The New York Times, March 17, 1997, pp. D1, D7:

Go Ahead, Be Paranoid: Hackers Are Out to Get You

By Steve Lohr

In a chilly, windowless room in a New York suburb, four men are
tapping furiously at their laptop computers. Their mission: to crack
into the computer system of a major U.S. corporation. 

Things seem to be going well for them. "All right, we're through the
firewall," announced one bearded hacker. A few moments later, a
second practitioner of high-tech mischief pronounced himself pleased by
what he saw inside -- a digital picture of vulnerability rendered by the
lines of computer code dancing across his screen. "Looks like we can
toast it," he said. 

Charles Palmer, a slender, bearded 40-year-old computer scientist, 
looked on with pride at the members of his team. Skilled hackers, 
Palmer noted, are scarce these days, at least ones that he will hire. 

"It's hard to find good people in this field who do not have criminal 
records," he explained. 

Palmer and his team work for IBM, and their brand of computer hacking 
is legal. Companies pay the IBM squad to attack their computer systems 
to test how well they can stand up to the increasing assaults by real 
hackers. 

The growing ranks of cyber intruders are engaged in everything from
snooping around to "parking" pornography and pirated software on
unsuspecting corporate machines to computer-assisted fraud and theft. 

White-hat hackers, like those at IBM, are only one kind of computer-security
professional whose skills are much in demand today.

Once an arcane specialty, computer security has moved into the
mainstream. As companies rush onto the Internet, they benefit from
improved communication with customers, suppliers and far-flung
employees, but they also take on far greater risk that their corporate
computer systems will be breached by outsiders with malicious intent. 

The dangers of a networked world have created boom times for
computer-security consultants, auditors, cryptographers and others. Now
they must contend with pushy headhunters as well as hackers. Five
years ago, six-figure salaries were rare in the security field. Today it is
not uncommon for skilled computer-security veterans to be making
$200,000 a year or more. 

Recognizing a seller's market for computer-security expertise, Wietse
Venema has come to the United States, and he's selling. A computer
scientist from the University of Eindhoven in the Netherlands, Venema
is the co-author of Satan, a sophisticated software program intended to
find security flaws in any computer system linked to the Internet. 

The 45-year-old Dutch researcher is considering offers from IBM and
other leading American computer companies. "Many people are
interested in my capabilities now," he observed cheerfully. 

Experts like Venema are suddenly stars because corporations are
spending more on computer security. This year, companies worldwide
are expected to spend $6.3 billion on security for their computer
networks, estimates Dataquest, a market-research firm. 

Within three years the security price tag is projected to more than double
to nearly $12.9 billion -- a figure that is only for services supplied by
outside contractors, so it excludes spending on in-house staff, security
software or hardware products. 

The industry in the United States, the world leader in computer security,
is composed of hundreds of companies. They run the gamut from large
companies with worldwide computer consulting practices, like IBM,
Science Applications International Corp. and Perot Systems, and Big Six
accounting firms, like Coopers & Lybrand, Ernst & Young and Deloitte
& Touche, down to one-man independent consultants, like Seiden. 

Fueling the surge in computer-security spending is fear. The corporate
concerns are heightened with every report of hackers defacing
well-known World Wide Web sites, like the recent attacks on the sites of
the CIA and the Department of Justice. 

The FBI says few intrusions into corporate computer systems -- 15 
percent at most -- are reported to law-enforcement agencies. But the
handful that are reported, like the 1994 case of Russian hackers who 
tapped into Citibank and made $10 million in illegal fund transfers 
(all but $400,000 was recovered), tend to cause alarm. 

"The business is not so much network security as it is network 
insecurity," noted Alice Murphy, an analyst at Dataquest. "There's so 
much anxiety out there now." 

Just how great the threat is to corporate computer systems is a matter 
of debate. The Internet, observes Peter Neumann, a computer scientist at
SRI International, a research group in Menlo Park, Calif., was never 
really designed to be secure. 

Once the bailiwick of a small community of researchers, it is starting 
to be used as a freeway of commerce. "The infrastructure is vulnerable,"
Neumann said. "From that larger perspective the risks are enormous." 

Dan Farmer, the co-author of Satan with the Dutch researcher Venema,
did a survey of 1,700 corporate and government Web sites late last year
and found that more than 60 percent of them had "serious potential
security vulnerabilities." 

Farmer, a programmer at Sun Microsystems Inc., did not break into the
computer systems, but he said they were open to attack and often could
be severely damaged. (His survey results are posted on the Web.) 

Yet there is a significant difference, some analysts say, between potential
vulnerability and the actual business risk to corporate computer systems.
"There is risk, but the threat tends to be vastly overstated," said George
Colony, president of Forrester Research Inc., a consulting firm in
Cambridge, Mass. 

Forrester estimates that losses from fraud in Internet commerce are
likely to be roughly $1 for every $1,000 of business. To put the matter
into perspective, the fraud losses in cellular phone service are $20 for
every $1,000, according to Forrester, while the losses on credit-card
transactions are nearly $2 for every $1,000 of goods charged. 

Still, even skeptics, like Forrester's Colony, agree that computer security
requires continuous attention. "It is a manageable risk, and it should not
deter companies from jumping into Internet commerce," Colony said.
"But I also tell our clients that they should think of computer security as
a guerrilla war that will last forever." 

The FBI is treating the battle against computer crime as a long-running
campaign. All new agents are now trained in cyberspace investigations as
part of the curriculum at the FBI Academy in Quantico, Va. And last
year the bureau established three computer-crime squads in San
Francisco, New York and Washington, to pursue cybercrime more
aggressively. 

"We're really on the cusp of this becoming a major problem," said James
Kallstrom, head of the FBI office in New York. "As more and more of
the economy goes digital, there are huge incentives for criminal attacks
on American corporations." 

Computer crime, of course, comes in many forms. An employee with a
grudge and access to a company's computer network may well be far
more dangerous, and costly, than even the most artful hacker. 

A survey released two weeks ago by the Computer Security Institute,
and conducted on behalf of the FBI's computer-crime unit, estimated
computer security losses last year at $100 million -- a total only among
some 250 companies and organizations that would place dollar figures on
their losses from fraud, theft of trade secrets and other breaches. 

The criminal hackers have long been engaged in a kind of cat-and-mouse
game with law-enforcement agencies and private computer-security
experts. And that game is increasingly being played at a higher level, with
greater skill and new tools. 

The cell-phone hackers of the past, who electronically jimmied phones
for the thrill and free phone service, have graduated to Web-site hacking.

Today there are an estimated 440 hacker bulletin boards, 1,900 Web
sites purveying hacking tips and tools, and 30 hacker publications like
"Phrack" and "2600: The Hacker Quarterly." There are readily available
software programs for hacking tactics like "war dialing," "sniffing" and
"fingering" -- all used to exploit security weaknesses in computer
systems. 

"As the stakes become higher, the technical sophistication of the people
doing this kind of illegal activity is increasing," said Edward Hart, a
senior vice president of Science Applications International. 

Today there is a brisk illicit market in hacking, according to security
experts, with the street price for breaking into a corporate Web site
typically in the $8,000-to-$10,000 range. Bonus payments are usually
demanded for trade secrets pilfered or damage inflicted on a competitor's
computer system. 

Limiting the risk, and damage, to corporate computer systems is the goal
of Palmer and the other security specialists at IBM. The test hacking
done by his team is mainly a fact-finding tool, and only one of many. 

The authorized break-ins by these groups, called "tiger teams," are often
more valuable as a marketing tactic than as a research tool. Thick and
exhaustive studies of a company's computer security can be met with
yawning indifference by top executives, but a break-in gets their
attention. 

Mundane rules, not high-tech wizardry, are crucial to reducing security
risks. A robust firewall to filter what electronic traffic gets into a
company's computer system is helpful, but it can be a Maginot Line
approach to security -- the real weaknesses are elsewhere. 

To work from home, employees may have dial-up modems at their
desks, unprotected by firewalls or even passwords. Employees, security
experts warn, must be told to give their passwords to no one; one scam
is for hackers to call new employees, pretending to be members of the
corporate technology staff doing a check of passwords. Another frequent
weakness is simple physical security, watching who goes in or out of the
building. 

These are hectic times for security consultants like IBM's Nick Simicich,
a 44-year-old self-taught programmer. He works from his home in Boca
Raton, Fla., equipped with powerful computers running Linux, a
shareware program that is the operating system of choice for hackers. 

Mostly, though, Simicich is on the road -- 85 percent of the time, he
estimates -- logging perhaps 150,000 air miles a year. Continental, the
airline he flies most regularly, invited Simicich to a company parade last
year. 

He proudly calls himself a "paid professional paranoid." His goal, he
says, is not to make corporate computer systems immune to hackers.
"That's impossible," he explained. "Our real goal is to raise the bar. First,
we do want to make it harder for them to break in, so the average
hacker moves to an easier target. Second, when they do get in, we want
to ensure that the damage is limited."

[Sidebars] Dumbest passwords. Do's and Don'ts of preventing hack attack.

[Photos] Nick Simicich. Charles Palmer.

[End]