06/26/95 HACKER HEAVEN: So many computers, so few safeguards

HACKER HEAVEN
So many computers, so few safeguards
Ever since armed men guarded the ``electronic brains'' that cracked Nazi codes, securing data against theft and tampering has been a concern in computing. With today's distributed computing networks, though, it's enormously more difficult to keep unauthorized users out and data secure. Networks, as the Office of Technology Assessment reported to Congress last year, ``can make every user essentially an `insider''' with the potential to clobber vital information systems.
It's enough to make you want to yank out those network wires. But that won't be necessary, experts say, if businesses adopt a new approach to network security. With so many modems and local-area network (LAN) connections installed on so many PCs, and with private and corporate connections to the Internet proliferating, companies must take it for granted that every computer on the planet can now reach and possibly meddle with any other--and will, if appropriate protection isn't in place. ``We assume that everyone is a hacker,'' says Carmine Villani, vice-president of information management at McKesson Corp., a drug wholesaler. ``That's the only way.''
The range of security measures for PCs and LANs is expanding daily. Devices originally designed for spy agencies are now standard corporate issue. Security Dynamics Technologies Inc. and LeeMah Datacom Security Corp., among others, supply pocket-size cards that generate a brand new password every minute. Biometric devices can now identify people by the size of their hands, patterns in retinal blood vessels, or the dynamics of their voice or handwriting.
Connecting your network to the hugely popular Internet opens it to potentially millions of largely unidentifiable visitors--of whom, you can be sure, at least a few are malicious, and even criminal, hackers. To keep the bad guys out while still allowing insiders full access to the Internet, many organizations are setting up ``firewalls''--gateway computers programmed to block unwanted traffic arriving from the Net. ``It's like having a big bouncer at the door,'' says Rick Tinsley, assistant vice-president at the Vivid Business Unit of Newbridge Networks Inc., a maker of networking hardware.
To keep information away from prying eyes as it moves beyond the local network, companies are also encrypting their traffic with secret codes, or keys. This raises a new issue: When millions of individuals and corporate entities are doing business in cyberspace, each using a unique key, who will manage all of those keys? Who'll keep official record of them? A government agency, perhaps, such as the post office, or a private company? ``No one's done this for 100,000 people, much less a million,'' says Geoffrey Baehr, chief network officer at workstation maker Sun Microsystems Inc. ``It smells like an opportunity to me.''
One company that has seized the opportunity is Northern Telecom Ltd. The phone-equipment maker now sells a program called Entrust that, besides helping manage large numbers of keys and protecting network traffic against snoops, makes sure messages arrive intact and verifies that senders are who they say they are.
Indeed, network security is a field rife with opportunity--and unknowns. Baehr and his colleagues at Sun are working on strategies for countering so-called denial-of-service attacks. Using a powerful computer, an adversary could effectively shut down a company's Internet server by bombarding it with false messages. One solution: a new breed of firewall system programmed to continuously look out for and then block such threats. It just shows: For every solution in cyberspace, there's always another problem to solve.

By John W. Verity in New York