Fear of "hackers" and electronic whizzes is spurring some Southern California corporations to tighten security at their computer installations.
But many companies have hardly protected their computer systems at all and could be sitting ducks for electronics experts eager to steal secrets or money, according to a recent Price Waterhouse study.
This is the age of computer "hackers" who--like 19-year-old William Landreth of Poway, now on probation for breaking into GTE Telemail, an electronic mail network--use home computers and telephone hookups to crack into computer networks, where Americans' business and personal secrets are stored on magnetic disks. Others have no trouble stealing post card-sized "diskettes" that contain information on the credit ratings, medical histories or income sources of thousands of people.
Nationwide, such misuse of computers costs billions of dollars annually. And the problem might be worse than the estimates indicate because companies seldom publicize such crimes, fearing that they'll lose investors or customers, experts told The Times.
Cases of computer fraud or break-in occur in San Diego County an average of once every three to four months, according to an estimate by a knowledgeable figure in San Diego financial circles who insisted on anonymity.
In an effort to stem the tide, some firms have taken the following steps:
- Built big, ominous-looking computer headquarters guarded with TV cameras and full of "1984"-style devices such as the "man trap," which traps an intruder inside a room. An example is Home Federal's new $20-million computer headquarters in Sorrento Valley.
- Purchased insurance policies to cover losses or lawsuits triggered by someone's unauthorized use of a computer. The San Diego insurance firm of John Burnham & Co. offers several such policies, including one from the underwriter Shand, Morahan & Co., that provides as much as $30 million in coverage with deductibles as low as $10,000.
- Cracked down on employees who leave diskettes lying around or who commit gaffes--for example, pasting their password to the side of a terminal.
- Hired consulting firms, such as Compusec of San Diego, that specialize in computer security. Compusec's experts test a computer system's penetrability by, among other things, attempting to crack into it. Their services can cost millions of dollars--and business is booming.
At Compusec, "We've gone from two people three years ago to 50 now," according to its president, David Snow, a mathematician whose clients include the Air Force. "And we're still hiring. We expect to break 100 next year . . . What really increased our business was the movie 'WarGames,' " about a youthful hacker who almost starts World War III by breaking into a military computer.
Another San Diego firm that specializes in computer security is the Merdan Group Inc., where--thanks to recent booming business--"we can't train specialists fast enough," said Gilbert Huey, president of the firm. Its consultation fees range from $15,000 to $400,000.
Corporations might garner cheaper advice from the soon-to-be-published autobiography of one of the nation's most publicized hackers: Landreth, the Poway youth who became an underground hero to hackers nationwide who knew him only by the code name "The Cracker."
Landreth was indicted in May by a federal grand jury in Alexandria, Va., for breaking into the private electronic mail network operated by GTE Telemail of Alexandria. His tools were a home computer and a device called a modem, which transmits computer signals over telephone lines. GTE Telemail's customers--which include NASA--communicate by transmitting messages over the Telemail network.
In November, U.S. District Judge Rudi Webster put Landreth on three years' probation and ordered him to finish high school, reimburse GTE $87 for unauthorized use of its computer system, and complete 200 hours of charitable community work.
Landreth's book, "Out of the Inner Circle," is scheduled for April publication, according to Microsoft Press of Bellevue, Wash. A publishers' spokeswoman said the book will, among other things, advise companies how to avoid computer break-ins; she refused to divulge details. Landreth declined to talk to The Times.
Since the Landreth debacle, red-faced officials at GTE Telemail have greatly tightened security procedures by requiring system users to type in six-character passwords instead of three-character passwords.
"We did some calculations and we found that if you use a password that's only three letters long, it takes a personal computer user two minutes to come up with all the possible combinations--and, in short, to come up with your password. If you use six characters, it takes two years, " according to GTE spokeswoman Claudia Houston.
Those few extra characters can make a big difference. Assuming that a password can use the 26 letters of the alphabet, the total number of arrangements--or permutations--possible for a six-character password is 309 million, according to San Diego computer consultant Walter Venable.
And the longer passwords really seem to make a difference. At GTE Telemail, some attempts to crack into the system have been made since Landreth's time--none successfully, Houston said.
Computer operators are also starting to share security tips. The Computer Security Institute of Northborough, Mass., has gained national stature. "Just a few years ago, that was a small, tightly knit group of people. This last time, at the (Institute) convention, there were 1,300 people," Houston said.
The data processing department of Los Angeles County is seeking bids from consulting firms interested in assessing its computer security. Bids are due by Feb. 25, said department director Edgar H. Hayes.
In a San Diego County study, "over half of the companies polled . . . felt that they had not adequately addressed the security of their data files," according to Lloyd Russell, director of management consulting at the San Diego branch of Price Waterhouse, which conducted the survey.
"We must have 50,000 microcomputers in San Diego County; that's a lot of data. And it shows how vulnerable we've become," Russell said. "Executives at the top levels of companies are putting some pretty sensitive data on diskettes, like competitors' information and vending information and pricing information. Those little diskettes are pretty hard to keep out of the wrong people's hands . . . You can just walk out of the office with it."
Poor morale is often a cause of computer break-ins, experts think. Disgruntled employees destroy computer files, steal information and even insert profanities into computer transmissions.
Willingness to invade computer systems reflects larger social trends, Huey of Merdan believes: "We are faced in industry with a general problem of personal ethics and loyalty that seems to have deteriorated in the last 20 years. It has to do with the whole breakdown of the family, with the fact that people's careers are more fluid. Moving from one company to another, they have less loyalty to one company."
Price Waterhouse has recommended a number of security steps: for example, the creation of "read-only" files that a low-level employee can read but not change; computerized logs that record each use of the system; regular changes of passwords; deletion of ex-employees' passwords, and prompt investigation of repeated, unsuccessful attempts to "sign on" to the company computer.
Even more important is "physical" security--that is, preventing undesirable people from getting physically near the central computer or its many terminals.
An example is Home Federal's new computer headquarters, a structure that has no identifying signs except a number on the side. Here is the computer heart of Home Federal's statewide financial operations, including its hundreds of 24-hour teller machines.
To confuse would-be intruders, the entrance is on the far side of the building, away from the parking lot. Remote-controlled TV cameras scan the surroundings.
Upon entering the building, a visitor must talk to a guard, who gives the visitor a red identification card. The card, when inserted in a slot, admits the visitor through a gate.
"As far back as I know, no one has ever penetrated the system," according to Gideon Urbach, a top executive in Home Federal's computer department.
A similar structure is the Great American building, which opened in January, 1984, to monitor the system of 700 human tellers and numerous teller machines statewide, said executive vice president Rodney Tompkins. "So far it's worked," he said. "We've had absolutely no one in there who didn't belong in there."
Anti-hacker technologies include:
- Encryption devices that encode computer signals. Only the recipient can crack the code. All Home Federal banking data is transmitted in a special code that "would take a very large computer thousands of years to crack," Urbach said.
- "Callback" or "dialback" systems. To enter the computer network, a user dials the number and connects his computer to the telephone. Then the callback device automatically "hangs up" and dials him at his home number, or whatever number he is authorized to phone from. That way, an unauthorized user can't tap into the computer network from an unauthorized location--say, a motel or a telephone booth.
A disadvantage of a callback system is that it can only call a certain number, which limits one's access to the system if one is traveling. Worse, clever hackers have discovered ways to get past callback systems--ways that computer consultants are reluctant to discuss.
A drawback of all these precautions is that red tape thickens as computer security improves.
"Sometimes it's so extensive that our regular users resent all the security they have to go through just to do their jobs," said John Crane, director of data systems for the San Diego Unified School District. Last year, students at Gompers High School broke into the school computer and changed several students' grades.
The district's central computer isn't vulnerable to break-in, as the Gompers computer was, Crane said.