A survey puts the cost to UK industry of computer security breaches at £1.1 billion and some say that it is higher. It seems the hacker is not dead yet and computer managers need to be alert. By Jane Bird.
When microcomputers first became widely available in the early 1980s they brought with them another phenomenon that was not so welcome - the computer hacker. Armed with a PC costing just a few hundred pounds, and a modem to dial remote computers over the telephone line, hackers could penetrate company databases, steal customer information, corrupt files and divert payments to their own private accounts.
This high-tech hobby attracted a large following among introverted young men who found communicating with remote computers more enjoyable than human interaction. The Hackers Handbook, published in 1985, immediately became a best-seller. To keep in touch with each other, the hackers formed electronic clubs, so-called "bulletin boards", on which they posted lists of passwords and tips for how to penetrate corporate computers.
The matter came to a head when two young hackers, Steve Gold and Robert Schifreen, were arrested for penetrating the Duke of Edinburgh's Prestel electronic mailbox. They were charged with forgery and fined £1,750 at Southwark Crown Court. Gold and Schifreen, who had sneaked into dozens of company databases, said they did it to draw attention to lax security. The ease with which they had browsed through vast databanks of company confidential files showed that organisations were failing to take security seriously. They were running the risk of their files falling into rivals' hands, and their data being corrupted or destroyed - a potentially crippling event.
The two were acquitted on appeal, and in the past few years hacking has fallen from the headlines. Publicly, companies say that it is no longer a threat - victims keep incidents secret to avoid embarrassment and prevent further sabotage. In a survey of computer security breaches in the UK, conducted by the National Computing Centre (NCC) earlier this year, there was not a single major computer fraud reported by the financial and business services sector, the most obvious targets. But hacking has not gone away, it has merely become part of a much bigger security nightmare for the computer-based companies of the 1990s, many of whom could not survive more than a few days, if not hours, without their computers.
Computer security breaches cost UK industry an annual £1.1 billion, according to the NCC survey. The cost of hardware breaches - power failure, fire, flood, theft of equipment or sabotage, for example - it put at £576 million. Software damage, including hacking, viruses, diverting payments or electronic eavesdropping, is estimated at £530 million. The greatest number of incidents were caused by power failure, hardware theft, viruses and software containing bugs.
The research covered accidental and deliberate security breaches experienced by 900 organisations. A sharp rise in security breaches during the past two years is one of its most disturbing findings, according to Tom Parker, principal security consultant for ICL, which co-funded the research. Although the survey covers the past five years, 90% of the reported incidents occurred in the last 18 months. "Even allowing for the fact that people are more likely to remember events that happened recently, this clearly indicates the problem is on the increase," says Parker.
Moreover, it is malicious rather than accidental damage that is most noticeably on the increase. Although accidental incidents account for 50% of the survey, there is a greater likelihood that they will be detected, Parker points out. This trend also suggests soaring costs for security breaches - malicious damage tends to be much more expensive than that caused by human error. Hacking incidents cost an average £23,000, and fraudulent input of invoices £14,000, whereas expenses incurred by loading bug-ridden software generally amount to around £6,000.
There are now far more doors and windows to tempt the hackers and the fraudsters in because of the spread of PCs and microcomputer networks. It is fairly easy to see why they are tempted - the risks are low and the rewards potentially enormous. Parker points out: "If somebody went into a bank with a gun in their hand they might get away with £50,000, but if they were caught they'd get 10 to 15 years in prison. The computer hacker might steal twice that amount. If he is caught he probably gets a golden handshake in return for promising not to tell."
The NCC's £50 million estimate for the cost of computer fraud is low, Parker believes. "Nobody in finance or business services reported a loss of more than £60,000, although that is the top target sector for computer fraud. It could be that companies are taking extra care, or this result may merely reflect a poor detection rate." But the most likely explanation, he believes, is that organisations choose not to report such events.
His view is shared by Martin Samociuk, a high-tech detective who has been tracking hackers for more than a decade. Samociuk has investigated three attempts to divert payments through computer fraud in the past year, each valued at £50 million to £60 million. "Any organisation with a treasury operation or high value money movements is increasingly the target of sophisticated criminal gangs," he says. "Not just banks, commercial organisations, too."
Diverting payments is a common tactic. A healthcare organisation surveyed discovered that money was being stolen by contract staff who intercepted invoices and changed the name of the payee. They were caught and charged for £40,000, but the organisation believes the losses might be considerably higher.
The biggest security threat comes from within - the survey found that 75% of security breaches are perpetrated by insiders. Often the offenders are disaffected employees or those with an alcohol or gambling addiction. They may also be coerced from outside. Criminals like using insiders to help because they can divert larger payments more quickly by using electronic systems.
A builders' merchant turned from healthy profit to loss a year after computerising its stock controls. In return for bribes, a storeman who was manning the trade counter keyed in low prices for cash sales. Provided he restored the original prices immediately, no one noticed. The computer was only programmed to match goods and cash correctly at the instant of sale, and not to log price alterations. The truth emerged too late to save the business.
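The builders' merchant's system matched goods against cash only at the instant of sale and kept no record of price changes. The following is an added example, not code from the article or from the company it describes, showing what an audit over a price-alteration log can catch once such a log exists: every record, clerk name and SKU below is constructed sample data.

```python
"""Audit of transient price overrides against a point-of-sale ledger.

Added example. The merchant in the article logged no price alterations, so a
cut-sell-restore sequence was invisible. With a price-change log, an audit can
pair each price cut with the cash sales rung up before the price went back.
All records, clerk names and SKUs are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed price-change log: (time, clerk, sku, old_price, new_price)
PRICE_LOG = [
    (datetime(1992, 3, 2, 10, 5), "storeman", "CEMENT25", 4.80, 1.20),
    (datetime(1992, 3, 2, 10, 9), "storeman", "CEMENT25", 1.20, 4.80),
    (datetime(1992, 3, 2, 14, 0), "manager", "TIMBER2M", 6.50, 5.95),  # lasting reprice
]

# Constructed sales ledger: (time, clerk, sku, unit_price, quantity, tender)
SALES = [
    (datetime(1992, 3, 2, 10, 6), "storeman", "CEMENT25", 1.20, 40, "cash"),
    (datetime(1992, 3, 2, 11, 30), "counter2", "CEMENT25", 4.80, 5, "account"),
    (datetime(1992, 3, 2, 15, 10), "counter2", "TIMBER2M", 5.95, 3, "cash"),
]


def find_transient_cuts(price_log, sales, window=timedelta(hours=1)):
    """Return cash sales made at a price that was cut and then restored to its
    previous value within `window`, with the revenue lost per sale."""
    cuts = [e for e in price_log if e[4] < e[3]]  # price lowered
    findings = []
    for cut_time, cut_by, sku, old, new in cuts:
        # A restore puts the exact old price back shortly after the cut.
        restores = [e for e in price_log
                    if e[2] == sku and e[3] == new and e[4] == old
                    and cut_time < e[0] <= cut_time + window]
        if not restores:
            continue  # genuine reprice that stayed in force
        restored_at = restores[0][0]
        for t, clerk, s, price, qty, tender in sales:
            if (s == sku and tender == "cash" and price == new
                    and cut_time <= t <= restored_at):
                findings.append({"sku": sku, "clerk": clerk, "cut_by": cut_by,
                                 "minutes_open": (restored_at - cut_time).seconds // 60,
                                 "lost": round((old - new) * qty, 2)})
    return findings
```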
One method of tackling the problem is to get employees from different departments to cross-check each other's work, a technique employed by the Bank of Finland. Peter Mobsby, the Bank's assistant general manager, says: "Hackers are not so much of a problem for us because only a few corporate customers can dial in. But we are conscious of the possibility of attacks from within." He has implemented a system of segregated duties and system passwords based on who needs to know what - an individual cannot be judge and jury. Everyone's work is checked by someone from a different department. However, Mobsby admits that this does not protect against collusion. He also has a camera in the computer room that watches who comes in and what they do all day. "It is an eye on the wall that never sleeps," he says.
The biggest source of data theft identified by the NCC survey is stolen hardware. Unlike company mainframes, PCs and portables are easily removed. Their data often goes with them, as an unfortunate army officer discovered when he found the Gulf battle plans had been stolen with a laptop computer left in the boot of his car. Even where backups have been taken, these are often kept on floppy disks close to the machine, and get stolen too.
But there is a rather more sinister form of data theft - electronic eavesdropping. Terminals emit electromagnetic radiation which is quite easy to pick up from a van parked outside a building, equipped with £200 worth of special listening equipment. The eavesdropper can tune into individual machines to discover passwords and customer account details while victims remain totally unaware of what is happening. Parker was surprised that virtually no incidents of electronic eavesdropping were reported in the NCC survey. "This seems very odd as it is one of the easiest technical attacks at the moment. It might not be very high gain, but it is zero risk. There is no offence you can be arrested for."
Theft of money or data may not be the criminal's goal - many are bent on data sabotage, says Chris Hook, an NCC security consultant. This can be far more disruptive. "Unlike somebody stealing a PC or setting it on fire, when software is damaged you can't see what has happened. It may be impossible to tell which files are affected and which not."
Software viruses are the most common and destructive forms of data sabotage. They are introduced by hacking or by loading a contaminated disk. So-called Trojan Horses or electronic time-bombs send their forces secretly into your computer, where they can hide for long periods of time before being activated by dates or internal computer events. Current varieties give computer managers sleepless nights before each Friday the 13th or anniversary of Michelangelo's birth-date. Some viruses cause one major system failure or hard disk crash, others nibble away at data almost imperceptibly. By the time you notice anything is wrong, recovery may be almost impossible.
A major petrochemical company surveyed suffered a severe disruption and had to spend £50,000 recovering from a virus attack on its corporate and departmental systems. Viruses are becoming extremely sophisticated technically, warns Parker. As computers become increasingly standardised, virus writers can hit a much bigger population of users with each program. "Viruses will be written for more and more environments and will pop up on all the widely available systems. It is going to happen more and get much worse," Parker reckons.
Improved encryption will make new viruses much harder to detect. At the moment, users who suspect they may have been attacked, or merely want to ward off future infection, can buy vaccination programs which look for key patterns on new disks when they are first used. For example, they might seek out the message of the "stoned" virus, which displays the text "Legalise marijuana, you have been stoned." If such a message is detected, the disk is rejected without being loaded onto the host machine. But new viruses hide themselves by scrambling their contents.
More than half the respondents in the NCC's survey did not have any contingency plan in place. Many organisations don't even realise what it costs them, says the NCC's Hook. "One of the worrying things about the survey was that so few organisations had actually tried to cost the overall loss in hard cash."
Brian Collins, a partner with KPMG, the management consultancy, advises IT users to go through their entire business and work out what the impact on them would be if information, computer equipment or staff were lost. "Consider how sensitive the information is. Could it be used by another organisation to its benefit or your detriment? What would be the consequence of competitors obtaining your discounted price list that the salesman is carrying around on his portable? Try to visualise the impact of a major power cut on your computer operations." One financial institution wrote off £2 million for a two-hour power failure. Calculating these costs helps determine how much to spend on a security policy. The average is 1-5% of an IT budget, but one supermarket chain spends 15%.
An IT security strategy need not be expensive. It could just be a case of logging off at lunchtime and locking your office door. Robert Schifreen, poacher turned gamekeeper who now runs a security consultancy, advises: "Forget modems, mainframes and hackers. The world has moved on. Managers need to bear in mind that they have an awful lot of information stored on PCs around their company, most probably not protected. All the data-thief needs to do is walk into the managing director's office during the lunch hour, and nobody knows he did it." Even an outsider, with his sleeves rolled up and a sandwich under his arm, is likely to get through all but the most alert security desks, Schifreen reckons.
Another cheap tactic is regularly to alter passwords and not to post them up in public places. One IT manager used to stick the PIN number for the computer room door above the handle. The number was regularly changed and he said it was the only way he could be sure everyone knew the latest code.
Even the computer criminals forget how easily passwords are cracked. Such an error helped the police identify Joseph Popp as perpetrator of one of the worst viruses yet - the Aids blackmail disk sent to 20,000 computer users in December 1989. No sooner had the unfortunate recipients loaded it than the disk planted a bug and demanded a $189 "licence fee" for a vaccination disk. The fact that Popp used his own name as a password was a crucial piece of evidence for the prosecution.
But do not rely too heavily on passwords. There are widely-available programs that unscramble them. Some organisations have their dial-up systems arranged so that the computer calls back the callers. Even these are not impregnable to the hackers who are the spiritual heirs of the phone phreaks of the 1970s.
To avoid viruses, steer clear of free programs and shun bootlegged software. Don't assume your virus detection program is foolproof, warns Parker. "It can only protect against known viruses; you might be the unlucky person who gets the first of a new variety." Users must get into the habit of far better disk management, running check routines every time files are changed, Parker says.
Another stratagem is to lock the disk drives of individual PCs on a network, insisting that all software is loaded by a central computer, a method currently being employed at Heathrow Airport. Martin Rossetti, IT customer services manager at Heathrow, says a secure system is vital to Heathrow's business image. "We handle a large amount of confidential data from the Civil Aviation Authority, customs and the airlines. It is crucial that we show integrity and professionalism."
Chemical Bank and Manufacturers Hanover are applying a rather more futuristic solution to IT security, especially for foreign exchange transactions. They are making the machines into smart criminal catchers, training the computers to look for unusual or suspicious trading patterns. Machines can spot dubious behaviour in money lending, or unusual spending activity among credit card holders. They can even identify quirks that an organisation is not expecting to find, helping to highlight money being laundered through accounts, or individuals handling abnormally large sums. They can also identify hackers, who, just like rapists and murderers, tend to favour certain times of day or trusted routines to perpetrate their crimes. Hackers like to leave a signature or hallmark which computers can be taught to identify.
Some say the threat from hackers is grossly exaggerated. Fire, flood or power cuts are far more damaging, says Peter Sommer, author of The Hackers' Handbook. "These may appear to be relatively trivial but have a huge effect on the business. There is still lots of building going on in the City and workmen are putting shovels through telecoms lines all the time. If there is a dealing room on the other end, the effect can be extremely serious."
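The two ideas in the paragraph above, an abnormally large sum for a given account and activity at an hour that account never uses, can both be expressed as departures from a per-account baseline. The following is an added example, not the banks' own systems, that builds such a baseline from constructed transfer history and scores a new transfer against it; the account name and amounts are constructed.

```python
"""Flagging transfers that depart from an account's own baseline.

Added example, not the systems of the banks named in the article. It profiles
each account's usual transfer sizes and hours of activity from constructed
history, then reports why a new transfer looks abnormal, if it does.
"""
from statistics import mean, pstdev

# Constructed history: (account, hour_of_day, amount_gbp)
HISTORY = [
    ("ACME-FX", 9, 12000), ("ACME-FX", 10, 15000), ("ACME-FX", 11, 13500),
    ("ACME-FX", 14, 14000), ("ACME-FX", 15, 12500), ("ACME-FX", 16, 16000),
]


def build_profile(history):
    """Per-account mean and population sd of amounts, plus the set of hours seen."""
    profile = {}
    for acct, hour, amount in history:
        p = profile.setdefault(acct, {"amounts": [], "hours": set()})
        p["amounts"].append(amount)
        p["hours"].add(hour)
    for p in profile.values():
        p["mean"] = mean(p["amounts"])
        p["sd"] = pstdev(p["amounts"])
    return profile


def score(profile, acct, hour, amount, z_limit=3.0):
    """Return the reasons a transfer looks abnormal; an empty list means it fits
    the account's baseline. Unknown accounts are always reported."""
    p = profile.get(acct)
    if p is None:
        return ["unknown account"]
    reasons = []
    if p["sd"] > 0:
        z = (amount - p["mean"]) / p["sd"]
        if z > z_limit:
            reasons.append(f"amount {amount} is {z:.1f} sd above the account norm")
    if hour not in p["hours"]:
        reasons.append(f"hour {hour:02d}:00 is outside the account's usual hours")
    return reasons
```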
But Samociuk is convinced that this is a misdirection of energy. "Most people have disaster recovery, but neglect a contingency plan for fraud, hacking and system sabotage. Yet we see far more of these than we do accidental damage," he says. Computer managers must maintain constant vigilance - the hacker is not dead yet.