Bullet Proofing The Net
John W. Verity
A year ago, the explosive growth of the Internet was sparking a new vision of all-electronic commerce. The boundless Net would let businesses trade with one another and reach millions of consumers directly--all in the time it takes for bits of data to cross phone wires. Almost immediately, though, questions arose about how safe it would be to do business on the Internet's public--and anarchic--circuits. Would consumers feel safe, say, typing credit-card numbers into this hacker's heaven, where you can't be sure who's who and what's what?
The answer, echoed by a chorus of enthusiastic technologists and eager executives: Sure, there are security problems. But there's nothing that can't be licked within a year or so.
FORMAT JOCKEYS. So much for wishful thinking. The year is up, and Internet security looks to be as tough a problem as ever--at least, as measured by public perception and the hesitancy of many companies to attach to the Internet and do business there. New security holes are uncovered almost weekly, it seems, even after earlier ones get fixed. "If consumers and merchants don't have a certain degree of confidence, [electronic commerce] is not going to work," says Carl F. Pascarella, chief executive officer and president of Visa USA Inc., which has teamed with Microsoft Corp. to develop a scheme for safely processing credit-card transactions on the Internet.
It's no wonder the public perceives Internet security as lax. In September, Netscape Communications Corp., a leading maker of Internet software, saw the security locks on its Navigator Web-browser program broken--for the second time in a year--by a couple of graduate students. Netscape rushed to issue a fix.
A few weeks later, the same pair said they had found a major security gap in software used at many Internet sites, which seemed to open the way to so-called bootstrap attacks. Crooks might use the gap to intercept and alter copies of Internet-related software packages--perhaps copies of Netscape Navigator. If a package's security routines were secretly gutted, any other program that the corrupt package touched--perhaps while copying the new program from a remote Internet computer--could be compromised, too.
As alarming as these breaches are, a more fundamental obstacle has stood in the way of electronic commerce. Technology companies and would-be cyberbusinesses have yet to agree on important protocols for sending payments over the Net. A year ago, the experts said these protocols would be standardized by now. But because security protocols are so critical to the future of the Internet and the digital economy in general, a battle has broken out over what formats to use. Various players, including banks, software makers such as Microsoft and Netscape, and major credit-card companies, are all jockeying for strategic position.
Would-be cybermerchants aren't at all sure which payment scheme to back. As a result, the hoped-for surge in cybershopping remains a year or two away (chart). Today, consumers are scanning the shelves of online stores, but when it's time to buy they log off and dial a trusted 800 number.
POSTCARDS. The Internet industry is "discovering that security is pretty complex," says Jay M. Tenenbaum, founder and CEO of Enterprise Integration Technologies, a maker of electronic-commerce software that was acquired in August by VeriFone Inc., a supplier of credit-card terminals. Plugging security holes in business-to-business networking is relatively easy, because trading partners in electronic commerce typically know one another. Retailers, however, face bigger risks: When they open their Internet computers to the masses, they have little protection because the Net was designed to help people share information, not hide it. Adding security now is a huge challenge. Says Tenenbaum: "There is no ironclad security on such a widespread and open network."
Perfect security is just not attainable--on the Net or in any business milieu. On the other hand, says Gene Spafford, a professor at Purdue University's COAST computer-security research project, "Good security is possible." In other words, the Net can be given a level of safety that business and consumers can live with. Any risk that remains will be treated as a cost of doing business--just as it is in today's credit-card business. No single technology or protocol will handle all aspects of Internet security. But the right combinations can secure credit cards, business documents, and even cash.
The basic difficulty is that the Internet moves information as if it were written on postcards--readable by anyone who bothers to look. As messages move across the Net, they can easily pass through a half-dozen computers. Theoretically, a hacker could reprogram one of those machines to keep copies of messages. Cryptographic software, though, can scramble the messages according to a mathematical formula. Without the right numerical key, even those who know the formula can't read the encrypted message without a great deal of trouble.
Here's how it might work in a home-shopping setup (table). When a consumer decides to buy an item, his personal computer would encrypt credit-card information for safe passage to a merchant. In competing payment schemes proposed by Netscape and by Visa and Microsoft, the merchant's computer would actually pass the encrypted number directly to a bank. The bank would unscramble the number and, if appropriate, authorize the merchant to proceed with the transaction.
NIGHTMARE SCENARIO. In fact, the bank's exposure to risk here could be less than if the item were bought at a store or by phone or fax. That's because the credit-card data are kept hidden from the merchant--a key advantage of using encrypted electronic messages. Says Scott McNealy, chairman and CEO of Sun Microsystems Inc.: "My E-mail is far harder to get at than my hard-copy mail," which gets dropped off "in a tin box with no lock on it."
The other major challenge in Internet security is shielding Net computers from hackers. The Internet merchant's worst nightmare is that a hacker breaks in and steals thousands of credit-card numbers. The answer is firewall software, often running on a machine dedicated to the purpose, which itself is hacker-proof and lets in only selected types of Internet traffic. Intuit Inc. has just bought 20 of Sun Microsystems' SunScreen firewalls, which will create secure Internet links between banks that handle payments and other transactions for users of Intuit's Quicken software.
Ultimately, every service on the Internet is rooted in software, which usually isn't as reliable and bulletproof as it should be, says Purdue's Spafford. One reason: Today's software products "contain disclaimers disavowing any liability, so there is no incentive for the vendors to do better" at getting security right, he says. "If [these programs] were automobiles, they would stall out every few hours without warning and occasionally explode, killing all inside."
Take Netscape's problems with Navigator. In an apparent rush to launch the program into the booming Web market--and thereby to establish its proprietary security protocols as a standard for credit-card transactions--Netscape's programmers did what the company admits was a sloppy job in coding an otherwise sound security procedure. The routine depends on random numbers to calculate encryption keys for each transaction. The way Navigator was originally programmed, however, these random numbers were relatively easy to predict, which made the resulting keys worthless. "It was a thoroughly unnecessary bug," says Whitfield Diffie, a cryptographer at Sun Microsystems. "It's quite possible to get crypto systems right." Netscape has since begun offering prizes to anyone who finds new loopholes in its software.
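To make the point about predictable random numbers concrete, here is an added Python example (not from the article and not Netscape's code). It assumes, for illustration only, a key generator seeded from the clock and a process ID, and compares it with a key drawn from the operating system's cryptographic generator; the function names and sample values are constructed.

```python
import random
import secrets

KEY_BYTES = 16  # 128-bit session key (constructed size for this example)


def weak_session_key(unix_time: int, pid: int) -> bytes:
    """Key from a general-purpose PRNG seeded with guessable values (assumed scheme)."""
    rng = random.Random((unix_time << 16) ^ pid)
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def strong_session_key() -> bytes:
    """Key drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def recover_weak_key(target: bytes, t_start: int, t_end: int, max_pid: int):
    """Count the guesses needed to reproduce `target` when the observer knows
    only a time window and the PID range. Returns (guesses, (time, pid)),
    or (guesses, None) if no candidate seed reproduces the key."""
    guesses = 0
    for t in range(t_start, t_end + 1):
        for pid in range(1, max_pid + 1):
            guesses += 1
            if weak_session_key(t, pid) == target:
                return guesses, (t, pid)
    return guesses, None


def demo():
    # Constructed sample values, not taken from any real session.
    t, pid = 811_000_000, 423
    key = weak_session_key(t, pid)
    # An observer who saw the connection knows the time to within about 2 s,
    # so the whole seed space is 5 seconds x 1024 PIDs = 5120 candidates.
    guesses, found = recover_weak_key(key, t - 2, t + 2, max_pid=1024)
    # The same search against a CSPRNG key exhausts the space and finds nothing.
    _, miss = recover_weak_key(strong_session_key(), t - 2, t + 2, max_pid=1024)
    return guesses, found, miss


if __name__ == "__main__":
    guesses, found, miss = demo()
    print(f"weak key reproduced after {guesses} guesses: {found}")
    print(f"CSPRNG key reproduced: {miss is not None}")
```

The key is 128 bits long in both cases; what differs is how many values the seed can take, which is why a sound encryption procedure still yields worthless keys when its random numbers are predictable.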
No doubt there will always be some security problems on the Net. But the holes can be reduced to an obscure few and the odds of break-ins drastically reduced. Just ask NASA, which for more than a year has been quietly shipping space-shuttle software back and forth over the Net with a handful of contractors. Using firewalls from Harris Corp., NASA has carved out a private, ultra-secure network within the Internet at large. The setup is being scrutinized by other federal agencies, which are all under mandate to use the Internet's low-cost connections. Evidently, it is quite possible to teach this old dog of a network some dazzling new tricks--if you're willing to put in the time and money.
THE INTERNET: OPEN BUT INSECURE
The Internet is not centrally managed, and it's open to use by anyone--including crooks, eavesdroppers, and impostors. Various technologies can make it safe for business, but only if consumers and merchants both do their part.
DATA ENCRYPTION scrambles data to prevent its being read or tampered with during transit. Only those with the right key can read it.
SMART CARD, with embedded microchip, generates unique passwords that confirm a person's identity. Each password gets used only once.
FIREWALL software blocks bogus and virus-laden messages sent by hackers to invade a computer.
SAFE SOFTWARE practices call for using only authenticated copies of Web browsers and other Internet programs.