Combating computer `worms' has a price. Trade-off seen between open access for users, security of stored data

Several weeks after a clever ``worm'' wiggled its way through 6,000 computers across the country, computer users are more aware than ever of the trade-off between open communications and information security. One of the benefits of computers is their ability to make large amounts of information available to many users simultaneously. The drawback is that anyone who can connect up with a computer from another location can potentially introduce into that computer destructive programs - ``viruses'' and ``worms'' - that can alter, destroy, or steal vast amounts of data.

There are basic two ways to prevent invasion by viruses and worms. One is through security programs in computers. The best way, however, is to keep the computer unlinked from any other, and not to use in it floppy disks or diskettes that have been used in other computers. But this diminishes the flexibility and usefulness of the equipment.

For example, ``credit information computers are very accessible. It's very hard to protect them because what you are trying to do is make them accessible. But they can be misused,'' Peter G. Neumann, an SRI International computer security expert. (Such computer services are used by mortgage companies, banks, real estate agents, and other businesses to look at an individual's credit record.)

Earlier this month, a computer worm created by Cornell University graduate student Robert Morris Jr. copied and electronically mailed itself to computers connected to ARPAnet - a computer system designed for academics that links computers like the telephone infrastructure links telephones.

The Morris worm entered computers by cracking passwords, exploiting a loophole in an electronic-mail program, and overflowing memory so that the overflow would be read as commands.

According to one estimate, the worm wasted $96 million in computer work and time nationwide.

A virus is a piece of computer code that attaches itself to other programs, depending on them for execution and to spread. A worm is a software program that can stand alone and spread itself.

When set loose on a computer network, worms and viruses spread by evading a computer's programmed security, and exploiting weaknesses in the network's software.

In the case of personal computers, the worm or virus may be entered on a floppy disk (or a whole group of floppy disks) or directly into a computer's operating logic. It then spreads to other disks and computers.

A virus or worm can instruct the computer to alter or delete files, send copies of files to other computers, search for a ``telephone book'' so as to get into other computers, and other such mischief.

Kenneth Weiss of Security Dynamics Technologies Inc., identifies five reasons for computer abuse. He calls these the five e's: error, ego, embezzlement, enmity, extortion, and espionage.

``The most insidious problem is the misuse from inside'' a business or organization, says Dr. Neumann, of SRI.

Gerome Saltzer, technical director of Massachusetts Institute of Technology's project ATHENA, a program to encourage students to use computers as education tools, stresses that computer security is a management as well as a technical problem. ``Many people do not configure their systems correctly to take advantage of the security they come with.''

In other instances, the software ``holes'' that viruses take advantage of are deliberate, because managers feel the benefits outweigh the costs.

Programmers may leave in place features that make it easier to correct or update their programs, instead of switching those features off when the task is over. Many managers want systems at work to be accessible from their home computer - an option that also sacrifices security.

To combat tampering, software designers or users sometimes hire ``tiger teams'' to try to outsmart their programs. ``Your confidence in the program depends on the quality of the search team,'' Mr. Saltzer says.

The problem, experts say, is that it is possible to determine when a computer system is not secure, but there is no way to prove that it is secure.

``We have no short-term solution. No matter what defense you put up, and no matter how secure, the next hacker will work around it,'' says John McAfee, chairman of the Computer Virus Industry Association.

``Working around it'' can be made harder, however.

According to Dr. Weiss, computer access can be controlled in five fundamental ways.

Physically isolate computers so that people without access to the site will not have access to the computers or any computers in the network.

Identify authorized users. Besides recognizing passwords, some computer systems can also recognize specified cards (like automatic tellers), fingerprints, eye retina patterns, and hand geometry.

Restrict privileges once a user has access.

Put information in code.

Have the computer record which passwords were used to access programs, when the file was accessed, and whether the file was read or written on.

We want to hear, did we miss an angle we should have covered? Should we come back to this topic? Or just give us a rating for this story. We want to hear from you.