sptimes.com
Crown AutoNet

HomeHome
WeatherWeather
LotteryLottery
ClassifiedsClassifieds
SportsSports
ComicsComics
InteractInteract
AP WireAP Wire
Web SpecialsWeb Specials

 

 

Hidden dangers

Computer hackers "Mudge," left, and "Weld Pond" testify on Capitol Hill on May 19, 1998 before the Senate Governmental Affairs Committee hearing on computer hacking. The hackers told the committee that computer security is so lax, they could disable the entire Internet in a half-hour.
[AP photo: William Philpott]

As more commerce moves to computer networks, business and the government turn to their former nemesis -- the hacker -- for help.

By ROBERT TRIGAUX

© St. Petersburg Times, published June 16, 1998


One-time Tampa consultant Jack Kerivan became so concerned his hacking tools could fall into the wrong hands that he designed his break-in programs to self-destruct every 30 days.

Scott Ramsey, who set up Ernst & Young's national computer security team, gives corporations a B- for their security efforts but a D+

for execution. "It pays to be paranoid," he warns.

Click here for the main Hackers page from the Times.

Good-guy hackers -- known as "ethical" or "white hat" hackers -- are part of a fast-expanding and cocky breed of security troubleshooters delivering a blunt message to U.S. companies. With malicious hacking on the rise, corporate computer networks increasingly linked to the Internet are as easy to penetrate as fists punching through Jello.

Long in denial, corporate America is starting to listen. Company-approved attacks by ethical hackers are cropping up nationwide. So far, their efforts are rarely unsuccessful.

In San Antonio, Texas, ethical hackers at Cisco-WheelGroup Corp. spring their attacks on corporate customers from a "war room" run by ex-military types from the Air Force Information Warfare Center. From a windowless room in the New York City suburbs, IBM's security squad launches its hacks on dozens of corporate customers. In Miami, an Ernst & Young team recently hacked with ease into the network of a high-tech client in the Tampa Bay area.

Work is plentiful. Nearly two of every three companies responding to a recent Computer Security Institute/FBI survey say they experienced unauthorized use of their computer systems in the past year. That's up from 50 percent in the 1997 survey and 42 percent in 1996. And while company computer systems were hit both internally and externally, companies' Internet connections were cited increasingly as a frequent point of attack.

But security expertise does not come cheap. Ethical hackers, especially those backed by big corporate and consulting names, regularly charge $20,000 to $200,000, depending on the depth of their attack and the size of the business client's network.

American companies spent about $6.3-billion on computer security last year to combat computer fraud, theft of proprietary company software and industrial espionage, according to the research firm DataQuest. The market is expected to double to $13-billion by 2000.

Security experts say companies simply will have to pay to play on a secure Internet.

At California high-tech giant Sun Microsystems, Linda McCarthy spent years breaking into the networks of her employer. It was her job to recommend security improvements to Sun's network, which is hacked an average of 300 times every day. More hacking is inevitable as the hacker population matures, says McCarthy, who now runs the Network Defense security firm in Berkeley, Calif.

"Anybody who was a B-grade hacker is probably much more advanced now, at least in knowing where to get hacker tools, and can typically get into lots of computer systems," she said. Give us 30 minutes and we can bring down the Internet and cripple many businesses, a hacker known as "Mudge" testified before a congressional panel last month. The hacker is a founding member of Boston's elite hacker group called L0pht, which alerts appropriate agencies when they find gaping holes in computer security.

Seasoned IBM security consultant Nick Simicich of Boca Raton gives the same advice to client companies about hackers that a locksmith offers homeowners about burglars: Convince them other places are more vulnerable to attack.

* * *

"Generally, our work is to deter hackers," Simicich said. "There are hackers you catch and hackers you don't."

* * *

Besides assaults from malicious hackers, companies face other online threats. Disgruntled workers and ex-employees are common sources. Competing businesses -- under the buzzword "competitive intelligence" -- increasingly are snooping online for any information to help make the next big sale or gain a technological edge.

There is even a Society of Competitive Intelligence Professionals. The group, with more than 6,500 members, only endorses legal research tactics. (Some air routes in and out of high-tech cities like San Jose, Calif., and Boston are considered intelligence gold mines.)

Corporations in some industries also must guard against intrusions from tech-hungry foreign governments -- in particular China, France, Israel, Japan, Germany and Russia -- that converted their cold-war spy machinery into "economic espionage" units.

While companies are reluctant to disclose a hack of any kind, recent examples are plentiful:

INSIDER: Timothy Lloyd lost his job in 1996 as a computer network programer in Bridgeport, N.J., at Omega Engineering. Twenty days later a software bomb deleted critical company files. Federal prosecutors put direct costs of the wipeout at $2.4-million and its indirect costs in lost business at another $8-million. Lloyd pleaded innocent to charges of destroying computer files valued at $10-million. He faces up to five years in jail and a fine equal to twice the company's losses, or up to $20-million.

COMPETITOR: A unit of the British news agency Reuters is accused of trying to steal software from competitor Bloomberg LP by urging a consultant to transfer screens full of data from Bloomberg to Reuters. The matter is before a grand jury.

FOREIGN GOVERNMENT: French intelligence allegedly has spied on U.S. companies by wiretapping U.S. businessmen flying on Air France between New York and Paris. And Germany's Federal Intelligence Service had been successful in economic espionage by using a top-secret computer facility outside Frankfurt, Germany, to break into data networks and data bases of companies and governments around the world, according to a report by Edwin Fraumann, an FBI agent in New York.

A few companies are taking steps on their own to improve thesecurity odds. In the Tampa Bay area, a group of companies recently formed the first local (and currently Florida's only) chapter of the Information Systems Security Association as a forum to swap ideas. The group (http://www. tampaissa.org) meets for the first time June 24 to hear experts discuss cybercrime at the Tampa Airport Hilton at Metrocenter.

Even the stodgy insurance industry is starting to recognize hacker attacks as a real business risk. Lloyd's of London in April joined a small number of insurers offering companies insurance against hackers, viruses and computer sabotage.

* * *

The big fees paid for corporate security are attracting hackers with more troubling credentials. Many are swapping their old black-hat ways for white-hat paychecks, jumping into the poten-tially lucrative corporate computer security business.

Among the "reformed" is Yobie Benjamin, a hacker for 20 years who now works as the technical security guru at Cambridge Technology Partners, a Cambridge, Mass., network consulting firm with a penchant for hiring ex-hackers. Best known for finding flaws in Microsoft's Windows NT operating software, Benjamin says he hires white-hats, though many are reformed street hackers now in their 30s.

Large companies don't seem to mind. Last month, Benjamin's company invited data security managers from three dozen Fortune 1,000 companies to attend "New Hack Tour," a seminar on the latest hacking trends. They were dismayed to hear of dozensof new network hacks making the rounds.

Six years ago, a massive party was thrown by a young computer bulletin board operator who goes by the name Dark Tangent. That party evolved into the DefCon annual convention, the biggest hacker gathering in the country. And Dark Tangent, who in real life is Jeff Moss, now provides security consulting for San Jose's Secure Computing Inc.

Alongside DefCon, Moss helps run an accompanying seminar dubbed the "Black Hat briefings" that serves as a mixer for hackers and corporate security professionals.

Once a cosmetics company approached Moss and, sight unseen, commissioned the hacker to break into a competing company's network and steal a perfume formula. Moss declined. But the attempt at corporate espionage by using hackers is increasingly popular.

Former hacker Erik Bloodaxe (real name: Chris Goggans) helped found and lead the infamous 1980s hacker group Legion of Doom. Now he is peddling his hacker skills to corporations, first in Austin, Texas, and now at Security Design International in Falls Church, Va.

SDI's consultants, the company says on its Web site, are "carefully selected for a combination of technical ability and "real world' experience."

Ex-hacker Christian Valor recently lectured a paying audience of corporate and government security employees on how, for bragging rights, gangs of malicious hackers last year broke into 363 major Web sites, including ABC News and the Army Information Center. Valor was hired by retired Army colonel Fred Villella, founder of the California security firm New Dimensions International.

The trend of hackers-turned-consultants makes for some lively debate.

"Would you trust an ex-burglar or an ex-arsonist?" Ken Lindup, a senior consultant at security specialist SRI Consulting, asked at a recent security conference. Lindup gives a thumbs down to hiring once-nasty hackers to wander through company computer systems. Avoid the temptation, he advises. On the flip side, many traditional hackers suspicious of Big Brother aren't happy about their brethren defecting to the computer security establishment. Complained one hacker: "It's like Anakin Skywalker (Luke Skywalker's father, before he became Darth Vader in Star Wars) being seduced by the Dark Side of the Force."

As more commerce moves to computer networks, business and the government turn to their former nemesis -- the hacker -- for help.

Ira Winkler doesn't mince words about the inability of U.S. businesses to protect themselves against hackers.


Advertise online!

Business | Citrus | Commentary | Entertainment
Hernando | Floridian | Obituaries | Pasco | Sports
State | Tampa Bay
| World & Nation

Back to Top
© Copyright 1998 St. Petersburg Times. All rights reserved.