By Leslie Walker
Washington Post Staff Writer
Thursday, January 13, 2000; Page E01
Someone hacked your Web site and is lurking behind that "firewall" that was supposed to block intruders. Who ya gonna call?
Many companies are opting to bypass the FBI when they detect a hacker attack, fearing the kind of publicity that hit Internet music retailer CD Universe this week after a hacker e-mailed news organizations to brag that he had stolen credit-card numbers. While CD Universe called the FBI within an hour of receiving an e-mail extortion threat, other companies make their first panicked call to the equivalent of digital Ghostbusters – private security consultants steeped in the eerie world of hackerdom.
Indeed, the e-security industry is being turbocharged by the rise of electronic commerce and computer hackers. A new breed of security firms is being born, and many are hiring "hacker trackers" to go mouse-to-mouse with intruders. A digital arms race is underway between hackers, who are developing tools to make computer break-ins push-button easy, and the software industry, which is frantically working on tools to thwart them.
"The CD Universe incident was the tip of the iceberg," said Mike Higgins, president of Para-Protect Inc., a start-up firm in Alexandria that sells security services to companies. "There are many more incidents that go unreported because companies know that telling the FBI is like telling the whole world."
Security risks to the nation's vital computer networks are growing so fast that government and private industry are scrambling to address them. President Clinton last week proposed $91 million in new federal spending to protect computer networks and create a Federal Cyber Service that would enlist college students in the anti-hacker wars. Attorney General Janet Reno chimed in with a call this week for a national anti-cybercrime network that would function around the clock.
At Para-Protect and another local company, ICSA.net in Reston, small armies of "white hat" hackers are fighting the wars 24 hours a day. Para-Protect's 45 employees and ICSA.net's 100 include computer whizzes who join underground hacker groups to gain access to secret Web sites and to monitor hackers.
One Boston security firm that formed last week, AtStake Inc., even hired eight notorious hackers known for developing hacking tools. Members of the cadre, known as "the L0pht," claim their mission has always been to expose, not exploit, security flaws. Now they hope to get paid for helping banks, brokers and Web stores foil digital thieves.
"Who knows how hackers operate better than these guys?" said AtStake founder Ted Julian. He raised $10 million from venture capitalists on the theory that electronic security is becoming more strategic to companies in the era of e-commerce, because the degree of openness and speed of communication between a company's computers and its suppliers can make or break a business.
"The way most companies have approached security is broken," Julian said. "The goal of security used to be to lock down systems and keep people out; the goal now has to be to make everything as open as possible."
With openness comes risk, which is growing exponentially as companies move critical functions online. The Internet, after all, is a public collection of computer networks. Hooking any company's computers up to it creates potential entry points for hackers to worm their way behind the company's Web site and steal information – even money – from internal databases. Experts say credit-card numbers are almost never stolen in transit online – even the CD Universe theft probably occurred on its internal computer network – and the most serious thefts often involve an intruder who may spend months watching a company's network before acting.
The Web site is generally a company's most exposed doorway, and hackers take delight in passing through. In the past two weeks alone, Lloyd's of London and Microsoft's Taiwanese operation announced that their Web sites had been hacked by intruders. London-based VirginNet, an Internet service provider, issued nearly 200,000 new passwords to customers last week because a hacker stole the original ones.
Last Saturday, intrusions were logged at more than 40 Web sites by a popular anti-hacking e-mail list. Especially troubling were reports of a new kind of Internet attack: domain-name hijackings. Hackers readdressed the domain names, or Internet addresses, of half a dozen big Web sites over the weekend so no one could access them on the Internet. The attack knocked faculty e-mail out of commission for days at Emory University.
Carnegie Mellon University's Computer Emergency Response Team has tracked hacking for 11 years and says about half the 30 incident reports it receives daily involve intrusions. All told, it logged more than 8,000 incidents last year.
"We think hacking incidents are tripling or quadrupling every year, and the risk of viruses is doubling," said Peter Tippett, chief technology officer for ICSA.net.
One factor fueling the hacking is free online distribution of simple attack tools, making it easy for people who don't even know computer programming to break into Web sites. "These tools truly are down to point, click and attack," Higgins said.
In his office, Higgins demonstrated graphical tools with command menus that seemed as easy to operate as Microsoft Word or Excel. "Shadow Advantis Administrator" probes a target Web site to see which "ports," or doors, on a computer might be open. It identifies vulnerabilities any target computer might have. Hackers then use Internet "scanner" programs to probe thousands of computers looking for openings. They download software with names such as "WebCrack 3.0" to crack weak passwords and "Back Orifice 2000" to install "Trojan horses" that can launch crippling attacks later.
To counteract the threats, experts say, companies must understand that security requires far more vigilance than before. Companies must monitor the arms race almost daily to keep their defenses current against the latest attack tools. Mindful that the threats will worsen as high-speed Internet access spreads through cable lines and digital subscriber phone lines, researchers in computer labs are developing software agents to mimic the human immune system by automatically detecting and defeating invaders. Commercial implementation, however, remains far away.
Meanwhile, software companies are releasing tools aimed at consumers and small businesses. Symantec Corp. this week released "Norton Internet Security 2000," which is the company's first foray beyond virus and content control filters: It also lets people create "personal firewalls" around their computers to detect any unauthorized probes that might come in over the telephone or cable lines they use to connect to the Internet.
© 2000 The Washington Post Company