[sacw] [ACT] Hacking Into Your Computer Has Been Privatized

[Harsh Kapoor]

FYI
Harsh Kapoor
---------------------

International Herald Tribune
Paris, Wednesday, February 2, 2000
Hacking Into Your Computer Has Been Privatized
By David Ignatius The Washington PostWASHINGTON - So you
think your computer communications are safe and secure? Experts in the
security business confide that most computer networks are wide open to
attack by dedicated hackers.
Want to break into one of Switzerland's most famous private banks and
look at its accounts? Not a problem.
Want to break into the computer of a key government agency of a big
European country and read messages tasking its security officers? Not a
problem.
Want to crack corporate networks and read the e-mail traffic? Not a
problem. In fact, that is so easy that it isdone routinely.
We are not talking here about electronic intercepts by the U.S. National
Security Agency or black-bag jobs by the CIA. These operations are
conducted by the growing global network of private security consultants,
using sophisticated hacking tools.
An example of the hackers' tool kit is something called a ''packet
sniffer.'' Once the hacker gains access to electronic transmissions passing
through a computer network (which is not as hard as you might think), the
sniffer allows him to read the electronic bundles of information - those
little 1s and 0s streaming over the Net - and translate them into readable
computer files. An apprentice hacker can download the software needed for a
packet sniffer from one of many sites on the Net.
What is happening, in effect, is the privatization of some of the most
powerful tools traditionally used by intelligence agencies, which allow
them to overhear our conversationsand read our mail.
The new privateers are mostly former spies and law enforcement officers,
from Washington to Paris to Moscow to Canberra, who are out now and
offering their skills on the open market. They are working with former
colleagues and liaison contacts around the world, and with the hacker
underground, to get the information they need. ''The Cold War is over,''
explains one member of this private security brotherhood. ''People in
police and security services are just trying to make money.''
One ripe source of information is the hundreds of agents overseas who
were dumped by the CIA in the budget cuts of the mid-1990s. Many of them
are free-lancing now.
If you want access to this network, you can start by contacting one of
the high-powered Washington or New York law firms. They will contact a
private security firm, which will contact a consultant, who will contact
another consultant, who will work with hackers, cops, second-story artists
- whoever is needed to get the job done.
Typically, the person who initiates a request for information at one end
of the chain has no idea who actually obtains it, or what methods were
used. The sources are shielded by what are known in the spy world as
''cut-outs.''
If you saw the 1998 movie ''Ronin,'' you have an idea of how the security
brotherhood works. The Ronin are modern-day equivalents of samurai warriors
who have been decommissioned after a war and are wandering the landscape
looking for work. The movie's plot is fanciful, but the portrait it draws
of a fraternity of ex-spooks for hire is quite accurate.
Companies which want to protect themselves against these electronic
attacks should consider investing in counterintelligence. An example of
what is available comes from Michael L. Puldy, who heads IBM's Emergency
Response Service. He runs a group of about 100 people worldwide who help
IBM clients clean up the damage from electronic break-ins and try to
prevent them from happening in the first place.
Mr. Puldy says companies are much more vulnerable to electronic attack
than they realize. They may think they are protected by so-called ''fire
walls'' that screen who gets into the network. But if the fire wall
software is installed right out of the box, it usually contains default
passwords and other trapdoors that allow smart hackers to get in.
Mr. Puldy's group mainly does electronic ''perimeter checks,'' looking
for holes in a company's network, along with installing ''intrusion
detection monitors'' which sense when a hacker is trying to break in.
IBM also offers a more aggressive ''Ethical Hacking Service,'' which for
a fee will break into your system and show just how vulnerable it is. Mr.
Puldy says IBM's ethical hackers can penetrate more than 75 percent of the
systems they attack. Once inside, they can find password files, break into
the corporate e-mail server and read everyone's mail, and sometimes even
get into the CEO's hard drive.
Packet sniffers are the enemy. Mr. Puldy says cable modems are especially
vulnerable, because it is easy to read the other computers on a
neighborhood cable loop. ''If you're on the neighborhood ring, you can put
a sniffer on the cable and watch everything I do on my computer - stock
trades, passwords, e-mails, everything.''
It is harder to crack ''digital subscriber line'' or DSL technology that
is used to provide high-speed connections over telephone lines - but not
impossible. ''Given enough time and effort, you can break into anything you
want to,'' Mr. Puldy says.
Civil libertarians still focus on privacy threats from government, but
they are way behind the time. Like everything else in the global economy,
snooping has been privatized.