Break-ins on the Internet! Assaults on privacy! Theft of information!
Break-ins, assaults, and thefts are prohibited. Yet they happen. How is this so? Just how clever are the invaders? What are the holes in supposedly secure systems? Internet Besieged explains the ingenious strategies employed by intruders. It shows how security experts must be both defensive and proactive to protect information, privacy, and electronic commerce.
Internet Besieged consists of over thirty original and recently published chapters written by leading figures in security. They range from technical explanations of encryption and intrusion-detection systems to popular accounts of hacker attacks.
Internet Besieged is organized for the general reader as well as the practicing professional. It covers:
For software developers, system managers and engineers, students, and concerned citizens, this book provides a broad awareness of Internet security risk while exploring the social, legal, political, and ethical implications of security breaches and suggested countermeasures.
Contributors include: Steve Bellovin, Matt Bishop, Bill Cheswick, Jim Christy, Stephen T. Kent, Steven Levy, Teresa Lunt, Peter G. Neumann, E. Eugene Schultz, Eugene H. Spafford, and Bruce Sterling.
I. THE WORLDWIDE NETWORK. 1. The Internet After Thirty Years, Peter J. Denning.
II. INTERNET SECURITY. 7. An Evening with Berferd, William Cheswick.
III. CRYPTOGRAPHY. 17. A Brief History of the Data Encryption Standard, Walter Tuchman.
IV. SECURE ELECTRONIC COMMERCE. 22. Electronic Commerce, Peter J. Denning.
V. LAW, POLICY AND EDUCATION. 27. Law Enforcement in Cyberspace Address, The Honorable Janet Reno, United States Attorney General.
The year 1992 was an historical divide for the Internet. In that year, the number of Internet users surged past one million, enough to form a critical mass for public interest. The Clinton administration made promotion of the "information superhighway" a top priority and formed a National Information Infrastructure advisory council. The World Wide Web and the first browsers, Mosaic and Netscape, seized the public fancy. Since then, multitudes of new businesses, and even new professions, have taken shape, with such names as Internet identity designers, browser builders, electronic marketeers, search engineers, network computers, virtual shopping malls, workflow coordinators, and intranets, to name a few. Business people now routinely include Internet e-mail and Web addresses on their cards, stationery, and advertisements.
Yet the Internet is a risky place to conduct business or store assets. Hackers, crackers, snoops, spoofers, spammers, scammers, shammers, jammers, intruders, thieves, purloiners, conspirators, vandals, Trojan horse dealers, virus launchers, and rogue program purveyors run loose, regularly plying their nasty crafts and dirty deeds. Many do so shamelessly, enjoying near-perfect anonymity, using forged addresses, untraceable links, and unbreakable codes. Analogies to the Old American West, populated by unruly cowboys and a shoot-first-ask-later mentality, are more appropriate than the coiners of the phrase "electronic frontier" ever imagined. Many law-abiding citizens, who simply want to conduct their business in peace, are demanding that the marshal come to cyberspace.
But the marshal must be more than a courageous, upright, fair, and tough upholder of the law, for most of the criminals employ high-tech methods that the ordinary person has trouble understanding. The criminals post detailed instructions on bulletin boards on how to test systems for vulnerabilities and then attack them, and the experts among them have made sophisticated "burglar's tool kits" available on Web pages. The marshal must be technologically smarter than the criminals. In an initial attempt to help, the Defense Advanced Research Projects Agency (DARPA) formed the CERT (Computer Emergency Response Team) Coordination Center (CC) in 1988 to work with the Internet community to detect and resolve computer security problems and to help prevent future incidents. In 1996 CERT/CC received over 31,000 e-mail incident reports and 2,000 telephone reports, and they investigated nearly 2,600 of them. The most common security attacks in 1996 were of six kinds.
While the CERT/CC goes about its job quietly, the news media have given a lot of attention to high-tech computer crimes. Here are some examples of big computer-security stories that appeared in the media:
We believe that these problems are a serious threat to information infrastructures everywhere. Until they are addressed satisfactorily, all the widely touted boons of the Internet, from telework to distance education to electronic commerce, will not be realized. We have assembled this anthology of leading experts because we want to help you and others understand the magnitude of the job faced by system administrators and designers in keeping the Internet safe, secure, and reliable. In short, we want to help the marshals become smarter and to help you understand why their jobs are so demanding.
We also believe that the solutions to these problems cannot be achieved solely by technological means. The answers will involve a complex interplay among law, policy, and technology. There are many issues. Who should pay the sales tax on a transaction? Under what conditions can the government wiretap digital communications? Can a government prevent critical software or data from crossing national boundaries? What rights does an advertiser have to personal information gleaned from the computers of those engaged in transactions? Some groups see a secure Internet as the foundation of a new world order, with government having less influence on private lives, more safeguards on speech and freedom, and more protections for individual privacy and due process. One person's free speech is another's clogged mailbox or tarnished public identity. We think the debates around these issues are healthy and need to be played out in the political and private arenas in the years ahead. Their resolutions will affect the kinds of countermeasures that can be used against the various threats. One thing is for sure: there is no purely technological solution. We cannot eliminate the marshal.
Originally, this book was intended to be an update of the anthology Computers Under Attack, prepared in 1989 and published in 1990. Yet so much has changed in the field that most of the previous essays were no longer relevant. The few that survived for this edition have been brought up to date by their authors. We retained the anthology format as a reminder that the field is new and still in great flux, and in such times it is more valuable to hear it from the original speakers.
After culling the best essays from a huge literature, we were left with about three dozen important articles. From your standpoint as a reader, this may well look like a daunting amount of information. How might you get the most out of this book in your limited time?
We suggest that you imagine yourself attending a symposium in a large hall with high, arching ceilings. Along the walls are booths, and in each booth is an author speaking on a topic. The room reverberates with the combined drone from all the speakers. You can walk from booth to booth, in any order you choose, listening to the conversations. You can listen as much or as little as suits you. You can return later to listen more and get some of your questions answered. If you are a beginner, a few hours in this forum will give you some basic familiarity with the terms used by the speakers and the capacity to ask intelligent questions. If you are already a working professional, a few hours in this forum will bring you up to date on what the experts are saying and allow you to calibrate whether your current knowledge is complete.
To assist you in navigating this forum, we have prefaced each of the five sections with a short summary of what the authors talk about and what common themes bring them together.
You may be interested in a related work. ACM has produced a new Professional Knowledge Program on Network and Data Security, edited by Matt Bishop and Peter Denning. It is a package of primary and secondary articles with study questions, editorial overviews, and a search engine. ACM will give you a certificate when you successfully complete the reading program. See www.acm.org/pkp.
This book is an outgrowth of our work on a predecessor anthology, Computers Under Attack: Intruders, Worms, and Viruses, published by Addison-Wesley and ACM Press Books in 1990. We are especially grateful to Helen Goldstein of Addison-Wesley for handling the logistics of review and production, Ellen Wollner of Addison-Wesley for masterful marketing, Jacquelyn Young of Addison-Wesley for coordinating production, Peter Gordon of Addison-Wesley for his sharp sense of what will resonate in the market, and Nhora Cortes-Comerer and Debbie Cotton of ACM for arranging for this to be part of the ACM Press Books series and obtaining permission from the previous publishers of these works.
Matt Bishop of U.C. Davis deserves a special mention for his long friendship, sharp technical knowledge, extensive familiarity with the literature, and inspirations over the years. He collaborated with Peter on a related collection, the ACM Professional Knowledge Program on Network and Data Security. ACM Director of Publications, Mark Mandelbaum, facilitated that program and this book. Peter's partner at George Mason University, Daniel Menascé, has also been a constant source of inspiration. Sushil Jajodia and Ravi Sandhu of George Mason University have always been freely available to provide technical knowledge and perspective about computer security.
Peter is grateful to the great editors with whom he has worked, notably Steve Mayer of American Scientist, who helped him with several essays whose updates are included here, and Bill Frucht of Springer-Verlag, who taught him much about the secrets of editorial selection.
Peter and Dorothy are grateful to each other for many years of marriage in which their ability to work together professionally was strengthened. They are grateful to their mothers, Catherine Denning and Helen Robling, and to their daughters, Anne and Diana Denning. All four individuals may not have fully understood the subject matter but fully realized its importance, and thus were endless sources of encouragement.