
IRVING WLADAWSKY-BERGER

We are now going to hear from two IBM experts in the area of security requirements for personal privacy on the Internet. First, Dr. Charles Palmer will discuss ethical hacking and pragmatics. And then Dr. Mark Green will talk about cryptography, vaults and certificates.

Charles Palmer founded, and continues to lead, the Global Security Analysis Lab in Research, better known as the Internet Hacking Lab. The lab began life in 1995 as IBM's center of competency for network security analysis tools and techniques. Not everyone's job description allows lurking in the electronic shadows and spending long hours in front of computer screens breaking into the computer systems of IBM's customers. But that is precisely what Charles and his team of world class ethical hackers have a unique charter to do. Go, break in, and after you've broken in (and almost all the time you do break in), help customers learn how to fix the problems that Charles and his team found.

Mark Green is Vice President in the Electronic Commerce Group of the Internet division. His responsibility centers on products which enable Internet commerce, including payment solutions and certificate services. Mark joined IBM in January 1995, and he's been a major part of helping build IBM's electronic commerce strategy. So it's my pleasure now to present Dr. Charles Palmer.

CHARLES PALMER

Good morning. Thank you for that introduction. It's an interesting group that we have in Watson and in Zurich. People blame us for lots of things that we weren't even involved with. But the main thing that I wanted to try to talk about today was what's going on in security and privacy.

So I'm sure everybody that's here thinks their systems are pretty secure, not any problems, you have really good people working for you, you know where they came from and all like that. Well, I'm afraid I'm here to tell you that our experience shows that about 80 percent of your companies are vulnerable right now to some sort of hacker or inappropriate use of business assets kind of attack.

Now I'm sure a lot of you are looking at the two people on either side of you and saying gee, are those guys in trouble! Well, the real problem is that most people think that. They look on either side, and they think gee, I've got good people, I know where they came from, I know what's going on, I don't have to worry. I've got a firewall. Well, we'll talk about that.

It's not just that hackers know that everybody is basically thinking they're safe. Hackers know how to get into your systems and do things you couldn't imagine. They know how to get in and install two gigabytes of dirty pictures on one of your outside servers, or a server you didn't know was outside. They know how to modify that home page in such a way that it displays the name of your company in a different font. Or perhaps with different graphics associated with it.

Or if they can't do that, they might just get really nasty, and just turn it off entirely. So when people go to www.yourcompany.com, they go to the Dole '98 campaign. Dole '98? They go to someone's '98 campaign.

What else? They can find out information about your people. I've got a book in my bag here called "Net Spy". If you've ever had somebody that you'd like to be able to find, someone from high school or the military or somebody, there are hundreds of websites out there to help you find these people, some for free, some not. And you can use this for good, or you can, as with most things, turn it to the dark side as well.

So you can find people. You can find the CEO of your company. That's not too hard. It's usually published. But you can find out where he or she lives. You can find out if they have children, you can find out where the children go to school. You can even find out their college schedule, and probably the dorm room and maybe even the license plate on their car. This information is put forth as a feature of most universities. You finger Charles at somewhere.edu and you'll get all the Charleses there. And a lot more information than you might think.

So given the amount of information that's out there, and the unfortunate lack of security that surrounds it, you understand why they call us the paid professional paranoids. So that's what we're going to try to talk about. Now who should be worrying about this? Well, that's pretty simple: everybody; corporations, governments, private citizens, across the board. There's corporate espionage; there are currently a couple of cases that have been in the news, Reuters, Bloomberg, and perhaps some others. Employees leaking and selling information, this happens every day, and especially in this part of New York. Companies with friends in other companies say "did you hear about the so and so trade?", and they pass it along.

People have actually installed firewalls and intrusion detection software to watch this stuff. And there's so much of it that they can't even keep up with prosecuting it, or keeping track of it, so they just sort of keep a log, and when bad things, really bad things, happen, then they choose to attack those.

There's always the disgruntled employees of course, and that bothers everybody. Government has a particularly difficult situation here. And I'm sure you've all heard about the crypto debates, and I'm not going to start that. I'll let somebody else deal with that. But they've got a real issue with all sorts of security and privacy themselves.

Recently, with a bunch of pagers, just like this one, belonging to government officials, police and celebrities, some people had learned how to grab the messages out of the air, and were selling the messages to the news media. Certain less than ethical news hounds were using them to track down the activities of these sorts of people. And also where the cops are going, that sort of thing.

Law enforcement is also a victim of things like this: a phone company employee was selling tap and trace information. So whenever someone would have a trace put on a line, this individual would find out about it, because he had positioned himself in just that way, and would tell the tracee, for a certain amount of money, hey, guess what, you're on a tap and trace. Very lucrative.

And then there was the kid up north who was threatening to turn off all the lights at an airport, because he had learned that they had done some rather creative design with the light control system.

Personal information? Well, there's lots of it out there. Recently at PC Forum we were doing an ethical hack for the benefit of the attendees. And one of the things that we found when we got in, was that sometimes when a computer program dies it leaves stuff around on the disk. And just sort of throws up on the disk. We found one of these little files, and we started digging around in it. Because there's usually good stuff in there.

Sure enough we found phone numbers for different parts of this company. We found management information, who manages whom, sort of a chain kind of stuff. But the good part was that we found a bunch of Social Security numbers and home telephone numbers. And we could have certainly had a good time with some of those. As you'll see later, though, we try not to go too far.

And then there was the Social Security number fiasco last year. You could go to that Website that the government put out to find out what your Social Security account was. And of course if I know your Social Security number, or could guess it, I could go get all your earnings information, and so on. The Texas Department of Motor Vehicles: if you knew a valid license plate number you could get all of the information about that particular car; that wasn't so bad. But you could also twist it, because they had added extra links and capabilities so that you could find out where that car lived, and the other people who lived there and their cars. So you could easily find the 16 year old son or daughter of whoever, and whatever that led to. There you go.

Medical information, I don't have to say anything about that. Lots of problems there.

So why does this happen? Why do bad things like this happen? Well, we're putting more and more interesting stuff out there. It's worthwhile data to somebody. Is it worth direct money? Prestige in the hacker world? It's not so much that they make money at it, because most of them do not. It's an economy. It's a hacker world, a different kind of world. You move up in this economy or this hierarchy by what you know and what you can do. And so it's not so much that you broke in and got credit card numbers, like some of them do, it's more that you got in at all, and then you could tell your friends, hey, I did AT&T.com or I did IBM.com or whoever; that makes me more elite than you.

Defenses are not very good. People put up a firewall, and they think they're done. And unfortunately, there is no silver bullet, and a firewall is certainly not one of those. And it doesn't always take a computer genius to take advantage of this stuff. We found, actually we didn't, someone else found, that one computer system in California was being shared. That word should always send up a little warning. Shared? Okay. Between whom?

Well it was between the police department and the public defender's office. Now I wouldn't exactly want to put those two groups on the same system, because they're not always on the same side. You've got to watch for that as well.

Now who's going to be a victim? Just about anybody. Here we got UNICEF, great organization, doesn't hurt anybody, only helps. And yet they were the victim of some, not quite awful, but nevertheless, disruptive hack. How was this done? Everybody in the world has got to put up a Website now. I get asked every day, well where's your Website? Where's your home page? I purposely don't have one, because I don't want to be a target.

When I stand up and talk in front of groups like this, if I had a www.Charles.com, I would be in trouble. I would have to spend all my time trying to make sure it's safe. People like UNICEF put up the Website because they need to. And corporations like yours put a Website because you need the presence. But you don't always have the time or the staff to actually do it right. So that's when these things happen.

Now what is hacking? I probably don't have to explain that to you. People fooling around with your systems in ways that you hadn't quite intended. Usually it's not what you had in mind. Sometimes you learn a little bit from it. Other times you learn other things. And it's beginning to make a big difference to the bottom line.

Corporate image. What would it cost you? Can anybody even actually imagine what it would cost you if all of a sudden your home page, instead of saying yourname.com, said "hotpictures.com"? Or if you are a bank, and you have interest rates on one of your pages, and all of a sudden the interest rates are very, very good interest rates. Not a good thing, not a good situation to be in.

Customer and employee privacy. Okay. This is the stealing of credit card information, or stealing of other information. One of the latest things to hit is stealing customer lists. Not so much the customer private information like Social Security number or credit card numbers, but more "who are those customers?" And then they go to one of the other organizations on the Web, and for a small fee will give you the home address of this person, and everything you'd ever want to know about this person.

From that point, you, as the person stealing this information, can go to those customers and say look, you're buying telephones from this company, my telephones are cheaper. Or my widgets or whatever.

And my all time favorite was the plumber in Massachusetts who didn't like his competitors, so he had call forwarding ordered for his phone, and you can guess what he did. He forwarded the phone calls to himself. And he only got caught when his wife, the wife of the other guy, got a little confused.

Now there's been survey after survey. The most recent one is the CSI/FBI survey; it was done with the FBI International Computer Crime Bunch in San Francisco. And you've probably seen the numbers already. 64 percent of those responding, I believe it was 520 respondents, reported some kind of break in during the past year. Now the definition of break in here is a little bit loose if you read the report. It's not somebody who came into your system and ran amok. It's somebody who came into your system, somehow. Or they turned off your system with a denial of service.

The next number is the one that's interesting. 72 percent are reporting financial losses. And this is an increase for a couple of reasons. 46 percent were actually able to quantify it. This is interesting, because people are beginning to actually try to think about and actually quantify how much money they're losing when their image is impacted, or when intellectual property leaks out the door.

It's still very difficult to keep track of all of this, though, because a lot of companies don't want to report it. It's been a problem in the banking industry for years. Whenever you have a security problem, you keep it quiet because of your image. Who wants to trade with a bank that has break ins all the time? Well, luckily the banking industry is getting together and realizing that this sort of information needs to be shared, at least among the other banks. Because when these attacks come, they come in groups. They come in waves. You find one bank, you can do one bank, and then you go and try another bank, because a lot of them use the same software. It's very similar in the oil industry. One oil company will start using the Zap 2000, and then another member of the oil industry will say oh, cool, I'll use that too. It must be good. And if there's a bug in the Zap 2000, guess what?

Threat from inside is still high. Most people don't realize it, but most of the computer security problems have been on the inside up to now. But the outside is increasing. Again, because there's many more people connecting, many more people putting up websites, and many of those people don't always have the skills to do it safely or the time to maintain it and keep it safe over the years.

Now who's doing this? It used to be just kids. You used to think it's just some generic pimply faced overweight geek, usually male, with the diet Pepsi and the Almond Joy. Well, it's not quite like that anymore. There are still those people. They'll never go away. But it's beginning to be a little more lucrative. Now there's a point to it. It's not just the hacker economy, which most of them outgrow. There are some 45 year old guys still out there hacking away. Most of them are satisfied with that.

But then there are a few that come around and they start becoming interested in making money. And many of you may have been approached by some of these ex-hackers who have seen the light and will no longer use their powers for the dark force, or the dark side. They want to be security consultants. Well, be very, very careful.

Our opinion, at Watson, is that there is no such thing as a reformed hacker. You would not hire a convicted arsonist to run your fire marshal program, even though he or she probably knows a lot about fires. I just couldn't bring myself to do that.

So the next question I get right now is where do you hire all these people that work with you? They were all just like me, minding their own business, doing whatever they were doing, in university and companies, or whatever, and somebody messed around with their computer, and they took it personally. I have a lot of physicists, a couple of math and then a couple of just plain old computer science loons like me who just took offense at this, and say by golly, I'm going to learn everything I can about this to stop it from happening to my computer, and everybody else's.

So it's just as exciting a chase on my side of the force as it is a game on the other side. There's also the disgruntled employee. Yeah, we've all got those. What can you do about these things? Well, we'll get there.

We have some interesting numbers that we made up. And I accent the words "made up." I don't have any statistics to back this up, but this is our estimation of what's out there. What are we up against? We guess there's about 100,000 active bad guys out there. Most of them do no harm, other than irritation, getting in the way. And a lot of those, 90 or 99 percent, will accidentally take you off line. They don't mean to. Most of those kids don't know what they're doing. Somebody gave them a tool, and they started playing with it.

About 10 percent of them are really out there to make a buck. There were several guys at the hacker conference who wear little T-shirts that they've had made up, "I only hack for money", and they're not joking. That's what they do. Whether it's trying to get intellectual property or just employee lists. Think about it. Employee lists could be good money too. It's hard to find people in security. It's hard to find people who are really good in the securities industry, the financial industry. I get the list of your employees; if I have any way of figuring out who the good ones are, I'll go after them. I'll try to hire them.

We think there's about 100 people worldwide who are extremely dangerous. I'm usually asked "is Kevin one of those?" No. Sorry. We're talking about people that you've never heard of. And we've encountered some of their activities. We've seen some of their trails. And it's very scary. Because these people are very, very talented. They could make six figure salaries in Wall Street at any time ... programming, just programming. But they choose the more exciting life, I guess, of this.

The really bad guys have an in depth knowledge of multiple, multiple platforms. They're not just a UNIX person. It used to be if you had a UNIX system, you'd think oh, gosh, I've got to worry about security. Well, there's a lot more systems you have to worry about: NT, Macintosh, all of them. They all have their little problems. And the really talented bad guy knows how to use them all. Because when the bad guy breaks into your company, he doesn't know what you have, typically. And the more obscure the machine, the more likely you aren't paying any attention to it.

One company was broken into because they had a big plotter system, to make big pictures for their business. The computer that ran the plotter was insecure, but it was also connected to the outside by a modem for the system's support guy, so he wouldn't have to drive in at night when this old machine broke down. Old machine usually means bug fixes are no longer generated or applied, and that's how they got in. Or how the bad guy got in.

Many times these bad guys will employ the lesser talented kids, preferably a minor, because if a minor gets caught, he doesn't do time. And the cops, police, law enforcement around the world, are less likely to really mash real hard on a minor. However, some of the tools that the bad guys give the minors, the kids, to use are sort of like handing them a shotgun and a bottle of tequila, and saying "have a good time", because they don't know what they're doing.

Hackers have a lot of time. Most of them are socially challenged. And everybody chuckles. And I don't know if it's a cause and effect, but it does happen quite often. Many of these kids actually have real psychological problems. For a lot of them, it's just all they do. Now if your kid spends eight hours a night working on his computer at home, don't immediately freak out. Chances are, he or she has not been pulled over to the dark side, but you might look over their shoulder a little bit.

They spend weeks and weeks and weeks to try to break in. Now when we do an ethical hack, we don't have weeks. We have a week. Usually. And so we do the best we can in that time. These people, I mean, I have a picture, later, of a hacker pit, we call it. They don't leave their rooms. They do everything in that room. Food is delivered; that's why New York's such a great place for hackers, because you can have just about anything delivered. So that's what they do.

Once they get in, they immediately look around to make sure nobody's watching, plant a back door or something so they can get in again, and then they leave. And they may be gone for six months. They come back later, and if the door is still there, they assume either you're really good, and you left it there on purpose (yeah, right!), or you didn't even notice. And then they come back and have a good time. That's what happens.

It's not just the teenagers. It's a growth industry with lots of fraud. Denial of service, this is one thing you really should know about. Denial of service is a technique where you can make a Website or an Internet connection unusable by flooding it with information. You can do this with mail bombing, just write a program to send E-Mail to your account 6,000 times per second or just try to hook up to your Website 6,000 times per second. That tends to flip most computers out. And your customers, and your own employees can no longer get there. Theft of services, this is pretty obvious, and theft of cash. That's actually beginning to happen. All right. Now you may think oh, gosh, that is my kid's room!

But we do occasionally help out people in law enforcement or the government when they find information and they want us to let them know if we've ever seen it before, or who we think this might be and so on. And they occasionally send us pictures, like this just for laughs. This is one of the nicer pictures actually.

This is what it looks like at Watson. A little less hair maybe, but it's a little cleaner. Not too often. Sometimes. So many times when we start this kind of work, the first reaction is "what do you mean IBM's breaking into our systems?" Well, the goal is to find out what the hackers can do to you before they do it to you. We try to collect tools and techniques, and we try to stay ahead of the curve as much as possible, with our team of six people at Watson, and five people in Zurich. And then of course IBM consulting, we work with them, and the IBM emergency response service, we work with them as well.

Now what we try to do is we try to simulate a real attack. Now we have to work with you, the customer, to make sure that we're not doing anything that's going to really annoy you. We encourage what we call a no-holds-barred kind of attack, where it's very, very real. You, the CEO, CIO, do not tell anyone. You want this to be a valid test. So you just very quietly sign the papers, or whatever, and you say all right, Charles, Tuesday. And there we go. You learn a lot that way.

If you leak the information, if the customer tells his IS staff "okay, you better all come to work on Tuesday", it's like we're running down the hall and someone is running down in front of us locking doors. We've actually had situations where that happened. You sometimes need to do this kind of testing, either with us, or with your own staff, just to wake people up. Because a lot of the times they'll think you know, I've got a firewall, I don't care. And you have to wake them up a little bit.

The best part is, though, that the ethical hackers, when they're finished, just like they said earlier, we tell you what we did. Not how to do it yourself, because that would not be particularly ethical, but we tell you how we did it in general terms, and how to stop it. And in some cases you can't stop it, but at least you can detect that it was going on.

One test typically doesn't find everything. You may have to come back and do it several times. And one key point here: it's safe and controlled, and it's also silent. You get this test, and the results are not in the newspaper the next day.

We try to electronically penetrate the defenses from the outside, again, within the rules of engagement. We'll talk about that. Dial up, Internet, extranet, intranet, whatever kind of situation you have that you want evaluated. Let us know. Think, however, of the weakest link theory. A lot of companies are putting together extranets where company A plays nice with company B, which plays nice with company C. If any one of those is weak, in themselves, or any of their subsidiaries, all of them are trashed, or could be.

We do this work from a highly secured lab upstate so that we don't become much more of a target. We tend not to tell people where that is. And it's a very secured lab for one very important reason. When I'm doing this work, I have the keys to your company. I can see stuff, I can do stuff, and if your competitors have this, or if really bad guys have this, we would be in deep trouble. So we are very, very careful with what we find.

What's the key to an ethical hack? Get out of jail free card. What we do is illegal in every state. We set up an agreement with the customer beforehand and make sure that the customer realizes what is about to happen to them. So you pick the time. You pick the level of the attack. If you want an all out attack, that's wonderful, you will learn a lot. If you want us only to do it between 6 p.m. and 6 a.m. on Tuesday, that's fine, you won't get as good a test, but that's okay.

You can also define things like, it's a production Website, so we only want you to do this type of thing on off hours and please don't try denial of service, because Joe's on vacation this week, and if it goes down, we're dead. You know, that sort of thing.

Specification of non-targets is a really bad idea. "Hack everything but the so and so server." We had one company say please attack everything but our mainframe. And we said okay, fine. And they had misconfigured the mainframe, and you can guess the rest of the story. We handed in our report, two days later they were hacked through the webserver on the mainframe.

We can take three different standpoints too. We can be an insider. I don't have my little pointer here, but the guy on the lower left, the inside bad guy, we can be an employee or a co-op, or whatever you want, with a valid user ID, valid account, doing whatever we want to do, seeing what we can find. We can be in the Extranet position, of course any of these can be simulated through dial up and as well from the Internet itself. You have to be careful from all of these perspectives.

We are also occasionally asked, would you please do a physical test. Anybody ever see the movie "Sneakers" or "Mission Impossible"? We don't hang from ceilings, but we have been asked on a few occasions to try to get into a building and then see if we can find the computer room. That is way fun. However, the get out of jail card for that is much more detailed. Because rent-a-cops have only a few rules and they tend to just sit on you until the CEO gets there. So that requires all sorts of connectivity with the CIO and the corporate security and so on. But unfortunately, we've done, I think, four or five of those, and 100 percent, we found the computer room every time. Security guards told me where the computer room was once. I called. I couldn't find it. It was a huge site. Multiple buildings all over campus. And I found a phone. Dialed zero. Asked for security. Got security. Said hey, this is John in shipping and receiving, I have a box here that says it's computer stuff, but the address is all mangled, would you please tell me, and he says "oh, yeah, it's room 315 on the second floor." Great. Walked right in. Even got up there, had the box, some guy was coming out and said "oh, let me hold the door for you." I tried to look older and had a heavy box, and they let you in every time.

People basically are nice even in New York. They will help you out if you have computer troubles. So we can do all of those kinds of things. The latest hacking scenario that I haven't added to my little picture is the lost laptop. I'm sure no one in this room has their laptop set up to type in and remember their password. Right? Nobody does that. Sure. We had one customer give us a laptop. They said this is Joe Executive's laptop. We took it away from him because he's on vacation. Have a good time.

Sure enough the password was in there, we dialed in, we fooled around, we saw neat stuff in addition to all the information that was on the laptop itself. Simple. Clearly people have to be careful with their laptops now.

The result of all of this, you get a detailed description of everything that we were able to find. Many companies don't even have an accurate picture of their complete network presence. That is, every connection that they have everywhere. Most people don't know.

Description of what we could have done, because a lot of times the customer will tell you, all right, if you get to the mainframe, please stop. Or if you can create a file on this machine, do so, and call us, and call it all off. We tend not to be able to finish a job, because we take the ribbon and then they tell us all right, game is over.

A lot of times a complete ethical hack is not always necessary. The reconnaissance and just poking around is usually enough to scare people into calling it off.

Our top five vulnerabilities? Bad webservers. Bad passwords. People will disable access controls just because it makes their job easier, and research people are really bad about that. That's a constant battle that I have, because scientists tend to think "I want to get my work done, this computer security stuff is in my way"; a real problem. Uninstalled security updates. There's an update a week at least that you should be aware of, or your IS shop should be aware of. And lack of system and network monitoring.

Very, very seldom when we do these tests, does anybody even notice. That's the scary part. What are the top five excuses? We've got a firewall. That's number one. Okay. One site we went to had 17 pages of rules for their firewall. The first rule had an error invalidating all of the others. So they had this big whopper of a firewall that absolutely did nothing. "My system's secure." Well, that's the person saying, not my problem. Somebody else does that. I don't have time for that kind of stuff.

"Security is too expensive." Okay, well that goes back to the first foil. How much is it going to cost you in image and lost sales when you're hacked? You have to make this risk analysis. And "hackers are just playing around. They won't really do any harm." Okay.

This really describes the typical security posture in the companies we go to. Crunchy on the outside. Chewy on the inside. Once we get through the outside wall, whatever it takes, there is nothing on the inside, no security. Accounting can look at personnel, who can look at operations. You don't have firewalls just on the edge. You have them on the inside as well. Compartmentalization is very, very important.

So to sort of summarize what you can do about it, you have to know your value. What are you trying to protect? And what is it worth to you? And in the sense of privacy, keep in mind the prime directive, that is, you only have personal information on your systems if it is necessary. If you're going to collect this stuff, treat it with the value that it requires.

Know your network. A lot of companies don't know what they've got. "We're a worldwide corporation, we've got connectivity everywhere." That's true. But do you know about the modems? Do you know about the connections that your subsidiaries have put in, because they want to cooperate with, oh, God, a university? You have to know all about these things.

Threats, you have to keep up with the software updates. Keep your people up to date. Keep your machines up to date. And most importantly employee awareness. Keep your employees up to date with what's going on. If you make them understand how important security is to them personally, maybe you'll get some help.

And finally, you need to have a plan. Have a security policy in place, just like you have a privacy policy. Know what you're going to do with the data, know how you're going to maintain it, how you're going to watch for viruses, break ins and so on. One last point there. Have an emergency plan. Not just for if there is a virus attack. But also if there is a break in, or something weird. Like the laptops all booted up funny this morning, I wonder why. You need a coordinated plan just to keep track of all of that stuff.
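Two of Palmer's points above, the 17 pages of firewall rules that a single erroneous first rule rendered useless, and the call for compartmentalization with internal firewalls, both come down to how a first-match rule list is evaluated. The following is an added example, not part of the talk and not IBM's or the lab's tooling: a small Python check that walks a first-match rule list, reports every rule that an earlier rule makes unreachable, and evaluates a sample packet against a broken and a corrected rule set. The rule format, the rule sets and the addresses are constructed for illustration and assume a simple permit/deny, protocol, source, destination, destination-port model.

```python
"""First-match firewall rule-set check (added example, not from the talk or IBM).

Rules are evaluated top to bottom and the first match wins. A rule that an
earlier rule already matches completely can never fire: it is redundant when
the two actions agree and shadowed when they differ. The sample rule sets
below are constructed to model the "first rule with an error invalidated all
the others" case from the talk.
"""
from dataclasses import dataclass
import ipaddress

ANY4 = "0.0.0.0/0"
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "permit" or "deny"
    proto: str       # "tcp", "udp" or "any"
    src: str         # source CIDR
    dst: str         # destination CIDR
    ports: tuple     # inclusive destination port range (low, high)


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    o_src, i_src = _net(outer.src), _net(inner.src)
    o_dst, i_dst = _net(outer.dst), _net(inner.dst)
    if o_src.version != i_src.version or o_dst.version != i_dst.version:
        return False
    if not i_src.subnet_of(o_src) or not i_dst.subnet_of(o_dst):
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def find_dead_rules(rules):
    """Return (dead rule, earlier rule that hides it, kind) for each unreachable rule."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, earlier.name, kind))
                break  # report only the first rule that hides this one
    return findings


def matches(rule, proto, src_ip, dst_ip, dport):
    """True if a single packet is matched by `rule`."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if ipaddress.ip_address(src_ip) not in _net(rule.src):
        return False
    if ipaddress.ip_address(dst_ip) not in _net(rule.dst):
        return False
    return rule.ports[0] <= dport <= rule.ports[1]


def decide(rules, proto, src_ip, dst_ip, dport):
    """First-match evaluation; None means no rule matched (default is policy-dependent)."""
    for rule in rules:
        if matches(rule, proto, src_ip, dst_ip, dport):
            return rule.action
    return None


# Constructed sample: r1 was meant to be a narrow management permit but was
# entered as permit-any, so nothing after it can ever fire.
BROKEN = [
    Rule("r1-typo", "permit", "any", ANY4, ANY4, ALL_PORTS),
    Rule("r2-web", "permit", "tcp", ANY4, "192.0.2.10/32", (80, 80)),
    Rule("r3-smtp", "permit", "tcp", ANY4, "192.0.2.25/32", (25, 25)),
    Rule("r4-deny-all", "deny", "any", ANY4, ANY4, ALL_PORTS),
]

# The same policy with r1 written as intended (hypothetical management subnet).
FIXED = [
    Rule("r1-mgmt", "permit", "tcp", "198.51.100.0/24", "192.0.2.1/32", (22, 22)),
    Rule("r2-web", "permit", "tcp", ANY4, "192.0.2.10/32", (80, 80)),
    Rule("r3-smtp", "permit", "tcp", ANY4, "192.0.2.25/32", (25, 25)),
    Rule("r4-deny-all", "deny", "any", ANY4, ANY4, ALL_PORTS),
]

if __name__ == "__main__":
    for label, rules in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, "dead rules:", find_dead_rules(rules))
        # Telnet from the Internet to the web server should never be permitted.
        print(label, "telnet to web server:",
              decide(rules, "tcp", "203.0.113.5", "192.0.2.10", 23))
```

Run against BROKEN, the check reports every later rule as hidden by r1-typo and the final deny as shadowed, which is the "big whopper of a firewall that absolutely did nothing" case; against FIXED it reports nothing and the sample telnet packet falls through to the deny. The same check applied to the rule lists of internal firewalls is one way to confirm that compartments really are separated rather than merely configured.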

