Computer Hackers, Computer Crackers and Computer Security

By now almost anyone who's watched a sporting event on television the past year has seen those IBM "e-business" ads. In one, an executive traveling overseas is awakened with the call "We've been hacked!" As he groggily tries to comprehend what's happened, his company's caller abruptly hangs up, leaving him to drown his confusion in cappuccino. In another, two Generation Xers hack into a firm's personnel files, and e-mail every executive the payroll amounts for their fellow execs. Hackers strike again!

First, let's get some terms straight: Non-techies use the term "hacker" to describe "any computer over-enthusiast, or a criminal who hacks in -- gains unauthorized access -- to computer systems to steal or destroy data," according to Hotwired.com's Web 101 glossary. A "cracker" is what programmers call illegal-entry criminals, since not all hacking is criminal in intent or result. While often worn as a badge of reverse honor, the term "hacker" also refers to an amateur or self-trained programmer, and depending on the context can be either a compliment or insult.

Hackers are generally kids out for a joyride on the Internet, while a cracker "is somebody who has mental problems, who's probably been locked in a room with a computer for way too long," says Doug Goddard, president of The Client Server Factory [http://www.tcsf.com] says. "Hacking is more for a 'gotcha,' done for the thrill and challenge while crackers are people who are trying to destroy something." Hackers often end up going legit, setting up thriving security consultancies and catching their old hacker pals. Crackers often end up building one-room cabins in Montana near power and telephone lines.

Generally, Goddard says, "I think it's good those guys are around, there's a lot of innovation that comes out of that. For one thing, computer security is greatly enhanced."

As a matter of fact, some of the more celebrated hacks are purely mischievous pranks. In October 1996, President Clinton signed the Economic Espionage Act, which made prosecution of computer crimes easier, spurred at least in part by hacking in August and September that covered the Justice Department's site with swastikas and pornographic pictures, and replaced the Central Intelligence Agency's Web site files with spoofs.

Yet it's getting much more serious. As far back as 1996, hacking was costing businesses $800 million a year, according to investigators of the Senate's Permanent Investigations Subcommittee. Few security breaches are reported, since to admit one's security had been compromised would scare off potential customers. The subcommittee's study also concluded that nearly half of all break-ins are committed by internal users.

A more recent survey published by WarRoom Research polled executives from more than 200 companies about their experiences with electronic intrusions and rip-offs. It found that more than half of the respondents had had "at least one" outside attempt in the past year to gain access to their company's secure computing system. A quarter of the victims reported "more than a dozen" attempts -- and over half reported the attempts had been successful. Reliable current estimates of the damage to business are impossible to come by, since the majority of execs in the survey said they wouldn't report any hacking damage anyway.

The number one goal of malicious hacking is industrial espionage, the WarRoom survey concluded, with theft of funds, passwords and data also reported. According to a CNET story on the report, "more than half the respondents calculated the cost of the intrusions at over $50,000 in either actual losses or costs accrued implementing tighter security measures. More than 30 of those surveyed admitted to costs in excess of $1 million."

Types of Hacking Attacks

Internet security vendors Velocet Security list the major types of hacking attacks:

• Trojan Horse. This is a program containing a concealed malicious code, and is often used to steal passwords. The login program of a computer is replaced with one that copies the passwords used by the computer owner. This information can then be used fraudulently.
• E-mail Fraud -- Forgery and Anonymity. E-mail is a great way to communicate over the Internet, but is particularly suited for anonymity. Many online scams depend on fraudulent e-mails.
• Viruses/Malicious Codes. The most familiar form of malicious code is the computer virus, a fragment of code that attaches to the boot sector of a disk or to executable files on the disk. Whenever the boot sector or host file is loaded into memory and executed, the virus is activated, spreading from computer to computer through floppy disks and computer networks. Some of these viruses reformat hard drives, destroying all their files. Others are simply nuisances, printing messages or graphics, playing music, or causing congestion that slows computers down.
• Worms. In 1988 a graduate student at Cornell University launched one of the most famous worm hacks. These are active programs designed to spread through computer networks, often causing catastrophic damage. The 1988 Internet worm eventually infiltrated thousands of network computers, completely incapacitating them.
• Bombs. There are many kinds of bombs. "Logic bombs" are malicious codes that "detonate" in response to some event. A "time bomb" simply goes off at a particular time. Viruses can act like time bombs, lurking in the cyberdark until they have had a chance to spread and "explode" suddenly. A famous example is the Michelangelo bomb, which was supposed to explode on the artist's March 6 birthday. "Letter bombs" are destructive e-mail messages which can explode when the message arrives, is read or loads into memory.

Protection Measures

By and large, anti-hacking measures fall into the following broad categories:

• Firewalls. The most popular solution to business security concerns, Velocet says, is the firewall, a computer that shields the internal network of a company from the Internet at large. They also allow the construction of security domains within the company network.
• Encryption. Encryption schemes encode a file or program, protecting them during local storage or transmission via FTP or another electronic transfer method. An example is Secure HTTP, a protocol enabling cybershoppers to click a "secure submit" button at a shopping site to encrypt their order forms and secure their credit card data. Encryption can be used to facilitate all aspects of security.
• E-mail Security. E-mail is increasingly protected, using such technology as encryption, digital signatures and anonymous mailing services.
• Passwords and PINs. Effective against low-level nuisance hacking. These restrict access and identify individuals online. There are products on the market, token authentication systems, which will generate a new PIN almost every minute so there is no chance the code could be stolen and used.

Can Uncle Sam Stop It?

The cyber-community is generally skeptical, if not downright contemptuous of government involvement in their world -- unless you happen to bear a grudge against Microsoft. In 1998, PC World News's Brian McWilliams reported that security experts dismissed Attorney General Janet Reno's plan for a National Infrastructure Protection Center as insufficient. The proposed NIPC would cull talent from the Department of Defense, the CIA, and other agencies, serving as the government's central command center for responding not only to attacks on government networks and systems, but to private institutions as well.

Many firms simply aren't aware of the security risks. Many think, for example, that since all they have on their Web site is their brochure that that's all a hacker could access. "They don't even realize that someone can see all the workstations" once they get in the system, Goddard says. Should you have security concerns for your firm, Goddard recommends, "get a turncoat hacker who's working as a security consultant," and pay him good money to hack away.