BY SIMSON L. GARFINKEL
Special to the Mercury News
SATAN is raising hell on the Internet again.
The controversial software program, created by maverick computer-security researcher Dan Farmer, has been used to show that nearly one-third of the Internet's most commonly used addresses, or sites on the Internet's graphically oriented World Wide Web, are highly vulnerable to attack.
Its findings raise a troubling possibility for people who use the Internet to get information or potentially make purchases. While none of the Web sites deemed vulnerable by the study contain truly sensitive information, such as individual bank account statements or personnel data, they do store information that many people rely upon to conduct business or make personal decisions. Also, as electronic commerce becomes more prevalent via the Internet, computer thieves, or ''crackers,'' potentially could infiltrate the Web sites to commit fraud or theft.
The study, which surveyed more than 2,200 Web sites on the Net was conducted independently during the past two months by Farmer, the controversial co-author of the SATAN network security tool.
SATAN, an acronym for Security Administrator Tool for Analyzing Networks, was both hailed and reviled by computer security experts when Farmer released it in April 1995. The program ostensibly was designed so that computer network administrators could find and then plug security holes before the crackers found them. But with its easy-to-use automated programs, SATAN also is an ideal tool for people with even rudimentary skills to use as a weapon for infiltrating computer systems.
Now, more than a year later, Farmer is showing that the Web is as solid as a sieve. The San Francisco resident used it to scan many commonly used Web sites, which anyone with a computer and Web access can see by using the Web's navigational tool, known as a browser, and typing in a series of letters and words. Once typed in, a person can see information from computers around the globe.
Farmer did not actually ''break in'' to the sites, but simply looked for commonly known weaknesses.
There already have been several widely publicized examples of crackers breaking into high-profile Web sites. In August, the computer that contains information for the Web site of the U.S. Department of Justice was attacked. Crackers broke in to the system, took it over, and added swastikas and obscene pictures to the department's electronic face in cyberspace.
A month later, another group of crackers broke into the computer operated by the Central Intelligence Agency, changing its Web pages to read Central Stupidity Agency. Both incidents caused great embarrassment and both are still under investigation.
Farmer's study argues that these two incidents may be more than just isolated pranks. Instead, they may be symptoms of a widespread inattention to computer security on the part of businesses, organizations and government agencies that are maintaining home pages on the Web. Home pages are the first pieces of information people see for individual Web sites.
''Many people in the security community recognize these problems are widespread and the public needs to know them as well,'' said Ed Felten, who is a computer security expert at the University of Princeton's Computer Science Department. ''I'm not surprised to see these numbers.''
''Though the results are scary, they're probably on the conservative side. Remember that the SATAN program is non-intrusive and that it only recognizes widely known problems,'' Venema said. ''Yes, a quarter of some categories of sites can be compromised with no effort, and another quarter could be compromised with modest effort -- no rocket science involved. Now,imagine what a determined attacker could achieve.''
Farmer says he did not obtain permission of the sites that he included in his study. He simply chose the sites from publicly available sources, such as the Yahoo Internet search service. Yahoo and several other search services allow people to find information about specific topics of interest to Web users by typing in a series of ''keywords.'' The search service then quickly scans a database of literally tens of thousands of Web sites and offers the computer user a series of potential matches to review.
''If I had asked all of them for explicit permission, the number of responses I received would have been very small, and perhaps statistically insignificant,'' says Farmer in his paper on the study, titled ''Security Survey of Key Internet Hosts & Various semi-Relevant Reflections.''
Farmer also worried that asking sites their permission might prejudice the findings because of his somewhat rogue reputation.
Just because he could break into ''a bank's World Wide Web site doesn't mean you can break into a bank.''
That is because banks, for instance, typically use one computer to store the information it offers to the public via the Web and another, more secure, computer to maintain customer financial records. Government agencies, such as the CIA and FBI, similarly keep their more sensitive information on much more secure computer networks that are not in any way linked to the Internet.
Nonetheless, the weaknesses do raise some potentially troubling consequences. As more and more banks make it possible for their customers to view bank statements, transfer money, and write checks over the Internet, there is a very real chance that a compromised Web site could be used to initiate fraudulent transactions.
Web sites that are on a businesses' internal network can be used for monitoring information traveling on that network.
Furthermore, many system administrators use the same password for a variety of different computers: once the password for an organization's Web server is learned by an attacker, other computers may be compromised that use the same passwords.
Because the SATAN tool does not actually break into computers on the Internet, most computer security specialists contacted for this article believe Farmer's study does not violate the law. Instead, it is as if Farmer walked up to the front door of several thousand businesses in the middle of the night and tried turning the door knobs to see if they were unlocked.
''I think an attempt to quantify the problem is long overdue,'' said Andrew Gross, a computer security researcher in San Diego who has seen Farmer's results. "I think Dan has taken great care in his efforts. He's thought about the sampling problems and has carefully documented his methodology.''
Nevertheless, Farmer said, he's a little nervous about his findings.
''I sure as hell hope I don't get in legal trouble for this.''