Fall 2000
Issue 1
What's Next?

Security and the Network
Cyber Crime on the Rise
by Michael C. Parker
Chief Information/Technology Officer
Network Insecurity
The Internet, with all the world's networks, is probably the most complex system ever created. The technological problem with complex systems is that they have emergent properties: properties and effects that cannot be anticipated by their inventors. Network computing and the Internet have produced unintended effects as well, with cyber crime heading the list of negative effects. This article examines current and emerging forms of cyber crime and addresses means by which the Titan Network and its users can reduce our "network insecurity."
The spawning of crime using technology is not surprising. In many important ways cyber crime is no different from ordinary crime against institutions: theft, extortion, vandalism, fraud, and espionage. Security systems have protected organizations from crime for centuries. Cyber criminals simply have a new tool: automation. Automation provides speed for iterative processes; it can perform routine tasks millions of times per second. Networking adds another tool to crime: action at a distance. One can control a computer in the next room or the next country at about the same speed, so criminals can act at a safe distance from their victims. The unanticipated, or emergent, properties of cyber crime come about because of the new ways that technology makes crime possible.
Breaking In
Access to a computer involves trust and permission. We want our computer to ensure the confidentiality of data and messages, ensure the integrity of the data (that it has not been tampered with), and ensure that it is available to authorized users and no one else. On average, 86% of the passwords in use can be cracked with available software. Passwords can be broken by brute-force attacks (trying every possible combination at high speed). Similarly, files may be encrypted for privacy, and brute force may be used to determine the cryptographic key: a message that has been transformed according to rules into apparently random letters can be read if the key used to transform the plain text is figured out. On a network, passwords are compared to an encrypted list and, if matched, allow the user not only to access the computer but to connect with others. RACF for mainframes ensures password security by requiring monthly changes and separate passwords for accessing different services (budgets, student data, etc.). Naive users may paste their passwords on Post-its, let people look over their shoulders, or leave their station unattended.
Active attacks may modify files: change an e-mail message, change budget information. Often active attacks do not require breaking a password. They are hidden software that one unwittingly lets into a computer. The extensive use of e-mail makes them propagate well, perhaps infecting millions of machines per hour.
Viruses are strings of computer code that attach themselves to another computer program. Once attached, a virus installs itself in memory, replicates using the computer's resources, and is unwittingly sent to other computers. The most common types of virus are macros or scripts, originally designed as mini-programs to tell a word processor or spreadsheet to do something automatically. Viruses use the same technology to manipulate a computer and to replicate themselves on other connected computers. Recently, polymorphic viruses have been created which change their form so that anti-virus software cannot identify and remove them. It has been mathematically proven that new viruses can be devised that any existing level of anti-virus software can't stop.
Trojan horses are programs that secretly install themselves and watch the computer's activities, waiting for something to occur: watching the keyboard buffer for a credit card number, for example, and then sending that number to someone. Back Orifice (a play on Microsoft's Back Office software) allows a remote user to take control of a computer, look up information, run programs, or collect passwords and user names. Worms are completely separate programs that can be programmed to damage a computer and to transfer themselves to other computers. One type can be sent as an attachment to an e-mail message; it looks up all the addresses on a computer and e-mails itself to the rest.
Privacy and Surveillance
The privacy of personal data and web usage can be compromised through illegal actions and through surveillance. Organizations with customer databases can legally look for customers with similar characteristics and target them for advertising. Blockbuster keeps track of every video rented by each customer. Organizations can also purchase other customer databases and do data mining on the aggregate, looking for hidden correlations between public DMV information on cars or accidents and income, birth order, credit history, proclivity to international travel, or whatever. DoubleClick is trying to market a database that keeps track of everyone's web-surfing activity. This becomes criminal activity when databases are acquired without permission. Rogue government officials could illegally monitor private behavior; thieves could target appropriate victims for scams. They could also get enough information to impersonate someone and open accounts in the victim's name. Since people do not own the data about them collected by organizations, privacy violations may be legal in many cases. Data harvesting is legal. Surveillance may be legal in some cases.
Van Eck phreaking is a means of surveillance that allows one to figure out what a computer is doing by decoding the radiation it gives off. Tapping without wires, or even explicit transmitters, Van Eck monitors use low-level unintended radiation from computers to detect what the machine is doing, particularly what is showing on the screen. Traffic analysis lets a computer monitor the number of messages, to whom and when, and figure out a lot without knowing the content. Just as the Nazis monitored French phone bills to arrest the friends of those already arrested, networks allow a similar technique. Without knowing the content of messages, patterns in to whom and when messages are sent can reveal much information. (During the hours before the Iraqi invasion, pizza deliveries to the Pentagon increased a hundredfold but did not increase at CIA headquarters.) The intelligence community intercepts billions of e-mail and phone messages per day looking for illicit activity.
Vandalism
Publicity attacks on systems result when someone wants to make a name for himself or herself through a destructive act that defaces Web sites or demonstrates security loopholes and embarrasses an organization. The object is to become famous among hackers or, if caught, to have a bit of wider fame.
Destructive attacks on networks occur millions of times a day. Momentary fame or criminal reputation might motivate attackers, as might employee revenge. Often hackers want to demonstrate their prowess by breaking into a system and thus showing the shortcomings of an organization. They might deface web pages or engage in "denial of service" attacks, in which a hacker's server floods a web site or network with so many messages, or uploads so many files, that it brings the system down (upload bombing).
Distributed denial of service attacks now occur. A hacker accesses many unsecured computers (most of them on cable modem or DSL (digital subscriber line) connections, which are always on line when the computer is turned on), then has each of these machines send thousands of messages to a server, bringing the system down. One could even plan to short sell a company that sells products on-line: destroy its service, then sell the stock when it drops as you bet it would.
Theft
Stealing credit card numbers and using them is a major industry. Bank hackers may set up programs to deduct small amounts of funds from millions of accounts, shortchanging customers; this would be prohibitively expensive without computers. Scams or con games are made easier if crooks know a lot about a person: they can customize con games to fit targets or identify appropriate targets.
Identity theft is enabled by technology. By collecting enough data on a person from databases, it is sometimes possible to apply for bogus credit cards, passports, etc. Search engines locate pages for users that meet certain criteria (look for web pages using the word movies, watches, etc.), but they can be fooled. Other web pages can embed these words invisibly (in meta tags, or as white type on a white background) so that the search engine thinks that the bogus web page is the better match. This steers the user to a different vendor. Search engines often can't tell the difference.
Organizational identity is threatened by various efforts at brand theft. Since organizational identity is tied so closely to reputation, customer loyalty and trust, and brand names, hackers may mimic an organization's web pages and use web addresses very close to big brands in order to scam customers. They might also try to destroy an organization's reputation with bogus Internet information, systematic rumors, etc. Page jacking mimics real vendor or personal pages exactly, the only difference being that the address is a common misspelling of the original URL (uniform resource locator). The hapless speller goes to the fake site and spends his money for nothing. One can also create fake messages from or about companies and send them through e-mail, spreading false rumors.
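The defensive counterpart to page jacking is spotting near-miss hostnames before users (or a mail gateway) follow them. The Python below is an added example, not code from the newsletter or the campus IT group; it assumes a constructed brand hostname `titan-net.example` and a small, constructed table of digit-for-letter substitutions, and flags a host as a lookalike when its first label is within two edits of the brand's, when substituting letters for lookalike digits makes it match, or when the brand name is buried inside a longer name.

```python
from urllib.parse import urlsplit

# Constructed brand hostname for this example; substitute the real organization's host.
BRAND_HOST = "titan-net.example"

# Constructed, partial list of digit-for-letter substitutions seen in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalize(host: str) -> str:
    """Lower-case, drop trailing dots and a leading 'www.' so comparisons are fair."""
    host = host.lower().strip(".")
    return host[4:] if host.startswith("www.") else host


def classify_host(host: str, brand: str = BRAND_HOST) -> str:
    """Return 'genuine', 'lookalike' or 'unrelated' for a hostname relative to the brand."""
    h, b = normalize(host), normalize(brand)
    if h == b:
        return "genuine"
    if h.translate(HOMOGLYPHS) == b:
        return "lookalike"                        # e.g. titan-n3t.example
    host_label, brand_label = h.split(".")[0], b.split(".")[0]
    if levenshtein(host_label, brand_label) <= 2:
        return "lookalike"                        # e.g. tiatn-net.example, titan-net.exmaple
    if brand_label in h:
        return "lookalike"                        # e.g. titan-net-login.example
    return "unrelated"


def flag_links(urls, brand: str = BRAND_HOST):
    """Return the URLs (say, from an incoming e-mail) whose host is a lookalike of the brand."""
    flagged = []
    for url in urls:
        host = urlsplit(url).hostname
        if host and classify_host(host, brand) == "lookalike":
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for url in ["http://www.titan-net.example/", "http://tiatn-net.example/login",
                "http://titan-n3t.example/", "http://library.example/"]:
        print(f"{url}: {classify_host(urlsplit(url).hostname)}")
```

The same classifier can be run over the hosts in a web proxy log to find misspelled destinations that users have already visited, which is the earliest warning that a jacked page is in circulation.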
Titan Network Security Solutions
In the spring of 1998, the Priorities and Resources Committee of the Academic Senate and the President's Administrative Board recommended approval of a project to upgrade the network. President Gordon subsequently approved this project; detailed plans were developed during the 1998-99 academic year and are being completed in the year 2000. The library's increasing dependence on Internet access exposes the campus to unauthorized access. Firewalls and authentication software must be upgraded annually to provide security for the students, faculty, and administration of the campus. Capabilities of the 4CNet router (the 4CNet inter-campus network provides CSU system-wide and Internet access via two of the largest Internet providers) will be used to restrict a number of common Internet attacks. In addition, we're seeking a firewall product with sufficient capacity to add protections that the router cannot.
Database Security and Firewalls
Advances in firewalling technology, which have increased the processing and throughput speeds of such boxes, now allow for front-ending the university's varied databases. As a matter of information security policy, the university has embarked on a mission to protect all of the administrative resources on the campus by means of various firewalling and access control mechanisms. Generally, servers and other important equipment, such as the physical plant and door system controls, are separated from their users by access controls and/or firewalling equipment.
Currently, IT maintains access controls to disallow known problematic methods of access to computers at the university. This needs to grow into "DMZs," or "demilitarized zones," as is common practice on the Internet. Most often, DMZ networks are formed to separate the directly public-accessible resources from those that are part of an internal network. This model protects internal resources from external ones, including the viruses that commonly originate from outside. However, this model is complicated by the fact that universities are places of free speech and free activity. Broad policies govern actions at the university, and actions tend to be subject to the current governance and the interpretation at the time. Meanwhile, real administrative activities occur in the background. It is the goal of the university to continue to provide an environment where intellectual endeavors can occur without detriment to the business of the university, that is, providing an environment of learning, research, and productivity.
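The DMZ model above comes down to a zone-to-zone policy with a default deny, and the essential property is that a public-facing host which gets compromised can reach only the one internal service it needs. The following Python is an added illustration of that policy, not the campus firewall configuration: the address ranges are documentation prefixes chosen for the example, and the port numbers (web on 80/443, a database listener on 1521) are assumptions standing in for whatever the real front end and database use.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan (documentation ranges, not the campus's real addressing).
ZONES = {
    "internal": [ip_network("10.0.0.0/8")],    # administrative servers and desktops
    "dmz":      [ip_network("192.0.2.0/24")],  # directly public-accessible hosts
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the known ranges is 'internet'."""
    a = ip_address(addr)
    for name, nets in ZONES.items():
        if any(a in net for net in nets):
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None matches any port
    action: str               # "allow" or "deny"


# First matching rule wins; traffic that matches no rule is denied.
# Port numbers are assumptions for a web front end and its database.
DMZ_POLICY = [
    Rule("internet", "dmz", 80, "allow"),        # public web site
    Rule("internet", "dmz", 443, "allow"),       # SSL to the same web site
    Rule("dmz", "internal", 1521, "allow"),      # web front end may reach only the database listener
    Rule("internal", "dmz", None, "allow"),      # administrators manage the DMZ hosts
    Rule("internal", "internet", None, "allow"),
]


def evaluate(src: str, dst: str, dst_port: int, policy=DMZ_POLICY) -> str:
    """Decide whether a connection from src to dst:dst_port is allowed under the zone policy."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "allow"            # traffic inside one zone never crosses the firewall
    for rule in policy:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and (rule.dst_port is None or rule.dst_port == dst_port)):
            return rule.action
    return "deny"                 # default deny: nothing reaches internal hosts unless listed


def internet_exposure(policy=DMZ_POLICY):
    """List the (zone, port) pairs the public Internet may reach, for periodic review."""
    return sorted((r.dst_zone, r.dst_port) for r in policy
                  if r.src_zone == "internet" and r.action == "allow")


if __name__ == "__main__":
    for src, dst, port in [("203.0.113.9", "192.0.2.10", 80),
                           ("203.0.113.9", "10.1.2.3", 80),
                           ("192.0.2.10", "10.1.2.3", 1521),
                           ("192.0.2.10", "10.1.2.3", 139)]:
        print(f"{src} -> {dst}:{port}  {evaluate(src, dst, port)}")
```

The fourth sample connection is the one that matters: a DMZ web server trying to reach an internal file-sharing port is refused, so a break-in on the public host does not become a break-in on the administrative network.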
With the goal of providing an environment of learning, research, and productivity in mind, IT is focused on a first phase of "battening down the hatches" in the administrative areas without detrimental effects on the administrative users. The second phase involves locking down holes reachable via the Internet that are not necessary for connectivity to the university or that are known to cause problems in the various computer systems, especially the rollout computers. The third phase is a review of current practices to decide where changes should occur, after which the first-phase activities begin again.
As part of firewalling, the university is creating per-user VPN (Virtual Private Network) connectivity from a user's home to the university. This functionality is necessary for programming, consulting, and off-campus database connectivity to the campus.
As a matter of protection for the university, a policy on disclosure of public information and access to computer data is being formed. A standard practice in many universities is to record and/or monitor traffic to find hackers. Some universities form staffs just to stop intrusions; some use tools which shut off the attacker's access to the resources being attacked. No method is perfect, as there are many means to masquerade true identities on the public Internet. Active methods to stop attackers have the problem that they can stop the wrong people; more importantly, a hacker can fool the intrusion detection software into shutting down access to servers by masquerading as a selected group of good citizens.
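Two points from the denial-of-service discussion and the paragraph above can be shown together: how a flood is recognized in an ordinary web access log, and why an automatic blocker must not trust the source address alone. The Python below is an added example, not a tool the campus uses; the log lines are constructed in the common log format, the addresses are documentation ranges, and the "never block" list (a campus router and the library proxy) is an assumption standing in for whichever addresses a real deployment could not afford to cut off.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common-log-format request line; the access log is assumed to be in time order.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed list of addresses that must never be blocked automatically (campus router,
# library proxy): a flood that appears to come from them is more likely a forged source
# address than a real attack from that host, so it only raises an alert.
NEVER_BLOCK = {"192.0.2.1", "198.51.100.7"}


def parse_line(line: str):
    """Return (source address, timestamp) or None for a line that is not a request record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["src"], datetime.strptime(m["ts"], TS_FMT)


def find_floods(lines, window_seconds: int = 10, threshold: int = 20) -> dict:
    """Sources that sent more than `threshold` requests within any `window_seconds` span,
    mapped to the peak count seen for that source."""
    recent = defaultdict(deque)   # per source: timestamps inside the current window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, ts = parsed
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()      # drop timestamps that have aged out of the window
        if len(window) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(window))
    return peaks


def plan_response(peaks: dict, never_block=NEVER_BLOCK) -> dict:
    """Map each flooding source to 'block' or, for protected addresses, 'alert' only."""
    return {src: ("alert" if src in never_block else "block") for src in peaks}


def _line(src: str, second: int, path: str = "/") -> str:
    return f'{src} - - [02/Oct/2000:14:03:{second:02d} -0700] "GET {path} HTTP/1.0" 200 1043'


# Constructed sample log: a flood from an outside host, a flood that claims to be the
# library proxy, and a handful of ordinary requests from a campus desktop.
SAMPLE_LOG = []
for _sec in range(6):
    SAMPLE_LOG.extend(_line("203.0.113.5", _sec) for _ in range(5))
    SAMPLE_LOG.extend(_line("198.51.100.7", _sec) for _ in range(5))
    if _sec % 2 == 0:
        SAMPLE_LOG.append(_line("192.0.2.10", _sec, "/courses"))

if __name__ == "__main__":
    peaks = find_floods(SAMPLE_LOG)
    for src, action in plan_response(peaks).items():
        print(f"{src}: {peaks[src]} requests in window -> {action}")
```

Both floods are detected, but only the outside host is blocked; the one wearing the proxy's address produces an alert for a person to look at, which is the compromise the paragraph above argues for.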
On an annual basis, the university is leasing vulnerability scanning software or outsourcing the scanning (a practice common among information security groups) in order to assess vulnerabilities that might not be uncovered otherwise. This is a low-cost and highly effective assessment method. The vulnerabilities revealed do not always indicate that one would want to stop up the holes, as such vulnerabilities are often needed by useful software packages. However, vulnerability scanning software has proven useful here at the university. As such, IT will continue the practice of an internal assessment of system vulnerabilities in order to provide course corrections for the application and operating system software settings used in the President's technology initiative computer desktops and department-owned computing facilities and laboratories.
Passwords, Biometrics, and Smartcards
We can automate requiring users to change passwords frequently, and with changes to the culture and with training we can improve user vigilance. The current CSUF focus is on changing passwords, encouraging those who refuse to do so, with the eventual goal of removing service from those who will not. This is because our weakest link is our weakest password. While the campus recognizes it is not Fort Knox, there are many data privacy, financial integrity, accounting, and auditing issues that are exposed simply by weak password choices. An example of an incredibly poor choice of password is one that is the same as the username.
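The mechanics behind both the "Breaking In" section (passwords checked against a stored encrypted list, brute-force guessing) and the policy described here (monthly changes, rejecting a password equal to the username) can be shown in one place. The Python below is an added example, not the campus's authentication code: the minimum length, character-class rule, thirty-day age limit and PBKDF2 iteration count are assumed policy values, and the user record it builds is a constructed stand-in for a real account store.

```python
import hashlib
import hmac
import os
from datetime import date

# Constructed policy values for this example, not the campus's actual settings.
MIN_LENGTH = 8
MAX_AGE_DAYS = 30            # monthly change, as the article describes for RACF
PBKDF2_ITERATIONS = 200_000  # makes every brute-force guess against a stolen list expensive


def password_problems(username: str, password: str):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() == username.lower():
        problems.append("identical to the username")
    elif username.lower() in password.lower():
        problems.append("contains the username")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    return problems


def enroll(username: str, password: str, changed_on: str) -> dict:
    """Create a stored record: only a salted hash is kept, never the password itself."""
    problems = password_problems(username, password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)   # per-user salt: identical passwords do not produce identical hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"username": username, "salt": salt, "digest": digest, "changed_on": changed_on}


def login(record: dict, password: str, today: str) -> str:
    """Return 'ok', 'bad password' or 'expired' for an attempted login (dates as YYYY-MM-DD)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    if not hmac.compare_digest(candidate, record["digest"]):
        return "bad password"   # constant-time compare: no timing hint about how close the guess was
    age = (date.fromisoformat(today) - date.fromisoformat(record["changed_on"])).days
    if age > MAX_AGE_DAYS:
        return "expired"        # correct password, but the monthly change is overdue
    return "ok"


if __name__ == "__main__":
    print(password_problems("jdoe", "jdoe"))          # the article's worst-case choice
    rec = enroll("jdoe", "Titan-Net-2000!", "2000-09-15")
    print(login(rec, "Titan-Net-2000!", "2000-10-01"))
    print(login(rec, "Titan-Net-2000!", "2000-11-01"))
```

Because only the salted, iterated hash is stored, a copy of the account list gives an attacker nothing to compare guesses against except this slow function; the policy check in front of it is what keeps the guess space from being trivially small in the first place.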
Adding fingerprint, facial recognition, or iris scanning adds another level of security. While biometric measures are growing in popularity, the growth is in certain special applications. For example, Automated Teller Machines (ATMs) administered by large banking institutions are the focus of the introduction of three-dimensional photographic images that would be used to validate whether a real person was present at a given ATM. Of course, solutions such as this require increased processing power at the ATM or additional network bandwidth to deliver photographic signatures that would be checked against a central database.
At CSUF, the introduction of smart cards could provide the same level of authentication sophistication. However, such efforts would entail substantial costs in actual cards, workstation and software upgrades, and licensing. These would not be sunk costs but would require continual reinvestment. However, a smart card would be more effective in controlling access to important resources, as it would be physically required for access. Passwords, while powerful, are often not changed by the staff, faculty, and administrators.
Data Security
The actual files or data that we transmit to each other can be made more secure as well. Security certificates, watermarks, and digital signatures create another level of confidence in specific files. Security certificates are built into the Windows 2000 Server Active Directory model. We are awaiting a stable release of this software instead of implementing a proprietary solution that would cost upwards of $80,000 per year. The Microsoft approach is more scalable across our Microsoft enterprise.
The university continues to utilize de facto standard Secure Sockets Layer encryption on the web to provide for secured data transfer in financial and personal information transactions over the public Internet to its student body, faculty, staff, and administrators. Many of the information technology security keys at the university are based on the NT security model. Strong passwords are key to tight security controls.
At this time, authentication of office forms using Shana's Informed Filler and I-Sign's I-POP signing application allows for electronic review of documents. The signatures in this mechanism are not secure enough to hold up in a court action; however, they are practical for daily business routines. Again, this forms-signing capability relies on the NT account password and is only as good as that password.
Email may need to be encrypted for special types of uses. For example, transmission of human resources information merits encryption to avoid documents falling into the wrong hands. Microsoft Exchange 2000 will provide these capabilities in a manner that will provide easy access to encryption when needed.
Personal Responsibility
It takes a village . . . to reduce network vulnerability. Up-to-date training and regular back-ups of personal data are valuable practices for all of us. Each network user can take additional steps to ensure that the Titan Network has minimal exposure to security breaches. Secure passwords, locking workstations, anti-virus upgrades, awareness of potentially damaging e-mail attachments: these individual actions will not only enhance network security but minimize lost work and inconvenience to all members of our Titan Network.