one of his friends across the country hacks into the computer
system of a company that processes credit card transactions for
Web sites. He goes deep into the system, finds and downloads the
credit card files of 1,200 customers, with their Internet addresses,
usernames and passwords. After clicking to a hacker community
Web site, he launches his furtive attack on those 1,200 home and
office computers, implanting each with his stealth code which
lies dormant until he issues further attack instructions hours,
days or weeks later. At his signal, 1,200 "drones" will
simultaneously attack the specified target. It could be Yahoo
or AOL. It could be your local Internet Service Provider - PacBell.net,
JPSnet, or Quiknet. It could be any business with a Web site.
What is clear: the attack will tie up systems and system administrators
Welcome to the brave new world of computer insecurity. It's a
world of stealth software and denial of service attacks, of worms
and viruses, spam storms and mail bombs, script kitties and drone
bots. And it's a world we're going to inhabit for a long time.
Tim Burke, CEO of Quest, a Sacramento-based technology consulting
firm, has watched this world evolve at lightening speed and has
positioned his company to join the battle while growing from a
company selling office supplies to more than $100 million in revenue
as a technology consulting and management firm. Burke's current
customer base includes companies with 200 users or more, but he
says this ever-widening wave of computer security risks extends
to even very small users. "Companies believe that security
is static, like a medieval castle. They say, 1 built a firewall
and now I'm safe.' A lot of companies don't understand that the
security process needs to be managed regularly."
The incidents cited at the beginning
of this article are not fiction. They are real and widespread.
With some variation, they happen every day; in fact, several hundred
times a day - both across the country and here in Sacramento.
And the frequency and dollar damage caused by cybercriminals have
grown exponentially. The Computer Emergency Response Team Coordination
Center ("'CERT") at Carnegie-Mellon University in Pittsburgh,
Pennsylvania, tracks such activity. Their statistics show a four-fold
increase in the last three years. In 1999, there were 9,859 incidents
reported to CERT; in year 2000 the number increased to 21,756
break-ins. For the first three quarters of 2001, the number stood
Likewise, the Computer Security Institute in San Francisco conducts
nationwide annual surveys of computer security personnel. According
to this year's survey results, the threat is greater than ever,
increasing at exponential rates with no sign of abatement.
The Sacramento Valley Hi-Tech Crimes Task Force, an intergovernmental
organization dedicated to preventing and solving high tech crimes,
is the largest law enforcement organization of its kind in the
United States. According to Captain Jan Hoganson of the Task Force,
local computer security problems are rising just as quickly. Between
December 1999 and March of 2000, there were 200 reported break-ins
in the private sector and 100 in the government sector.
Damage costs: $15-billion in losses last year due to network security
breaches, viruses and other hacker attacks according to RBC Capital
Markets' 211-page research report, Safe and Sound, a Treatise
on Internet Security.
The Sacramento dollar figures are also rather large. For the nine-county
region served by
the Hi-Tech Crimes Task Force, in 2000, private sector computer
crime damages alone totaled $411,000.
So while the current economy is in slow-down mode, cybercrime
and security breaches are clearly a wildfire growth industry and
so are businesses and organizations specializing in stopping the
for the Fire
Why the sharp spike in computer crime? According to industry experts,
several factors are at work. First is the development of more
sophisticated attack tools. Hackers now have at their disposal
an array of software automation tools which generate software
source code, send pinging signals to detect the presence of other
computers, distribute the code to unsuspecting computers across
the Internet, and imbed other systems with the malicious code.
standardization. The more computers run the same software as everyone
else, the more prone they are to attack. Since a large number
of users rely on a small number of popular computer operating
systems, a would-be hacker only has to
create instruction for a small variety of systems.
Third is the rise in use of "always on" Internet connections
like DSL and cable connections. These open connections are more
likely to be victims of attack since they are always available for
A fourth factor is the increasing number of hackers. Steve Daugherty,
longtime security expert for Earthlink, the nationwide Internet
service provider with a large presence in Sacramento, says the typical
profile of a hacker is male, 12 to 25 years old, curious in a destructive
way and heedless of laws, security defenses and property rights.
In his experience, there are more of them now than ever before.
Just as the number of computer security violations is increasing,
so too is the variety of violations. A malevolent person's computer
can be a silent accomplice to denial of service attacks, creation
and propagation of worms and viruses, running of mail bombs and
spam storms, Cybersquatting, theft of trade secrets, credit card
fraud, identity theft, invasion of privacy, employee abuse of Internet
access privileges including downloading pornography, financial fraud,
and in-house vandalism. The list is endless.
Have you ever clicked on Yahoo and found the wait interminably long
(other than on a Sunday evening, the highest Internet traffic peak)or
the site non-available? The site was probably suffering from a denial
of service attack and its normal channels of communication are flooded
with bogus requests for service. In a denial of service attack,
multiple servers are remotely commanded to flood a particular Web
site with so much traffic that it is rendered inaccessible to legitimate
to Stefan Savage, computer science professor at UC San Diego and
cofounder of the Internet security company Asta Networks, there
are at least 4,000 denial of service attacks each week. Not all
of these attacks result in severe damages but they certainly take
up time, money and effort to combat.
And no system is immune from these attacks. The American mecca for
computer security, matters, The Computer Emergency Response Team
Coordination Center ("CERT") at Carnegie-Mellon University
itself was hit severely earlier this year. It was flooded with millions
of simultaneous data requests. Result: it was impossible to access
the Web site for 24 hours. These sorts of attacks happen almost
daily to major Web sites. In 2001, the FBI's Web site was hit. Microsoft's
Web site was hit last year, cutting it off from legitimate users
for more than 24 hours by two attacks. White-house.gov is the subject
of frequent attacks.
Spending money to create a more secure system is inevitable. Spending
on computer security is predicted to grow from $13.5 billion this
year to $31.8 billion in 2005. The message is plain that computer
security is serious business and does not come cheaply.
Building a safe system takes planning and money. There is an inevitable
tradeoff between security and economy. Because the benefits are
not so readily visible, businesses are sometimes loathe to spend
money on security.
Mike Dillon, director of professional services at Quest, analogizes
the computer security to an insurance policy, saying "while
no business will knowingly underinsure, there is a tendency to pay
lip service to computer security, then to spend less and get less.
Often companies will want to 'go cheap' but they are playing with
Better to build a safe system. According to Dillon, the first step
in securing your network from unwanted access is to have a workable
network security plan in place. The plan should be based on the
sensitivity of the data being secured. If your staff doesn't have
the expertise to create such a plan, then you can hire local consultants
to help you create it.
Minimum is firewall and intrusion detection, along with some means
to also detect anomalous activity within your own system uploading
to the Internet. Separate functions, access and software. Maintain
the integrity of passwords and other "human-related" security
Not many companies have the expertise or time to do what Patrick
Tully of Mindset Software in Sacramento did in response to an attack.
In 2001, Mindset's hard drives were being used as a cyber-parking
lot by a group of rap music distributors. Mindset took matters into
its own hands, traced the originator of this cyber-squatting ploy,
contacted them directly, and mentioned the word "FBI".
The music distributors apologized and offered free copies of their
music as penance.
A firewall is a mechanism for protecting a corporate network from
external communications systems such as the Internet. A firewall
typically consists of a PC or Unix machine containing two network
interface cards (NICs) and running a special firewall program. One
network card is connected to the company's private LAN, and the
other is connected to the Internet. The machine acts as a barrier
through which all information passing between the two networks must
travel. The firewall software analyzes each packet of information
passing between the two and rejects it if it does not conform to
a pre-configured rule.
File Transfer Protocol. The method by which files can be transferred
over a TCP/IP network. Anonymous FTP is the system which allows
transfer of files over the Internet where the user receiving the
files need not have a valid account name and password on the system
being accessed. He does, though, only have access to files which
have been designated as available to anonymous FTP users by the
Security Administration Tool for Analyzing Networks. Written by
Dan Farmer and Wietse Venema and released on 5 April, 1995. SATAN
is, in many ways, the forerunner of today's intrusion detection
products. It probes systems looking for vulnerabilities. It works
by telnetting to one port after another of the victim computer.
It determines what program (daemon) is running on each port, and
determines whether that daemon has a vulnerability that can be exploited.
SATAN can be used by system administrators to audit their own system
security, or it may just as easily be used by a hacker to break
into someone else's computer. Toward the end of 1996, Dan Farmer
used SATAN to survey the security of 2,200 of "the most interesting
sites - banks and credit unions, some US federal computers, newspapers
and some pure online Internet commerce systems." Farmer found
that "over 60 percent could be broken or destroyed (ie, all
network functionality deleted or removed)." Furthermore, "no
attempt was made to hide the survey, but only three sites out of
more than 2,000 contacted me to inquire what was going on when I
performed the unauthorized survey - that's a bit over one in one
thousand questioning my activity."
A program that monitors network traffic. Sniffers are used to capture
data transmitted on a network.
[from "Monty Python's Flying Circus"] 1. To crash
a program by overrunning a fixed-size buffer with excessively large
input data. See also buffer overflow, overrun screw, smash the stack.
2. To cause a newsgroup to be flooded with irrelevant or inappropriate
messages. You can spam a newsgroup with as little as one well- (or
ill-) planned message (e.g. asking "What do you think of abortion?"
on soc.women). This is often done with cross-posting (e.g. any message
which is crossposted to alt.rush-limbaugh and alt.poli-tics.homosexuality
will almost inevitably spam both groups). 3. To send many identical
or nearly-identical messages separately to a large number of Usenet
newsgroups. This is one sure way to infuriate nearly everyone on
the Net. The second and third definitions have become much more.