Forum, shutting down Public Access Networks (Panix), the best-known Internet service provider in Manhattan. Over a period of several weeks, 15 similar incidents, of the type known as denial-of-service, were reported to the Software Engineering Institute's Computer Emergency Response Team (CERT) at Carnegie-Mellon University in Pittsburgh. For policy reasons, CERT would not reveal the targets of the other attacks. The worst news from CERT was that there was no complete solution to the problem.

Mortal Syns

According to CERT, this kind of denial-of-service sabotage, called a Syn attack, stems from code published in two underground magazines--2600 and Phrack--that are widely read by neophyte hackers. Essentially, the attack works by flooding a server with messages that come from a randomly generated false address. In the protocol used for e-mail, World Wide Web and other Internet-based connections, the client's first message to the server--the Syn message--must be followed by an acknowledging response from the server to the client--a Syn-Ack message. The client then sends back an Ack message, establishing the connection. But if the client address is phony, no Ack message can be sent, leaving a half-open connection. The server waits for a connection to be completed but can hold only a limited number of these half-open connections in its data structure. After a while, a half-open connection times out, but when the Internet server is attacked with more than a hundred phony requests per second, as happened in the recent incidents, the data structure overflows, and the server can't accept any new requests as long as the attack continues.
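The arithmetic behind that overflow can be seen in a small model of the server's half-open connection table. This is an example added here, not code from the article or from CERT; the table size of 128 slots, the 75-second timeout and the 50 ms round trip are assumed values, and nothing is sent on a network.

```python
import heapq

def simulate_backlog(backlog, timeout_s, rtt_s, spoofed_per_s, legit_per_s, duration_s):
    """Model a server's table of half-open connections under a Syn flood.

    Spoofed Syns never receive the final Ack, so each holds a slot until
    timeout_s elapses. Legitimate clients answer after rtt_s and free the slot.
    """
    # Constructed, evenly spaced arrival times (seconds since start).
    arrivals = [(i / spoofed_per_s, "spoofed")
                for i in range(int(spoofed_per_s * duration_s))]
    arrivals += [((j + 0.5) / legit_per_s, "legit")
                 for j in range(int(legit_per_s * duration_s))]
    arrivals.sort()

    half_open = []  # min-heap of the times at which each slot is released
    stats = {"legit_accepted": 0, "legit_refused": 0,
             "spoofed_held": 0, "spoofed_refused": 0, "peak": 0}
    for now, kind in arrivals:
        # Release entries that completed the handshake or timed out.
        while half_open and half_open[0] <= now:
            heapq.heappop(half_open)
        if len(half_open) >= backlog:
            stats[kind + "_refused"] += 1  # table full: the Syn is discarded
            continue
        hold = rtt_s if kind == "legit" else timeout_s
        heapq.heappush(half_open, now + hold)
        stats["legit_accepted" if kind == "legit" else "spoofed_held"] += 1
        stats["peak"] = max(stats["peak"], len(half_open))
    return stats

def sustainable_rate(backlog, timeout_s):
    """Highest rate of never-completed Syns the table can absorb indefinitely."""
    return backlog / timeout_s

if __name__ == "__main__":
    # Assumed parameters: 128 slots, 75 s timeout, 50 ms round trip, 60 s run.
    print("no attack:  ", simulate_backlog(128, 75, 0.05, 0, 10, 60))
    print("100 Syns/s: ", simulate_backlog(128, 75, 0.05, 100, 10, 60))
    print("table absorbs at most", round(sustainable_rate(128, 75), 2), "phony Syns/s")
```

With these assumed values the table can absorb fewer than two phony requests per second, so the hundred per second reported in the incidents fills it in a little over a second and nearly every legitimate client is refused afterward.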

The Syn attack apparently is a new twist on Internet Protocol (IP) spoofing, which has been going on for years. "Spoofing has always posed a threat," says William Orvis, a member of the Computer Incident Advisory Capability (CIAC) team under the U.S. Department of Energy at Lawrence Livermore National Laboratory in Livermore, CA.

In another variation, the hacker floods one machine so that it's too busy to talk, then sends a message to the real target machine, appearing to be from the flooded machine, which is a trusted neighbor. Because the neighbor can't reply, the hacker can get into the target machine and cause damage. "Most people can prevent these kinds of attacks by using a firewall," Orvis says, "but if you don't have a firewall, you can still get spoofed."

The Syn attacks present a thornier problem. For one thing, it's hard to discover the origin of an attack. Also, because the Syn messages appear to come from random sources, a router can't be programmed to disallow data packets from a particular source. Although there is no generally accepted solution, CERT distributed a memo on Sept. 19 to system administrators, Internet service providers and software vendors, describing the configuration of a router based on input source filtering as a partial solution.
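The idea of input source filtering, shown as a decision function rather than router syntax: a packet is forwarded only if its source address belongs to a network that really sits behind the interface it arrived on. This is an added example, not the configuration from the CERT memo; the interface names and prefixes are constructed, using documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed topology: prefixes legitimately reachable behind each
# customer-facing interface of a provider's router.
INTERFACE_PREFIXES = {
    "cust0": [ipaddress.ip_network("192.0.2.0/24")],
    "cust1": [ipaddress.ip_network("198.51.100.0/25"),
              ipaddress.ip_network("203.0.113.0/24")],
}

def permit(interface, source):
    """True if `source` is a plausible origin for traffic entering `interface`."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False  # malformed address: never forward
    return any(addr in net for net in INTERFACE_PREFIXES.get(interface, []))

def filter_packets(packets):
    """Return (forwarded packets, Counter of drops per input interface)."""
    forwarded, dropped = [], Counter()
    for interface, source in packets:
        if permit(interface, source):
            forwarded.append((interface, source))
        else:
            dropped[interface] += 1  # per-link drop counts point at the origin
    return forwarded, dropped

# Constructed sample of (input interface, claimed source address) pairs.
SAMPLE = [
    ("cust0", "192.0.2.17"),      # genuine cust0 host
    ("cust0", "10.9.8.7"),        # random forged source
    ("cust0", "198.51.100.5"),    # real address, but it lives behind cust1
    ("cust1", "198.51.100.5"),    # genuine cust1 host
    ("cust1", "198.51.100.200"),  # outside cust1's /25
    ("cust1", "203.0.113.9"),     # genuine cust1 host
    ("cust1", "not-an-ip"),       # malformed
]

if __name__ == "__main__":
    ok, drops = filter_packets(SAMPLE)
    print("forwarded:", ok)
    print("dropped per interface:", dict(drops))
```

The check does not depend on which forged address is used, only on where the packet entered, and the per-interface drop counts show which link the forged traffic is coming from.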

Think Globally, Worry Locally

Could the Syn attacks be the precursor to even more serious incidents? There are no dire forecasts of a global computer meltdown, but a localized catastrophe is more than likely. "It could be a going-out-of-business proposition in the case where data is compromised," Gingell says. "For example, if a hospital's data gets out, would anyone be willing to trust them with the data anymore?"

Another disaster-in-waiting could come from within the IT industry, derived from the total effect of the increasing demand for Internet bandwidth--due largely to the use of multimedia--on the Internet backbone. "There's the possibility that there won't be enough capacity, that the routing tables will get too big, that the people cooperating to provide backbone routing service will give up on doing that in a coherent way," Ricart says. "But I believe that at least the bigger players will continue to play more than fair in order to protect the Internet from a meltdown."

Of course, doom-and-gloom scenarios need a balancing perspective. Even these lurking threats won't dissuade people from relying on IT. "Every technology has its dark side," says Regis McKenna, founder and chairman of Gemini McKenna, High Tech Strategies in Palo Alto, CA, and a Silicon Valley marketing strategist long involved with companies such as Apple Computer and Intel. "People will misuse things, whether it's the automobile or the Internet, but that doesn't impact the nature of the medium itself. You could say television created the rebellion against society in the '60s and '70s. What we expect out of these media almost never occurs, and often the opposite occurs."

Practically speaking, what's to be done? Ricart suggests that for individual system and network administrators, the solution is probably to make one's own system more secure than the next fellow's, hoping the other system will be a more attractive target. Another method, used in his college computer lab, was to create a special routine, prominently located, called Crash the System. "People could crash the system at will, thereby taking away all the allure," he says. "Therefore, nobody did it."

--Don Dugdale


Cylink Escalates Encryption Feud

The patent war involving Cylink Corp. and RSA Data Security continues over public key/private key encryption technology. The latest volley of fire came from Cylink of Sunnyvale, CA, which offers free of charge a security developer's kit (SDK) called PassportGold that lets software vendors embed Cylink-enabled security and encryption functions into their products. This maneuver follows a failed attempt in federal court by Cylink to stop RSA Data Security of Redwood City, CA, from selling a similar kit allegedly based on Cylink patents. The two network security suppliers are engaged in a public relations war in addition to the court battles to gain control over public key/private key and certificate authority encryption technology. Cylink lost the court decision in March.

Both RSA and Cylink build upon public key/private key technologies through partnership with Public Key Partners (PKP), a nonprofit consortium that claims rights to most implementations of public key cryptography. Formed in 1990 mostly by universities such as MIT, PKP sets security standards to license encryption of software vendors. However, this partnership dissolved during the patent dispute. Cylink now gives away PassportGold modules and application programming interfaces (APIs). This product allows software developers to enable their application to access national certificate authority electronic commerce and correspondence services planned by the U.S. Postal Service's ECS system, as well as other commercial certificate authority facilities.

In giving its product away, Cylink expects to gain revenue from a series of existing products and new products that enhance the performance of encryption technologies. For instance, Cylink's SecureFrame provides a high-speed data encryption and security system for frame relay-based wide-area network (WAN) environments. SecureFrame dynamically encrypts data while authenticating its source and destination, with speeds up to 2.048 megabits per second (Mbps).

Cylink's SDK removes two barriers to the general acceptance of public key technology: the development complexity and the fees often associated with licensing security software. At its heart, data security encompasses several technologies: encryption that makes the data unreadable; a key agreement that lets the two parties establish the cryptographic key required to encrypt the data; and the public key digital signature that ensures that a data stream has not been altered during transmission. Although these are not new technologies, such concepts as electronic commerce (where corporations would rather keep private the data that moves over networks) have renewed interest in encryption. The encryption standards include Diffie-Hellman, Data Encryption Standard (DES) and Digital Signature Standards (DSS).

PassportGold provides this technology without fees or royalties. It also provides function libraries developers call from C applications to manage objects, establish a session's cryptographic key, digitally sign a document, encrypt data, hash data for a file or message signature, and generate random numbers. The functions are accessible by the application through a typical API.

Written mostly in C, the SDK uses the same libraries and functions that Cylink developers use internally to build the company's network products. Assembly language for specific processors is a part of the product as well. Moreover, the SDK contains a test and validation suite, and online documentation (in MS Word for Windows 2.0). Currently, PassportGold supports Solaris 2.4, Windows 3.1 and Windows 95, with Windows NT to be available shortly.

Cisco Teams with Cylink

Cylink's strategy is creating more than a ripple in the network security waters. Network vendor Cisco Systems of San Jose, CA, is selling Cylink technology as an alternative to RSA. Cisco is distributing Cylink's Diffie-Hellman and Digital Signature Algorithms (DSA) security source code, free of charge. Diffie-Hellman and DSA provide the same functions as RSA Data Security's key-exchange and authentication technologies, and do not require a royalty and licensing fee to RSA.

Cisco is looking to push encryption technology among the network community. Cisco understands that a standard is only as good as the number of people who are using it. Mimicking Microsoft's strategy of giving away technology to generate user acceptance, both Cisco and Cylink hope that these giveaways will put standard encryption back on the industry's radar scope.

Cisco is offering the Internet Engineering Task Force's working group draft of the Internet Security Associates Key Management Protocol technology to anyone on a royalty-free basis. This protocol will define security and encryption services for use over the Internet. It will compete directly with RSA's S/WAN software, supporting virtual private networks over the Internet. Cisco is developing its own proprietary protocol using Cylink's encryption technology. The protocol will be part of Cisco's routers and firewalls that are shipping now.

Target: Electronic Commerce

Clearly, products like Cylink's PassportGold are aimed more at the emerging electronic commerce market than the traditional government market for data security products. Critical business applications such as electronic messaging, electronic data interchange (EDI) and legal, financial, contract and personal medical records communications are just a few of the applications that require data security. Trusted national and international commercial transactions also depend upon a certificate authority (CA). This guarantees the absolute integrity of "binding" each unique public key to the proper party. Moreover, a CA can provide electronic correspondence services for date/time postmarking, authentication, transaction auditing, delivery notification and nonrepudiation.

Many organizations are balking at doing business over public networks, such as the Internet, due to the perception that they lack sound security. By giving away its product, Cylink hopes to stimulate the use of electronic commerce and thus create a market for encryption technology. In the beginning, most consumers of encryption technology will be organizations looking for an encryption mechanism over private WANs. For example, Cylink is assisting the U.S. Postal Service's public key infrastructure development efforts by building X.509 v3 certificate handling and transaction security utilities and CA servers.

The use of encryption over the Internet suffers from slow acceptance by the user community. Since World Wide Web technology is changing so quickly, it's difficult to predict what browsers will be on the desktop and thus what public key encryption software is right for both the Internet and intranets. Secure Hypertext Transfer Protocol (SHTTP) and Secure Sockets Layer (SSL) seem to fit the current user requirements. SHTTP is designed to provide confidentiality, authenticity, integrity and nonrepudiation while supporting multiple key management mechanisms and cryptographic algorithms. SSL maintains the security and integrity of the transmission channel by using encryption, authentication and message authentication codes.

Cylink offers several fee-based programs that complement application development using the PassportGold SDK. These programs include function and module training, support, consulting and porting services. Most development shops that work with this SDK will require at least some of these services. This need could make the giveaway program a successful loss leader.

The concept of data security standards is to provide applications with plug-and-play security. The RSA/Cylink conflict could mean that software development products using these standards won't work well with others in the near future. Unfortunately, as data security vendors maneuver to gain a bigger portion of the market, software developers--and ultimately users--could be the ones lost in the scuffle.

--David S. Linthicum