In their quest for an ever-better Internet, the builders of the information superhighway have created some pretty well-paved access roads. The problem is that those up to no good can travel them too, and, armed with the proper knowledge, they can visit almost anywhere they want–including the average person’s computer. So how high is the risk? NEWSWEEK’s Laura Fording asked Bruce Schneier, a security expert and founder and chief technology officer of Counterpane, an Internet security company, for his impressions. Excerpts:

NEWSWEEK: Just how vulnerable is the average person’s computer to security breaches?

Bruce Schneier: Very vulnerable. In one study, a typical Windows computer, taken out of the box and plugged into a broadband connection, was successfully hacked in an average of 24 hours … In the same study, the fastest time a system was broken into was 15 minutes. You have to assume that every computer in a home has been broken into, usually by an automatic program. Still, in general, nothing will come of it.

Why?

Because even though their systems are vulnerable, average computer users are not usually singled out and targeted. Automatic hacking tools break into thousands of computers at a time, and no one can possibly poke around that many. Some kids collect hacked computers as trophies.

Who is doing the breaking in?

Some of them are kids looking for fun, some are criminals looking to steal stuff–often they’re looking for credit-card numbers, but they can be looking for other data, too, like stock numbers to manipulate. Sometimes industrial companies try to break in [to their competitor’s systems]; it doesn’t happen often, but it does happen. Counterpane monitors hundreds of companies, and the biggest problem we face is finding the real attackers amongst the fake attackers. A company might be attacked dozens of times a day by kids, but once a month, there might be an actual criminal, or an industrial competitor or an insider trying to break in.

When they do break in, do these people have access to everything on your computer?

It depends upon how they hack in, but in general, they can access anything you can.

What’s the worst thing that could happen if I open spam? Can someone break into my system just by my opening an e-mail?

Yes. But that’s not what usually happens … Usually you’re just annoyed and you waste a lot of time sorting through stupid e-mail. [Nonetheless] I think Microsoft Outlook is a very dangerous e-mail program to use.

Why?

Because Microsoft Outlook has features designed into it that are very adverse to security. And the average user doesn’t turn those features off.

Is it safer to use an online e-mail account?

I don’t know the online programs. I use Eudora.

Can spy software be installed remotely on someone’s machine without that person knowing about it?

Sure, once you hack in, you can install spy software. Software is software. I can hack into your computer and install, say, PowerPoint. Once I hack in, I can do whatever I want. Recently, a pair of Japanese men installed spy software on computers at an Internet cafe and stole bank passwords from the people who were using the computers. They stole about $130,000.

What can people do to protect themselves?

I wrote an essay [www.counterpane.com/crypto-gram-0105.html#8] on this topic not long ago, and I’d advise people to read it. It outlines a list of things people can do.

I read it. But if most people are like me, they probably just add this to the bottom of their own unending “to do” list. There are just too many other things that take priority.

You’re right. The average person is screwed. Computers are insecure and it’s not the user’s fault. At the end I said, “Let’s be realistic. Nobody is going to do all of this.”

So is there a solution?

No. This isn’t tidy television. There isn’t always an answer.

If I make an online purchase and give out my credit card number, where does the vulnerability lie?

People think the danger is in sending the number over the Internet, but nobody steals them that way. Hackers steal credit-card numbers from vendor computers, in huge batches … sometimes in the millions. The risk is the same whether you buy something over the Internet, the telephone or by mail. I believe that every one of your readers has a credit-card number in his or her wallet that has been stolen. But most likely it will never be used fraudulently. When someone steals a million credit-card numbers, he just can’t use that many of them. And he may be a kid, just collecting more trophies.

You’ve written about why you think security problems within a system should be made public. Isn’t that giving the bad guys easy access to the information they need to break in?

For many years, it was the industry norm to keep things secret. Manufacturers would deny that vulnerabilities existed or they would lie about their severity and take years to fix them. And while the manufacturers were doing nothing, the attackers would find out about it anyway and attack the systems. Because vulnerabilities are now made public, vendors are now fixing them. It makes them accountable.

Are the government’s systems vulnerable?

The government may take more precautions than the average consumer but probably not more than the average corporation. And many businesses do pay attention. But security is only as good as the weakest link. If there are a hundred vulnerabilities and you catch 99 of them, you are still vulnerable.

What about classified information?

Classified information is not stored on computers attached to the Internet. Period.

What changes do you predict in federal monitoring of the Internet since September 11?

I think the federal government will do their best to remove whatever freedoms we have left on the Internet. I think they are going to monitor as much as they can. If you take, say, scuba lessons, or if you talk about politics in the wrong way, or maybe if you have the wrong religion, it will be monitored. We live in scary times.