WHO'S READING YOUR E-MAIL? AS THE WORLD GETS NETWORKED, SPIES, ROGUE EMPLOYEES, AND BORED TEENS ARE INVADING COMPANIES' COMPUTERS TO MAKE MISCHIEF, STEAL TRADE SECRETS--EVEN SABOTAGE CAREERS.
(FORTUNE Magazine) – This is it. We're in. There are things here I can now destroy. This is a good thing. The geek in me is happy. --Three hackers in San Antonio, 11:10 p.m.
'Twas the week before Christmas, and the employees of XYZ Corp. were logging off a successful year with holiday parties at company headquarters in New York City. Meanwhile, inside their locked, darkened offices, not a creature was stirring, not even a computer mouse--or so they thought. Unbeknownst to the merrymakers, a team of professional hackers in Texas was preparing to invade XYZ's systems from 1,600 miles away.
Operation Nutcracker, as we'll call it, spanned two nights. By the time the sun started to scroll over San Antonio on the second day, the hackers had penetrated seven of XYZ's computers. They'd invaded a subsidiary near Washington, D.C., and the corporate tax division in Manhattan. They'd gained "root access" on five systems, meaning that they'd seized the full powers enjoyed by XYZ's systems administrators. Most alarmingly, they'd invaded XYZ's electronic heart--sophisticated computers used exclusively by its technology department. (For a detailed account of the hack, see box.)
The operation was never detected; fortunately for XYZ, the hackers had no malicious intent. They were experts at WheelGroup Corp., a San Antonio security firm that conducts "external assessments" as a diagnostic service for clients. Two months before, a WheelGroup executive had boasted to FORTUNE that the firm had yet to find a network it couldn't pierce electronically. "It's really very easy to do," he'd said. "If it's a big network, it may take us an evening. Otherwise, it may take two hours."
That was Texas optimism; all computer systems are different, and making Nutcracker succeed took longer. But WheelGroup has the requisite hacker talents--technical ingenuity and stare-at-the-screen obsessiveness--in abundance. Most of its founders are ex-military men who served in the Air Force Information Warfare Center; in 1994, four of them teamed up to capture one of the military's most notorious hackers.
FORTUNE saw the boast as a challenge. It took some time, but we found a well-regarded FORTUNE 500 company that was willing to serve as a guinea pig, provided its name wasn't disclosed. To make the exercise realistic, XYZ agreed that its chief of information systems would be kept on the sidelines; a team of computer experts from the Coopers & Lybrand accounting firm was retained to monitor the break-in and safeguard XYZ's computers and data.
Nutcracker's success attests to what every technology manager knows: The more the computers of the business world become interconnected--via the Internet and private networks--the more exposed they are to break-ins. Says Bruce Schneier, author of the book E-mail Security: "The only secure computer is one that is turned off, locked in a safe, and buried 20 feet down in a secret location--and I'm not completely confident of that one either."
On a planet where at least 200 million E-mail messages traverse cyberspace each day, and where companies depend increasingly on networks to speed communications with customers and suppliers, enemies and mischief-makers no longer need to trespass physically on corporate turf. Computers offer ready points of entry for spies, thieves, disgruntled employees, sociopaths, and bored teens. They're all hackers, a term that once meant hobbyist but now denotes someone who barges into a system uninvited. Once they're in your company's network, they can steal trade secrets, destroy data, sabotage operations, even subvert a particular deal or career.
Computer vulnerability is becoming a giant, expensive headache. Corporate America spent $6 billion on network security last year, according to Dataquest. Nevertheless, when the FBI and a respected think tank surveyed some 400 companies and institutions last March, more than 40% reported recent break-ins. Some 30% of all break-ins involving the Internet took place despite the presence of a firewall, a computer equipped with costly software that is supposed to let only legitimate traffic pass. The going estimates for financial losses from computer crime reach as high as $10 billion a year.
But the truth is that nobody really knows. Almost all attacks, like our invasion of XYZ Corp., go undetected--as many as 95%, says the FBI. What's more, of the attacks that are detected, few--perhaps 15%--are reported to law-enforcement agencies. Even at that level, the good guys can't cope. Speaking before hundreds of computer experts from IBM, Fidelity Investments, Mobil, the Secret Service, U.S. Customs, and other institutions last fall, Dennis Hughes of the FBI declared flatly: "The hackers are driving us nuts. Everyone is getting hacked into. It's out of control." Hughes should know: He is the FBI's senior expert on computer crime.
The companies Hughes was addressing did recently get a break: In October, President Clinton signed into law a new bill that should make it easier to prosecute hackers. The bill allows for criminal forfeiture, fines of $10 million, and sentences of 15 years in computer cases involving economic espionage--broadly defined as stealing trade secrets from U.S. companies. The law permits corporate victims to use court orders to safeguard secrets in the courtroom. There's just one caveat: The corporation is required to have taken "reasonable measures" (like installing firewalls) to keep its data secret.
Companies that fail to take reasonable measures may lose more than just secrets. A new concept--"downstream liability"--is emerging in computer law. Say a hacker exploiting XYZ's lax security invades its network and uses it as a springboard to disrupt computer operations at other companies. If the other companies' damages are substantial, they might seek to hold XYZ liable--especially since hackers rarely have deep pockets. While there hasn't been such a case to date, computer experts say it's only a matter of time.
A terrifying variant of downstream liability arose in the case WheelGroup's experts solved in the Air Force. During three weeks in 1994, more than 150 Internet intrusions came through Rome Laboratory, the Air Force's top command-and-control R&D facility. The perpetrators--a 16-year-old British hacker and an associate who was never identified--used the Air Force computers as a hopping-off point to invade computers of several defense contractors and the South Korean Atomic Research Institute. (For a time, investigators feared that the atomic-research computers belonged to North Korea, whose leaders could have taken the intrusion as an act of war by the United States.)
Another victim of the British hacker was Xilinx, a $600-million-a-year computer-chip maker in San Jose. Recalls Eric Schemmerling, Xilinx's technical manager: "Our people were tricked into giving password information about our system. The passwords wound up on computer bulletin boards all over Europe. We eventually had a ring of people using our site to hop into government facilities. We became a public hack express."
Despite these and other horror stories, thousands of companies have yet to install even the most rudimentary defenses--such as insisting that employees use hard-to-guess passwords. A 1995 survey by the American Society for Industrial Security found that 24% of corporations have no procedures for safeguarding proprietary data. Another industry survey revealed that nearly half of U.S. companies don't even have a basic security policy for their computer systems. Warns WheelGroup's Lee Sutterfield: "If CEOs don't believe that this is a problem, at some point they're gonna get whacked."
David Rivera, one of the Coopers & Lybrand experts who monitored Nutcracker, has helped test-hack two dozen corporate clients. The latest: a pharmaceuticals giant whose systems he invaded in December. "We were led to a computer in a conference room that was accessible to every employee," he says. "In less than an hour, we got so far into the payroll system that we could have given anyone a bonus. Within two hours, we cracked 30% of their passwords. They were shocked."
Wind River Systems learned its lesson the hard way. A publicly traded, $44-million-a-year software company in Alameda, California, Wind River had set up an Internet site to exchange E-mail with customers. The system was protected by just a rudimentary firewall. By guessing some passwords, hackers in Germany were able to sneak through the firewall and gain access to Wind River computers in France and California.
An inflated bill for Internet access tipped off systems administrators that something was wrong; they checked the computer logs and found hacker footprints. Says Steve Sekiguchi, the company's top technology manager: "You could see them logging into various machines in our network and wandering around in the middle of the night. The legitimate users were home asleep."
Like many computer-crime victims, Wind River cannot determine whether anything was stolen; at worst, the hackers made off with programming code whose circulation could hurt future sales. "Our family jewels are software, and once it's out, it can be duplicated forever," says Sekiguchi, who is now outsourcing computer security to a firm called Pilot Network Services. "We're like a lot of companies. Once a hacker gets in the front door, he's in the house. Nobody locks the doors between the bedrooms, the kitchen, and the dining room. So once a hacker is inside, you don't know which rooms he's been in."
Wind River's problem is common; its willingness to discuss it is not. Most companies that have been electronically molested won't talk to the press--or even the police. "Nobody wants to be on the front page of a newspaper because they were broken into," says Lloyd Hession, a key architect of Internet security for IBM. "A big concern is loss of public trust and public image." Not to mention making your company a target for shareholder suits or copycat hackers. Moreover, many executives fear that calling the cops will hinder their operations. "There's a common misconception that if you call the FBI, we'll haul your entire computer system away in a 40-foot trailer," says an FBI agent in San Francisco. "The level of ignorance out there is just amazing."
When Citibank discovered in 1994 that a group of Russian hackers had made $10 million in illegal transfers, the bank had a private security firm quietly crack the case. All but $400,000 was recovered. Citibank eventually spoke to the FBI and the media. It was apparently an outside job, the first such grand larceny in cyberspace--or at least the first a major bank has admitted to. Citibank's reward for being forthright? It saw its top 20 customers wooed by rival banks, all claiming their computer systems were more secure.
If money in the bank is vulnerable, how safe are the secrets you put in your E-mail? When sent via the Internet, E-mail is like a postcard that can be read by hackers or copied in every "post office," or Internet computer, it passes through. E-mail confined to a private network isn't necessarily more secure: Tools for getting to it are readily available to hackers. "Just assume that anything you can do, someone else can do, like accessing E-mail from a remote location," says security expert Schneier.
Computer attacks can originate anywhere. Even in the age of the globe-girdling Internet, the perp frequently is no farther away than the office next door. At Intel, a technical contractor named Randal Schwartz used his access to company premises to steal a password file from a network server. The file was encrypted, or scrambled, for safety, but Schwartz simply ran a program designed to break the codes. Intel had him arrested before he did any damage.
Chemical Bank suffered a security breach several years ago involving one of the top technology administrators at headquarters in New York. The administrator, who went by the office nickname Mad Dog, was caught erasing E-mail that was unfavorable to him from colleagues' computers. Subsequent investigation revealed that Mad Dog had also been using his computer to do consulting work for a rival bank. His career was over.
At the same time, security breaches from outside are on the upswing. Last February, FBI director Louis Freeh told a Senate panel that 23 countries are engaged in economic spying against American business, succeeding in some cases "with a few keystrokes." Major culprits: China, Canada, France, India, and Japan. The FBI's Hughes says that at least seven nations are training intelligence agents to hack U.S. computers for commercial data.
More and more freelancers are getting into the act. Hackers thrive in the Internet's anarchic subculture, which glamorizes their skills. For some, sneaking into computers is an adolescent phase they outgrow; others never do. Consider Brooklyn's Morty Rosenfeld, 25, who was convicted in 1992 after a Secret Service raid on his house netted 176 credit reports he had hacked from TRW, the giant credit-information provider. Rosenfeld's grand plan was to build and sell PCs using parts bought with stolen credit card numbers.
Having paid his debt to society with eight months in prison, Rosenfeld is back in Brooklyn. He feels he is reformed, but he's still hacking. "I'm invading systems on a regular basis," he says. "You have to learn new techniques to stay current." One recent target: a McDonald's office in Manhattan. "Security was lax, and they were running some software I wanted to test," Rosenfeld says. "McDonald's is a training hack, a baby hack."
There's demand for a man of his skills. Rosenfeld has been in talks with Panasonic Interactive Media to sign a juicy six-figure deal to develop a computer handball game. "So he was arrested for hacking--that's no big deal," says Panasonic manager Jim Jennings. "I've done stuff like that too. I'm 40 years old, and most guys in my generation did. That's how you learn. You break into programs, commit piracy, all kinds of wild and crazy things."
Another admirer is Rosenfeld's local Internet service provider, Escape Internet Access Services. It gives him free Internet service in exchange for security advice and the latest gossip about hackers. "Trust me, it's better to have them on your side than against you," says a manager at Escape. Of course, Rosenfeld did use Escape's service to hack McDonald's.
Rosenfeld is also a master at "social engineering," hacker-speak for tricking workers into offering information that will help during break-ins. That appeals to Al Zaretz, a private eye who has worked with Rosenfeld in the past. Zaretz runs A-Z Investigative Services in New York City and is in the business of corporate espionage. He knows not to ask too many questions about the source of valuable data. "Corporations don't hire me to infiltrate computers," he says. "They hire me to get the information. I've paid as much as $100,000 for a file. I don't always know the method we use because I subcontract it, but the information generally is taken out of a computer."
Whatever a hacker's motive, in the frontier world of the Internet, virtually every weapon he needs is just a keystroke away. The renegade Intel contractor got convicted, but the software he used to decode stolen passwords, a program called Crack, is still available free on the Internet. (In a recent test, WheelGroup used Crack to break 42% of a client's passwords.) Rootkit is another Internet freebie; it helps hackers gain root access to computers they invade. "War-dialing" programs, like the one WheelGroup used to penetrate XYZ, are also freely available on the Net. They let hackers scan thousands of phone numbers in search of those connected to modems.
Periodicals like Phrack and 2600: The Hacker Quarterly provide step-by-step tips for hackers. They claim they're performing a public service by helping people exploit gaps in computer security. Secrets of a Super Hacker, available in paperback at bookstores everywhere, offers many ideas for committing computer crime at corporations, including posing as a journalist to get a company tour. Once you're in the door, writes the author, who calls himself Knightmare, "if you're suave enough, you can talk a proud computer owner into showing off the power of his machine...This can only help you when you go home that night and hack the place." Theft is another option. Knightmare writes coyly: "I am not going to suggest that you actively steal [computer] disks that you find in an office or wherever, but if you can manage to sneak one away for a few days..."
Among the most potent intelligence-gathering tools are "sniffers." These are programs that, planted in a computer that is connected to a network, work like hidden recorders, capturing E-mail messages and passwords as they flow by. "You can get inside information on everything flowing through a company," says Daniel Kozin, a Boston computer-networking expert. Dan Webb, a Seattle security consultant, once helped a major real estate developer nab an employee who was sniffing a colleague's E-mail. He'd been selling the information to a Japanese rival, which had used it to win bidding contests.
Hacker technology gets more exotic still. The FBI won't comment, but security experts believe it used a so-called Van Eck device to capture CIA double-agent Aldrich Ames. The gizmo is named after a Dutch scientist who in 1985 published a paper explaining how an ordinary TV set can be modified to pick up emissions from any particular computer screen at a distance of up to two kilometers. The National Security Agency routinely classifies information on the subject, but today you can buy a high-quality Van Eck unit for $4,000 out of a catalogue. It will let you see everything your victim sees onscreen, and even watch him type--keystroke by keystroke.
In 1992, Chemical Bank discovered a Van Eck aimed at its credit-card-processing facility in Manhattan. The police offered to help, but the bank turned them down. More recently, a unit of a major chemical company spotted a Toyota van with a suspicious antenna in its parking lot. "It was clearly a remote Van Eck interception program," says Winn Schwartau, a Florida consultant who describes the devices in his book, Information Warfare: Cyberterrorism. "We brought jamming equipment and within three days the van was gone. The company didn't confront the spies. It was conducting a lot of corporate and government business and just wanted the problem to go away."
One of the smartest things a company can do to ward off hackers is to scramble the traffic that flows through its networks. Encryption software, which jumbles messages so they are virtually impossible to decipher without the requisite keys, is becoming easier to use and will eventually be common in corporations.
Companies also need to teach employees to be security-conscious. Passwords are a notorious weak link. Operation Nutcracker succeeded largely because some passwords were lacking and others easily guessable. Technology managers are forever urging users to create codes that are hard for even a computer to guess, but people prefer passwords they can relate to--favorite sports teams, astrological signs, children's names. Police last year raided a Mob-linked gambling house in New York where bookies were using IBM computers to handle $65 million of bets per year. Police cracked the system's security after discovering that one of the gangsters was using his mother's name as a password. Writes Knightmare: "The dumb password will be a good guess for a long time to come."
Using the Internet tends to compound security problems. Companies love the Internet for the ease with which it lets them unite disparate networks and form links with customers and suppliers. Yet the risks can be daunting. At Pinkerton, the world's oldest security firm, executives debated for years whether to start using the Internet for business. The company was growing fast in part by scooping up smaller firms, and was having difficulty unifying the E-mail systems of the new units any other way. But technology managers like Ed Lien were cautious. "Can you imagine what would happen to the Pinkerton name if we had an infraction through the Internet?" he says. The decision to move forward went all the way up to the CEO.
The challenge of invading companies like Pinkerton is what truly inspires amateur hackers. One underground group, the Internet Liberation Front, claims it can penetrate virtually any firewall. "Just a friendly warning to Corporate America," reads its manifesto. "We have already pillaged your million-dollar research data...So you'd better take an axe to your petty f---ing firewall machine before we do." Hacker braggadocio? Perhaps. LAN Times, a trade magazine, tested seven leading firewalls last June and found all lacking.
Some innovative defense systems have begun to emerge. Today Pilot Network Services in Alameda, California, is widely considered the state of the art. Rather than connect directly to the Internet, Pilot's corporate clients hook their networks to one of the company's service centers around the country. There, for about $5,000 per client per month, Pilot provides supervised Internet access. This involves a "dynamic" five-layered firewall with data pathways it routinely alters to fool hackers. The system is monitored around the clock by a team of electronic cops (human ones). Explains founder and CEO Marketta Silvera, a 28-year computer industry veteran: "You're dealing with a challenge that moves. If you buy a static, shrink-wrapped firewall in a box, so can a hacker."
Complex as it seems, Pilot's system works. Seeing it in action is what persuaded Pinkerton to venture onto the Net. Last year Trident Data Systems, a well-known security consultant for the Pentagon, conducted an independent review of Pilot's system. Its report concluded that "of all the various audits Trident has performed, Pilot was by far the most secure network we have encountered." Clients like the Gap, Hitachi America, PeopleSoft, Playboy Enterprises, and Twentieth Century Fox echo that kind of praise. Each still attracts anywhere from one to 30 intrusion attempts per day, most of which are considered minor. Serious attacks often originate overseas, particularly in Germany, Japan, and Eastern Europe.
A typical one occurred at sunup on October 3. An alarm buzzer sounded in Pilot's operations room in Alameda. As the engineers watched, an outside computer made nearly 1,000 unsuccessful attempts, at a rate of 20 per second, to invade a customer's network. The pattern suggested that the hacker was using scanning software in search of a vulnerable computer port. Quickly the engineers identified the intruder's host computer and blocked its access to Pilot's customers. But Pilot doesn't always cut off an invader right away. Sometimes the engineers will let a hacker penetrate one or two layers of the system's defenses, the better to study his methods. "We can watch a hacker's keystrokes like we're sitting behind one-way glass," says Silvera. "They don't even get close to my clients."
WheelGroup, meanwhile, has developed an innovative solution aimed at thwarting hacker attacks within corporate networks. It is a hardware and software package called NetRanger that lets a customer monitor and alter computer traffic in real time--like a flight controller guiding planes. The $25,000 device can also be programmed to work automatically, squelching suspicious internal activity and sounding an alarm when it detects any. Says Allen Forbes, a top computer-security expert with AT&T Wireless Services: "This is definitely the cutting edge."
Last summer, after the National Security Agency tested and verified the NetRanger's traffic-filtering component, the Pentagon bought 32 of the devices. One application: to help prevent what a Defense Department panel, warning darkly of national-security threats posed by hackers, has called an "electronic Pearl Harbor." Unlike missile systems, H-bombs, and other old-fashioned defenses, computer-security devices are practical in peace as well as war. In the coming century, they may prove just as essential in the affairs of commerce as those of state.
REPORTER ASSOCIATES Amy Kover and Melanie Warner