NEWS ANALYSIS: Real Computer Threat Laid to Criminals, Not Hackers: Internet: Individuals, companies worry about security. Dangers--and remedies--are the same as for other crimes.

TIMES STAFF WRITERS

A week after the arrest of hacker extraordinaire Kevin Mitnick, the Internet computer network that served as his playground is clogged with recountings of his exploits, persistent (false) rumors of his escape, and advertisements for “free Mitnick” T-shirts.

But the most pervasive question on the far-flung, fast-growing Internet remains, in the words of one nervous member: “What’s being done for security?”

Mitnick’s arrest, which followed an intense six-week hunt by law enforcement authorities and an angry computer scientist, set off alarms about society’s vulnerability to computer masterminds. The San Fernando Valley native--the quintessence of the nerdy, maverick genius with computer expertise far beyond that of mere law enforcement mortals--had gotten hold of tens of thousands of credit card numbers and cracked dozens of companies’ computers.

It’s a specter that gives pause to individual Internet users and to the many large corporations with ambitious plans for electronic expansion on the worldwide network.

But experts in computer security say the real threat comes not from brilliant hackers out to make a reputation, but from white-collar criminals who view computers as one more way to steal competitive information.

Indeed, the dangers posed by computer criminals differ little from the dangers posed by criminals in other realms of society. It’s corrupt employees and organized gangs that pose a threat--not free-lancing youths.

“We are seeing a transformation in the type of hackers from the Mitnick type, young hackers motivated by a sense of anarchy, to those who commit computer crimes to make money or to get back at people,” said Mark Rasch, a Washington attorney who specializes in computer crimes and prosecuted Robert Morris, a Cornell student whose Internet worm was held responsible for crashing hundreds of computers on the Internet.

Moreover, if businesses employed basic security measures, such as encrypting sensitive information, experts say, the “hacker threat” would be much reduced. Even the highly skilled Mitnick, after all, was caught relatively quickly once his capture was made a priority by people who were his equals.

And the public must shed the idea that information stored or transmitted on computer networks can or should be more secure than, say, information traveling by voice over a telephone line--or information stored on paper and stuffed in a file cabinet.

“The key is that there are things that can be done today to secure the networks--they’re just not being done,” said James Settle, former chief of the FBI’s computer crime squad and now a computer security consultant. “The security tools that are out there now can work.”

Ironically, it often takes a hacker stunt to induce business to plug security holes. Since the Mitnick arrest, Netcom Communications--the large Internet access provider from which Mitnick allegedly stole 20,000 credit card numbers--no longer stores unencrypted card numbers on its servers.

That, and the fact that Mitnick never used the cards, has led a minority to defend Mitnick and those of his ilk. Emmanuel Goldstein, the pseudonym of the editor of 2600, a hacker magazine that Mitnick wrote for, says: “Netcom was vulnerable to attack for months before Mitnick did whatever he allegedly did. . . . Long live Mitnick. Viva la revolucion.”

None of this is to say that hackers are not a danger. But unlike the old hackers who sought media attention by pulling attention-getting stunts like turning off power systems or getting into high security government computers (cracking AT&T was always a favorite goal), these new hackers attack the more mundane but more profitable realm of information.

“The hacker threat is far overblown,” said John Jessen, a Seattle computer expert who helps companies victimized by computer crime. “The lone ranger against the system sounds great, but as a practical matter, you don’t see it.”

“Far worse and on a much more destructive scale is employees who collect phenomenal volumes of information about a company and then leave and start a competing company,” Jessen said. “Those cases are going through the roof.”

Often it is a disgruntled employee. In one case, Jessen said, a company sent a thief posing as a temporary worker to a competitor to steal key information.

High-capacity computer storage devices have made it possible to store a typical company’s entire information system on a couple of microcassettes. There is no need to steal or photograph large, clumsy blueprints for a new product: Most designs are stored in digital form and can be typically downloaded onto a floppy disc that slips into a shirt pocket.

Competitors are another suspect in computer crimes. When a New England manufacturer was undercut by $1 million on a competitive bid, it got suspicious. A quick check showed the company that its computer system had been cracked by a competitor.

The average computer user is seldom a victim of hackers. For all the attention given to computer viruses, for example, few individuals have been attacked by one. And although commerce over the Internet raises the fear that more people will be able to steal credit card numbers, Visa officials say special safeguards that track typical purchases of card users would catch such thieves.

Visa places an extra charge on Visa transactions performed over the net, the same extra charge placed on Visa transactions by mail-order houses.

Still, those who monitor computer networks say the potential damage that can be caused by hackers is substantial and growing yearly. The Department of Energy, which manages the nation’s weapons laboratories as well as parts of the Internet, says it has had hundreds of cases of snoopers breaking into computer systems each year.

“The problem is fairly significant and it’s going to get a lot worse,” says Sandy Sparks of the Lawrence Livermore Laboratory and head of the DOE’s Computer Incident Advisory Capability, the contact point for computer problems. For the Internet, Sparks said, break-in incidents have increased by more than 73% in each of the last two years. “The potential for significant disaster is there,” she said. “We’ve got ourselves interconnected before securing ourselves.”

Sparks argues that hackers no longer require elaborate skills because they can download tools from on-line bulletin boards that help them break into systems. “You don’t have to be as sophisticated as Mitnick today.”

In most cases, the worst hackers do is cause damage that requires huge amounts of time by system administrators to repair. In part, that’s because there isn’t much on the Internet today that is worth stealing. That could soon change.

“As we put up funds transfer systems on the net, these systems will attract people whose interests aren’t just academic,” said Vinton Cerf, an MCI senior vice president and president of the Internet Society, which oversees standards on the Internet.

“We’ve grown up from the small town where everybody trusts each other. Now we’re a big city,” Cerf said. People will miss the days when they didn’t need elaborate security systems, “just like we miss the days when we didn’t have to lock the front door.”
