Once Connected, Always Connected

If You're Always Connected, You're Easy to Find

The Internet is Open

Operating Systems are Closed

What is Broadband?

Cable

Digital Subscriber Lines (DSL)

Broadband: Connecting the World

A Dangerous New Law

The LoveBug, Trojan Horses, and Other Mischief

The Big Question is Not "What Do I Have to Hide?" It's "Who's in Control?"

The Five "A"s of Security

Footnotes

Appendix I: Frequently Asked Questions, and Resources

Appendix II: A Note from Eugene Spafford on Microsoft Security

Appendix III: Some Questions to Ask Your (Potential) Broadband Provider


Broadband: Are You Exposed?

By Judi Clark
NetAction Advisory Board Member

Broadband offers the promise and convenience of blazing speed and a continuous ("always-on") connection to millions of home computers. That connection does not go unnoticed by opportunistic and malicious parties. By the very nature of your DSL (Digital Subscriber Line) or cable Internet connection, you are exposed to a greater risk of security problems than a dial-up user. You can take steps to decrease that risk. This report shows you how.

Cable modem users number over two million, and there are about half a million residential DSL subscribers in North America today.[1] Many large and small media companies are poised to deliver bigger, better, faster, and more extensive content that takes advantage of, or even requires, this expanded bandwidth. The marketplace for expanded and enriched goods and services is poised for explosive growth. However, consumers and network operators are increasingly aware of the perils, as well as the rewards, characteristic of this technology-based future.

Once Connected, Always Connected

Your modem and your Internet Service Provider (ISP) link your personal computer to the Internet. Traditionally, your ISP has provided you with a dial-up account which, using a regular dial-up modem and your phone line, allows you to:

  • call your ISP,
  • log in to their server, and
  • use their Internet services (email, the web, and more).

More recently, ISPs began offering high-speed broadband service as an alternative to dial-up. One of the greatest conveniences of broadband service is that you're ready to surf or get your email at any time. Broadband access is available whenever your computer and modem are turned on.

If You're Always Connected, You're Easy to Find

All traffic on the Internet is routed by a common protocol, the Internet Protocol (IP). Every machine on the Internet is identified by an IP number[2], also called an IP address. Your Internet service provider assigns an IP number to your computer whenever you're connected to the Internet. This number identifies the route to and from your machine. [See Appendix I for more on your IP number.]

Many service providers assign one fixed IP number to each subscriber; some assign a different IP number each time a subscriber connects. If you have a fixed IP number, your computer has a dependable "location" in cyberspace. If your ISP permits, a fixed IP number lets you run a home server with web, email, and other applications.

But a dependable location is also a dependable target for mischief: an always-on machine with a fixed address can be found, probed, and revisited at leisure, whether or not you meant to run a server. More on this shortly.

The Internet is Open

What we know today as the "Internet" began as an experiment in the 1960s. Much of the development that happens today relies on an open architecture and on knowledge of how things work.[3] The Internet's open architecture allows anyone, anywhere in the world, to make significant contributions to our body of information, software, and abilities.

What makes the Internet revolutionary is also the very thing that makes it vulnerable. The open architecture that lets anyone contribute also lets anyone probe. Our computers can be infiltrated by others to cause significant problems. The trouble might include:

Operating Systems are Closed

The development of the personal computer (PC) enabled a single person to conveniently use applications like spreadsheets, word processing, email, web browsers, and more. These applications ran on top of a PC operating system designed to make file sharing with other PCs easy. Security received little regard in the design of these operating systems.

The most widely used consumer operating systems--Microsoft's Windows 98 and Windows NT, and Apple's Mac OS--are proprietary, or closed. We can't tell what's going on inside our own machines; these systems were not designed so that we would need to know. They were designed to run programs easily and to facilitate file sharing.[4]

Microsoft's operating systems, by far the most widely used[5], were not originally designed for the kind of interdependent access the Internet now provides, nor were they designed to tell us about their internal problems. Applications have become more tightly integrated with the operating system, allowing functions (including malicious code) to move through users' files and applications without their knowledge or consent. In a twist of unintended consequences, most people now depend on Microsoft operating systems that were never designed with security in mind and that ship with much of the security they do have switched off.

"...when taken straight from the box, most of its security options aren't turned on to their highest levels."[6]

NetAction has long been active in a variety of Microsoft-related concerns. You might be interested in checking out our archives at http://www.netaction.org/msoft/.

What is Broadband?

Cable modems and residential DSL are two of several high-speed Internet technologies grouped under the term "broadband services." While the whole of broadband services can be either one-way or two-way, and wired or wireless, this report is concerned primarily with two-way, consumer-oriented services predominated by cable modems and residential DSL.

Why would someone want broadband services? Convenient, high-speed delivery. This is desirable for several reasons:

Broadband services can provide multiple channels of data over a single communications medium, such as a telephone or cable TV line. This means you can use one line for multiple services such as voice (telephone) or other (fax) analog signals, and data (digital movies or your computer) at the same time. Depending on the condition and age of your house's present phone lines, rewiring or additional phone or cable lines are often unnecessary.

Broadband offers an affordable alternative to regular dial-up modems. Subscription dial-up services, for which a modem is required, need to be initiated--you need to dial up and log on each time you want to access the Internet. And if you wish to use your telephone and your computer at the same time, you may need a separate phone line.

Broadband services don't need to go through a lengthy connection process. Instead, they offer a continuous/persistent connection to the Internet, sometimes referred to as "always on." Broadband services mean you're connected to the Internet whenever your computer is turned on.

Cable

The cable system was designed to carry television programming to subscribers' homes.[7] With the addition of a cable modem, cable services can now offer broadband access to Internet services.

With cable, all homes within a neighborhood segment of the network share the available bandwidth. Each serving area, fed from the cable operator's local distribution center, or "headend," comprises roughly 500 to 2,000 households.[8] The segment is shared by all homes that are active at any moment in time. (Subscribers are considered "active" whenever they request or receive information. They are not active, with regard to network usage, while reading or composing email, scanning a web page they have already loaded, or when their computer is turned off.) For example, if many homes are actively using the Internet at 8 P.M., the segment's capacity is divided among all active requests at that moment. This usually means slower service than the same subscribers would see surfing at, say, 4 A.M.

Digital Subscriber Lines (DSL)

DSL is a newer technology that may allow an ordinary phone line to be "split" into two parts: the traditional voice/fax (analog) services, and a new digital data line. These two parts can be used simultaneously.

DSL services connect the subscriber's home directly to the local telephone company's Central Office (CO). This point-to-point connection may not exceed roughly 18,000 feet of wire, which limits DSL's effective range.[9] Internet Service Providers (ISPs) offer DSL Internet access accounts using telephone company lines. With the addition of a DSL modem, home (and "small business") subscribers can now get broadband access to Internet services over their existing phone lines.[10]

DSL comes in several forms. xDSL is a generic term referring to any of these forms. ADSL, or Asymmetric DSL, offers higher speed (bandwidth) usually coming into a home than the speed of signals going out. SDSL, or Symmetric DSL, offers equal bandwidth coming and going.

Broadband: Connecting the World

Many promises and perils of a networked world are still to be realized. As thousands of new subscribers sign up every day, the complexity and diversity of our world increases. New opportunities for good also bring risks.

A Dangerous New Law

The Uniform Computer Information Transactions Act (UCITA) is currently moving through many state legislatures. Despite highly critical debate, this controversial bill would make an open Internet a more dangerous place. Two aspects of UCITA are of particular interest to broadband users.

This law-to-be "binds purchasers to terms disclosed only after the purchaser pays for the software, and allows the software vendor to change the terms of the contract unilaterally by email."[11] Additionally, UCITA would allow software makers to protect themselves in license disputes by embedding security holes and "back doors" in their software. These proprietary safeguards can later be used to change or disable the operation of your software remotely, "without court approval and without incurring liability for the foreseeable harm caused."[12] While it's not presently in a large software maker's interest to do so, the law leaves open the possibility that a vendor could claim a share of your income from, or intellectual property rights to, any work created with its product. If you don't agree to the new terms, the vendor can simply reach into your computer, which is always connected to the Internet, and disable your software (or worse), leaving you no recourse.

Who's to stop malicious parties from taking advantage of the same back doors? Will thousands of home users be held hostage to the whims of some computer-savvy teenager having a bad day? UCITA, combined with the ordinary run of software defects, places an undue burden on home and small-business broadband users--those who can least afford the added security threats.

The LoveBug, Trojan Horses, and Other Mischief

There's a fine line between holding software makers responsible for the insecure nature of their software and faulting them for openness by design (with vulnerability as the unintended result). For example, the "Love Letter" worm was a malicious script written in Microsoft's Visual Basic Scripting Edition (VBScript). It arrived as an email attachment; opening the attachment ran the script through the Windows Scripting Host, which is installed and enabled by default on Windows 98, and the script then mailed copies of itself to everyone in the victim's Microsoft Outlook address book. People generally don't change software defaults, so the Love Letter worm (often called a virus) ran on most Windows systems it reached. Microsoft--a leader in adding new features--has been, and will continue to be, plagued by its own vulnerabilities.[13] (Also see Appendix II for more on this.)

To be fair, all systems on the Internet can be compromised. CERT/CC, a major reporting center for Internet security problems, documents Trojan horses as an "apparently useful program containing hidden functions that can exploit the privileges of the user [running the program], with a resulting security threat. A Trojan horse does things that the program user did not intend."[14]

Any system can be affected by Trojan horses. Given that: 1) the Internet is open, 2) software was created to share and execute files, and 3) operating systems (already vulnerable) keep evolving and so keep introducing new vulnerabilities, we have a computing environment characterized by continuous and evolving risk. It makes sense, then, to put products and monitoring processes in place that help you stay aware of, and active about, managing your risk.

The Big Question is Not "What Do I Have to Hide?" It's "Who's in Control?"

Having a computer connected to the net is a potential resource for outsiders. Without your knowledge or consent, your computer can be used as:

...and more. When a malicious person gets access to your home computer, you lose control of it. You may not know. You may never know until something goes wrong and the police come knocking on your door.

Even if you install anti-virus software or a firewall (special security hardware and/or software that sits between your computer and the Internet and decides which traffic may pass), it's not safe to assume you'll never need to worry about security again.

Noted security expert Bruce Schneier points out:

"Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. The trick is to reduce our risk of exposure regardless of the products or patches."[15]

Toward this end, NetAction has developed a guideline called:

The Five "A"s of Security

Awareness
Your computer is one among millions of computers networked together. As a broadband subscriber, your computer is (generally) reliably connected to the Internet, and your connection is fast and responsive, which makes it attractive to others as well as to you. You have physical control over your machine, and can take informed action to protect your resources and files.

Authentication and Authorization
If you don't want to allow global access to your files, you may need to set logins and passwords to limit who can use your computer. Authentication means verifying who a user is. Authorization means deciding what an authenticated user is allowed to do on your system. Identifying the users of your machine also lets you track the activity in files and resources.
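As an added illustration of the two steps just described (not code from the NetAction report), the Python below keeps a small constructed user table and separates the questions "who is this?" (authentication, here a salted PBKDF2 password check) from "what may they do?" (authorization, here a per-user set of permissions). The user names, passwords and permission names are invented for the example.

```python
"""Authentication (who are you?) kept separate from authorization (what may you do?)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256; higher is slower for attackers and for you.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def make_user_db() -> Dict[str, dict]:
    """Constructed user table: login -> {salt, hash, perms}. Passwords are never stored."""
    users: Dict[str, dict] = {}
    for login, password, perms in [
        ("judi", "correct horse battery staple", {"read", "write", "admin"}),   # hypothetical owner
        ("guest", "guest", {"read"}),                                           # hypothetical guest
    ]:
        salt, digest = hash_password(password)
        users[login] = {"salt": salt, "hash": digest, "perms": perms}
    return users


def authenticate(users: Dict[str, dict], login: str, password: str) -> Optional[str]:
    """Verify the user. Returns the login on success, None on failure."""
    record = users.get(login)
    if record is None:
        # Do the same amount of work for an unknown login so timing does not
        # reveal which user names exist.
        hash_password(password, b"\x00" * 16)
        return None
    _, digest = hash_password(password, record["salt"])
    if hmac.compare_digest(digest, record["hash"]):   # constant-time comparison
        return login
    return None


def authorize(users: Dict[str, dict], login: Optional[str], action: str) -> bool:
    """Decide whether an already-authenticated user may perform an action."""
    if login is None:
        return False          # nobody unauthenticated is authorized for anything
    return action in users[login]["perms"]


def attempt(users: Dict[str, dict], login: str, password: str, action: str) -> bool:
    """One request through both gates: authenticate first, then authorize."""
    who = authenticate(users, login, password)
    return authorize(users, who, action)


if __name__ == "__main__":
    db = make_user_db()
    for login, pw, action in [("guest", "guest", "read"), ("guest", "guest", "write"),
                              ("judi", "wrong", "read"), ("judi", "correct horse battery staple", "admin")]:
        print(f"{login:6} {action:6} -> {'allowed' if attempt(db, login, pw, action) else 'denied'}")
```

Note that a correct password for "guest" still does not grant "write": passing authentication says nothing about authorization, which is the distinction the text draws.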

Access Control
To further limit access to your resources, you may wish to set permissions on individual files. For instance, you may have a text file that anyone can read. This is called global access. Another file may be readable only by members of a group that you define. This is group access. A third file may be readable only by you--individual access.
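The three cases above map directly onto Unix-style file modes. As an added example (not from the report), the Python below creates a constructed directory with one file of each kind, classifies each file by who may read it, and walks the tree to list every world-readable file, which is the check a practitioner runs to find unintended global access. The file names are invented for the example.

```python
"""Access control: global, group and individual read access expressed as file modes."""
import os
import stat
import tempfile
from typing import Dict, List

# Mode bits for the three cases described in the text.
WORLD_READABLE = 0o644   # owner rw, group r, everyone else r  -> "global access"
GROUP_READABLE = 0o640   # owner rw, group r, others nothing   -> "group access"
OWNER_ONLY = 0o600       # owner rw only                        -> "individual access"


def describe_access(path: str) -> str:
    """Classify a file by the widest class of user that may read it."""
    mode = os.stat(path).st_mode
    if mode & stat.S_IROTH:
        return "global"
    if mode & stat.S_IRGRP:
        return "group"
    if mode & stat.S_IRUSR:
        return "individual"
    return "nobody"


def world_readable_files(directory: str) -> List[str]:
    """Relative paths of regular files under directory that anyone on the machine can read."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            st = os.stat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                found.append(os.path.relpath(full, directory))
    return sorted(found)


def classify_tree(directory: str) -> Dict[str, str]:
    """Map each regular file directly under directory to its access class."""
    result = {}
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            result[name] = describe_access(full)
    return result


def build_demo_tree() -> str:
    """Create a constructed directory holding one file of each kind; returns its path."""
    base = tempfile.mkdtemp(prefix="fivea-")
    for name, mode in [("public.txt", WORLD_READABLE),
                       ("team.txt", GROUP_READABLE),
                       ("private.txt", OWNER_ONLY)]:
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)   # set the mode explicitly so the process umask does not decide it
    return base


if __name__ == "__main__":
    demo = build_demo_tree()
    for name, access in sorted(classify_tree(demo).items()):
        print(f"{name:12} {access}")
    print("world-readable:", world_readable_files(demo))
```

On a real system the same walk over your home directory, or your web server's document root, shows which files you have unintentionally left open to every account on the machine.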

Auditing
Your computer may generate logs, which can be important diagnostic tools. For instance, your web server keeps a record of the machines that have requested your web pages:

If you run an FTP server, you also have logs of who moved files in or out. Your security products also produce logs that can tell you about traffic, system users, and more. Combined with active security products, logs are a powerful tool for mitigating your security risks.
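To show what reading a web server log actually buys you, here is an added example (not from the report) that parses a handful of constructed Common Log Format lines, totals requests and error responses per requesting machine, and flags any host that asked for several different pages that do not exist. That pattern is the usual signature of someone scanning your server for known holes rather than a reader who mistyped a link. The addresses come from the documentation ranges reserved for examples, the request paths are invented, and the threshold is a starting point, not a rule.

```python
"""Auditing: summarize constructed web-server log lines and flag probing hosts."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample log in Apache/NCSA Common Log Format. Addresses are from the
# RFC 5737 documentation ranges; paths are invented for this example. One
# deliberately malformed line shows that the parser skips junk instead of crashing.
SAMPLE_LOG = """\
192.0.2.10 - - [10/May/2000:20:01:02 -0700] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [10/May/2000:20:01:05 -0700] "GET /pics/logo.gif HTTP/1.0" 200 2210
198.51.100.7 - - [10/May/2000:20:03:11 -0700] "GET /cgi-bin/phf HTTP/1.0" 404 210
198.51.100.7 - - [10/May/2000:20:03:12 -0700] "GET /cgi-bin/test-cgi HTTP/1.0" 404 210
198.51.100.7 - - [10/May/2000:20:03:13 -0700] "GET /_vti_pvt/service.pwd HTTP/1.0" 404 210
198.51.100.7 - - [10/May/2000:20:03:14 -0700] "GET /scripts/ HTTP/1.0" 403 199
this line is not a log entry at all
203.0.113.5 - - [10/May/2000:20:04:00 -0700] "GET /index.html HTTP/1.0" 200 1043
"""

# host ident authuser [time] "method path protocol" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse Common Log Format lines into dicts; lines that do not match are dropped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(entries: List[Dict[str, str]]) -> Dict[str, dict]:
    """Per-host totals: request count, error (4xx/5xx) count, set of distinct paths."""
    hosts: Dict[str, dict] = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set()})
    for e in entries:
        h = hosts[e["host"]]
        h["requests"] += 1
        h["paths"].add(e["path"])
        if e["status"][0] in "45":
            h["errors"] += 1
    return dict(hosts)


def flag_scanners(entries: List[Dict[str, str]], min_errors: int = 3) -> List[str]:
    """Hosts with at least min_errors error responses spread over that many distinct paths."""
    flagged = []
    for host, h in summarize(entries).items():
        if h["errors"] >= min_errors and len(h["paths"]) >= min_errors:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for host, h in sorted(summarize(parsed).items()):
        print(f"{host:15} requests={h['requests']} errors={h['errors']} paths={len(h['paths'])}")
    print("probable scanners:", flag_scanners(parsed))
```

Run against your own access log, the same summary tells you who is looking at your machine and for what, which is the awareness the next section asks for.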

In reality, these five "A"s are somewhat intertwined. For example, it doesn't make sense to have Authentication without Authorization. Access control doesn't happen without Authentication and Authorization, and none of these make sense without Awareness.

Let's take a look at the first of these Five "A"s in practice.

The first step is awareness about your computerized self.

Most people keep stored computer files that reflect their lives. Generally, the "ordinary life" is not of interest to malicious hackers and crackers--unless they have easy access to your financial persona: transactions, credit card numbers, mother's maiden name, etc.

The second step is awareness about your system.

Many of your system's vulnerabilities are known and described on public security sites. In some cases, fixes (often called patches) are also published for your use.

What you can do to reduce your system's security risks:

If you only have one computer:

If you have a home network with more than one computer:

The third step is awareness about your network.

Being comfortable with your computer and the Internet, and being aware of the inherent risks, is an important part of the broadband environment. Many resources exist to help you get a handle on your situation. The following Appendices provide more links, perspectives, and information to help you with this important task.

Appendix I: Frequently Asked Questions, and Resources

Appendix II: A Note from Eugene Spafford on Microsoft Security

Appendix III: Some Questions to Ask Your (Potential) Broadband Provider

In Closing

NetAction wishes to thank Molly Glennen, James Glick, Michael Gold, and Nicole Parizeau for their assistance in preparing this report, and Phil Agre for his timely and ongoing wisdom.

About the Author

Judi Clark, a NetAction Advisory Board Member, has been riding the curl of the Internet wave for over a dozen years. During that time, she has explained, instructed, illustrated, documented, written copy, set context, and provided perspectives for a wide variety of businesses, schools, and clients.


Footnotes

  1. Bandwidth Bandwagon, from The (Industry) Standard http://thestandard.com/article/display/0,1151,15018,00.html

  2. An IP number, also called an IP address, is a 32-bit number that identifies the sender and receiver of each packet of information on the Internet. Your IP number corresponds to your domain name, if you have one. IP, or Internet Protocol, is part of TCP/IP, the communication language of the Internet. More information on IP addresses is found at http://whatis.com/ipaddres.htm and also in Appendix I.

  3. The early concept for the Internet was laid open for discussion and improvement. The first idea of a computer network was combined with other independent works in designing packet switching, network structure, topology and economics. The architecture used in the continuing development was left open, as described in "A Brief History of the Internet" (see below): "the choice of any individual network technology was not dictated by a particular network architecture but rather could be selected freely by a provider and made to interwork with the other networks...".

    By the end of 1969, four geographically distant computers were successfully connected, forming the early Internet. A key underlying technical understanding of this and future development of the Internet was that of open architecture networking. To learn more about the origins of the Internet, see "A Brief History of the Internet," by Barry M. Leiner, Vinton G. Cerf, David D. Clark, Robert E. Kahn, Leonard Kleinrock, Daniel C. Lynch, Jon Postel, Larry G. Roberts, and Stephen Wolff http://www.isoc.org/internet-history/brief.html

  4. A few operating systems such as Linux and FreeBSD have an "open architecture." They are often referred to as "open source." With these systems, you can tell what's going on inside your machine. But these operating systems are complicated--beyond the understanding of most computer users. For more on Open Source software, see NetAction's archives: http://netaction.org/opensrc/

  5. See the Department of Justice's Court's Findings of Fact from the U.S. vs. Microsoft anti-trust case, section on market share: http://www.usdoj.gov/atr/cases/f3800/msjudgex.htm#iiia

  6. from "For Starters: #8. How to Feel Secure" http://msdn.microsoft.com/workshop/essentials/forstarters/starts0709.asp

  7. Many of our cable companies are using outdated equipment. Before cable companies can expand their services to include Internet access, they need to upgrade their infrastructure. This includes upgrading their broadcast systems and building networking infrastructures within each community. Your cable company may or may not be ready to offer these services in your neighborhood. Check with them to find out.

  8. CableLabs says, "...segmenting an existing system into individual serving areas comprised of 500-2,000 customers." http://www.cablelabs.com/about_cl/pubs/cableNII.html

  9. Definition of DSL at WhatIs.com: http://whatis.com/dsl.htm

  10. Note that not all kinds of DSL use a single telephone line. Depending on the age of your home's phone wires and other factors, you may require an additional phone line to your house. More information about DSL technologies is found at http://whatis.com/dsl.htm and the DSL Glossary: http://www.nwnexus.net/dsl/dsl_glossary.htm

  11. Quote taken from http://www.4cite.org/action_talking.html

    Of note, several professional and governmental organizations have expressed serious concerns about this bill. Read their letters and commentary at:

  12. Quote taken from http://www.4cite.org/action_talking.html

  13. Inherent vulnerabilities are widely known in the Microsoft user world:

    Commentary from Microsoft users on a public bulletin board, May 18, 1996 http://www.nfbcal.org/nfb-rd/1059.html

    "How Safe Is Microsoft's ActiveX?" from European Telework Online, 11th February 1997 http://www.eto.org.uk/faq/faqactvx.htm

    NT Security Frequently Asked Questions (FAQ) http://www.it.kth.se/~rom/ntsec.html (last updated 1997)

    "Microsoft Needs a Different Approach to Security Risks" from Windows 2000 Magazine, InstantDoc ID 266, page 144, 10/97, http://www.win2000mag.com/Articles/Content/266_01.html

    Following up the news at that time about how easy it is to use ActiveX as a security vulnerability, "Microsoft announces debuts security program to address ActiveX issues" in ZDnet's news http://www.zdnet.com/zdnn/content/pcwo/0219/pcwo0017.html

    It's worth noting that ActiveX, which is at the heart of scripting in MSIE, remains one of Microsoft's, and therefore our, major vulnerabilities. Section 174 in the Department of Justice's Court's Findings of Fact concludes that "Microsoft has unjustifiably jeopardized the stability and security of the operating system." http://www.usdoj.gov/atr/cases/f3800/msjudgex.htm#vf

    More amusing and informative exploits are found at DigiCrime's exploits page http://www.digicrime.com/exploits.html. This one also includes a few vulnerabilities in other applications. You may also wish to read their disclaimer for proper perspective on their work and this site: http://www.digicrime.com/disclaimer.html

  14. CERT advisory on Trojan horses http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html

  15. From Bruce Schneier's Crypto-Gram newsletter, May 15, 2000. http://www.counterpane.com/crypto-gram-0005.html#ComputerSecurityWillWeEverLearn