Computer crime
Nation's Business, Nov, 1997 by Tim McCollum
The attack was swift and precise -- the stuff of a Hollywood suspense film.
Early in 1995, hackers used the Internet to invade the small network of computers operated by an unsuspecting and seemingly unlikely victim, Net Daemons Associates Inc. (NDA), based in Woburn, Mass.
The five-year-old company helps firms manage their computer networks and uses its own network to facilitate Internet and other communications among its employees and clients.
The hackers who invaded the company installed a program on NDA's network that enabled them to record users' passwords and to roam the network freely.
The invaders stashed files containing identification codes for cellular phones, gathered sensitive information on NDA and its business customers, and then launched similar attacks on those companies and other firms.
Jennifer Lawton, NDA's chief executive, says she learned of the unlawful activity only when her Internet-service provider called to inform her of the attack. She immediately began scouring her network for signs of intrusion.
Within 48 hours, Lawton, Chris Caldwell, the firm's co-founder, and their technicians uncovered how the NDA system had been compromised, and they initiated action to prevent further damage, including the installation of software to prevent the hackers from logging on to the network again.
Then NDA called in the Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh, which helps companies investigate computer-security incidents. Technicians at NDA worked with the response team, the U.S. Secret Service, and several Internet-service providers to trace the hackers' path across the Internet based on a usage profile pieced together from NDA's network-access logs.
By following this electronic trail, the Secret Service was able to collar a ring of suspects. They were convicted of using networks connected to Internet sites to hide and exchange pilfered cell-phone codes.
"They were kind of like Hansel and Gretel," Lawton says of the hackers. "They left lots of crumbs for us to follow."
Attacks such as the one at NDA are not expected to happen to network-savvy companies such as Lawton's. She says she knew the importance of protecting NDA's network and the risks involved if she did not. Nonetheless, as the head of a small firm, she didn't want to pay the $20,000 or so that it would have cost for the hardware and software that might have staved off the attack.
"It was a relatively new time for the Internet," Lawton says. "So there still was a sense that you may not need protection if you're small and people don't know who you are."
But the age of electronic innocence is long past. In fact, the NDA incident provides chilling evidence that any company -- regardless of its size or computer savvy -- can be a victim of high-tech crime.
Companies increasingly are falling prey to hackers, computer thieves, software viruses, and, in particular, unauthorized and often illegal activities by their own employees. In fact, chances are that sooner or later most companies will become victims of high-tech crime.
Early this year the FBI commissioned a nationwide survey of U.S. companies of all sizes on the subject of computer security. The survey was conducted for the FBI by the Computer Security Institute (CSI), a security-research organization in San Francisco.
Among the survey's findings:
* Seventy-five percent of the 563 companies that responded said they had been victimized by computer-related crime in the preceding year.
* Fifty-nine percent of the victimized companies could place a dollar figure on their losses; the average per company was $401,600.
* Forty-nine percent of the respondents reported unauthorized use of their computer systems.
The problematic nature of unauthorized computer use by employees and intruders alike is confirmed by another survey, of 1,225 subscribers to Infosecurity News, a computer-security newsletter published in Framingham, Mass. The survey was conducted this year by Wilton, Conn.-based accounting and management consulting firm Deloitte & Touche. It found that security risks are increasing even though companies are taking greater steps to protect themselves.
Safeware, a computer-insurance firm in Columbus, Ohio, estimates that in 1996, U.S. businesses lost $1.4 billion to thefts of computers alone.
Yet such hardware thefts represent the bulk of only one kind of computer crime -- the kind that companies ultimately discover. In many instances, companies are never aware that they are victims because the stolen information is never missed, says Scott Charney, chief of the U.S. Justice Department's section on computer crime and intellectual property.
Worse still, says Charney, many companies are reluctant to report computer crimes to the police, fearing damage to their reputation and loss of business if customers, investors, and competitors find out about a security breach. As a result, he says, police rarely catch high-tech criminals, and cases with a happy ending like NDA's are rare.
"Small businesses that become heavily reliant on computers will have the same problem that large businesses have" with computer crimes, says Charney. "To the extent that some of their information is [commercially] valuable, they also [face] serious risk" that it could be stolen.


