The New York Times, March 17, 1997, pp. D1, D7

Go Ahead, Be Paranoid: Hackers Are Out to Get You

By Steve Lohr

In a chilly, windowless room in a New York suburb, four men are tapping furiously at their laptop computers. Their mission: to crack into the computer system of a major U.S. corporation. Things seem to be going well, for them.

"All right, we're through the firewall," announced one bearded hacker. A few moments later, a second practitioner of high-tech mischief pronounced himself pleased by what he saw inside -- a digital picture of vulnerability rendered by the lines of computer code dancing across his screen. "Looks like we can toast it," he said.

Charles Palmer, a slender, bearded 40-year-old computer scientist, looked on with pride at the members of his team. Skilled hackers, Palmer noted, are scarce these days, at least ones that he will hire. "It's hard to find good people in this field who do not have criminal records," he explained.

Palmer and his team work for IBM, and their brand of computer hacking is legal. Companies pay the IBM squad to attack their computer systems to test how well they can stand up to the increasing assaults by real hackers. The growing ranks of cyber intruders are engaged in everything from snooping around to "parking" pornography and pirated software on unsuspecting corporate machines to computer-assisted fraud and theft.

White-hat hackers, like those at IBM, are only one kind of computer-security professional whose skills are much in demand today. Once an arcane specialty, computer security has moved into the mainstream. As companies rush onto the Internet, they benefit from improved communication with customers, suppliers and far-flung employees, but they also take on far greater risk that their corporate computer systems will be breached by outsiders with malicious intent.

The dangers of a networked world have created boom times for computer-security consultants, auditors, cryptographers and others. Now they must contend with pushy headhunters as well as hackers. Five years ago, six-figure salaries were rare in the security field. Today it is not uncommon for skilled computer-security veterans to be making $200,000 a year or more.

Recognizing a seller's market for computer-security expertise, Wietse Venema has come to the United States, and he's selling. A computer scientist from the University of Eindhoven in the Netherlands, Venema is the co-author of Satan, a sophisticated software program intended to find security flaws in any computer system linked to the Internet. The 45-year-old Dutch researcher is considering offers from IBM and other leading American computer companies. "Many people are interested in my capabilities now," he observed cheerfully.

Experts like Venema are suddenly stars because corporations are spending more on computer security. This year, companies worldwide are expected to spend $6.3 billion on security for their computer networks, estimates Dataquest, a market-research firm. Within three years the security price tag is projected to more than double to nearly $12.9 billion -- a figure that is only for services supplied by outside contractors, so it excludes spending on in-house staff, security software or hardware products.

The industry in the United States, the world leader in computer security, is composed of hundreds of companies. They run the gamut from large companies with worldwide computer consulting practices, like IBM, Science Applications International Corp. and Perot Systems, and Big Six accounting firms, like Coopers & Lybrand, Ernst & Young and Deloitte & Touche, down to one-man independent consultants, like Seiden.

Fueling the surge in computer-security spending is fear. The corporate concerns are heightened with every report of hackers defacing well-known World Wide Web sites, like the recent attacks on the sites of the CIA and the Department of Justice.

The FBI says few intrusions into corporate computer systems -- 15 percent at most -- are reported to law-enforcement agencies. But the handful that are reported, like the 1994 case of Russian hackers who tapped into Citibank and made $10 million in illegal fund transfers (all but $400,000 was recovered), tend to cause alarm.

"The business is not so much network security as it is network insecurity," noted Alice Murphy, an analyst at Dataquest. "There's so much anxiety out there now."

Just how great the threat is to corporate computer systems is a matter of debate. The Internet, observes Peter Neumann, a computer scientist at SRI International, a research group in Menlo Park, Calif., was never really designed to be secure. Once the bailiwick of a small community of researchers, it is starting to be used as a freeway of commerce. "The infrastructure is vulnerable," Neumann said. "From that larger perspective the risks are enormous."

Dan Farmer, the co-author of Satan with the Dutch researcher Venema, did a survey of 1,700 corporate and government Web sites late last year and found that more than 60 percent of them had "serious potential security vulnerabilities." Farmer, a programmer at Sun Microsystems Inc., did not break into the computer systems, but he said they were open to attack and often could be severely damaged. (His survey results are posted on the Web.)

Yet there is a significant difference, some analysts say, between potential vulnerability and the actual business risk to corporate computer systems. "There is risk, but the threat tends to be vastly overstated," said George Colony, president of Forrester Research Inc., a consulting firm in Cambridge, Mass. Forrester estimates that losses from fraud in Internet commerce are likely to be roughly $1 for every $1,000 of business. To put the matter into perspective, the fraud losses in cellular phone service are $20 for every $1,000, according to Forrester, while the losses on credit-card transactions are nearly $2 for every $1,000 of goods charged.

Still, even skeptics, like Forrester's Colony, agree that computer security requires continuous attention. "It is a manageable risk, and it should not deter companies from jumping into Internet commerce," Colony said. "But I also tell our clients that they should think of computer security as a guerrilla war that will last forever."

The FBI is treating the battle against computer crime as a long-running campaign. All new agents are now trained in cyberspace investigations as part of the curriculum at the FBI Academy in Quantico, Va. And last year the bureau established three computer-crime squads in San Francisco, New York and Washington, to pursue cybercrime more aggressively.

"We're really on the cusp of this becoming a major problem," said James Kallstrom, head of the FBI office in New York. "As more and more of the economy goes digital, there are huge incentives for criminal attacks on American corporations."

Computer crime, of course, comes in many forms. An employee with a grudge and access to a company's computer network may well be far more dangerous, and costly, than even the most artful hacker. A survey released two weeks ago by the Computer Security Institute, and conducted on behalf of the FBI's computer-crime unit, estimated computer security losses last year at $100 million -- a total only among some 250 companies and organizations that would place dollar figures on their losses from fraud, theft of trade secrets and other breaches.

The criminal hackers have long been engaged in a kind of cat-and-mouse game with law-enforcement agencies and private computer-security experts. And that game is increasingly being played at a higher level, with greater skill and new tools.

The cell-phone hackers of the past, who electronically jimmied phones for the thrill and free phone service, have graduated to Web-site hacking. Today there are an estimated 440 hacker bulletin boards, 1,900 Web sites purveying hacking tips and tools, and 30 hacker publications like "Phrack" and "2600: The Hacker Quarterly." There are readily available software programs for hacking tactics like "war dialing," "sniffing" and "fingering" -- all used to exploit security weaknesses in computer systems.

"As the stakes become higher, the technical sophistication of the people doing this kind of illegal activity is increasing," said Edward Hart, a senior vice president of Science Applications International.

Today there is a brisk illicit market in hacking, according to security experts, with the street price for breaking into a corporate Web site typically in the $8,000-to-$10,000 range. Bonus payments are usually demanded for trade secrets pilfered or damage inflicted on a competitor's computer system.

Limiting the risk, and damage, to corporate computer systems is the goal of Palmer and the other security specialists at IBM. The test hacking done by his team is mainly a fact-finding tool, and only one of many. The authorized break-ins by these groups, called "tiger teams," are often more valuable as a marketing tactic than as a research tool. Thick and exhaustive studies of a company's computer security can be met with yawning indifference by top executives, but a break-in gets their attention.

Mundane rules, not high-tech wizardry, are crucial to reducing security risks. A robust firewall to filter what electronic traffic gets into a company's computer system is helpful, but it can be a Maginot Line approach to security -- the real weaknesses are elsewhere. To work from home, employees may have dial-up modems at their desks, unprotected by firewalls or even passwords.

Employees, security experts warn, must be told to give their passwords to no one; one scam is for hackers to call new employees, pretending to be members of the corporate technology staff doing a check of passwords. Another frequent weakness is simple physical security, watching who goes in or out of the building.

These are hectic times for security consultants like IBM's Nick Simicich, a 44-year-old self-taught programmer. He works from his home in Boca Raton, Fla., equipped with powerful computers running Linux, a shareware program that is the operating system of choice for hackers. Mostly, though, Simicich is on the road -- 85 percent of the time, he estimates -- logging perhaps 150,000 air miles a year. Continental, the airline he flies most regularly, invited Simicich to a company parade last year.

He proudly calls himself a "paid professional paranoid." His goal, he says, is not to make corporate computer systems immune to hackers. "That's impossible," he explained. "Our real goal is to raise the bar. First, we do want to make it harder for them to break in, so the average hacker moves to an easier target. Second, when they do get in, we want to ensure that the damage is limited."

[Sidebars] Dumbest passwords. Do's and Don'ts of preventing hack attack.
[Photos] Nick Simicich. Charles Palmer.