SATAN uncovers high risk of Web attack

Software program's study details wide problems with security

Published: Dec. 19, 1996

BY SIMSON L. GARFINKEL
Special to the Mercury News

SATAN is raising hell on the Internet again.

The controversial software program, created by maverick computer-security researcher Dan Farmer, has been used to show that nearly one-third of the Internet's most commonly used addresses, or sites on the Internet's graphically oriented World Wide Web, are highly vulnerable to attack.

Its findings raise a troubling possibility for people who use the Internet to get information or potentially make purchases. While none of the Web sites deemed vulnerable by the study contain truly sensitive information, such as individual bank account statements or personnel data, they do store information that many people rely upon to conduct business or make personal decisions. Also, as electronic commerce becomes more prevalent via the Internet, computer thieves, or ''crackers,'' potentially could infiltrate the Web sites to commit fraud or theft.

The study, which surveyed more than 2,200 Web sites on the Net, was conducted independently during the past two months by Farmer, the controversial co-author of the SATAN network security tool.

SATAN, an acronym for Security Administrator Tool for Analyzing Networks, was both hailed and reviled by computer security experts when Farmer released it in April 1995. The program ostensibly was designed so that computer network administrators could find and then plug security holes before the crackers found them. But with its easy-to-use automated programs, SATAN also is an ideal tool for people with even rudimentary skills to use as a weapon for infiltrating computer systems.

Now, more than a year later, Farmer is showing that the Web is as solid as a sieve.
The San Francisco resident used it to scan many commonly used Web sites, which anyone with a computer and Web access can see by using the Web's navigational tool, known as a browser, and typing in a series of letters and words. Once typed in, a person can see information from computers around the globe. Farmer did not actually ''break in'' to the sites, but simply looked for commonly known weaknesses.

Common sites explored

The results are startling: In addition to the 31 percent of the sites he deemed ''red,'' or highly vulnerable, another 34 percent were classified as ''yellow,'' or somewhat vulnerable.

Specifically, he looked at sites within certain categories that people routinely view: banks, credit unions, the federal government, newspapers and sex. Within those categories, he found that nearly 36 percent of the bank Web sites SATAN explored have security holes widely known to crackers that can be used to break into a system and change its Web pages.

There already have been several widely publicized examples of crackers breaking into high-profile Web sites. In August, the computer that contains information for the Web site of the U.S. Department of Justice was attacked. Crackers broke into the system, took it over, and added swastikas and obscene pictures to the department's electronic face in cyberspace. A month later, another group of crackers broke into the computer operated by the Central Intelligence Agency, changing its Web pages to read Central Stupidity Agency. Both incidents caused great embarrassment and both are still under investigation.

Farmer's study argues that these two incidents may be more than just isolated pranks. Instead, they may be symptoms of a widespread inattention to computer security on the part of businesses, organizations and government agencies that are maintaining home pages on the Web. Home pages are the first pieces of information people see for individual Web sites.
''Many people in the security community recognize these problems are widespread and the public needs to know them as well,'' said Ed Felten, who is a computer security expert at the University of Princeton's Computer Science Department. ''I'm not surprised to see these numbers.''

'Conservative' results

Farmer refused to release the actual names of the sites that he has probed, citing both safety issues and the fact that the organizations themselves do not necessarily know their Web sites have potential security flaws. However, he gave a copy of his data for review to Wietse Venema, a Dutch computer scientist who co-authored the SATAN network security tool with Farmer and who is currently on sabbatical at IBM in New York.

''Though the results are scary, they're probably on the conservative side. Remember that the SATAN program is non-intrusive and that it only recognizes widely known problems,'' Venema said. ''Yes, a quarter of some categories of sites can be compromised with no effort, and another quarter could be compromised with modest effort -- no rocket science involved. Now, imagine what a determined attacker could achieve.''

Farmer says he did not obtain permission of the sites that he included in his study. He simply chose the sites from publicly available sources, such as the Yahoo Internet search service. Yahoo and several other search services allow people to find information about specific topics of interest to Web users by typing in a series of ''keywords.'' The search service then quickly scans a database of literally tens of thousands of Web sites and offers the computer user a series of potential matches to review.
''If I had asked all of them for explicit permission, the number of responses I received would have been very small, and perhaps statistically insignificant,'' says Farmer in his paper on the study, titled ''Security Survey of Key Internet Hosts & Various semi-Relevant Reflections.'' Farmer also worried that asking sites their permission might prejudice the findings because of his somewhat rogue reputation.

Extra layer of security

The fact that Farmer succeeded at finding security holes at Web sites such as banks or government agencies does not mean any highly sensitive information is at risk, Farmer said. Just because he could break into ''a bank's World Wide Web site doesn't mean you can break into a bank.''

That is because banks, for instance, typically use one computer to store the information they offer to the public via the Web and another, more secure, computer to maintain customer financial records. Government agencies, such as the CIA and FBI, similarly keep their more sensitive information on much more secure computer networks that are not in any way linked to the Internet.

Nonetheless, the weaknesses do raise some potentially troubling consequences. As more and more banks make it possible for their customers to view bank statements, transfer money, and write checks over the Internet, there is a very real chance that a compromised Web site could be used to initiate fraudulent transactions. Web sites that are on a business's internal network can be used for monitoring information traveling on that network. Furthermore, many system administrators use the same password for a variety of different computers: once the password for an organization's Web server is learned by an attacker, other computers that use the same password may be compromised.

Because the SATAN tool does not actually break into computers on the Internet, most computer security specialists contacted for this article believe Farmer's study does not violate the law.
Instead, it is as if Farmer walked up to the front door of several thousand businesses in the middle of the night and tried turning the door knobs to see if they were unlocked.

''I think an attempt to quantify the problem is long overdue,'' said Andrew Gross, a computer security researcher in San Diego who has seen Farmer's results. ''I think Dan has taken great care in his efforts. He's thought about the sampling problems and has carefully documented his methodology.''

Nevertheless, Farmer said, he's a little nervous about his findings. ''I sure as hell hope I don't get in legal trouble for this.''