Monday April 10, 2000
Home Is Where The Hack Is
By Todd Spangler, Inter@ctive Week

Nathan Hoffman was almost too angry for words. Pacific Bell had just successfully installed a new Digital Subscriber Line connection in his house in November 1999 in Woodland Hills, Calif., an upscale suburb of Los Angeles.

A few weeks later, Hoffman, a lawyer in private practice, started reading about how always-on broadband Internet connections left computers potentially vulnerable to external attacks. Concerned, he visited a Web site that checks a computer's security - and was horrified to discover that his PC couldn't have been less secure. Because he had file-sharing features enabled on his PC, all of his confidential files were as easy to access as if he had posted them to a public Web site.

"I found that my computer was as wide open as it could possibly be," Hoffman said. "Anybody could take control of my computer. Anyone in the world could be as destructive as they wanted."

For many broadband users, it is becoming a rude awakening to learn that being connected around the clock to the Internet is not just a Valhalla of always-on convenience. Right now, about one in four computers hooked up to broadband connections is vulnerable. By 2003, that could mean 1 million computers that are vulnerable to having their cookies stolen, their hard drives rifled and their operations commandeered.

The same threat has existed before, with dial-up usage. But, around-the-clock connections have made it easier to tap into far-flung computing devices with automated software. The issue spilled over earlier this year with the distributed denial-of-service attacks against Yahoo!, eBay and other large sites on the Net. In those cases, hackers implanted invisible code on hundreds of unsuspecting victims' computers, turning them into "zombies" that could be coordinated into large-scale attacks.

But, it's an issue that Hoffman, for one, will not let go away. In December 1999, Hoffman filed a class action lawsuit against Pacific Bell alleging false advertising, negligence and breach of warranty. The lawsuit said that Pacific Bell did not provide adequate protections against unauthorized Internet intrusions, nor did it inform customers that the Digital Subscriber Line (DSL) connections were not secure.

Representatives from Pacific Bell and SBC Communications, Pacific Bell's parent company, declined to comment on Hoffman's lawsuit. They also would not discuss the security practices of Pacific Bell's Internet services.

Was there any actual harm done to Hoffman's computer? Hoffman said he doesn't know whether any data from his PC was stolen, and he believes that nothing was deleted or altered. What he wants now, he claimed, is simply for Pacific Bell to start recognizing the potential security threats its DSL customers face.

"They just need to tell their customers the truth and make sure their customers have protection," Hoffman said.

Free-Floating Paranoia
Hoffman's lawsuit provides a useful illustration of a radical shift in customers' expectations regarding Internet security. The question now is: How well will service providers and technology suppliers be able to adapt to these fast-changing market dynamics?

Internet service providers (ISPs) - those willing to discuss the issue - almost roll their eyes when someone brings up the topic of "home hacking." They downplay the security risks as minor. If you have turned off your computer's file-sharing functions and have a little bit of common sense, they say, you have less of a security concern than when you give your credit card to the guy at the gas station.

It's the knowledge that their computers are being pinged by someone in Germany, Romania or other far-off land that sends cold water shooting through the veins of average broadband users. New hacking tools allow anyone to automatically probe thousands of Internet Protocol addresses at a time, looking for computers with open IP ports that a hacker can later exploit.

Take the Hoffman case. Once he found his connection wasn't secure, he installed software called BlackIce Defender - and discovered his PC was being scanned several times per day, at all hours, by multiple probes from all across the Internet. Hoffman did not find these results very comforting.

But industry experts say these port scans are basically harmless as long as you're not running a server in your house and you've taken other basic security measures, such as disabling the ability to share files with other users.

"When people get [their computers] scanned, they picture someone sinister hunched over a keyboard," said Jay Rolls, vice president of network engineering at Excite@Home. "But massive port scanning is trivial to do, and it's innocuous in and of itself. I don't think the threat is as big as people think."

Nevertheless, ISPs recognize that the cat is way out of the bag on this issue. For most people, even the remotest chance that some unknown Internet hacker is jimmying their computers' locks manifests itself as a powerful, emotional fear rather than a rational account-taking of the risks, analysts say.

Rex Cardinale, chief technology officer at DSL wholesaler Covad Communications, said he believes it's important to start educating people about Internet security for broadband connections. But, he said much of the recent hand-wringing over security threats to always-on computers is misspent. "The fact of the matter is, the vast majority of the population isn't exposed," Cardinale said. "Why scare the guy who's just hooking up a Windows 95 computer?"

Has the fear been blown out of proportion? Maybe. But, now that consumers have been "educated" about the risks of always-on Internet connections, the broadband service providers will have to respond to customers' requests for some kind of security protection. Otherwise, they'll appear incompetent or condescending - or worse, negligent.

"The broadband providers have been aware of the security issues, but until now they haven't been pressured by consumers to offer the security piece of the puzzle," said Eric Hemmendinger, an analyst at Aberdeen Group.

Broadband subscribers are now demanding it. Rochelle Garner, a free-lance writer who lives in San Carlos, Calif., is another Pacific Bell DSL user. She's online all day and most of the evening. Because of the recent publicity surrounding the denial-of-service attacks, she wanted to ensure her Macintosh was safe. But, when she asked for help from Pacific Bell, Garner said, she was stonewalled.

"The first time I talked to PacBell, they got defensive. They said, 'We're not responsible for that,' " Garner said. "They were no help whatsoever."

Others didn't wise up to the importance of Internet security software until it was almost too late. Philippe Trahan, a software engineer who lives in Montreal, has a 300-kilobit-per-second cable modem connection from Le Groupe Videotron, a local provider.

"I always found the security lacking," Trahan said. "Then I caught a Trojan horse [virus] starting to erase my entire drive." Trahan thereafter installed Symantec's Norton Internet Security 2000, which includes a personal firewall and anti-virus software, and he hasn't been bugged since.

It was the feeling of being both misled and avoided that sparked Hoffman to legal action. He alleged that Pacific Bell advertised that its DSL service offered "secure, dedicated links to the Internet," even if that claim is not made now. Hoffman said he sent Pacific Bell a number of e-mail messages asking it to address the security issue, but, he claimed, no one responded to him. Then he felt ignored, which made him even angrier.

Who's Hacking Whom?
Regardless of people's amorphous anxieties about security, how serious - really - is the problem of home hacking?

Measuring the extent of home hacking is difficult. No analyst firms or government agencies track specific data on security crimes against individuals. The Social Security Administration recently reported that it received more than 30,000 complaints in 1999 relating to abuse of Social Security numbers, compared with 11,000 in 1998. The agency said the jump was due to the ease with which the Internet can distribute information, but it seems that most of the Net-related incidents were posted on Web sites or e-mailed across the globe rather than stolen from home PCs.

While there may be no empirical data of how many home users have ever been hacked, there's some evidence that a significant number of Internet-connected computers - perhaps as many as one in four - are vulnerable to data theft or destruction. Steve Gibson, an independent software developer based in Southern California, operates a Web site called Shields Up! (grc.com), which performs a remote scan of a computer's ports to show the system's security weaknesses.

As of the end of March, about 2.3 million people had tested their computers at Shields Up!, and almost 650,000 of those computers - or 28 percent - allowed anyone on the Internet some sort of access to their file systems. About 8 percent were "wide open," meaning anyone could copy or even delete files. Gibson acknowledged that the statistics aren't terribly scientific, because the people scanning themselves are self-selecting and the site probably gets repeat visitors.

But, Gibson thinks the results are still unnerving. "This site is a wake-up call," he said. "Everyone knows of the security threats as an abstraction, but it is the reality of having the site say, 'Greetings, Steve!' and you go, 'How the hell did they get my name?' "

The problem of computers with misconfigured security settings at the end of high-speed, always-on connections promises to get worse. By 2003, there will be about 15.3 million households with broadband access in the U.S., according to projections from Jupiter Communications - and that, if you run a conservative calculation based on the Shields Up! results, means there could be at least 1 million computers from which files can be easily stolen. Furthermore, there will be even more users hopping online via dial-up modem: International Data Corp. has predicted that there will be 327 million Internet users worldwide by the end of 2000, and about 600 million by 2003.

Still, it's not clear to everybody why a hacker would want to rummage around on the neighbor's PC. Hackers tend to gravitate toward high-visibility acts: They want their work to get noticed and written up in The New York Times.

Perhaps the hackers themselves aren't exactly sure what they're looking for. Kevin Collins, a Huntington Beach, Calif., resident, was a subscriber of Flashcom's DSL service for almost a year and a half; he recently switched to Time Warner's Road Runner cable modem service. "When I started, I knew the service wasn't totally secure, but I wasn't concerned because I thought, 'What do I have that anyone wants to get?' " he said.

Then Collins installed Network Ice's BlackIce - and discovered a virtual United Nations of hackers trying to connect to his computer. "We were getting whacked like crazy," he said. "In particular, we were getting probed from an ISP in Egypt."

Theft of personal data isn't the most likely motive for a digital break-in of a home computer, said Greg Gilliom, president and chief executive of Network Ice, an intrusion-detection software company that has tapped into the growing home Internet security market.

"Cracking into one system for a credit-card number is a tough way to make a living," Gilliom said. The main reason a hacker wants to break into a home system, he said, is to attack someone else - à la the denial-of-service attacks against Yahoo! and others - because "then the FBI comes knocking on your door instead of his."

Point The Finger
So whose responsibility is it, ultimately, to protect home users from malevolent forces on the Net? In Hoffman's case, Gilliom said, Pacific Bell is accountable, since the company - according to Hoffman - said it was delivering a secure connection.

Other users of broadband Internet services voiced similar sentiments. Pearce Smithwick, who uses the AT&T@Home cable modem service in Oregon, also thinks the onus of educating and informing users about security lands on the shoulders of the service provider. He said ISPs need to take a more proactive stance in informing their users about how to make sure their connections are hackerproof.

"AT&T@Home never made any suggestion that I was at risk or that I should take steps to secure my connection and my computer," Smithwick said. "Their techs never suggested it, their installer never mentioned it, and you have to hunt on their site to find any reference to the fact that you might be in danger."

Is signing up DSL and cable modem users without advising them about the kinds of security precautions they need to take akin to selling a sport utility vehicle without brakes or seat belts? Not necessarily. Other observers suggested that Internet users who complain about security need a big, fat whack with the caveat emptor stick.

"Everyone installed virus software because they believed that passing around a diskette was a problem, but they freely and willingly hooked up to the Internet and thought they weren't susceptible," said Matt Kovar, an analyst at The Yankee Group. "Look, if you're driving your car on a dirt road, you might get a flat tire."

Still, some service providers offer scant guidance on security. Here's the advice Pacific Bell offers DSL subscribers in its Frequently Asked Questions document: "If you're concerned about the security of your Basic DSL connection, simply turn off your computer when you're not using it."

InternetU.org NOTE: The above is not true. You are at risk just by connecting to the Internet. It takes under 8 seconds to be hacked. It takes only 1 email to let in a worm or Trojan horse.

America Online, which is now offering DSL connections through partners that include Bell Atlantic and SBC, gives users information about firewall software and describes "common sense security things you need to know for going online in general," according to an AOL spokesman.

Meanwhile, EarthLink is taking a more hands-on approach. The company expects to start offering a firewall with its DSL service around the third quarter of this year, said Mike Lunsford, executive vice president of broadband services at EarthLink.

"As we get into more of the general public, you run out of the folks who really know all the security concerns who can protect themselves," Lunsford said. He said EarthLink doesn't necessarily see the firewall add-on as an additional revenue stream; rather, "there's potential revenue lost if we don't have a solution that makes all of our customers comfortable. We need to be a step ahead of everyone else."

Excite@Home is already offering McAfee.com's anti-virus and personal firewall as an option to its users. Curiously, though, the move backfired a bit: Excite@Home's Rolls said people read too much into the deal.

"The reaction by the press was: 'Oh, this must mean something - @Home feels there is a need to provide additional security to its subscribers,' " he said. "The truth is, it's not like we're having thousands of people hacked. There's not a huge need for it. That was mainly an anti-virus deal, and the firewall was just thrown in."

Security Hawks
Certain service providers are skittish about dealing the security card, even though it may generate good will from customers and perhaps even turn into a source of incremental revenue, according to analysts. The truth is, some view talking about security threats as bad for business, according to Network Ice's Gilliom. "The ISPs have a strong interest in having people believe this isn't a problem," he said. "The ISPs don't want the security issues to inhibit their sales."

But, a hungry band of technology companies - including McAfee, Network Ice, Symantec and Zone Labs - is swooping in to provide personal firewalls and other home security software to fill the sudden, desperate demand from cable and DSL subscribers.

Due to that demand, the market for consumer Internet security software is expected to grow like a magic mushroom. Symantec expects the sales to ratchet up from being essentially nonexistent at the beginning of 1999 to $200 million by 2002, said Tom Powledge, product manager for Symantec's Norton Internet Security 2000 suite.

"We were in a similar situation three years ago with anti-virus, where people knew about viruses, but the macroviruses exploded the need for anti-virus software," Powledge said. "Now, you have a lot of things going on with hackers and an explosion in the number of broadband connections."

SofaWare Technologies is another company casing the home security market, but it's taking an approach different from that of the PC-based security software vendors: SofaWare wants to partner with the cable and DSL modem manufacturers to embed firewall software into their equipment. The company also wants to sell management software to ISPs. Founded by Etay Bogner and Adi Ruppin, two former BackWeb Technologies executives, SofaWare is backed by Check Point Software Technologies and has access to Check Point's technology and software engineers.

Analysts expect embedded-firewall approaches such as SofaWare's to appeal most to ISPs, because they will drive down the cost of providing managed security services. A hardware firewall is more or less invisible to an end user, unlike a PC-based firewall, which provides numerous opportunities for a user to get confused or misconfigure it - and call the technical support hotline.

"What we saw happen in the car industry was airbags and intelligent braking becoming more cost effective to put into the lower-end models," The Yankee Group's Kovar said. "Ultimately, the same transition is happening in the network security industry."

For Hoffman, the plaintiff suing Pacific Bell for false advertising, such an integrated security service would seem to address his concerns. All he wants, he said, is for Pacific Bell to deliver a safe, hackerproof service or tell people how to do it.

"You need to safeguard your own private personal information," Hoffman said. "People are worried about DoubleClick collecting your personal information, but that isn't anything compared to what someone can get if your home computer isn't protected."
