To understand the underlying problems that allow harm to occur, we have selected some typical computer networks as examples. We cover, at an introductory level, their functions and uses, their architectural structure, and their communication methods, and point out some of the protection problems these factors present.
Kermit is a general purpose networking program that can be used on many different types of computers and operating systems. It allows terminal-based interaction and file transfer between any two machines linked by telephone, by hard wire, or through a sequence of Kermit servers. Kermit passes messages in packets and has error detection and correction capabilities. Any version of Kermit running anywhere can communicate with any other version of Kermit running anywhere else, but the user must log in to the remote site each time it is used. Kermit was written, and is distributed in source form free of charge, by Columbia University to anyone requesting it (under the stipulation that they not resell it and that they credit the authors). It has already been implemented on nearly every machine under nearly every operating system in existence today.
Anyone can get a copy of Kermit, and if the distribution version were corrupted, it would likely be able to corrupt most computers in common use in the US today. In addition, all machines linked to a corrupt machine might fall prey to attack, since it is necessary to log in in order to perform normal Kermit operations. The passwords typed at those logins can easily be collected by modifying the Kermit source at a given site. From these, valid accounts on a set of accessible computers can be entered. As sites are taken over, local versions of Kermit may be corrupted in turn, and so on. Once a Kermit site is taken over, all networks connected to that site could be attacked in the same way. Kermit connects computers at many sites, including most major computer manufacturers, all major computer networks, nearly every university and government installation, and many businesses.
To exacerbate these problems, it is fairly difficult to get a copy of Kermit from Columbia and fairly easy to get one from anyone who already has a copy. Thus the vast majority of installations do not have distributions from the original source, and the likelihood of corrupt versions being widespread is therefore very high. Even though sources are commonly distributed, they tend to be quite large and difficult for the average programmer to understand. More often than not, users do not look at the source at all except to correct compilation errors the first time the program is compiled at each site. Many executable versions are sent between computers without sources, and these are just as easily corrupted. Kermit checks the integrity of file transfers with a checksum, but no other protection is available; a checksum detects accidental transmission errors, not deliberate modification by someone who controls a node on the path.
Many high performance local networks are connected by a single wire which allows any node in the network to talk or listen to any other node in the network. Ethernet is an implementation initially developed at the Xerox corporation. In essence, packets are sent through the network with headers that indicate the intended receiver. Every node watches for packets carrying its own address and picks those out of the ether (so to speak). Conflicts arising from competition for the wire are handled by having each sender listen while it transmits: a simultaneous transmission (a collision) is detected on the wire itself, the garbled packet is discarded by every receiver, and the senders retransmit after random delays.
Ethernet is available for a wide variety of computers, but because of its high data rate (several megabits per second) it must be restricted to a few hundred meters from one end to the other, so that a collision can still be detected while the colliding senders are transmitting. It is fairly easy to program an Ethernet host to watch all packets sent over the network and pick out those that carry user logins. Since every node can watch every packet, this sort of network can be compromised very quickly. In a matter of a few minutes in the middle of the day, one site on a heavily used Ethernet was able to obtain passwords to each of over 50 computers on the same network, and to gain access to multiple accounts on several of them. Ethernet has no cryptographic capabilities and relies on a frame check sequence (a CRC) for integrity, which again catches line errors but not deliberate modification. In many ways it is worse than Kermit from a protection standpoint because it depends on trusting every connected node.
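The following is an added illustration of the point above, written by the editor; it is not code from the original paper or from any Ethernet implementation. It uses the real 14-byte Ethernet header layout (destination, source, EtherType), but the MAC addresses, the frames and the login exchange are constructed, and the payloads are bare text (a real capture would carry IP and TCP headers in front of it, which the tool would have to strip). It shows that the only thing keeping a station from seeing its neighbours' traffic is the destination filter in its own interface, and how a rogue host reassembles a login from the frames it watches.

```python
"""Shared-medium observation on an Ethernet (constructed example)."""
import struct
from typing import List, Optional, Tuple

# Real Ethernet II header: 6-byte dst, 6-byte src, 2-byte EtherType.
HDR = struct.Struct("!6s6sH")
ETHERTYPE_IP = 0x0800
BROADCAST = b"\xff" * 6

Frame = Tuple[bytes, bytes, int, bytes]


def mac(text: str) -> bytes:
    """'02:00:00:00:00:0a' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return HDR.pack(dst, src, ethertype) + payload


def parse_frame(frame: bytes) -> Frame:
    if len(frame) < HDR.size:
        raise ValueError("frame shorter than Ethernet header")
    dst, src, ethertype = HDR.unpack_from(frame)
    return dst, src, ethertype, frame[HDR.size:]


def receive(frames: List[bytes], my_mac: bytes, promiscuous: bool = False) -> List[Frame]:
    """Frames the interface hands to software.

    Every frame on the wire reaches every interface; a normal interface
    discards those not addressed to it (or to broadcast).  Promiscuous mode
    simply turns that filter off.
    """
    accepted = []
    for raw in frames:
        f = parse_frame(raw)
        dst = f[0]
        if promiscuous or dst == my_mac or dst == BROADCAST:
            accepted.append(f)
    return accepted


def harvest_logins(frames: List[bytes], my_mac: bytes) -> List[Tuple[bytes, bytes, Optional[bytes], Optional[bytes]]]:
    """What the rogue host in the text does: watch everything, keep logins.

    A 'login:' or 'Password:' prompt from a server marks the next frame in the
    opposite direction (client -> server) as the username or password.
    Returns (client, server, username, password) tuples.
    """
    expecting = {}   # (client, server) -> "user" | "pass"
    partial = {}     # (client, server) -> {"user": ..., "pass": ...}
    results = []
    for dst, src, ethertype, payload in receive(frames, my_mac, promiscuous=True):
        if ethertype != ETHERTYPE_IP:
            continue
        if b"login:" in payload:
            expecting[(dst, src)] = "user"      # prompt went server -> client
        elif b"Password:" in payload:
            expecting[(dst, src)] = "pass"
        elif (src, dst) in expecting:           # reply went client -> server
            field = expecting.pop((src, dst))
            partial.setdefault((src, dst), {})[field] = payload.rstrip(b"\r\n")
            if field == "pass":
                entry = partial.pop((src, dst))
                results.append((src, dst, entry.get("user"), entry.get("pass")))
    return results


# Constructed sample traffic: a client logging in to a server while an
# unrelated pair exchange data.  STATION_E is the rogue observer.
CLIENT = mac("02:00:00:00:00:0a")
SERVER = mac("02:00:00:00:00:0b")
OTHER_1 = mac("02:00:00:00:00:0c")
OTHER_2 = mac("02:00:00:00:00:0d")
STATION_E = mac("02:00:00:00:00:0e")

SAMPLE_FRAMES = [
    build_frame(OTHER_2, OTHER_1, ETHERTYPE_IP, b"GET /index.html\r\n"),
    build_frame(CLIENT, SERVER, ETHERTYPE_IP, b"\r\nlogin: "),
    build_frame(SERVER, CLIENT, ETHERTYPE_IP, b"alice\r\n"),
    build_frame(CLIENT, SERVER, ETHERTYPE_IP, b"Password: "),
    build_frame(SERVER, CLIENT, ETHERTYPE_IP, b"hunter2\r\n"),
]

if __name__ == "__main__":
    print("normal interface sees:", len(receive(SAMPLE_FRAMES, STATION_E)), "frames")
    print("promiscuous sees:", len(receive(SAMPLE_FRAMES, STATION_E, promiscuous=True)), "frames")
    for client, server, user, password in harvest_logins(SAMPLE_FRAMES, STATION_E):
        print(f"{client.hex(':')} -> {server.hex(':')}: {user!r} / {password!r}")
```

Nothing about the login frames is addressed to STATION_E, yet the observer recovers both the account and the password: the network offers no confidentiality, and the only defences are to keep untrusted nodes off the wire or to encrypt above it.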
The UUCP network is a loosely coupled network used mostly to send files and mail to remote UNIX sites throughout the world. This network does not allow interactive use of remote sites or binary file transfers. This restriction makes its use inconvenient (delays of up to several days are typical for electronic mail to very remote sites), but it is acceptable to many sites which cannot afford the expense of high performance networks.
UUCP is often used to send sources around the network, which may be very dangerous if systems programmers do not verify the code by hand before installing it (which in most cases they do not). Because of the long delays involved in UUCP networks (mostly because links are dialled over telephone lines, and calls are often deferred to the evening when rates are lower), it takes a long time to get a message around the network. Only simple checksums are performed to verify data integrity, and because UUCP is a store-and-forward network, there are many untrusted nodes with access to the data over extended periods, any of which can alter it and recompute the checksum.
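Kermit, Ethernet and UUCP all rely on a checksum or CRC for integrity. The following added example (written by the editor, not taken from the paper or from any of those programs) shows why that protects against line noise but not against an intermediate node that wants to alter a source file in transit. kermit_block_check() implements the six-bit type-1 block check described in the Kermit protocol; the sample source line, the attacker routine and the MAC key are constructed. The keyed MAC at the end is the kind of check that would actually detect the change; HMAC-SHA256 is a modern choice standing in for whatever keyed mechanism a site would deploy.

```python
"""A checksum is not an integrity check against an adversary (constructed example)."""
import hashlib
import hmac
from typing import Optional

# Constructed sample: one line of a source file travelling in a data packet.
# The attacker wants to invert the bounds check without changing the checksum.
SOURCE = b"if (len > MAXLEN) reject();  /* bounds check, rev A */\n"
TAMPER_AT = SOURCE.index(b">")            # the byte the attacker wants to change
FIXUP_AT = SOURCE.index(b"rev A") + 4     # a byte nobody will look at closely
KEY = b"constructed-demo-key"             # assumed secret shared by sender and receiver


def kermit_block_check(data: bytes) -> int:
    """Kermit type-1 block check: low 8 bits of the byte sum, folded to 6 bits (0..63)."""
    s = sum(data) & 0xFF
    return (s + ((s & 192) >> 6)) & 63


def forge_with_same_checksum(data: bytes, tamper_at: int, new_byte: int,
                             fixup_at: int) -> Optional[bytes]:
    """Change one byte, then adjust a second byte so the block check is unchanged.

    The check is only six bits wide and every value is reachable by varying a
    single byte, so a fix-up byte is always found; printable bytes are tried
    first so the edit stays inconspicuous in a source listing.
    """
    target = kermit_block_check(data)
    buf = bytearray(data)
    buf[tamper_at] = new_byte
    for b in list(range(0x20, 0x7F)) + list(range(0x100)):
        buf[fixup_at] = b
        if kermit_block_check(buf) == target:
            return bytes(buf)
    return None


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed integrity tag: cannot be recomputed by a node that lacks the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_hmac(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def demo() -> dict:
    """Run the attack against the checksum and against the keyed MAC."""
    forged = forge_with_same_checksum(SOURCE, TAMPER_AT, ord("<"), FIXUP_AT)
    assert forged is not None
    tag = hmac_tag(KEY, SOURCE)
    return {
        "original": SOURCE,
        "forged": forged,
        "checksum_matches": kermit_block_check(forged) == kermit_block_check(SOURCE),
        "hmac_accepts_original": verify_hmac(KEY, SOURCE, tag),
        "hmac_accepts_forged": verify_hmac(KEY, forged, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The fix-up search is only needed when the check value is recorded somewhere the attacker cannot reach (a published checksum, say); an intermediate node that forwards the packet itself simply recomputes the check field after editing the data, and no search is required at all. Either way the receiver accepts the altered file. With the keyed tag the forged line is rejected, but only if the key is kept from the relaying nodes, which is exactly the trust these networks do not establish.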
The ARPAnet has been in use for over 20 years to allow universities and government agencies to communicate information quickly and efficiently throughout the US and Europe. The ARPAnet handbook states clearly that the network is not secure and that it should not be used for transmitting sensitive information in unencrypted form. Despite this, almost no encrypted information is ever sent on the ARPAnet. Sites send information through sequences of intervening nodes to reach the desired destination, so any given node can expect to regularly relay traffic bound for every other node. In addition, packets carrying performance information are sent throughout the ARPAnet at regular intervals, and that information in turn affects routing. In such a network, it is reasonable to believe that the entire network could be taken over in a matter of a few days.
The ARPAnet has already been brought down on one occasion by a protocol flaw that caused the network to become saturated with packets. The protocols were changed afterwards, but it seems likely that such an attack could work again if the proper technique were used. The DoDnet was recently split from the ARPAnet to separate military information from insecure nodes, but attacks that work on one network are likely to work on the other, and because the two remain interconnected, it is likely that corruption could bridge the gap.