Even casually savvy computer users these days know to beware of security threats on the Internet. They know that the online universe is acrawl with computer viruses, worms, Trojan horses and other malicious bits of code, and if they are prudent, they have equipped their computers with up-to-date anti-virus and firewall software for repelling these invaders. They are leery of unsolicited e-mail attachments, and careful about the web sites they visit. They have probably heard about (or experienced) "denial of service" attacks in which malicious hackers direct thousands of computers to bombard a company's servers with requests to shut them down. They probably even know not to fall for "phishing" scams in which hyperlinks take users to phony sites posing as legitimate banks and credit card companies for the purpose of stealing passwords and account information.
What few in the public realize, however, is that the Internet is vulnerable to much deeper levels of fraud-ones that exploit fundamental security gaps in the network protocols themselves. These attacks, often called "pharming," are all but impossible for individuals to guard against or even detect. They represent a growing threat to personal, corporate and national security that the federal government needs to address urgently.
Consider, for example, the defenselessness of the domain name system (DNS), the Internet's version of "411 information." When you type a "www."-style name into your browser software, the browser converts it into an IP address, a string of digits that is the equivalent of a phone number. It gets the IP address by contacting a local name server, typically operated by your Internet service provider. Unlike telephone numbers, however, which are often valid for several years, IP addresses change frequently and so the IP address comes with an expiration date, known as a "time to live" (or TTL). On the Internet, TTLs are typically measured in seconds, hours or days, even if the associated IP address does not change that often. If a local name server receives a request for an "expired" DNS name, it in turn queries a hierarchy of other servers, keying its request to two 16-bit identification codes-one for a transaction ID and one for a port number. Unfortunately, the port number is often predictable, and so it becomes possible for a cyberthief to produce a likely match to both codes by generating a relatively small number of answers (say 65,536).
On supporting science journalism
If you're enjoying this article, consider supporting our award-winning journalism by subscribing. By purchasing a subscription you are helping to ensure the future of impactful stories about the discoveries and ideas shaping our world today.
The cyberthief can then ask the local name server for the IP address for XYZ Bank's home page and learn when it will expire. At the moment of expiration, he again asks for the bank's address and immediately sends out the 65,536 answers that list his own computer's IP address as that of the bank. Under the DNS protocol, the local name server simply accepts the first answer that matches its codes; it does not check where the answer came from, and it ignores any additional replies. Even though XYZ Bank's IP address has not really changed, the local name server still replaces the correct address with the hacker's address and communicates the false information to customers.
So if our hacker gets his answers in first, the local name server will direct customers seeking XYZ Bank to his computer. Assuming that the hacker runs a convincing imitation of the bank's sign-in page, customers will not realize that they are handing their confidential information over to a fake.
Similar flaws plague other Internet protocols, such as the Border Gateway Protocol (BGP), which governs the pathways followed by data packets on the Internet. They also affect the Dynamic Host Configuration Protocol (DHCP), which roaming computers utilize to find network resources when they connect in new locations. For example, suppose you are sitting in your favorite coffee shop and want to open a connection to the shop's wireless router. Your laptop broadcasts a query for the server to identify itself, and DHCP directs that your laptop will accept the first response it gets as legitimate. If a hacker sitting across the room can fire off a reply before the coffee shop's router does, your laptop will be joined to his. Everything will seem normal to you, but his computer can record all your communications and covertly direct you to malicious sites at will. [break]
Such vulnerabilities imperil more than individuals and commercial institutions. Secure installations in the government and the military can be compromised this way, too. And indeed there have been cases in which these loopholes did allow data to be stolen and records to be altered.
How do we come to be in such a mess? The reasons are partly historical. Today's protocols descend from ones developed 35 years ago when the Internet was still a research network. There was no need to safeguard the network against malicious entities. Now the Internet has opened up and grown explosively, but we have not developed inherently stronger security: the protocols still take for granted that the billions of people and devices online are both competent and honest. Nobody ever went back to do the difficult job of developing inherently stronger security.
Fixing the Internet protocols will be a formidable challenge. Some improvements are relatively simple to imagine-for example, switching to identification codes that use more than 16 bits-but would involve considerable work to adopt on a global basis. Techniques for authenticating that messages come from the proper parties are well developed, but those technologies are not necessarily fast enough to be embedded in all the routers on the Internet without bringing traffic to a crawl (or forcing prohibitive investments in new equipment). Some other important kinds of protocol improvements still need to be conceived. Of course, an essential feature of any new protocol is that it can be implemented without seriously disrupting Internet operations in the process.
For these reasons and more, in its February 2005 report, the President's Information Technology Advisory Committee (PITAC), of which I was a member, strongly recommended increased federal funding for basic research into cybersecurity. The Department of Homeland Security currently devotes only one-tenth of 1 percent of its research budget to this concern. DARPA (the Defense Advanced Research Projects Agency) used to fund this kind of work more generously but its current focus is more narrowly military and its research on cybersecurity is classified, limiting the amount of research that can be conducted at universities, and inhibiting the transfer of technology to industry. The National Science Foundation studies the problem but can only do so much. And, although industry takes the problem seriously, inadequate profit incentives discourage companies from aggressively developing broad-based solutions.
Even once better protocols are in hand, convincing the world to accept them represents its own set of headaches. No central governing body rules the Internet, and standards bodies have been ineffective at getting parties to adopt adequate security specifications. The situation is further complicated by the fact that national governments differ in their views of how the Internet should be run, and many key Internet players argue against any government intervention at all.
What is clear is that cybersecurity deserves immediate, sustained attention. As noted in the PITAC report, "the IT infrastructure of the U.S.... is highly vulnerable to terrorist and criminal attacks. It is imperative that we take action before the situation worsens and the cost of inaction becomes even greater."