
Security Researchers Aim to Foil Vandals

Tom Perrine, Andrew Gross, and Tsutomu Shimomura, SDSC

Two or three years ago, the worst things that most desktop computer users worried about were virus attacks from trading disks with other users. But as people and businesses across the country connect to the Internet, a flurry of magazine and newspaper stories about computer break-ins have painted an alarming picture, and many users are asking, "Is my computer at risk?" In two concerted efforts to foil computer vandals, SDSC researchers are working to make cyberspace a safer place.

"If you use a commercial service to log onto the Internet or surf the World Wide Web, your personal system is safe from computer vandals," said Tom Perrine, program administrator for the new Pacific Institute of Computer Security (PICS) at SDSC. "But any computer system that's directly connected to the Internet--yours, your employer's, your school's, or your Internet Service Provider's--can be attacked by outsiders. If the system administrator hasn't taken precautions, vandals may be able to break in and steal, alter, or delete information."

The result of a $425,000 grant from the Institute for Defense Analyses in late 1995 (see the Oct.-Dec. 1995 Gather/Scatter), PICS will develop tools and countermeasures to prevent computer intrusions, analyze attacks as they happen, and audit security measures. As these tools are refined, they will be distributed free of charge to the managers of networked computer installations.


In a related effort, SDSC has helped found the San Diego Regional Info Watch. The first regional "neighborhood watch" group in cyberspace, the Info Watch is a cooperative endeavor of SDSC; the Naval Command, Control and Ocean Surveillance Center; the University of California, San Diego; several local high-tech corporations; and the City of San Diego.

The national Computer Emergency Response Team (CERT), based at Carnegie Mellon University, disseminates technical information about security breaches. The Info Watch group does this for the region and promotes personal contacts between system administrators, spreads warnings of intrusion attempts, and maintains a database of names and emergency phone numbers. (Urgent break-in alerts are sent by telephone, since it isn't a good idea to inform an administrator by e-mail that intruders are reading information in the system.)

"Computers can be made much more secure if administrators fix known bugs in the operating system and warn users to be careful with their passwords," Perrine said. "Unfortunately, many administrators aren't aware of the problems and need to be educated. Some organizations don't spend much time or effort on precautions because security isn't a 'profit center.' They don't realize the cost of lax security until it's too late."

More than 9.4 million Internet host computers were registered as of January 1996, according to Network Wizards, producers of the twice-yearly Internet Domain Survey; each of these gives Net access to at least one user. PICS experts estimate that commercial services such as America On-Line and organizations with security firewalls give indirect Net access to approximately 20 million more users. (Claims by commercial services are notoriously imprecise.) The number of Internet hosts is constantly rising (Figure 1).

Figure 1: Growth of the Internet

The number of registered host computers on the Internet had grown to nearly 10 million by January 1996; most of these were added within the last year. Estimates of the number of individual users, including those on machines indirectly tied to the Internet, are approximately three times higher.

Of these tens of millions of users, fewer than 10,000 are both malicious and skillful enough to be dangerous, estimated SDSC's Andrew Gross, lead researcher on the PICS program. Some computer hijackers on the information superhighway don't intend to do lasting harm. They're just joyriders, who want to gain entry just for the thrill. Only a few want to steal credit card numbers and commercial software, destroy or alter records, or access sensitive information, Gross said. But this tiny minority can cause widespread damage because, unlike car thieves, they can strike dozens or even thousands of times, anywhere in the nation, and many of their victims never realize they've been attacked.

Most large commercial, educational, and government computer sites on the Internet--SDSC included--are probed once or twice a day by would-be intruders, according to Perrine. Most of these attempts don't get very far. However, as the on-line population grows, experienced vandals are sharing information with "wannabes" and giving them recipes for taking advantage of security holes.


"The most sophisticated intrusion methods either exploit subtle flaws in the work software infrastructure that can't be corrected easily or else take advantage of operating system bugs as soon as they're discovered, before system administrators have a chance to fix them," Gross said.

PICS tools will let administrators monitor and log activity on their systems. As a side benefit, they will help diagnose system setup problems and detect malfunctioning hardware. For the hopefully rare cases in which vandals do penetrate the computer's defenses, PICS also will distribute "post-mortem" forensic utilities to determine after the fact how an intruder broke in, what computing resources or data were affected, and how to recover from the incident.

"The tools we're developing will install a set of advanced security procedures painlessly," Gross said. "These programs have to be easy to install and use, otherwise some people just won't accept them." Gross has set up an "isolation ward" testbed, a system that includes several types of host computers and networks, on which PICS will develop its network analysis and post-mortem tools. Since the researchers will try to penetrate and corrupt this testbed deliberately, it is not connected to other networked computers at SDSC.

Meanwhile, SDSC security expert and PICS team member Tsutomu Shimomura maintains another computer system that serves as a lure to would-be vandals; it contains expendable files that appear to be useful programs, recipes, and system specifications. Shimomura has become a popular hacker target since he helped capture computer vandal Kevin Mitnick (see the Jan.-Mar. 1995 Gather/Scatter). Although this system has a fair amount of security in place, Shimomura deliberately left it vulnerable to some standard attack methods, and it already has been penetrated. One set of intruders apparently used simple-minded recipes to break in, copy documents, and delete files. What the vandals didn't know was that their actions were being monitored and logged as a test of the PICS intrusion detection software (Figure 2).
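The bait machine described above relies on one simple idea: decoy files that no legitimate user should ever touch, so any change to them is evidence of an intruder. The script below is an added illustration of that idea, not SDSC or PICS code; it plants a directory of constructed decoy files, records a baseline digest of each, and then reports anything added, modified, or deleted, which is the "copy documents and delete files" behaviour the article says was logged on the lure system. The file names, contents, and the simulated tampering in `run_demo` are all invented for the example.

```python
"""Bait-file (honeytoken) change detector.

Added example, not SDSC/PICS code: a defender-side watcher for a
directory of expendable decoy files like those on the lure machine.
It records a baseline of every file's contents and reports anything
added, modified or deleted since that baseline.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

# Constructed decoy contents; names and text are invented for this example.
BAIT_FILES = {
    "recipes.txt": b"Decoy: grandmother's chili recipe\n",
    "specs/system.txt": b"Decoy: host specification sheet\n",
    "tools/useful.sh": b"#!/bin/sh\necho decoy\n",
}


def snapshot(bait_dir: str) -> Dict[str, str]:
    """Map each file under bait_dir (relative path) to its SHA-256 digest."""
    digests: Dict[str, str] = {}
    for root, _dirs, files in os.walk(bait_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, bait_dir).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between two snapshots as added/modified/deleted."""
    return {
        "added": sorted(p for p in after if p not in before),
        "modified": sorted(p for p in after if p in before and after[p] != before[p]),
        "deleted": sorted(p for p in before if p not in after),
    }


def plant_bait(bait_dir: str) -> None:
    """Write the constructed decoy files into bait_dir."""
    for rel, data in BAIT_FILES.items():
        path = os.path.join(bait_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def alerts(changes: Dict[str, List[str]]) -> List[str]:
    """One log line per change; on a real lure these would be sent off-box."""
    lines = []
    for kind in ("added", "modified", "deleted"):
        for path in changes[kind]:
            lines.append(f"ALERT bait {kind}: {path}")
    return lines


def run_demo() -> Dict[str, List[str]]:
    """Plant bait, simulate tampering (constructed), and return the changes."""
    with tempfile.TemporaryDirectory() as bait_dir:
        plant_bait(bait_dir)
        baseline = snapshot(bait_dir)
        # Simulated intruder activity: deface one decoy, delete another,
        # and leave a new file behind.  All of this is constructed.
        with open(os.path.join(bait_dir, "recipes.txt"), "ab") as fh:
            fh.write(b"owned\n")
        os.remove(os.path.join(bait_dir, "specs", "system.txt"))
        with open(os.path.join(bait_dir, "note.txt"), "wb") as fh:
            fh.write(b"constructed intruder note\n")
        changes = diff_snapshots(baseline, snapshot(bait_dir))
    for line in alerts(changes):
        print(line)
    return changes


if __name__ == "__main__":
    run_demo()
```

A digest comparison only sees the results of tampering, not reads or copies, so it catches deletion and alteration but not the "copy documents" step; the article's point that the logging happened on separate monitoring machines is the right design, since a baseline kept on the bait host itself could be edited by the same intruder who edits the decoys.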

Figure 2: What's a Frong?

This electronic exchange was captured by SDSC's Tsutomu Shimomura on machines he set up to monitor unsuspecting hackers. The racial slurs peppered throughout have been obscured. Beyond their lack of social graces, the hackers showed their lack of prowess by never realizing they had fallen for Shimomura's "bait"--hook, line, and sinker. Shimomura's bait machines, isolated from SDSC's main network, will help test software to recognize intrusions.

"What's interesting about these people is that they were the first intruders who were so unskilled and dependent on their recipes that they didn't even realize it was a bait machine," Shimomura said. "It used to be that only a few technically proficient people had the resources to be vandals, but widespread distribution of security-cracking recipes has changed that. We need to give system administrators better tools than the burglars have." --MG

