Los Angeles, California
SmallTech / Monte Enbysk
The first thing to know about computer "hackers" is that the term
itself is a point of dispute.
Many people who hack into systems without criminal intent proudly label
themselves "hackers," and say they're the good guys and the bad guys
should be called "crackers" or something else. "Hackers are not evil,
malicious people out to damage computer systems and steal passwords.
Hackers hate these kinds of people," read one e-mail I got after my
recent column about virus writers.
Others argue that "hackers" represent both good and bad guys — people
who explore and "test" systems for a living or a hobby, as well as
those who break into systems to embarrass or rip off companies and
people. "Just like in the Wizard of Oz, there can be good witches and
bad witches. In the world of hacking, it goes the same way," wrote a
reader.
Indeed, not all "hackers" are criminals. Both good and bad share a
common bond and form a highly caffeinated community where the lines get
blurred. At several hacker conventions each year, they talk, among
other things, about networks compromised, databases mined, or products
where they've found holes. Some are like Marc Maiffret, 21, who calls
himself "chief hacking officer" at eEye Digital Security in southern
California. They begin hacking networks as naive teenagers, learn the
ropes and then put that knowledge to use as consultants or corporate security czars.
My purpose with this column is to explore the mindset of people who
break into systems with malicious intent, and then to offer suggestions
on how to protect your own system. These people, predominantly males,
represent serious threats to the safety of networks and users. Bob
Sullivan, a veteran MSNBC.com reporter who's covered the hacker
community for five years, refers to the threatening ones as "computer
criminals," "attackers" or "online thugs" — something other than
"hacker" to avoid confusion or controversy. I'll follow his lead.
Important things to know about the bad guys:
· Hackers in general, and computer criminals
in particular, love the power of control. "For many, it's more about
the thrill of technology than active malice," says Richard Ford, a
security expert and former chief technology officer for Cenetec
Ventures. "It's a puzzle to solve, a game to play. For some, it's about
money, although these seem to be few and far between." Adds Simson
Garfinkel, chief technology officer for Sandstorm Enterprises and an
author of several books on security: "The bad guys want to control as
many machines as possible. The majority are in it for fun. They attack
the machines of their enemies and of companies. Yet many who break in
for fun graduate to breaking in for monetary gain."
· They cause the most damage with data theft
and fraud. While technology today is generally becoming more secure,
breakdowns are continually exploited and the Internet is ballooning so
fast that online thugs have new opportunities EVERY time they boot up.
According to statistics from Carnegie Mellon University, the number of
cyber-security incidents — break-ins, virus attacks, etc. — doubled in
2001 to nearly 53,000. In the first three months of 2002, nearly 27,000
incidents were counted. While viruses remain the most common type of
cyber-attack, an FBI/Computer Security Institute survey in April 2002
found those aren't the most damaging. The 500 survey respondents
reported a total annual loss of $170.8 million due to theft of
proprietary data, $115.7 million due to financial fraud and $50 million
due to insider abuse of Internet access, compared to $49.9 million from
viruses.
Another recent study cited by The Washington Post found that Internet
attacks worldwide were up 28% in the first six months of 2002, with
most coming against U.S. technology, financial services and power
companies.
· Many companies allow attackers to get away
with it. The same FBI survey cited above found that only 34% of the
respondents reported computer breaches to authorities. Many cited fears
of potential bad publicity. MSNBC's Sullivan illustrated just how
attackers can take advantage of companies in a June story about his
e-mail interview with "Zilterio," a noted extortionist whose real
identity is a mystery. For more than a year, Zilterio has hacked into
financial institutions and online businesses, stealing data and then
demanding extortion payments. He claims nine firms have paid him
$150,000 in "quiet money." While this claim can't be verified, Zilterio
is indeed sought by the FBI for extortion, Sullivan reports.
· Any business with a Web site is a target.
Many of today's online thugs set up scanners to track unprotected Web
sites and networks to attack, says Garfinkel, co-author of "Web
Security, Privacy and Commerce." Some can scan hundreds or thousands of
sites in a matter of seconds. Garfinkel's own site is protected by a
firewall that can track how many times it has been scanned by potential
intruders. One recent day, he counted 289,000 different scans,
including 1,044 by the same would-be attacker. "Once they find a
vulnerable site, they set up their attack tools," he says. Adds eEye's
Maiffret: "Know that you could be a target. It doesn't matter what
business you are in."
· Attackers will get bolder — with blended
threats? That's the fear of Sarah Gordon, senior research fellow at
Symantec's security response unit and an expert on the psychology of
computer criminals. By "blended threats," she means break-ins combined
with virus infections and other methods of destruction, all of which
could take down companies' networks in a matter of minutes. Ford
agrees. "Massive numbers of systems could be compromised, leading to
huge, nationwide outages. Fortunately, we haven't seen this happen. But
I do believe it's a matter of when, not if." So much of the software on
computers today is similar, he says, so a problem for one computer is
likely to be replicated in others. Gordon adds that with mobile phones
and other devices connecting networks to the Internet, attackers have
more entry points.
So, how can you protect yourself? Here's what the experts say.
1. Have the best security protection you can afford.
I discuss the basics in this story. But companies with sensitive data
need to go beyond basics and get intrusion-detection systems and,
perhaps, software that pinpoints the vulnerabilities of their systems and
recommends fixes (see the eEye site for more information). Never get
complacent — criminal hackers thrive on penetrating "secure" systems.
2. Develop your own company's security policy and
guidelines. Put them in writing, and make security a companywide effort.
Don't let your employees get away with leaking sensitive information —
absent-mindedly or otherwise.
3. Invest in your security personnel. They need
tools, training, resources and some authority to make decisions. For
many small businesses, managed security services by third-party vendors
are the best option, Gordon says.
4. Report computer breaches, and don't cave in to
extortion threats. If you are victimized, authorities should be
notified, as embarrassing as it may be to you. If you're confronted by
an extortionist, don't automatically assume the criminal has all the
info he needs to ruin your business. It may be a prankster testing you.
"If you aren't intimidated, there may be nothing he can do," says
Sullivan, who hears a lot about these pranks. "Bottom line, know your
leverage."
5. Get up to speed on the proposed Cyber Security
Enhancement Act of 2002. This bill, HR 3482, was overwhelmingly passed
by the U.S. House of Representatives and is now before the Senate. It
allows judges to issue life prison sentences to malicious hackers. It
amends the current sentencing guidelines and allows judges to consider
intent, violations of privacy rights and the sophistication of the
offense, as well as actual loss. This bill may not be perfect, but I
believe tougher sentences are needed.
6. Educate young people on computer morals and
ethics. As discussed in my virus writers column, Gordon believes
strongly that today's young people need more guidance from parents and
teachers on what's right and wrong on a computer. A greater emphasis
now may mean fewer computer crimes tomorrow.