Data of Tap
It was late on a June evening last year when a high school student in Milwaukee, Wisconsin, dialed a seven-digit number and logged onto the GTE Telenet Communications Network. The teenager began roaming through the New York area of the national system that ties more than 1200 computers together into a setup open to about 150,000 paying customers. Accessing systems almost at random, the student gave the same set of standard answers to demands for password identification from the large computers on the network--hello, test, sysop--he might type, as his screens filled with logos from systems thousands of miles away. Finally he hit the jackpot. Instead of a flat "password invalid" message the screen filled with additional information: how to open files, change the names of things, even rewrite the operating language of the computer to cause the system to shut down.
The student was elated; here was a big computer that was his to play with as he saw fit. So he told two friends, and they told two friends, and over the next several weeks they broke into the $750,000 computer of the Sloan-Kettering Cancer Center a total of 80 times--rummaging through private patient data and treatment records, reading private memos between doctors and, on at least two occasions, causing the system that monitors and plans patient treatment to close down entirely. They also added personal touches to the machine. Spurred by the movie WarGames that had just opened at theatres across the Midwest, they programmed the Sloan-Kettering computer to respond to the password "Joshua," just like in the film. On a different computer, they caused the system to respond to the password with another WarGames line: "Would you like a nice game of chess, Dr. Falken?"
The still unidentified teenage computer whiz was caught before too much harm could be done to Sloan-Kettering, but the scenario shows with dramatic immediacy the vital importance of securing computing systems. It is easy to see the ever increasing role that computers play in our society. They control the fate of the earth through the Defense Department's vast force of nuclear armaments and early warning systems. From the immediate process of buying a ticket or confirming a reservation to the more general duties of navigation and air-traffic control, they determine the fate of every passenger on every plane that takes off on any day. Computers run our banks and, through them, the national economy; they make sure that there are cabbages enough on the shelves of our supermarkets, cars enough in the showrooms, Christmas trees at Christmas; they help design the buildings that we live in and the bridges that we drive on.
The room for error in these computer-heavy areas is vanishingly small. In the case of a nuclear attack, the President must decide to retaliate minutes after initial warnings of a Soviet strike are received. When practice data was interpreted as real by the North American Air Defense computers in 1980, for example, fewer than five minutes separated the finger from the button. Airline navigation is a similarly dramatic example; bad data in a flight plan program is the suspected cause of a 1979 Air New Zealand crash that killed 257 passengers; the pilots, flying in poor weather, were told by a navigation computer that they were over water when in fact they were heading straight for a mountain-side. Investigators have hypothesized that similar problems confused the pilots of Korean Airlines flight 007 that was shot down by Soviet fighters after it strayed off course on a flight from Alaska to Seoul.
The dramatic cases are not the only relevant ones. If a bank loses its database of accounts and names, it will fail. If a company loses accurate track of its inventory and accounts receivable data, it goes out of business. Terrorists can do severe damage to the nation by destroying several vital computers simultaneously. The Italian Department of Motor Vehicles, for example, still isn't sure who holds a driver's license as legal identification in Italy because its central database files were blown up by anti-government bombers in the late 1970s. A company near San Francisco lost $100,000 last year when a vengeful employee stole its data files, retreated into the Northern California hills and threatened to destroy the data unless the ransom was paid. For the enormous high tech community in Boston, both internal and external security loom as one of their most severe problems.
"As a nation we are getting very, very dependent on computers and telecommunications," says Cameron Carey, president of the Computer Security Placement Service in Northborough, Mass., a headhunter company that finds executives for computer security firms. "Money markets and banks turn over their whole holdings every day: billions and billions of dollars. You can't write orders without a computer. You can't ask about inventories. If there's a disaster, some organizations are going to go out of business. The bottom line is that as companies automate more and more the tolerance for outage decreases, the dependency increases."
"The companies, ironically, are more vulnerable now than they were ten years ago," says Robert Santis, President of EDP Security, a computer security consulting firm.
Hewlett-Packard, the diversified electronics manufacturer, is a prime example of a computer-dependent firm. "We use five to ten times more computers today than we did ten years ago. More than 70% of our business is now computer-dependent," says Corporate Public Relations writer Betty Gerard. "It's an international network that depends on our computers," she adds. The Palo Alto, California-based company is so concerned about maintaining its computer operations in the case of fire, flood or earthquake that it spends hundreds of millions of dollars annually to operate a duplicate computing center in Loveland, Colorado, according to security official Bill Ashton.
While technological advances are increasing the necessity for uninterrupted computing services, they are at the same time making that guarantee more difficult to assure. A moment's reflection on the Sloan-Kettering case described above shows why: whereas ten years ago access to computers was limited in most cases to users who could get into a terminal room, today anyone with an inexpensive personal (or "micro") computer and a modem (a device that allows computers to communicate over telephone lines) can access the majority of computers in the United States. "[Computer security is] becoming more and more critical because we're getting our computers all hooked together through local and national networks; it's also getting harder and harder because of the increasing number of micros," Ashton says. "Communications and microcomputers are probably the hottest topics [in computer security] right now," says Russell Kay, director of the Computer Security Institute (CSI), a 3000-member trade organization for the computer security field. "Micros are proliferating at an incredibly rapid rate," Kay adds.
At first there seems to be an obvious solution--why not "seal" computers from any outside access, as the Defense Department does with the most sensitive of its nuclear early warning systems? The idea is uniformly rejected by both computer users and security professionals who argue that so-called dedicated systems lose the flexibility and ease of communication that are precisely the most attractive qualities of computers. "It's not so simple as it was a few years ago. You can't just lock up a computer anymore," says Hewlett-Packard's Gerard. An internal letter on computer security distributed at the computer company in 1977 stressed just this kind of "lock and walk" security. However, Gerard says that "with terminals on more than 70% of the desks . . . you're really trying to protect the information now," rather than the access.
Of course, some users do require dedicated systems, and in such cases security can approach a scene from a James Bond novel. A television reporter, conducted recently into the inner sanctum of an international bank's computer center, described the trip as follows: "We went up a special elevator to a floor where the walls were covered with lead panelling three feet thick. As we got out of the elevator and started walking down an empty corridor my friend said to me 'we're being watched.' I looked up and saw three television cameras following us. We went through a door past a guard and into the room where the computer was. My friend pointed up to what looked like sprinklers in the ceiling. 'See those,' he said, 'if you enter an incorrect command you have 30 seconds to say you made a mistake or poison gas starts coming out of those nozzles.' He pointed to small doors along the wall. 'A minute after the gas starts coming out men with machine guns come out shooting from behind those doors,' he said." All for an unacknowledged error.
But for most computers "when you think about what you've got to protection can come in bewildering variety. Computer security begins with the operating system, the master program that controls access to the computer itself. It is here that hardware companies become involved, since operating systems are in general designed by the manufacturer. "If you don't have a good security design in your operating system security within the applications can't be well maintained," says Ashton. Nonetheless, security per se is not generally acknowledged to be the responsibility of the manufacturer. "It's not General Motors' responsibility to enforce the speeding law . . . but one can make cars more crash-resistant," says CSI's Kay.
With a relatively secure operating system, therefore, the next step, protection of passwords, is up to the user. Much of the security here, although exhaustively reviewed and debated by experts, is just common sense: "good" passwords (i.e. imaginative words that prowlers will have a difficult time guessing), frequent password changes, and constant monitoring of computer users. "The lay thing to implementing the systems," says Jeff Gibson, director of Security at Digital Equipment Company. "If people don't change the passwords then if a computer manufacturer is making xyz's and every xyz has a password of 'hello' and someone knows he's talking to an xyz then he can gain entry," he adds. "The biggest single problem is making people aware of the problem," Kay says.
A similar common sense philosophy lies behind the tendency of large computer operations to downplay the location of their computer operations. "You'll never see a computer facility advertising itself. I've seen a lot that have been very low-key warehouse-type buildings and you walk in and see a beautiful ultra-modern computer at Tymshare, a national timesharing computer network.
There are, however, more esoteric security measures being developed by computer companies. Callback is a recently devised procedure where the user telephones the computer, the computer compares their number with a list of approved user numbers and calls the user back if the numbers match. User Verification/Encryption is a system still under development where a microchip in the user's terminal identifies them as authorized and translates encoded data coming from the main computer.
But nothing is perfect. "If people try hard enough and long enough and are cunning enough they can penetrate almost anything," Ganaghan says. Further, even the most effective security system is helpless against an inside attack--the kind of computer crime security consultants say is most frequently practiced. "Insider crime, people stealing data or money using information they've gotten during the course of the day, is definitely our biggest problem," says Jim Greenleaf, a computer crime specialist at FBI headquarters in Boston.
Santis speaks of similar problems: as technology increasingly centralizes operating procedures but diversifies access, "you're getting a potentially dangerous change in areas like separation of duties," he says. "Whereas before you'd have one guy who'd write the check now they're being done by the same data operator." It is from inside and costs the company $500,000 whereas average white-collar crimes are for $20,000," Santis says.
To prevent this new kind of criminal activity, computer users and manufacturers are pushing for tough new laws against "illegal entry" and "illegal manipulation of data." "To a great extent, if there are laws that have teeth in them, they can discourage a lot of the [criminal] actions we're talking about," says Ganaghan. Prime and other Massachusetts high technology companies have been working with the Lieutenant Governor's Office for the past year drafting what many consultants call model computer crime legislation. Under the proposed law, unauthorized users of computer systems would be viewed as electronic trespassers and suffer stiff penalties for violating corporate or individual privacy by unwanted intrusion. Penalties for data theft or electronic manipulation of data would also be increased by the bill.
Although the measure has been highly praised in the computer industry, politicians have levied some stern criticisms. "We sat down with a panel of people from the legal area and scientists to try to define the terms of the legislation and found that they couldn't even agree on what was meant by 'computer,'" says Lisa Hewitt, legislative analyst to House Majority Leader W. Paul White (D-Dorchester). "There were also questions about the penalties; the type of activities that they were trying to attach penalties to were much different if they were done manually," she added. According to Hewitt, the bill is unlikely to receive a hearing this year but a new version will be presented for debate before the House sometime in 1985.
With or without the new Massachusetts legislation, the exploding concern with legal action against computer mischief-makers or downright thieves has caught law-enforcement agencies flat-footed. "I don't think we really have a handle on the problem. We're spending a lot of time right now getting our agents trained so that they can understand the way the system operates," says Greenleaf. Indeed, he adds, "there's no federal statute as it stands now that allows the FBI to get involved in computer crime . . . Generally speaking, we go in through trespassing or fraud-by-wire statutes." The FBI has from one to ten of its 200 New England agents concentrating on computer crime at any given time, Greenleaf says.
Unlikely though it may seem, it is the Customs Service and the Department of Commerce that are the federal agencies with the largest and most active computer monitoring operations. "Computers are a major concern to the Administration at large. Higher technology is considered a matter of extreme importance because it is seen to have military applications," says Dan Landra, a Public Information Director for the Commerce Department. In general, the two agencies are most concerned with preventing resale of sensitive computer equipment to the Soviet Union through "false front" exporting companies that purchase equipment for an authorized destination and then reroute it behind the Iron Curtain.
"Typically a U.S. manufacturer will be approached by an exporter who claims to be shipping the product to West Germany, say. They sell the material to another exporter--perhaps it goes to Sweden instead--and they send it to the Soviet Union," explains Prime's Ganaghan. It was this kind of smuggling ring that made headlines earlier this fall when Swedish and U.S. Customs intercepted a shipment of Digital VAX computers bound originally for West Germany but headed instead to a destination in the Soviet Bloc. VAX computers have potential military applications, according to the Defense Department. As a result of the bust, a part of the Customs Service's counter-intelligence Operation EXODUS, Digital lost its general export license for several months. Without a general license, the company was forced to apply to the Commerce Department for special permission every time it wanted to ship a computer out of the country. "If you're doing a bit of selling that's obviously a cumbersome procedure," says security consultant Kay. Customs officials refused last week to comment on EXODUS, which is still running a number of sensitive undercover investigations.
Although it did not permanently damage Digital's position, the temporary license suspension has prompted manufacturers to take a close look at their own responsibilities. While businesses might previously have looked the other way to turn a quick sale with unauthorized export firms, they now reject those offers out of hand. "We simply don't do business with those companies," says Ganaghan. "We just comply with the law and maintain a very low profile," says Michael Ferrante, a Corporate Public Relations Specialist with Wang Computers. The nature of corporate compliance is clearly defined by the government: computer companies must first obtain sufficient documentation and verification to know positively who the final recipient of their products will be, and second, they must not do business with companies on the Defense or Commerce Departments' unauthorized list. Companies on the unauthorized list have proven untrustworthy in their descriptions of product destinations, according to the Commerce Department.
So your operating system is secure, your passwords are changed every day and the whole computer system is monitored around the clock by a trained team of security agents. You still aren't safe. Companies that, like banks, demand absolute security for their data are responsible for the development of a curious new breed of companies known as disaster recovery specialists. With names like Phoenix Systems, Comdisco Disaster Recovery Systems and The Iron Mountain Group, these firms operate heavily guarded bunkers and caves across the country where magnetic tape can be stored safe from fire, flood or theft. For fees that run to more than $10,000 each month, these and similar companies have "hot sites" where computers compatible with your own hum day and night--standing by in the case of an emergency. For smaller fees, "shells," empty rooms fitted with telephone and electrical connections, can host a replacement computer that you procure and provide a temporary base of operations while you refit your headquarters.
Some companies go even farther. The Hewlett-Packard site in Loveland is one example; the underground vault constructed in Rhode Island by a consortium of banks to store electronic data during a nuclear war is another; and the subterranean vault run for AT&T by Vital Records, Inc., in Raritan, N.J., is a third. Isn't that comforting: even after a nuclear war, you'll still get your telephone bill.