Hackers Debunk Myth Of Net Security
-----------------------------------
(05/24/98, 11:05 a.m. ET)
By Mary Mosquera, TechWeb

Many agree security is an elusive concept on the Internet, but it took a group of hackers testifying in the U.S. Senate this week to convince lawmakers they can make short work of crippling or shutting down corporate America as sales and other transactions move online.

The seven hackers, known as the Lopht collective, said they can render the Internet unusable in the United States in fewer than 30 minutes.

Andy Sernovitz, president of the Association for Interactive Media, in Washington, D.C., agreed, saying the most basic infrastructure supporting the Internet is in the hands of just a few people.

"Corporate America should be yelling and screaming that the government acquire the minimal software it takes to keep the Internet secure," Sernovitz said. "It should be locked in a bunker."

The Lopht hackers, who use online nicknames, alert appropriate agencies when they find gaping holes in computer security.

Internet and computer security are "almost nonexistent," testified the hackers before the Senate Government Affairs committee Tuesday.

The Lopht group urged users to configure their computers properly and be alert to computer viruses. Most security attacks are "ankle biters" from people testing the vulnerabilities of a system. Keeping software armed with the latest fixes to come from the manufacturer will reduce the number of ankle biters, they said.

"The Internet was not designed to be bulletproof by today's standards," the hackers said, since the underpinnings of network protocols have been around for about 20 years, and changes designed to make the Internet more robust have been welded onto the existing vehicle rather than scrapping it and starting over again.

"The problem comes from the weakness of the foundation," they said. And there are no quick fixes, either.

Software designed to make networks secure is "appalling," the hackers said in their testimony. For example, the Lopht group tested a $30,000 piece of software and was able to bypass the auditing system easily.

The government has addressed that issue, recently forming a joint venture of the National Security Agency and the National Institute of Standards, called the National Information Assurance Partnership, to develop standards for security technology.

Encryption, or scrambling data so others cannot understand it, can prevent theft of credit cards or other private data in transit, but Lopht members said security at the end points is "woefully inadequate."

Software manufacturers should be held to a higher standard of liability than they are now, Lopht said. If companies were liable for product failure, they would be motivated to design security into their products, test the security features, and educate their customers.

http://www.techweb.com/wire/story/TWB19980524S0001