1. Archive

The Web monster

Home, sweet home is becoming, finally, home, smart home. The family group is becoming the family network: Computers and appliances and services are shared and distributed through the house. Nesting has gone digital as Americans bring the world home to work and play.

But it is not home, safe home.

People know to lock their doors and close the blinds, but most, security experts agree, haven't developed the same habits in the rapidly expanding digital world.

International electronic prowlers looking for information about people's identities and finances or local players trying to settle a score, like a broken relationship or a suspected snub, have figured this out.

"It's the next frontier of risk," said Peter G. Neumann, a computer scientist who specializes in security issues at SRI International, a research institute in Menlo Park, Calif. "Here we are putting computer communications into the home so that I can turn on your oven, or overload your heating system - jack it up to 80 degrees and burn out your oil burner - from anywhere in the world." And, he added, with unsettling filmic flair, "You could bring down a lot of households simultaneously."

Although arrests and prosecutions of people hacking into homes are few, security experts see it as a potentially huge problem.

The threat is growing, said James Aquilina, a security consultant and former federal prosecutor in Los Angeles, because of the spread of "botnets" in the last year. Botnets are vast networks of computers, usually inadequately protected home computers, that hackers take control of and network into computing "armies" that they can sell, mercenary-style, to electronic criminals.

"Now there's a profit motive," Aquilina said. "Hackers, who might have hacked for bragging rights, have discovered a way to generate serious money."

The increasing variety of activities being performed by family members at home increases a house's vulnerability. Every electronic task, wirelessly between two devices or over the Internet, gives a hacker an opportunity to tap into the network. High-speed broadband Internet service, now in nearly 50-million homes in the United States, allows the connection, and the risk, to stay open 24 hours a day.

That doesn't stop people from enjoying their homes as an electronic hub of recreation and work: You can flip your laptop open, go online and pay some bills, buy some books, catch up with the news, check the temperature at the condo at the beach, send a few e-mail messages and recent photographs, make a dinner reservation and buy movie tickets for later that night.

In her bedroom, your daughter finishes a paper for school and sends it to the printer in the kitchen, which is printing recipes for dinner. Your son is downloading music in the den, copying it to his iPod and sending it to the speakers in his bedroom.

All of it is happening over a network of electronic devices in the home: some of it wirelessly, some of it over the Internet, and much of it in full view of the world beyond your door.

Thieves target homes

In its annual threat report, released in September, Symantec, an information security services company in Cupertino, Calif., reported that 86 percent of all targeted attacks against computers were now directed at home users, "a fertile resource" for thieves. As devices become wireless, technologies become mobile and everything converges on the Internet, which is becoming a universal remote for controlling electronics inside and outside the house, homes are increasingly being exposed to attack. Private lives are transpiring in a public realm.

People are largely unaware of how sophisticated the average device in the house now is. "Your TiVo is a small computer, with an operating system," said Tom Powledge, senior director of product management at Symantec, "and all your devices can 'see' each other. When you have these kinds of devices that can communicate with other devices, the potential goes up that they can be exploited."

Yet roughly 80 percent of those using electronic devices on a home network don't activate any of the safety features, he said.

How it can happen

To most people, home is the safest place you could be, and digital convenience is only another, new level of comfort.

"At home, people don't want a high state of alertness," said Lawrence R. Rogers, a senior member of the technical staff at CERT, Carnegie Mellon University's center for Internet security. "They just want to veg."

Detective Sherman Hall of the Atherton, Calif., police department, who works with React, an electronic crimes task force in California, shared an example of how capabilities in the home can compound the risks.

A popular tax return software program will prompt a taxpayer to save the return to a computer as a PDF (portable document format) file. A popular music-sharing program that was installed incorrectly on the computer by, say, the taxpayer's son, may inadvertently share the entire contents of the computer's hard drive, not just his music. A hacker, by installing the same music-sharing program and searching its site online for "tax return" or "PDF," can pull up the tax return.

The stuff of movies? Couldn't happen here? Someone was arrested in San Francisco this year for doing exactly that. Hall said many such incidents go unpublicized because embarrassed companies fear loss of business.

Targets expand

There are now computers in three-quarters of the homes in the United States, according to Parks Associates, a research firm that specializes in the digital and home networking market. More than two-thirds are connected to the Internet, and 17 percent of homes with computers have a wireless network. Cell phones, which are increasingly Web-enabled and increasingly popular as controls that will operate other devices remotely, including home automation systems, are owned by 65 percent of adults.

The target is expanding, as companies like Microsoft and Apple enter the consumer electronics arena with entertainment services that integrate the Internet with home theaters and pave the way for other applications. Wireless technologies broaden the audience for home automation, making it accessible and cheaper in existing homes without ripping into walls.

The lure of wired homes

Builders of new homes, faced with stagnating sales, are striking alliances with home automation installers, presenting "electronic house" packages with a range of options for networking and interconnections as attractive options for first-time buyers in their 20s and 30s - what the industry calls the iPod generation - and for baby boomers in their 50s and 60s for whom technology might represent a way to remain independent and at home as they grow older.

Major electronics companies like Intel and Philips are now pursuing home health care with devices that can monitor a person at home, relay information to doctors and family, and eventually dispense medications and diagnose the onset of diseases, including Alzheimer's and Parkinson's disease.

Eric Dishman, general manager of health research and innovation at Intel, said the 18-month-old division is now one of Intel's "five core businesses."

At how much risk is your home now?

In October the British Broadcasting Corp. conducted a convincing investigation into personal computer security. They installed Windows XP, an operating system unprotected by any additional virus detection programs, on a computer, to see what it would attract when it was connected to the Internet.

Within seconds, the machine was attacked, and the attacks continued every 15 minutes. Every hour, it was hit by an attack trying to program it to attack other machines. Attackers scanned its ports, the computer's "doors" to the Internet, to see whether they were open. Once a day, a hacker tried to take complete control.

In January, Jeanson James Ancheta, a 20-year-old Californian, pleaded guilty to charges related to assembling a botnet, a network of several hundred thousand similar "slave" machines, typically home computers, to rent to spammers and criminals, who use it to do things like spread viruses or store stolen information. Aquilina, the consultant, was the prosecutor in the case.

Your work's the target

Although botnets have become a significant, if hidden, presence on the Internet, Ancheta was the first botnet master convicted in the United States, according to the FBI.

One former hacker who is now a security consultant said homes are vulnerable because they don't yet have the focus on security that corporations do. The consultant, Kevin D. Mitnick, was jailed twice for a total of six years for hacking into corporate and university networks and into the home computer of Tsutomu Shimomura, a computer security expert.

"Enterprises are usually hardened," he said of corporate security. "They spend money for risk management. What thieves can do is find out where their employees live, break into the homes, and then the companies. You think, 'Why would someone break into my home computer? I have nothing to hide.' It's for what you do for work."

Mitnick has heard of several recent instances of this, including attacks on a software company and a financial company through the home computers of their employees. He now advises corporate clients to "lock down" their houses, too.