Computer crime in the UK has doubled every year during the past decade and has cost businesses millions of pounds. So how are they rooting out the raiders?
Steven Bellovin is paid to think like a computer hacker. As head of network security at AT and T, his job is to prowl around the telecom giant's labyrinthine electronic corridors looking for hidden doors and windows through which invisible imposters might sneak. It is not an idle pastime - AT and T is subject to a serious hacking incident at least once a week. 'Extremely serious attacks happen once a month,' says Bellovin. The damage such intruders can inflict ranges from corruption, theft or destruction of data to the planting of computer viruses or diverting of funds.
Bellovin's task is to anticipate the hackers' moves and the technical weapons they might deploy, so that AT and T's defences can be effective against new forms of attack. It is a challenging job because hackers vary their tactics and update their armoury as rapidly as the viruses they plant can mutate. Most of them are socially inadequate young males, but what they lack in social skills, they make up for in malicious action. Donning pseudonyms such as Dark Invader, Byte Ripper and Captain Zap, their goal is to rule the global data superhighways of the future.
So when Bellovin spotted a hacker on AT and T's computer system in January 1991 he decided he would monitor the imposter's activities instead of shutting him out. The hacker had broken in via Internet, the world's largest computer network, which links approximately 20 million users worldwide. Pioneered by universities, it was designed to give as many people as possible free access to information. Hence its vulnerability to abuse by hackers. Internet is increasingly used by companies, financial institutions and government departments to exchange information, place orders and, in some cases, make payments.
For the next four months, the hacker, known as 'Berferd', used AT and T's computer as a springboard to attack numerous other organisations on Internet. The culmination came on 1 May, when he assaulted some 300 computers in one night, including ministries and military sites. By then, Bellovin knew the identity of the caller, but nothing could be done because at that time hacking was legal in the Netherlands, where the hacker lived. Within a few days, AT and T's lawyers decided to shut Berferd out, fearing that the company would be accused of harbouring hackers. But the Dutch authorities let him continue for a further year until their own machines were attacked.
Bellovin was shocked by Berferd's huge arsenal. But it came as little surprise to detective inspector John Austen, who set up the computer crime unit at New Scotland Yard 10 years ago. Computer crime in the UK, including hacking, has doubled every year during the past decade, says Austen. A recent DTI survey of 832 UK businesses found that security lapses have cost £1.2 billion since 1992. Some 57% of respondents reported incidents involving 'logic' security - software viruses or hacking - compared with 35% in 1992. The cost of the average security breakdown rocketed from an average of £2,000 to £9,000, with the single most costly incident a £1.2 million fraud in an insurance company.
Much of the growth in computer crime is due to increased use of networks which multiply the number of potential entry points. 'As more and more companies join computer networks they are becoming increasingly vulnerable to hacker attack,' says Bellovin. Some hackers are just casual snoopers who simply cause a nuisance. But most want to secure a back door so that they can get back into the machine - the equivalent of digging a tunnel from the inside out. 'If they think they have been detected, they'll frequently wipe all your files to destroy any incriminating traces they may have left behind.' Networks also provide a highly effective communications channel for hackers to exchange information about penetrating systems. Victims of hacking tend to think that they have had bad luck and it won't happen again, says Gaetano Gangemi, director of secure systems at Wang, the US office systems supplier. 'But once the original perpetrator has had a good look round, he will often post details of his attack on an electronic bulletin board. At this point the victim experiences an exponential increase in the number of onslaughts.'
The obvious attacks are often the least damaging because victims can respond fast. More insidious are the secret visitors who leave no trail. One of the biggest shocks to Bellovin was that when he reported the activities of Berferd to the 300 organisations that had been hit, only two or three had been aware of the incident.
Austen's casebook catalogues everything from the fairly harmless browser, the equivalent of someone who peeks through windows and tries doorknobs, to international gangs of criminals who steal data, destroy systems and divert funds. Industrial espionage is a common motive for computer crime, he says. 'This may involve the theft of customer lists, sales know-how, or R and D plans.' The perpetrators range from individual employees who take data and sell it on to third parties, to international gangs of information traders and launderers, says Austen.
Organised criminals have been exploiting the potential of computer networks since the 1980s, when a group of West German hackers was persuaded by the KGB to penetrate government, military and commercial databases. The information was then downloaded to the eastern bloc.
Often the goal of organised hackers is to divert funds. A team in Switzerland hacked into the bank account of a wealthy individual to discover details of how his money was transferred and then defrauded him of £1 million.
Many cases of computer fraud involve insiders who use hacking techniques in combination with other inside information. In a recent case in north London a man planted a bugging and transmitter device while working on a short-term contract for a small oil company. He also cloned a plastic card that gave access to the computer room. Then he and a partner rented a flat opposite the company offices, within the 2,000 metre transmitter range of the bug. The pair captured all the passwords used on the system and re-entered the premises with the card at night. They then copied details of all the company's customers, distribution outlets, prices and grades of oil, and attempted to sell the information to rival companies. They also set up a purchase account and stole £400,000 by creating false invoices.
Many such cases go unreported even to the police because organisations are terrified about the consequences of lost credibility should the security breach become known.
But according to Austen, industrial espionage is almost a more significant problem than the diverting of funds. 'We've had cases involving all types of information, especially the results of R and D tests for new products ranging from cars to washing machine powder. 'There are people who actually advertise that they can gain information about others,' says Austen. 'These people call themselves information traders or information brokers and advertise that for payment they will obtain information about international companies, institutions and individuals.' They operate alone or in teams, and often exploit networks such as Internet. Some specialise in the loopholes of specific hardware and software products, others focus on the fast-growing breed of open systems that are designed for easier computer communications but also increase the opportunities for hackers.
Martin Samociuk, joint managing director of London-based Network Security Management, a computer fraud consultancy, cites a UK shipping company that paid a hacker to penetrate a rival company's databases to steal competitive information including business strategy, customer lists and tariff details. 'The hacker was hired by a manager and the company subsequently claimed that it had been unaware of the source of the information,' Samociuk says.
Computer viruses are another invisible menace. These are programs that can cripple or destroy computer data. The most virulent strains can now mutate in billions of ways to escape detection and render themselves immune to software 'vaccines'. Sometimes they can lurk undetected inside a victim's system for months. They are triggered by a predetermined event such as the anniversary of Michelangelo's birthdate, or the next Friday 13th. Other viruses gnaw away imperceptibly at data, until, by the time the victim realises something is wrong, huge tracts of information may be unusable. Recently, Austen has begun to encounter a new virus known as Pathogen, which disables keyboards and destroys data. 'We don't want to create too much panic about it because incidences are fairly rare at the moment, but these cases are a great nuisance to users.'
According to IBM, there are currently some 2,000 viruses in circulation, and the incidence rate is roughly two per 1,000 PCs each year. Large companies can probably cope because most viruses will not occur on business critical systems, says IBM's Mark Drew, a computer security consultant. But small companies are very vulnerable. 'If they have only a few machines the chances are that they will all be critical to the operation of the business. Their first incident could well be the 'biggy' that everyone assumes can't happen to them.' Surprisingly, many organisations still do not take the problems of computer security seriously. Four out of five respondents to a recent DTI survey on breaches of security experienced at least one security breach over the past two years, yet only half of them had a plan to deal with the aftershock. Even organisations that have known security losses are often unwilling to spend what it would cost to make them secure, says Gangemi. 'Their attitude is that they just want to be seen to be taking due diligence, though they know it won't solve the problem.' To raise awareness and provide guidance on how to thwart the hackers, Bellovin has just co-written Firewalls and Internet Security: Repelling the Wily Hacker, to be published in the UK in July. One danger is that people are using machines designed before the days of networking when security needs were simpler, he says. 'For example, lots of organisations don't monitor the number of failed password attempts. Hackers need to be stopped at the front door.'
Passwords are one of the weakest points in most security systems. Hackers can set up their machines to trawl dictionaries of foreign languages all through the night until they find a legitimate password. Bellovin recommends never choosing real words or variations of names, birthdates, or those of relatives and friends. Passwords should comprise mixed letters, numbers and punctuation marks in an oddball sequence of no fewer than eight characters. Even better are one-off passwords because they also protect against the risk of wire-tapping. Bellovin carries a digital bleeper that emits a unique password every time he wants to access the computer.
More care should be taken over recruitment, says Samociuk. Many young people are now much more proficient in computer techniques than their bosses, because of the prevalence of computers in schools. 'Companies are still being naive about who they hire and are not taking care to check out peoples' backgrounds,' says Samociuk.
There are also numerous technical weapons for defence. Some 350 companies sell computer security products ranging from virus vaccines to disk encryption systems that ensure disks cannot be read by unauthorised personnel, even if they are stolen. 'Disks are so small and pocketable that you'd never have a chance if you depended on people not walking out with them,' says Gangemi.
But beware of depending on security devices alone. Tom Parker, principal consultant, ICL Secure Systems, says: 'It is easy to take two very good secure products and put them together and discover you've got no security at all.' People make the mistake of treating security in a mechanical way, says Parker. 'They think it's just a case of putting passwords on the system and pinning up a few notices or introducing some procedures.' They don't test them out, keep them up to date, or make sure that they are being obeyed.
Security precautions should be second nature to all employees. It is surprising how much information hackers can get over the phone by posing as telecoms engineers or by searching through rubbish bins to find useful data for helping log on to machines.
If you do spot hackers you should stop them in their tracks immediately because you don't know what damage they'll do if they suspect they're being watched, advises Bellovin. He does not recommend a Berferd-style surveillance operation. 'We had the luxury of the equipment, experience and staff to do it.' Once your system has been penetrated, you should also get a decontamination expert to inspect it for backdoors and booby traps left behind by the hacker.
Finally, beware of the growing band of hackers who have turned respectable by setting themselves up as security consultants. Some are legitimate. But as Bellovin puts it: 'The worry is that they are not truly reformed and that they can't be trusted to keep your secrets.' Some are even suspected of being double agents engaged in espionage. Good security involves fathoming the minds of hackers. And it definitely involves not inviting them in at the front door.'.