New York Times, Wed., 11 Oct., 1995, pp A1, C3

Discovery of Internet Flaws Is Setback for On-Line Trade

by John Markoff

SAN FRANCISCO, Oct. 10 - Newly publicized weaknesses in the basic structure of the Internet indicate that the worldwide computer network may need a time-consuming redesign before it can be safely used as a commercial medium

The flaws could allow an eavesdropper or criminal to divert many types of documents or software programs traveling over the Internet, examine or copy or alter them, and then pass them on to the intended recipient - who would have no easy way of knowing that the files had been waylaid. Not only could electronic mail be read in transit or credit card numbers be copied en route, but special security techniques meant to protect such transactions could be dismantled without the user's knowledge.

That such security flaws exist is not surprising in a system designed originally as a scientific experiment. But the recent rush to the Internet by companies seeking to exploit its commerical possibilities has obscured the fact that giving the system a new purpose has unearthed fundamental problems that could well put off true commercial viability for years.

"Companies would have you believe this is a trivial problem," said Eric Brewer, a professor of computer science at the University of California at Berkeley. "But now there is a financial incentive to exploit these flaws and to do it secretly."

The problems were described in a posting that researchers at the university made on Monday to several on-line discussion groups. While the discussion groups are intended for computer security experts, they are potentially accessible to millions of Internet users - including break-in artists, who are known to monitor such discussion groups for tips on new ways to crack computer systems.

The researchers who described the Internet weaknesses include two Berkeley computer science graduate students who noted a security weakness in a popular Netscape Communications Corporation software program last month. Then as now, the students' stated motivation in publicizing the problems was to underscore vulnerabilities facing all companies and customers wishing to use the Internet for commerce.

When the Netscape problems were disclosed last month, the company said the security flaws would be corrected in the next version of its software, which users would be able to download at no charge from Netscape's Internet site. But the newly publicized flaws in the Internet itself indicate that even if a user downloaded a copy of the new, improved Netscape program, a criminal could tamper with the copy along the way and make it unsafe for use in credit card transactions.

The problem is not Netscape's alone; it potentially affects any organization that operates a computer from which files or software could be downloaded over the Internet. The weakness can be traced to the technical underpinnings of the network, which was set up more than a quarter-century ago not as a medium for conducting business but as a way for academic and scientific researchers to exchange information.

The disclosure of the flaws casts doubt on the aspirations of companies like Netscape, which last summer had one of the most successful stock offerings in Wall Street history based on the promise of the impending arrival of a full-fledged on-line marketplace.

"Companies should take a step back and think about this a little more," said Ian Goldberg, one of the Berkeley students. "If it takes a bit longer but comes out more secure we will all be better off in the long run."

The way many Internet systems are set up - especially the Internet's increasingly popular World Wide Web service in which software images and even video and audio clips can be easily downloaded - information is stored on a computer called a file server and then transferred to a user's computer when it is needed.

The newly publicized weakness occurs in a widely used Internet protocol - or technical standard - known as the Network File System, or NFS. Because NFS does not have any means for allowing the recipient of a program or document to verify that it has not been altered during transmission from the file server to the user, any interception or tampering would go undetected.

"The Internet protocols have been insecure since day one," said Jeffrey I. Schiller, the manager of computer networks at the Massachusetts Institute of Technology and director of an industry task force that is trying to design a new secure version of the Internet.

But the group's timetable is uncertain, and even when it does have recommendations ready, Mr. Schiller is not optimistic that the industry will be willing to devote the time and money to put them into effect.

He said that many technologies al exist for improving commercial security on the Internet, but many of them require too much technical sophistication on the part of computer users. He criticized makers of hardware and software for not moving more quickly to make easy-to-use security features a built-in part of the technology used on the Internet.

"The people who should be the leaders in offering security have been too busy counting their money to build these features in to their products," Mr. Schiller said.

Some commercial Internet merchants have tended to play down the potential for harm from an illegal interception of credit card information over the Internet. They point out that consumers routinely make their credit card numbers available in transactions done by mail or telephone and that the law puts limits on a consumer's liability in cases of credit card fraud.

But Mr. Brewer, the Berkeley professor, said that the crucial difference in the proposed Internet commerce systems was that for the first time it would be relatively simple for a criminal to collect hundreds or thousands of credit card numbers. Then a thief could use each credit card only one time, making detection much more difficult.

Sensitive to heightened concerns about security, Wells Fargo, the large California bank, which earlier this year began permitting customers with personal computers to view their account information with the Netscape software, suspended the service in September after the Berkeley students reported the flaw in Netscape.

After Netscape followed with an improved version of its software, Wells Fargo officials found it secure enough that they planned to resume the service later this week. The bank will, however, require customers to use the corrected version of the Netscape program.

Even then, Wells Fargo customers will be able only to view account balances and other information, but not transfer money or conduct other transactions of the type that might leave them vulnerable to the Internet NFS weakness

"We still hope to be able to offer transactional capabilities next year, but this has slowed us down a little bit," said Lorna Doubet, a Wells Fargo spokeswoman. "Many of our customers feel that security is absolutely essential and we have to be cautious in this regard."

Executives at Netscape said yesterday that they were aware of the security issues surrounding NFS and would make changes in the next release of their software, expected before the end of the year, to permit a recipient of a downloaded program to check it for signs of tampering.

And hoping to take advantage of the fault-finding talents of the Berkeley researchers and other like-minded software experts, the company announced a contest today called Netscape Bugs Bounty, in which Netscape will award prizes to users who find bugs or security loopholes in its software.

Some Internet experts said they expected that many security weaknesses like the one the Berkeley group had demonstrated would be found, because the Internet was simply not designed to insure secure commerce.

"Imagine a walled town or a house," said Noel Chiappa, a member of the Internet Engineering Task Force, a standards-setting group, "It doesn't matter if 99 windows are tight as can be - if the 100th is wide open, the bad guys will bypass your security."