Another Internet security threat is “network snooping,” in which attackers install programs that copy packets traversing network segments. The attackers periodically inspect files that contain the data from the captured packets to discover critical log-in information, particularly log-in IDs and passwords for remote systems. Attackers subsequently connect to the systems for which they possess the correct log-in information and log in with virtually no trouble. The fact that attackers have targeted networks operated by Internet Service Providers (ISPs) has made this problem especially serious, because so much network traffic goes through these networks. These attacks demonstrate just how vulnerable network infrastructures are to attack; successfully attacking networks at key points where routers, firewalls, and server machines are located is in fact generally the most efficient way to gain information that usually leads to unauthorized access to multitudes of host machines within a network (Schultz and Longstaff, 1995).

A significant proportion of attacks exploit security exposures in programs that provide important network services. Examples of these programs include sendmail, NFS³, and NIS⁴. These exposures allow intruders to not only gain access to remote hosts, but also to manipulate services supported by these hosts, or even to obtain superuser access. Of increasing concern is the susceptibility of World Wide Web (WWW) services (and the hosts that house these services) to successful attack. Intruders’ abilities to exploit vulnerabilities in the hypertext transfer protocol (HTTP) and also in Java (a programming language used to write WWW applications) seems to be growing at an alarming rate.

---

³Network File System.
⁴Network Information Service.

---

Until recently, most intruders have attempted to carefully cover up the indications of their activity, often by installing programs that have selectively eliminated data from system logs. In addition, for the same reason they have avoided causing system crashes or causing massive slowdowns or disruption. Recently, however, a significant proportion of the perpetrator community has apparently shifted its strategy by increasingly perpetrating denial of service attacks. Many types of hosts, for example, crash or perform a core dump when they are sent a ping⁵ packet that exceeds a specified size limit or when they are flooded with SYN⁶ packets that initiate host-to-host connections. These denial of service attacks comprise an increasing proportion of observed Internet attacks; they constitute a particularly serious threat because many organizations, above all else, require continuity of computing and networking operations.

---

⁵Ping is a service used to determine whether or not a host on a network is up and running.
⁶Synchronize.

---

Not to be overlooked is another, different kind of security threat called social engineering. Social engineering is fabricating a story to “con” users and system administrators (or even help desk personnel) to provide information needed to access systems. Intruders mostly solicit passwords for user accounts, although information about the network infrastructure and the identity of individual hosts can also be the target of social engineering attacks.

Internet Security Controls

Dealing with the many types of Internet security threats discussed in the previous section of this chapter is not an easy matter because of both the diversity and severity of the threats. As if this is not bad enough, a confusing abundance of potential solutions also exist. Consider one solution, encryption⁷. Encryption offers a powerful way to protect information stored in host machines and transmitted over networks, and is also useful in authenticating users to hosts and/or networks. Although encryption is potentially a very powerful solution in addressing Internet security threats, it is currently limited in usefulness because of problems such as the difficulty of managing encryption keys (assigning keys to users and recovering keys if they are lost or forgotten, in general, are currently formidable problems), laws limiting the export from the U.S. and use of encryption, and the lack of adherence to encryption standards by many vendors. Similarly, using one-time passwords renders passwords captured while in transit over networks worthless because every password can be used only once; a captured password will already have been used by the legitimate user who has initiated a remote log-in session by the time someone who has installed a network capture device can use the password. Nevertheless, one-time passwords address only a relatively small proportion of the total range of Internet security threats and do not protect against many threats such as IP spoofing or exploitation of vulnerabilities in programs. Similarly, installing fixes for vulnerabilities in all hosts within an Internet-capable network does not provide a very suitable solution because of both the sheer cost in terms of manpower needed and also because over the last few years vulnerabilities have surfaced at a far faster rate than fixes have become available.

---

⁷Encryption is using an algorithm to transform cleartext information into text that is not readable without the proper key.

---