type: NYT (Copyright 1995 The New York Times)
priority: Urgent
date: 01-22-95 2108EST
category: Financial
subject: BC NETWORK NEMESIS ART
title: NEW FORM OF ATTACK ON COMPUTERS LINKED TO INTERNET IS UNCOVERED
author: JOHN MARKOFF
text: SAN FRANCISCO -- A federal computer-security agency has discovered that unknown intruders have developed a new way to break into computer systems, and the agency plans Monday to advise users how to prevent the problem.
The new form of attack leaves many of the 20 million government, business, university and home computers on the global Internet vulnerable to eavesdropping and theft. Officials say that unless computer users take the complicated measures they will prescribe, intruders could copy or destroy sensitive documents or even operate undetected by posing as an authorized user of the system.
For computer users, the problem is akin to homeowners discovering that burglars have master keys to all the front doors in the neighborhood.
The first known attack using the new technique took place on Christmas day against the computer of a well-known computer security expert at the San Diego Supercomputer Center. An individual or group of unknown intruders took over his computer for more than a day and electronically stole a large number of security programs he had developed.
Since then several attacks have been reported, and there is no way of knowing how many others may have occurred.
Officials of the government-funded Computer Emergency Response Team say that the new assaults are a warning that better security precautions will have to be taken before commerce comes to the Internet, a global web of interconnected computers that exchange electronic messages, documents and computer programs.
It is expected that by the end of this year such businesses as florists, supermarkets, credit card companies and banks will peddle wares to customers via their personal computers over the Internet, and the new intruders could then be able to steal credit card numbers, merchandise and money.
The response team, a federally sponsored agency at Carnegie Mellon University in Pittsburgh, plans Monday to post an advisory on the Internet, alerting computer users to the attacks and urging them to take a variety of protective measures involving software and hardware security mechanisms.
``This was a sophisticated attack,'' said James Settle, a former FBI computer crime expert who is now an executive at Inet Corp., a computer security firm. ``Essentially everyone is vulnerable.''
The Internet works by breaking computer messages into groups of digital packets of data, each of which has an electronic ``envelope'' that provides ``to'' and ``from'' addressing information used by special network computers known as routers that deliver the data. The new attack makes use of a flaw in the design of the network to fool the router computers into believing that a message is coming from a trusted source. By masquerading as a familiar computer, an attacker can gain access to protected computer resources and seize control of an otherwise well-defended system.
Computer administrators at several organizations that have been broken into by individuals using the technique said they had been contacted by federal law enforcement officials as part of an investigation into the break-ins, but Justice Department officials refused to comment.
The lack of tight security on the Internet has remained a well-known risk, even as thousands of companies have been flocking to the global network in the last year hoping to find new ways of doing business in cyberspace. However, many computer security experts point out that the basic Internet software was never designed with this use in mind.
It was originally created by academic researchers to conveniently exchange computer data with little thought to the problems that are now emerging in which anonymous individuals, hidden by a web of computer links, can eavesdrop and steal electronically.
Classified government military computer systems are not thought to be at risk because they are not directly connected to the Internet. And until now, most companies and other organizations with computers directly connected to the Internet have assumed they could protect themselves from intruders by creating various types of hardware and software defenses known as ``fire walls.''
But the new type of attack can in many cases easily penetrate these common defenses, according to officials of the Computer Emergency Response Team.
``Out of all the sites on the Internet, there are only some small fraction that care enough about security,'' said Tom Longstaff, manager of research and development for the security agency.
The security warning to be issued Monday will include a list of brands of router computers that can use a computer program to protect against the new attack, which is called IP, or internet protocol, spoofing. The new defense works by recognizing packets that have been forged and rejecting them. But the advisory will also list brands of routers that have no way of protecting against the attack.
Computer security experts said there was no good way of estimating what fraction of the Internet computers have routers or fire wall software capable of protecting against the attack.
``This is a really tough problem because it is an attack based on the way things work normally,'' said Marcus Ranum, a senior scientist at Trusted Information Systems, a computer security firm.
The flaw, which has been known as a theoretical possibility to computer experts for more than a decade, but has never been demonstrated before, is creating alarm among security experts now because of the series of break-ins and attacks in recent weeks.
The weakness, which was previously reported in technical papers by AT&T researchers, was detailed in a talk given by Tsutomu Shimomura, a computer security expert at the San Diego Supercomputer Center, at a California computer security seminar sponsored by researchers at the University of California at Davis two weeks ago. Shimomura's computer was taken over by an unknown attacker who then copied documents and programs to computers at the University of Rochester where they were illegally hidden on school computers.
Most computer security experts say that real security on the Internet awaits the widespread adoption of encryption technology for scrambling data and authenticating messages.
``The right answer is encryption because when you encrypt your business data you don't care how many people get a copy,'' said Eric Schmidt, the chief technical officer of Sun Microsystems. ``My prediction is that this will be the only real solution to these problems.''
Internet veterans also expressed anger at the new style of attack because it would cause many organizations to strengthen their security systems, thus making the network less convenient and less useful.
``These guys are striking the basis of trust that makes the network work,'' said Marcus, ``and I hate that.''