Modern Thieves Prefer Computers to Guns

Online crime is seldom reported, hard to detect

Jon Swartz, Chronicle Staff Writer

Hundreds of millions of dollars worth of top-secret information is being electronically pilfered over the Internet from banks, corporations and the federal government -- and many are helpless to stop it.

In many cases, companies are contracting computer hackers to filch product designs and sensitive marketing information from rivals. And shadowy, Byzantine organizations straight out of a Robert Ludlum potboiler are paying for illegal information that often is resold overseas.

Authorities have no idea how big the problem really is because the transactions take place in cyberspace. According to the FBI, 85 percent to 97 percent of online intrusions go undetected.

``If I want to steal money, a computer is a much better tool than a handgun,'' Daniel Geer, director of engineering for Open Market in Cambridge, Mass., told a House subcommittee briefing on computer security last week. ``It would take me a long time to get $10 million with a handgun.''

In one prominent case, virtual intruders last summer breached the internal network of Interactive Television Technologies, the creators of a set-top TV device that lets consumers cruise the Web, and stole secrets for the project the company claims were worth an estimated $250 million. The flummoxed company has since disappeared.

In some instances, companies bent on thievery try to enlist hackers to do the job for them. One young computer whiz said a company offered him $250 last summer at a computer trade show in Las Vegas to steal secrets from a competitor's Web site. He refused.

The man said the company approached him and several other hackers because it wanted illegal access to its rivals' list of customers and product prices.

Security experts said the attacks underscore the fragile nature of the Internet, which an estimated 50 million Americans use for e-mail, research, entertainment and shopping.

``There's no security on the Internet. . . . If we're going to go to digital commerce on the Internet, a lot of things are going to have to change,'' said Peter Neumann, an expert in computer security at SRI International, a Menlo Park research firm. ``The Internet isn't ready for prime time.''

The eruption of electronic burglary comes just as cyberspace is starting to become a major artery for commerce. Financial transactions over the Internet are expected to leapfrog $1 billion in 1997, heightening paranoia among corporations and consumers about lax security, industry watchers said.

PUBLICITY SCARE

Electronic thieves are finding it easier to break into computer networks and steal money and valuable secrets partly because companies refuse to report breaches in their security in order to avoid negative publicity and embarrassment.

``Financial institutions don't go to law enforcement out of fear that they'll scare off customers,'' UCLA professor Jahan Moreh said. ``Who wants to do business with a company whose unstable network security is being splashed across the front page?''

When Citibank came clean a few years ago and admitted it had lost $10 million to Russian hackers, some top customers bolted the venerable New York company.

``The only way (hackers) get caught is if they cross some threshold,'' Geer said. ``They start out stealing $1,000 a day and figure they can get away with $2,000 a day, and then they get greedy and hit some figure which sets off alarm bells.''

The Internet's strength has always been that it is open to the world. Now, however, ``It's also an open door to the world's hackers,'' said Don Marx, a former CIA employee who is president of GlobalKey, a security-software company in Colorado Springs, Colo.

In an alarming number of instances, that door leads straight to the federal government. Authorities estimate there were 250,000 known intrusions into government networks last year.

In turn, the government's preoccupation with cybertheft has fostered a cottage industry of backroom offices and super-secret agencies with names such as ``office for cyber warfare'' and ``FBI's Threat Assessment Center.'' Sort of an Internet version of ``The X-Files.''

SWELL OF VIRTUAL CRIME

Last October, President Clinton signed into law the Economic Espionage Act of 1996, which makes it a federal crime to steal trade secrets. Violators face up to 15 years in prison and a $10 million fine. Previously, such acts were state crimes.

The legislation was prompted by evidence of an alarming growth in cybertheft:

-- American businesses said they lose more than $100 million a year in computer-related thefts, a survey by the Computer Security Institute of San Francisco revealed last month.

-- Half of 44 U.S. banks polled by Grant Thornton LLP, a Chicago consulting firm, said they are ``very concerned'' that computer hackers illegally could access their intranet sites and steal customer files. Two-thirds said security for online transactions was a major concern.

-- Three-fourths of 1,320 companies conceded they lost money in part because of breaches in their security systems, according to a survey by computer magazine InformationWeek and Ernst & Young LLP.

The virtual crime has turned hacking into a profitable business for some. That hasn't always been the case.

Hacking originated in the 1970s as a hobby for techno geeks, including the likes of Steve Jobs and Steve Wozniak -- who later co-founded Apple Computer -- to gain access to high-level computer technology they normally could not afford.

Armed with only a PC and modem, they employed techniques such as cracking passwords with a software program called a ``demon dialer,'' and ``social engineering,'' in which the hacker poses as a company employee, to gain access to private information.

But that has changed in the 1980s and '90s, with the advent of complex corporate computer networks and the Internet. A growing number of hackers now are turning their skills toward stealing money and top-level secrets.

THE WEAKEST LINKS

Professional hackers aren't the only danger, however.

``The threats can come from an unsecured Internet connection, a malicious attack by a disgruntled employee, the loss of a laptop with critical information, the complexity of the Net, industrial espionage or just plain carelessness,'' said Scott Ramsey, director of information security at Ernst & Young.

``Companies are spending more money on sophisticated computer hardware, but they often fail to devote attention to safeguarding information systems, equipment and the people who use it,'' Ramsey said.

In fact, the weak link in corporate information security is workers, who either leak data intentionally or unwittingly fork it over to industrial spies.

``The biggest problem, by far, is employees stealing information internally,'' said Ira Winkler, a former intelligence analyst who is director of technology at National Computer Security Association in Severna Park, Md. ``Companies are making a lot of investments in the Internet, but most have minimal security. That's tough to stop.''

TRACKING THE HACK

So what can companies do to fend off online intruders?

A swelling number of firms are turning to companies that specialize in so-called firewalls, technology to block unwanted visitors; encrypted software that scrambles information; and greater awareness among employees.

Sales at security-software companies such as Pretty Good Privacy in Redwood Shores; GlobalKey; Security Dynamics in Cambridge, Mass.; RSA Data Security in Redwood City; Open Horizon in San Francisco; Trusted Information Systems in Glenwood, Md.; and 3SI of Denver are flourishing.

Many companies simply turn to hackers to safeguard their systems. Geoff Mulligan, a high-profile hacker in the 1970s, is senior security engineer at Sun Microsystems.

CYBERTHEFT AT A GLANCE

-- History -- Hacking started in the 1970s as a hobby for techno enthusiasts to gain access to expensive computer technology. With the advent of vast corporate computer networks and the Internet in the 1980s and '90s, it has turned into an illegal money-making venture for some.

-- Equipment -- The ``tools'' of the hacking trade include a personal computer, a modem -- and a lot of nerve.

-- Methods -- There are several techniques to cracking a computer system. One of the most common combines deciphering a system's password with the aid of a software program called a ``demon dialer.'' Another technique is ``social engineering,'' in which the hacker cons information out of an unsuspecting employee at the targeted company. There's also ``dumpster diving,'' in which the hacker sifts through a company's dumpster at night to find valuable information.

-- The toll -- American businesses said they lose hundreds of millions of dollars a year in computer-related thefts. There were 250,000 known intrusions into government networks last year.