Byline: Steve Lohr The New York Times

In a chilly, windowless room in a New York suburb, four men are tapping furiously at their laptop computers. Their mission: to break into the computer system of a major U.S. corporation.

Things seem to be going well for them. ``All right, we're through the fire wall,'' announced one bearded hacker. A few moments later, a second practitioner of high-tech mischief pronounced himself pleased by what he saw inside - a digital picture of vulnerability rendered by the lines of computer code dancing across his screen.

``Looks like we can toast it,'' he said.

Charles Palmer, a slender, bearded, 40-year-old computer scientist, looked on with pride at the members of his team. Skilled hackers, Palmer noted, are scarce these days - at least the ones he will hire.

``It's hard to find good people in this field who do not have criminal records,'' he said.

Palmer and his team work for IBM, and their brand of computer hacking is legal. Companies pay the IBM squad to attack their computer systems to test how well they can stand up to the increasing assaults by real hackers.

The growing ranks of cyber-intruders are engaged in everything from snooping around to ``parking'' pornography and pirated software on unsuspecting corporate machines to computer-assisted fraud and theft.

White-hat hackers, like those at IBM, are only one kind of computer security professional whose skills are much in demand today.

Once an arcane specialty, computer security has moved into the mainstream. As companies rush onto the Internet, they benefit from improved communication with customers, suppliers and far-flung employees, but they also take on far greater risk that their corporate computer systems will be breached by outsiders with malicious intent.

The dangers of a networked world have created boom times for computer security consultants, auditors, cryptographers and others. Now they must contend with pushy headhunters as well as hackers.

Five years ago, six-figure salaries were rare in the security field. Today it's not uncommon for skilled computer security veterans to be making $200,000 a year or more.

Recognizing a seller's market for computer security expertise, Wietse Venema has come to the United States, and he's selling. A computer scientist from the University of Eindhoven in the Netherlands, Venema is the co-author of Satan, a sophisticated software program intended to find security flaws in any computer system linked to the Internet.

The 45-year-old Dutch researcher is considering offers from IBM and other leading American computer companies. ``Many people are interested in my capabilities now,'' he observed cheerfully.

Experts like Venema are suddenly stars because corporations are spending more on computer security. This year, companies worldwide are expected to spend $6.3 billion on security for their computer networks, says Dataquest, a market-research firm.

Within three years the security price tag is projected to more than double to nearly $12.9 billion - a figure that's only for services supplied by outside contractors, so it excludes spending on in-house staff, security software or hardware products.

The industry in the United States, the world leader in computer security, is composed of hundreds of companies. They run the gamut from large firms with worldwide computer consulting practices, like IBM, Science Applications International Corp. and Perot Systems, and Big Six accounting firms, like Coopers & Lybrand, Ernst & Young and Deloitte & Touche, to one-man independent consultants, like Seiden.

Fueling the surge in computer security spending is fear. Corporate concerns are heightened with every report of hackers defacing well-known World Wide Web sites, like the recent attacks on the sites of the CIA and Justice Department.

The FBI says few intrusions into corporate computer systems - 15 percent at most - are reported to law enforcement agencies. But the handful that are reported, like the 1994 case of Russian hackers who tapped into Citibank and made $10 million in illegal fund transfers (of which all but $400,000 was recovered), tend to cause alarm.

``The business is not so much network security as it is network insecurity,'' noted Alice Murphy, an analyst at Dataquest. ``There's so much anxiety out there now.''

Just how great the threat is to corporate computer systems is a matter of debate. The Internet, says Peter Neumann, a computer scientist at SRI International, a research group in Menlo Park, Calif., was never really designed to be secure.

Once the bailiwick of a small community of researchers, it is starting to be used as a freeway of commerce. ``The infrastructure is vulnerable,'' Neumann said. ``From that larger perspective, the risks are enormous.''

Dan Farmer, co-author of Satan with Dutch researcher Venema, did a survey of 1,700 corporate and government Web sites late last year and found that more than 60 percent of them had ``serious potential security vulnerabilities.''

Farmer, a programmer at Sun Microsystems Inc., did not break into the computer systems, but he said they were open to attack and often could be severely damaged. (His survey results are posted on the Web at

Yet there is a significant difference, some analysts say, between potential vulnerability and the actual business risk to corporate computer systems. ``There is risk, but the threat tends to be vastly overstated,'' said George Colony, president of Forrester Research Inc., a consulting firm in Cambridge, Mass.

Forrester estimates that losses from fraud in Internet commerce are likely to be roughly $1 for every $1,000 of business. To put the matter into perspective, the fraud losses in cellular phone service are $20 for every $1,000, says Forrester, while the losses on credit-card transactions are nearly $2 for every $1,000 of goods charged.

Still, even skeptics like Colony agree that computer security requires continuous attention. ``It is a manageable risk, and it should not deter companies from jumping into Internet commerce,'' he said. ``But I also tell our clients that they should think of computer security as a guerrilla war that will last forever.''

The FBI is treating the battle against computer crime as a long-running campaign. All new agents are now trained in cyberspace investigations as part of the curriculum at the FBI Academy in Quantico, Va. And last year the bureau established three computer-crime squads in San Francisco, New York and Washington to pursue cyber-crime more aggressively.

``We're really on the cusp of this becoming a major problem,'' said James Kallstrom, head of the FBI office in New York. ``As more and more of the economy goes digital, there are huge incentives for criminal attacks on American corporations.''

Computer crime, of course, comes in many forms. An employee with a grudge and access to a company's computer network may well be far more dangerous, and costly, than even the most artful hacker.

A survey released two weeks ago by the Computer Security Institute and conducted on behalf of the FBI's computer-crime unit estimated computer security losses last year at $100 million - a total only among some 250 companies and organizations that would place dollar figures on their losses from fraud, theft of trade secrets and other breaches.

The criminal hackers have long been engaged in a kind of cat-and-mouse game with law enforcement agencies and private computer security experts. And that game is increasingly being played at a higher level, with greater skill and new tools.

The cell-phone hackers of the past, who electronically jimmied phones for the thrill and free phone service, have graduated to Web site hacking.

Today there are an estimated 440 hacker bulletin boards, 1,900 Web sites purveying hacking tips and tools, and 30 hacker publications like ``Phrack'' and ``2600: The Hacker Quarterly.'' There are readily available software programs for hacking tactics like ``war dialing,'' ``sniffing'' and ``fingering'' - all used to exploit security weaknesses in computer systems.

``As the stakes become higher, the technical sophistication of the people doing this kind of illegal activity is increasing,'' said Edward Hart, a senior vice president of Science Applications International.

Today there is a brisk illicit market in hacking, security experts say, with the street price for breaking into a corporate Web site typically in the $8,000-to-$10,000 range. Bonus payments are usually demanded for trade secrets pilfered or damage inflicted on a competitor's computer system.

Limiting the risk, and damage, to corporate computer systems is the goal of Palmer and the other security specialists at IBM. The test hacking done by his team is mainly a fact-finding tool, and only one of many.

The authorized break-ins by these groups, called ``tiger teams,'' are often more valuable as a marketing tactic than as a research tool. Thick and exhaustive studies of a company's computer security can be met with yawning indifference by top executives, but a break-in gets their attention.

Mundane rules, not high-tech wizardry, are crucial to reducing security risks. A robust fire wall to filter what electronic traffic gets into a company's computer system is helpful, but it can be a Maginot Line approach to security - the real weaknesses are elsewhere.

To work from home, employees may have dial-up modems at their desks, unprotected by fire walls or even passwords. Employees, security experts warn, must be told to give their passwords to no one; one scam is for hackers to call new employees, pretending to be members of the corporate technology staff doing a check of passwords. Another frequent weakness is simple physical security - watching who goes in or out of the building.

These are hectic times for security consultants like IBM's Nick Simicich, a 44-year-old, self-taught programmer. He works from his home in Boca Raton, Fla., equipped with powerful computers running Linux, a ``shareware'' program that is the operating system of choice for hackers.

Mostly, though, Simicich is on the road - 85 percent of the time, he estimates - logging perhaps 150,000 air miles a year. Continental, the airline he flies most regularly, invited Simicich to a company parade last year.

He proudly calls himself a ``paid professional paranoid.'' His goal, he says, is not to make corporate computer systems immune to hackers.

``That's impossible,'' he said. ``Our real goal is to raise the bar. First, we do want to make it harder for them to break in, so the average hacker moves to an easier target. Second, when they do get in, we want to ensure that the damage is limited.''



Photo: (Color) Charles Palmer and his team at an IBM lab in Hawthorne, N.Y., test computer security systems for corporations.

The New York Times

Box: (Color) DUMB & DUMBER

The New York Times
COPYRIGHT 1997 Daily News

Article Details
Title Annotation: BUSINESS
Publication: Daily News (Los Angeles, CA)
Geographic Code: 1USA
Date: Apr 28, 1997
