An impregnable computer is probably an impossibility, but you can make life harder for hackers, writes Paul Rodgers
Computer security chiefs celebrated the capture last month of Kevin Mitnick, the Internet's most wanted man. But the danger from hackers is far from over. One lesson from the two-year hunt for Mitnick is that much of the Net is too weak to defend itself against a concerted assault.

"On this superhighway there are car-jackings, drive-by shootings, and some of the rest-stops are pretty dangerous places to hang around," says Alan Brill, a senior computer expert with the security consultancy Kroll Associates. Other experts know just how easy it is for hackers - even those with lesser skills than the man who broke into the US National Security Agency and North American Air Defence computers - to compromise the Net. Much of the information needed to set up as an electronic cat burglar can be obtained by any diligent Internet browser.

Mitnick's technique, called protocol spoofing, has been known in security circles since 1985. Essentially, he overloaded a computer's defences until it threw up an error message, then he wriggled inside and seized control. It was a bit like using a battering ram to knock down a door. Entry could take as little as 16 seconds.

Ordinary hackers usually use a more subtle approach. They may look to see if the cyber door has been left ajar, or pick the lock with the help of specialised tools. Sometimes they just wait for legitimate users to go through, listen to their passwords, then repeat it to gain entry.

Most hackers use a string of conquered but mundane host computers - the hubs of the Internet to which individual users connect by modem - as bases where they can change disguises and stash their loot. Their first step is to gather freely available information on techniques and useful software. This can be done by reading hacker billboards or the US hackers' quarterly, 2600. Some of these are actually run by the sleuths, who believe explaining a system's weakness will help people to combat it. They can also attend conventions, such as Hackers On Planet Earth, held in New York last summer.

There are other ways of obtaining information. Several high-profile ex-hackers claim they have gone legitimate and now run computer security consulting services. Some even advertise on the Internet, asking operators to send in details of their problems. Whether this information is kept confidential, or used properly, is hard to know.

"One of the secrets is persistence," says Peter Sommer, a research fellow at the London School of Economics and author of The Hackers Handbook under the pseudonym Hugo Cornwall. "There are 10 or 12 basic tricks and lots of variations."

Equipped with a basic knowledge of the system, and possibly a copied program, the hacker's first task will be to take over a host. Signing on as a legitimate user, he pulls down every menu and presses every button. If he is lucky, he will generate a UNIX prompt, a request by the host computer for a command in its operating language. The prompt is like the C> prompt in MS-DOS, but usually appears as a percentage sign. Thus armed, the hacker can quickly get to a screen inviting him to log on as the system operator - the human who controls the computer. The trick is to guess the password, known as the root. Often this is laughably easy.

When shipped from the factory computers have standard root passwords, which the new owner is expected to change during his first session. Many do not. Others use passwords so common they appear in computerised dictionaries.

At this point the hacker might meet his first counter-measure. A well-defended computer will have a security program that notes whenever the wrong password is entered, often locking the user out after the third try. So good hackers will try twice, back off, then go in again. A security system should flag this behaviour for its operator's attention.

Once he hits the right root password, the hacker is logged on as the operator, giving him virtually complete control. The temptation to run riot might be strong, but a veteran will immediately withdraw, allowing any sentinels to calm down after being probed. A smart hacker will return later under a different user identification, gain access first time with the password obtained earlier and begin delicately examining the system.
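The "try twice, back off, then return" pattern above slips under a per-session lockout but not under a counter that remembers failures across sessions. The following is an added example, not code from the article: a small detector run over a constructed log (the log format, account names and dial-up sources are all invented here) that flags an account once its failures reach the lockout threshold within a longer window, and also flags the first-time success that follows such a run.

```python
import re
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample log (not from the article): the guesser tries twice,
# backs off before the third-strike lockout, then comes back later.
SAMPLE_LOG = """\
1995-03-01 22:10:03 login: FAILED user=root from=dialup7
1995-03-01 22:10:15 login: FAILED user=root from=dialup7
1995-03-01 23:05:41 login: FAILED user=root from=dialup9
1995-03-01 23:05:58 login: FAILED user=root from=dialup9
1995-03-01 23:30:02 login: ACCEPTED user=alice from=console
1995-03-02 00:12:20 login: FAILED user=root from=dialup3
1995-03-02 00:12:34 login: ACCEPTED user=root from=dialup3
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) login: (FAILED|ACCEPTED) user=(\w+) from=(\S+)$")

def parse(log_text):
    """Turn the constructed log lines into (time, result, user, source)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_slow_guessing(events, window=timedelta(hours=3), threshold=3):
    """Alert when an account's failures within `window` reach `threshold`,
    ignoring session and source boundaries, and when a success follows
    a recent run of failures on the same account."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failures
    for ts, result, user, source in sorted(events):
        if result == "FAILED":
            fails = failures[user]
            fails.append(ts)
            while fails and ts - fails[0] > window:  # forget old failures
                fails.pop(0)
            if len(fails) == threshold:  # fire once, on crossing the line
                alerts.append(("slow-guess", user, ts))
        elif failures[user] and ts - failures[user][-1] <= window:
            alerts.append(("success-after-failures", user, ts))
            failures[user].clear()
    return alerts
```

On the sample log a per-session "three strikes" rule never fires, while this detector raises two alerts, both on the root account.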

During his first few sessions the hacker will have three main aims, the first being to turn off any security programs. This can be dangerous. Some security programs send out messages to human operators when they are turned off, or automatically switch themselves back on, or both. Veterans will find out what the security program is looking for and avoid exciting it.

The second move would be to subvert the journal, a program that logs significant events on the system, such as the creation of new user accounts or changes in access privileges. To cover his trail, the hacker will erase any record of his presence, and turn off the bits that would note any of his likely future activities.

Then he will set up a trap door, a program that monitors any changes to the root password. If the legitimate operator changes the key, the hacker's program will fire off an e-mail message advising him of the new password so he can still get in.

Secure in his new system, the hacker will create a new identity, give it lots of access privileges, make copies of interesting files, monitor the flow of information to other hosts and pick his next target, which he will attack with his new identity. The target could be a computer system halfway around the world. The advantage is that it is harder for law enforcement officials to track him if the trail leads through many different jurisdictions, with local authorities that speak different languages and may have a less strict view of computer crime.

When he gains enough confidence, and has a long enough trail through which to escape, the hacker will go for a more profitable target, usually a government or corporate computer. These have files really worth stealing - results from secret research, personal data on individual citizens, criminal records or financial accounts.

The big prizes are military and police security programs. Some of these can be examined from the inside to locate weaknesses, others have their own abilities to break into computers. A new program, Satan's Tool, is designed to help system administrators to manage remote networks, but could also assist burglars.

The most popular defence for computer operators on the Net is a program called a firewall. This runs on the operating system and controls who has access to the computer. Unauthorised users are not allowed even to browse through safe files. Some companies have used them to set up shop fronts. A single computer is given information that the company wants to make public. Outside users can access and even hack this machine, but are not allowed to log on to the rest of the company's network.

"It's like living in a medieval walled city," says Dr John Leach, a principal consultant at Zergo, a Basingstoke company.

Unfortunately, firewalls proved far from foolproof against Mitnick. Clive Watts, European development manager for security consulting at Digital Equipment, estimates that 80 per cent of the Net's firewalls are flawed.

In the long run, the solution to the Internet's security problem may come from encryption, says Christopher Davies, a director of Cambridge Consultants. Programs are available that scramble a message so thoroughly it is unbreakable. These "public key" codes could be used to attach verifiable signatures to every piece of data on the Net. A computer receiving a message would unscramble the signature using the alleged sender's public key. Only if the result made sense would it know that the signature was encrypted with the sender's private key.
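The check described above, as an added example that is not part of the article: the receiver applies the alleged sender's public key to the signature and accepts only if the result matches the message digest. The keys are toy-sized ones constructed from Mersenne primes so the arithmetic runs instantly in plain Python; real signatures use far larger keys and a padded scheme such as RSA-PSS, not this textbook form.

```python
import hashlib

# Public exponent shared by all keys in this example.
E = 65537

def make_keypair(p, q):
    """Return (public, private) textbook RSA keys from two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)          # private exponent (Python 3.8+)
    return (n, E), (n, d)

# Constructed demonstration keys (Mersenne primes, far too small for real use).
SENDER_PUB, SENDER_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**107 - 1, 2**61 - 1)

def digest(message, n):
    """Hash the message and reduce the hash into the key's range."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return h % n

def sign(private_key, message):
    """The sender 'scrambles' the message digest with the private exponent."""
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(public_key, message, signature):
    """The receiver 'unscrambles' with the alleged sender's public key and
    accepts only if the result makes sense, i.e. equals the digest."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)

if __name__ == "__main__":
    msg = b"transfer approved"
    sig = sign(SENDER_PRIV, msg)
    print(verify(SENDER_PUB, msg, sig))                 # True
    print(verify(OTHER_PUB, msg, sig))                  # False: not this sender
    print(verify(SENDER_PUB, b"transfer denied", sig))  # False: data altered
```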

"It's a way of associating an individual with their persona and its past record of behaviour," says Dr Davies.

Unfortunately, governments on both sides of the Atlantic are blocking moves to introduce encryption. The US is promoting Clipper, a system invulnerable to prying by everyone, except the FBI. Both Britain and America argue that encryption programs are sensitive military technology and cannot be exported. The growing list of companies and individuals that have fallen victim to computer crimes might not agree.
