Data of Tap

Scrutiny

It was late on a June evening last year when a high school student in Milwaukee, Wisconsin, dialed a seven-digit number and logged onto the GTE Telenet Communications Network. The teenager began roaming through the New York area of the national system that ties more than 1200 computers together into a setup open to about 150,000 paying customers. Accessing systems almost at random, the student gave the same set of standard answers to demands for password identification from the large computers on the network--hello, test, sysop--he might type, as his screens filled with logos from systems thousands of miles away. Finally he hit the jackpot. Instead of a flat "password invalid" message, the screen filled with additional information: how to open files, change the names of things, even rewrite the operating language of the computer to cause the system to shut down.

The student was elated; here was a big computer that was his to play with as he saw fit. So he told two friends, and they told two friends, and over the next several weeks they broke into the $750,000 computer of the Sloan-Kettering Cancer Center a total of 80 times--rummaging through private patient data and treatment records, reading private memos between doctors and, on at least two occasions, causing the system that monitors and plans patient treatment to close down entirely. They also added personal touches to the machine. Spurred by the movie WarGames, which had just opened at theatres across the Midwest, they programmed the Sloan-Kettering computer to respond to the password "Joshua," just like in the film. On a different computer, they caused the system to respond to the password with another WarGames line: "Would you like a nice game of chess, Dr. Falken?"

The still unidentified teenage computer whiz was caught before too much harm could be done to Sloan-Kettering, but the scenario shows with dramatic immediacy the vital importance of securing computing systems. It is easy to see the ever-increasing role that computers play in our society. They control the fate of the earth through the Defense Department's vast force of nuclear armaments and early warning systems. From the immediate process of buying a ticket or confirming a reservation to the more general duties of navigation and air-traffic control, they determine the fate of every passenger on every plane that takes off on any day. Computers run our banks and, through them, the national economy; they make sure that there are cabbages enough on the shelves of our supermarkets, cars enough in the showrooms, Christmas trees at Christmas; they help design the buildings that we live in and the bridges that we drive on.

The room for error in these computer-heavy areas is vanishingly small. In the case of a nuclear attack, the President must decide to retaliate minutes after initial warnings of a Soviet strike are received. When practice data was interpreted as real by the North American Air Defense computers in 1980, for example, fewer than five minutes separated the finger from the button. Airline navigation is a similarly dramatic example; bad data in a flight plan program is the suspected cause of a 1979 Air New Zealand crash that killed 257 passengers; the pilots, flying in poor weather, were told by a navigation computer that they were over water when in fact they were heading straight for a mountain-side. Investigators have hypothesized that similar problems confused the pilots of Korean Airlines flight 007, which was shot down by Soviet fighters after it strayed off course on a flight from Alaska to Seoul.

The dramatic cases are not the only relevant ones. If a bank loses its database of accounts and names, it will fail. If a company loses accurate track of its inventory and accounts receivable data, it goes out of business. Terrorists can do severe damage to the nation by destroying several vital computers simultaneously. The Italian Department of Motor Vehicles, for example, still isn't sure who holds a driver's license as legal identification in Italy because its central database files were blown up by anti-government bombers in the late 1970s. A company near San Francisco lost $100,000 last year when a vengeful employee stole its data files, retreated into the Northern California hills and threatened to destroy the data unless the ransom was paid. For the enormous high tech community in Boston, both internal and external security loom as one of their most severe problems.

"As a nation we are getting very, very dependent on computers and telecommunications," says Cameron Carey, president of the Computer Security Placement Service in Northborough, Mass., a headhunter company that finds executives for computer security firms. "Money markets and banks turn over their whole holdings every day: billions and billions of dollars. You can't write orders without a computer. You can't ask about inventories. If there's a disaster, some organizations are going to go out of business. The bottom line is that as companies automate more and more, the tolerance for outage decreases, the dependency increases."

"The companies, ironically, are more vulnerable now than they were ten years ago," says Robert Santis, President of EDP Security, a computer security consulting firm.

Hewlett-Packard, the diversified electronics manufacturer, is a prime example of a computer-dependent firm. "We use five to ten times more computers today than we did ten years ago. More than 70% of our business is now computer-dependent," says Corporate Public Relations writer Betty Gerard. "It's an international network that depends on our computers," she adds. The Palo Alto, California-based company is so concerned about maintaining its computer operations in the case of fire, flood or earthquake that it spends hundreds of millions of dollars annually to operate a duplicate computing center in Loveland, Colorado, according to security official Bill Ashton.

While technological advances are increasing the necessity for uninterrupted computing services, they are at the same time making that guarantee more difficult to assure. A moment's reflection on the Sloan-Kettering case described above shows why: whereas ten years ago access to computers was limited in most cases to users who could get into a terminal room, today anyone with an inexpensive personal (or "micro") computer and a modem (a device that allows computers to communicate over telephone lines) can access the majority of computers in the United States. "[Computer security is] becoming more and more critical because we're getting our computers all hooked together through local and national networks; it's also getting harder and harder because of the increasing number of micros," Ashton says. "Communications and microcomputers are probably the hottest topics [in computer security] right now," says Russell Kay, director of the Computer Security Institute (CSI), a 3000-member trade organization for the computer security field. "Micros are proliferating at an incredibly rapid rate," Kay adds.

At first there seems to be an obvious solution--why not "seal" computers from any outside access, as the Defense Department does with the most sensitive of its nuclear early warning systems? The idea is uniformly rejected by both computer users and security professionals who argue that so-called dedicated systems lose the flexibility and ease of communication that are precisely the most attractive qualities of computers. "It's not so simple as it was a few years ago. You can't just lock up a computer anymore," says Hewlett-Packard's Gerard. An internal letter on computer security distributed at the computer company in 1977 stressed just this kind of "lock and walk" security. However, Gerard says that "with terminals on more than 70% of the desks . . . you're really trying to protect the information now," rather than the access.

Of course, some users do require dedicated systems, and in such cases security can approach a scene from a James Bond novel. A television reporter, conducted recently into the inner sanctum of an international bank's computer center, described the trip as follows: "We went up a special elevator to a floor where the walls were covered with lead panelling three feet thick. As we got out of the elevator and started walking down an empty corridor my friend said to me 'we're being watched.' I looked up and saw three television cameras following us. We went through a door past a guard and into the room where the computer was. My friend pointed up to what looked like sprinklers in the ceiling. 'See those,' he said, 'if you enter an incorrect command you have 30 seconds to say you made a mistake or poison gas starts coming out of those nozzles.' He pointed to small doors along the wall. 'A minute after the gas starts coming out men with machine guns come out shooting from behind those doors,' he said." All for an unacknowledged error.

But for most computers "when you think about what you've got to protection can come in bewildering variety. Computer security begins with the operating system, the master program that controls access to the computer itself. It is here that hardware companies become involved, since operating systems are in general designed by the manufacturer. "If you don't have a good security design in your operating system, security within the applications can't be well maintained," says Ashton. Nonetheless, security per se is not generally acknowledged to be the responsibility of the manufacturer. "It's not General Motors' responsibility to enforce the speeding law . . . but one can make cars more crash-resistant," says CSI's Kay.

With a relatively secure operating system, therefore, the next step, protection of passwords, is up to the user. Much of the security here, although exhaustively reviewed and debated by experts, is just common sense: "good" passwords (i.e. imaginative words that prowlers will have a difficult time guessing), frequent password changes, and constant monitoring of computer users. "The key thing to implementing the systems," says Jeff Gibson, director of Security at Digital Equipment Company. "If people don't change the passwords, then if a computer manufacturer is making xyz's and every xyz has a password of 'hello' and someone knows he's talking to an xyz, then he can gain entry," he adds. "The biggest single problem is making people aware of the problem," Kay says.

A similar common sense philosophy lies behind the tendency of large computer operations to downplay the location of their computer operations. "You'll never see a computer facility advertising itself. I've seen a lot that have been very low-key warehouse-type buildings and you walk in and see a beautiful ultra-modern computer at Tymshare, a national timesharing computer network.