Inside jobs: Is there a hacker in the next cubicle?
August 13, 1998
by Jonathan Littman
(IDG) -- Just after midnight on January 28, 1998, the e-mail blasted its way to the 400-plus employees of Pixar Animation. It listed the salary of every Pixar employee, from secretaries to executives. Indeed, the only person whose salary was not on the list was the man who seemingly sent the message: CEO Steve Jobs doesn't draw a paycheck.
Pixar, the high-tech company in Richmond, California, responsible for the movie Toy Story, had been hacked. Someone -- not Jobs -- had sent the message using Jobs' return e-mail address (a common trick known as "spoofing"). More seriously, that same person had broken into the company's confidential personnel files. Pixar's managers quickly dispatched a second e-mail, denying that Jobs had sent the first. But the damage was done: The privacy of Pixar's employees had been violated, and they now knew that confidential data critical to their careers could be exposed for all of Pixar's competitors to see.
When most people think about threats to network security, they remember news reports about malicious teenagers breaking into the Pentagon or stealing India's nuclear secrets. But according to the scant available evidence, the culprit in the Pixar case was probably a current or former employee -- making this story a lesson about the security threats facing today's networked businesses. The greatest threat to individual and corporate privacy comes not from outside the gates, but from inside company walls.
Don't believe the hype
This lesson seems to be lost in the steady stream of Congressional hearings and press accounts trumpeting the dangers of hacker or terrorist Internet attacks. The media's obsession with images of teen hackers prowling the Internet distorts the real problem of network security. For one thing, the young hackers who get all the attention aren't a threat to the average business. Some -- such as the two teenagers from Cloverdale, California, who broke into a series of U.S. military sites -- are joyriding. Others -- such as those who hit India's military network shortly after that country tested five nuclear bombs -- ostensibly have political motives. Neither shows any interest in targeting random businesses.
Other hackers have more constructive motives. Many erstwhile pranksters now make a living breaking into their clients' networks, finding security holes that should be closed. And the Boston-based L0pht group, a bunch of responsible hackers turned security consultants, made headlines by telling a Senate subcommittee that they could bring down the Internet in the time it takes to watch a sitcom. They never threatened to demonstrate their prowess; they were just pointing out system vulnerabilities that they hoped would be fixed.
Such hearings have exacerbated the government's case of hackerphobia. The FBI recently claimed that cases of computer-related security breaches have risen by 250 percent in the past two years. Computer security experts and privacy advocates question the content of these reports (most of the "attacks" cited by the bureau might more accurately be classified as "nuisances") and their timing. Deputy Secretary of Defense John Hamre divulged news of the Pentagon hacks just two days before Janet Reno announced she was seeking $64 million from Congress for an FBI National Infrastructure Protection Center force.
Software vendors stand to profit from all this nervousness. Companies spent $6.9 billion on firewalls and other network security products in 1997, according to Dataquest of San Jose, California; those same analysts say that number will rise to $13.1 billion annually by the year 2000. This has made some companies very rich: When, for example, ISS Group, a maker of intrusion detection software, went public in March, its stock rocketed from an opening price of $16 to $40.75 in its first day of trading.
"People need to look at this with a cool head," says Dave Banisar, staff counsel with the Electronic Privacy Information Center. "There's a great deal of hype, sales promotion, and covert advertising going on here."
The enemy within
The hackers you've read about may not pose a threat to your business, but that doesn't mean your network is safe. In a 1998 survey by the Computer Security Institute, some 70 percent of the organizations polled said that their network defenses had been breached. The crucial detail: About two-thirds of the attacks came from the inside. So when you're evaluating threats to your network, you should ignore the hype and focus on the two likeliest perpetrators: embittered employees and spying competitors who've managed to worm their way inside your doors.
First, your IT people should do a basic risk assessment: What valuable information does your company have, and how much are you willing to pay to protect it? You don't have to be Intel to be at risk. Even small companies have sensitive information that needs to be shielded from prying eyes. The next question: Who would want that information? Start with your competitors. Then add to that list any current or former employees who have both the technical know-how and the motivation.
Once you've figured out who might want to penetrate your network, you have to figure out how they'd go about it. Start by looking at the security measures your company already has in place. According to Patrick Taylor, director of strategic marketing at ISS Group, "most business networks are not very secure" -- despite the myriad tools available.
Naturally, companies buying network security products think they're well protected. But such tools aren't always used properly. Experts note that firewalls may be improperly configured or not allocated a dedicated server. And executives or engineers often ask for special capabilities that create vulnerabilities. "All of a sudden the president doesn't want his Web access filtered, so you remove the Web filtering only for him," says Jeff Moss, director of professional services at Secure Computing, which tests clients' network defenses by attempting to break through them. "Or some engineers want to FTP into a workstation. Next thing you know, you have different rules for different people." Each time you make such exceptions or build new capabilities into the firewall (such as videoconferencing or streaming audio), you risk opening a security hole.
Trust no one
More importantly, these tools can breed complacency. "If a company has a firewall or its Internet connection is separated from the network, it may assume it doesn't have to worry," says Steven Lee, a security consultant for Verio Northwest, a national Internet service provider. Or as Mark Graff, a security architect at Sun Microsystems, puts it, "In terms of threats to an enterprise's security, most losses occur inside the company. The model where we put a moat outside to keep the bad guys out is not very useful."
"It's much tougher to break into a company [from the outside]," says Secure Computing's Moss. If disgruntled employees or unscrupulous competitors want to hack into your network, chances are they'll do it from the inside. Moss describes one case in which a company reaped "an information bounty" by planting a summer intern in a rival's office. Another security firm recently cracked the loan files of a major bank by sneaking in at night with the cleaning crew and installing keystroke monitoring tools on the bank's PCs. Verio's Lee recalls one company he worked with in which half the people who knew the passwords for core business routers were contract employees.
A more common tactic, "packet sniffing," involves surreptitiously embedding a program in a victim's network to grab passwords as they are sent across the network. "Someone might bring a laptop to work, plug it into the net, and have it out of the way in a bag where you wouldn't see it," says Moss. Traitorous techies can also install a sniffer on a desktop PC, run it during the workday, copy the resulting log files back to disk, and analyze these at home. The best defense against packet sniffers: Use switched hubs to divide your network into small segments, reducing the sniffer's potential catch.
Another big risk: those friendly folks preparing your business's computers for the 21st century. Warns Moss, "A lot of companies will fix your year 2000 problem and steal all your corporate data for one low, low price." The solution? Hire two companies you know and trust; have one company write the software, and the other test it with your data.
Companies often focus so narrowly on data and applications that they overlook the dangers of e-mail. As intellectual property and trade secrets become increasingly important, ill-considered e-mail messages can present a serious hazard to your company's health. "People send things as attachments to e-mail that have no business going out of the company," says trade-secret theft expert Joan Feldman, president of Computer Forensics. Feldman recommends carefully limiting the number of recipients of e-mail concerning sensitive subjects such as competitive strategies and product announcements.
Even personalized e-mail services from Yahoo, Microsoft, or Excite can compromise security if they are used for business purposes. "If you know someone's user name, there are programs to guess passwords," says Moss. "Nobody logs these password attempts, so you can just keep cracking away." Even worse, many people use a single password for all their many accounts. If a hacker steals your Yahoo password, for example, and it's the same one you use to log on at work, that hacker has just gained entry to your network. The obvious solution: Vary your passwords.
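An added example, not part of the original article: a minimal sketch of the control whose absence Moss describes, recording every failed login and locking an account after repeated failures. The class and function names, the thresholds, and the sample attempts are all hypothetical and constructed for illustration.

```python
from collections import defaultdict, deque

class LoginMonitor:
    """Records every login attempt and locks an account after too many failures."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900):
        self.max_failures = max_failures     # assumed threshold
        self.window_s = window_s             # assumed sliding window, seconds
        self.lockout_s = lockout_s           # assumed lockout length, seconds
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> time the lockout ends
        self.audit_log = []                  # (timestamp, user, source, outcome)

    def attempt(self, ts, user, source, password_ok):
        """Process one login attempt; returns 'ok', 'failed' or 'locked'."""
        if self.locked_until.get(user, 0) > ts:
            outcome = "locked"               # rejected even if the guess is right
        elif password_ok:
            self.failures[user].clear()
            outcome = "ok"
        else:
            recent = self.failures[user]
            recent.append(ts)
            while recent and recent[0] <= ts - self.window_s:
                recent.popleft()             # forget failures outside the window
            outcome = "failed"
            if len(recent) >= self.max_failures:
                self.locked_until[user] = ts + self.lockout_s
        self.audit_log.append((ts, user, source, outcome))
        return outcome

    def suspicious_sources(self, min_failures=5):
        """Sources with many rejected attempts, for an administrator to review."""
        counts = defaultdict(int)
        for _, _, source, outcome in self.audit_log:
            if outcome != "ok":
                counts[source] += 1
        return sorted(s for s, n in counts.items() if n >= min_failures)

def run_sample():
    # Constructed sample: one user mistypes once; another account is guessed repeatedly.
    mon = LoginMonitor()
    results = [mon.attempt(0, "alice", "10.0.0.5", False),
               mon.attempt(10, "alice", "10.0.0.5", True)]
    for i in range(6):                       # six wrong guesses, 2 s apart
        results.append(mon.attempt(100 + 2 * i, "bob", "192.0.2.77", False))
    results.append(mon.attempt(120, "bob", "192.0.2.77", True))  # correct, but locked
    return mon, results
```

The single mistyped password leaves no lockout, while the repeated guesses are cut off at the fifth failure and the source address shows up in the audit log for review.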
Hardware, too, can be a risk. Sun Microsystems, for example, considers unauthorized modems so dangerous that an employee found with one is liable to be fired the same day. But Sun's Graff says that many big companies with strong firewalls overlook a more serious threat: huge banks of dial-in modems used to connect remote employees to the company network. "Some large companies have thousands of dial-in modems that have no security at all," says Graff -- no password, authentication, or any other defenses. "You just dial the number and get a prompt."
Electronic eavesdroppers can also attack from an angle that computer-centric folks often overlook: the phone system. Hackers routinely crack the voice-mail box of a company's computer security official in order to monitor any ongoing investigations. At many large companies, an employee's phone number also serves as his or her universal communication number. Hackers are capable of parlaying a phone call to that number (known in hacker circles as "social engineering") into access to the whole phone network.
Establishing dependable network security isn't like following a recipe for brownies. "A lot of people think you can buy a firewall, install it, and be done with it," says Moss. But in order for firewalls and other security tools to work correctly, the person setting them up must understand how networks work -- and the ways in which they can be compromised. Moss warns that you can't just "have the person who knows the most [about computers] read the manual and do the job."
The best solution for many companies -- especially those that don't have an IS department and those that are venturing into e-commerce -- is to outsource security. Even large companies have decided that hiring experts makes more sense than relying on the in-house alternative. For example, Playboy Enterprises, PeopleSoft, and 20th Century Fox have all used a company called Pilot Network Services of Alameda, California. Pilot offers a "dynamic" firewall, using its own experts to constantly update the system's defenses. Fox used Pilot to run the enormously popular Titanic Web site. All three companies say they've experienced no security problems since teaming up with Pilot.
Would outside experts have helped in the Pixar case? It's difficult to say. After the company traced the intrusion back to a local ISP, the trail went cold. Though the ISP's electronic records pinpointed by name the user of the ISP services associated with the offending e-mail, that user turned out to be a computer rental bureau, and the culprit could have been anyone who happened to pay for computer time. It's the final lesson of the Pixar case: Better to prevent someone from hacking your network in the first place, because catching them after the fact -- and repairing the damage -- may not be an option.
The usual suspect
On the surface he seems the perfect employee -- a self-starter with entrepreneurial skills who works easily without supervision. But beware: He's just the sort to steal your corporate secrets.
Deny him the raise or the credit he thinks he deserves, and he may strike out on his own -- with some of your files. "Disgruntled employees need to be observed closely," says Joan Feldman, president of Computer Forensics in Seattle. "I've seen cases where employees will rationalize theft."
Furthermore, after years of downsizing, "people are more apt to circumvent the rules," according to Scott Wilcox, managing director of the San Francisco office of Kroll Associates, an international corporate investigations and management consulting firm. "Loyalties have broken down."
Kroll looks for pressure points -- the financial and emotional crunch of a divorce, the threat of a gambling debt, the specter of substance abuse. A sudden increase in secretiveness or erratic behavior may also signal trouble, says Wilcox, though he confesses that "too often you find people you can't read."
The standard profile has been "the 40- to 50-year-old white male who feels as if the company got rich off of his efforts," notes Wilcox. But in today's high-tech companies, he says, "It could be the 27-year-old working insane hours who doesn't feel his contribution is being recognized properly." Wilcox adds that a generous stock option policy may be the best insurance.
Besides instituting rigorous physical and computer security, Kroll recommends drawing up strict confidentiality and nondisclosure contracts. Bonding -- indemnifying yourself against losses caused by the bonded employee -- is another approach. "If you're letting people handle tens of thousands of dollars, you usually ask for some bond on those people," notes Computer Forensics' Feldman. "Here, you usually have a collection of midlevel managers with the key to nearly everything you own, especially if you're in the business of creating intellectual property. Do you do a background check on them? Do you ask them to be bonded?"
Few companies bond their employees, but many now run background checks. Christine Beck is a private investigator in Seattle. Her firm, C.D. Beck and Associates, runs felony background checks on many new hires at a major software maker. "The stuff that people don't disclose and don't think you'll find is pretty amazing," says Beck.
But in the high-pressure, tight-security world of high-tech, Beck notes, companies aren't just worried about someone stealing secrets: "They don't need somebody going postal." Feldman recalls a case where someone walked out of a company after encrypting everyone's password. The employee wanted to be paid to return the information and didn't understand that this was extortion. "When they are holding the life and heart of your company," says Feldman, "they can be pretty disruptive."
© 2000 Cable News Network. All Rights Reserved.