The Digital Frontier
Billy the Kid and Doc Holiday may be dead and buried, but the modern day versions are alive and well, hacking and cracking through cyberspace
By Major James P. Edmiston
So you think that cyberspace is an orderly environment and that all you have to do to "get on the net" is buy a computer, get a modem, log on and away you go. Well, "think again, pilgrim." The Internet as we know it now more resembles the wild, wild, west of the 1800s. With new-age pioneers panning for gold on the Internet, modern day claim jumpers and rustlers are there too. Lurking on the Web are electronic muggers, hackers and crackers who manipulate a keyboard as deftly as Billy the Kid or Doc Holiday ever handled a six-shooter.
The Pony Express trail blazing its way across every facet of our society is fraught with technological perils just as real and dangerous as the ones faced by our settler ancestors.
WARNING: Give your credit card number on-line only during a "secure transaction." Keep your social security number, address, and even your true name to yourself when traveling on the digital frontier, lest some unscrupulous cybercrook assumes your identity and makes your life miserable.
Personal privacy is harder to maintain and is fading like a memory in this new digital age. Employers read their employees e-mail messages and "shoulder surfers" abscond with long-distance calling-card numbers. Insurance companies electronically screen medical records for disqualifying information and credit card and magazine companies sell individual consumer "profiles" to other organizations. Other examples of intrusions into our private lives are too numerous to list.
Entering the world of the Internet is as mind-expanding as climbing Mount Everest or jumping from an airplane. While you may not have physically experienced these activities, you can virtually recreate them on the "net." The amount of information and multi-media links available on the Internet is simply astonishing. For most people, a handful of TV channels, newspapers and magazines offers all the access to information they want. Today, almost all magazines, all newspapers and even some TV and radio stations world-wide are accessible via the Internet. This technological Pony Express can follow an information trail to almost anywhere on earth in seconds, without recognizing geographical or political boundaries. However, in the quest to find the information we seek, there are plenty of blind alleys, detours and distasteful information we must weed through to get what we want.
The Internet has the capability to be a force for good. Unfortunately, information technology has easily outrun established technical and statutory controls and regulations. As the Internet exploded from a military research and development tool to a global communications resource, U.S. laws became mere local ordinances. In European countries, for instance, computer intrusion is not necessarily a crime.
In the early days, only researchers had access to the Net, and they shared a common set of goals and ethics. The Internet was designed as an open, resource sharing confederation of computers and as it grew, the character of its user population began to change. Information speeding from one location on the Internet to another is divided into data packets and embodies this collegial attitude: data is forwarded along the network from one computer system to another until it reaches its final destination. A packet may take a dozen hops or more and any of the intermediary computers can read its contents. In fact, many Internet packets start their journeys on a local-area-network or LAN, where privacy is even less protected.
Recently, one of our Air Force pilots was shot down over Bosnia and evaded capture for over a week. A fellow pilot who participated in his rescue sent an e-mail to a friend in the U.S. describing the downing and subsequent rescue of Cpt. Scott OGrady. This e-mail message described the operation in far greater detail than information the Pentagon released. His supposedly "private" e-mail via a nationally known Internet Service Provider was intercepted by someone along the physical network and resent as a "broadcast." Everyone who had access to the Internet could read the message.
Many manufacturers of computer equipment inadvertently reinforce this "openness" by shipping their products pre-configured so each machine automatically shares resources with all its peers. It does not take much imagination to see what can happen when such a trusting environment opens its digital doors to the Internet. Suddenly, "world" really means the entire world, and "any computer on the network" means any computer on any network. Files meant to be accessible to colleagues down the hall or in another department can be accessed from Germany or Guam. What was once a private lane is now an overloaded highway open to as much traffic as it can bear.
A particular computer workstation manufacturer which sells its workstations with cameras and microphones presets them with "world-readable" status. Another manufacturer (and this applies to most) sells its computers with certain default maintenance passwords, so they can remotely troubleshoot the computer from the company headquarters, rather than sending a technician to your site. These security "holes" are well known to hackers who exploit them to gain access to a targeted computer system. Unless systems administrators acknowledge the existence of these holes, their computer systems are vulnerable to penetration, attack, or even disruption of service. Once a hacker or intruder gains "root access," they can masquerade as any legitimate user and read, alter or delete any file. They can also install programs to help them invade other computers systems to whom they are linked and then modify the system logs to erase their "electronic footprints" as they leave the system. If they want to return to a system, they install a "Trojan horse" program which allows them unrestricted access without the systems administrators knowledge.
While hackers and electronic muggers ply their wares over the Internet, the government (federal, state and local) compounds the problem. From the day you are born and get a birth certificate, the government collects data about you. There are documents for a drivers license, social security card, passport, buying a car, and registering to vote. The court maintains records of individuals getting a speeding ticket or otherwise violating the law. There are records established to start a business, file for bankruptcy, inherit property and obtain a divorce.
Anyone with a computer and a modem can search many of those records from any desktop in America. All this data is public, and in this day of computerization, filed somewhere in a database where someone can get at it. Also compounding the electronic privacy issue is the recent request of the FBI to the telephone companies to set aside the capability for law enforcement officials to perform as many as 60,000 simultaneous wiretaps and other traces nationwide.
These data files are not always kept under digital lock and key. A cyberthief used information contained in a electronic credit report of a woman in Upland, California. The thief obtained a drivers license in the womans name, charged $31,000 on her credit cards and opened a bank account in her name, writing bad checks. The impostor even tried to rent an apartment in her name. This happened in 1994 and the individual is still trying to clear her name with various credit bureaus.
Another scam occurred at a car dealership in New Jersey, where employees used personal information supplied by prospective customers to obtain over 2,500 credit files from several credit bureaus. They racked up over $800,000 in fraudulent credit card charges before they were caught.
The hideous crime of stalking has gone high-tech. On Oct. 14, 1996, a Texas District Court Judge issued the first temporary restraining order to an on-line "cyberstalker." His order stated that from Sept. 29 until the courts hearing in October, the defendant harassed employees of a Dallas Internet Service Provider, its Chief Executive Officer, and his wife. The judges opinion said the defendant repeatedly posted messages to Usenet newsgroups and sent e-mail to the Chief Executive Officer alleging the Internet Service Provider was engaging in criminal activity. According to the opinion, the defendant threatened the Chief Executive Officer, his family and the Internet Service Provider employees with bodily harm. The judge served the restraining order by posting it on the Internet and delivering it to the defendant via e-mail.
Most digital communications are liable to interception. Anyone who has a computer, a modem and $20 a month in Internet connection fees can have a direct link to the net and launch attacks on others or be attacked themselves. Hackers or other interlopers developed methods to obtain legitimate users passwords, so they can "legally" enter a system and then try to pry information of interest from the main memory. These "sniffer" programs "reside" just outside a users, companys or schools Internet access point. They record a users log-in sequences and other passwords used to enter or transfer (telenet) from one site to another.
Electronic marketers have the ability to "follow" you around the Internet. For example, Netscape Communications "cookie" technology lets Web publishers tag browsers and follow them around the Web. They dont necessarily know who you are specifically, but they know that browser "X" is doing certain things or going to certain sites on-line. As Web measurement technology becomes more sophisticated, a balance needs to be struck between a marketers desire to learn about a target markets demographic and psychographic profile, and the individuals expectation of traveling unobserved in cyberspace.
Several government commissions have been formed to study this "third wave" phenomenon of computer intrusions. The Defense Department published a study in late 1994 detailing the known threats to network security. The Senate Select Subcommittee on Investigations held public hearings concerning the vulnerabilities of the countrys networks, both civilian and military. A National Intelligence Estimate has been prepared for the President, because the United States and other countries are becoming highly advanced information-based societies which are extremely susceptible to electronic disruption.
Modern theorists state that Information Warfare, the military term for using electronic methodologies in warfare, is as important to modern warfare economic or militaryas the creation of the Roman Legions were to warfare 2,000 years ago. If a commander cannot trust the information received, whether communications or information from battlefield sensors, the commander cannot effectively control the flow and direction of battle.
In December 1996, delegates from the United States and 159 other countries decided to bring a little law and order to this new frontier by agreeing on two new treaties to fight the electronic piracy of books, software, music and other works over the worlds computer networks. Officials from all the countries lauded these accords as a crucial step to creating a global marketplace on the Internet, which up until now has primarily supported information exchanges, not commerce. The first treaty makes a global standard of the kinds of electronic copyright protections which creators of books, movies, and other literary and artistic works already enjoy in the United States.
The second treaty closes a loophole in current international law in which there was no explicit agreement covering the duplication of sound recordings off the air or from computer networks. The new treaties define the realm of the possible in the marketplace of cyberspace, advancing the notion that "intellectual property" has physical and monetary value in the age of new digital technologies.
As the focus of some security experts shifts from the protection of physical facilities and equipment to logical data protection and network security, how do we protect the data we entrust to computers? Everything from confidential medical records, credit records to business plans to money itself. Look at the increasingly popular ability to conduct electronic banking and the actual business of transferring billions of dollars or other currencies via the Internet between banks, the federal reserve and sovereign nations.
The answer to this critical problem may be through the use of cryptography, or the "scrambling" of plain text words or figures into unintelligible gibberish, which the receiver deciphers. However, a comprehensive policy (both physical and virtual) needs to be formulated which provides the architecture for building a solid security structure. This policy needs to be endorsed by the corporate or command structure and should address all areas of security from encryption, passwords and user access hierarchies to firewall implementation.
Security experts agree the use of strong encryption algorithms offers the best way to protect secret data from hackers who may steal computers, intercept e-mail or slip through organizational firewalls. Todays algorithms, which need not remain secret, pose a mathematical problem which is difficult to solve without the correct "key." To cryptographers, "difficult" means computing with either thousands of computer systems linked together or a massive "brute" computing capability used to decipher a single message and getting a "clear" answer in hours, days, weeks, months or years.
The longer the encryption algorithm, the more difficult it is to "break" or decipher. Encryption algorithms can be divided into two types: conventional algorithms and public-key algorithms. Conventional algorithms are symmetrical and rely on the same key for encryption and decryption. Public-key algorithms, on the other hand, are asymmetrical, using different keys, a public key and a secret key for encryption and decryption. Public-key algorithms allow the sender to share files, such as e-mail correspondence, with other users. The sender uses the public key to encrypt the message; to decrypt the message, the recipient uses the "secret key" which only the receiver knows.
Certain government agencies are very concerned with the commercial development of encryption algorithms. Just as sheriffs from neighboring towns in the old west had to meld a patchwork of local laws and ordinances in order to work together, the same is true today with state and federal legislators. The once esoteric subject of cryptography, previously the domain of the spy masters, is now spotlighted as a "new" security technique. In this new Information Age, encryption capability and policy can mean the difference between security and vulnerability or even life and death.
But what is the correct policy? Therein lies the storm of political and legal controversy. The United States government bars the export of powerful encoding software even though the same codes are freely available overseas. Certain law enforcement and national security agencies contend that unless they have access to a "key escrow" or blanket decryption capability, their ability to protect and defend the U.S. will be jeopardized. The government restricts the export of strong encryption products, notably ones which use a 128-bit key. Several vendors software versions conform to the old, 40-bit export limit for symmetric encryption. Recently the government relaxed the standards, but still prevents the exportation of a 128-bit scheme (the longer the encryption key, the more difficult it is to break and the stronger the protection).
Vendors complain they are losing foreign sales which are going to foreign software companies. They also claim law enforcement and intelligence agencies trample the privacy rights of citizens by having the ability to "read" their mail, no matter how innocent. While criminals, drug dealers and spies are legitimate targets of this monitoring capability, several public interest groups are warning of the "big brother is watching" syndrome espoused by George Orwell in his book, 1984.
While Wyatt Earp made it safe for the townspeople to walk the streets of Tombstone, modern Netizens have the same aim: to make the Internet and the digital revolution it represents safe for all. Special interest groups concerned with specific medical illnesses have web sites and chat rooms. The infirm, the deaf and others communicate from the privacy of their homes without discrimination or handicaps. The Internet is a true reflection of society, fraught with the same problems and issues of the "real" world.
Just as the wild, wild west was eventually tamed and brought under control, the Internet is also evolving and changing with the times. As the old timers on the Web lament both the rise of electronic crime and the waning of long-established norms of open collaboration, new-age "settlers" are establishing law and order on the digital frontier.
This is the second of three articles which deal with the Internet and the Information Age. The first dealt with the physical "domain" of the Internet and cyberspace and the third will deal with Information Warfare and what our military is doing to gain "information superiority."
Maj. James P. Edmiston is a special projects officer attached to Headquarters, INSCOM.
Last Updated: May 20, 1997