In March, Richard Pryce of Kingsbury, North London, pleaded guilty to 12 offences of gaining unauthorised access to computer systems under the Computer Misuse Act 1990.

At the age of 16, Pryce hacked into several systems, including those of the US Air Force, using a #750 home PC.

Pryce was fined #1,200, but repairing the breach in its security systems cost the US Air Force an estimated #200,000.

Pryce's motivation was simple curiosity - plus the desire to impress his contemporaries. "It was more of a challenge really, going somewhere I wasn't meant to. If you set out to get in somewhere and you succeed, other hackers are impressed," Pryce admitted to the Guardian.

Pryce gained the knowledge required to break into US military computers over 200 times by cruising the popular bulletin boards that feature sections aimed at hackers. From these, he acquired the necessary "sniffer" program which was used to capture data from a genuinely authorised user of a restricted system.

"Those places were a lot easier to get into than university computers in England," said Pryce. "I was surprised at how easy it was."

The Pentagon's systems, which hold non-classified but sensitive data, were attacked 250,000 times in 1995.

"Hackers have stolen and destroyed sensitive data and software," Jack Brock, a director with the US General Accounting Office was reported as saying in the Financial Times.

"They have installed back doors into computer systems which allow them to surreptitiously regain entry. They have crashed entire systems and networks," he added.

It is fair to say that most hackers are more likely to prefer to attack sites such as defence and financial systems than the Lan operated by a small UK engineering company. Yet the increasing adoption of remote access and Intranets are just two trends which are making networking professionals nervous about unauthorised access to their company's sensitive data.

With this in mind, Network News contacted one hacker over the Internet for his views. It was relatively easy to do: go to a bulletin board which advertises a section for hackers, join in one of the chatlines - and lurk. The conversation went like this:

NN: Can hackers comment openly about their activities?

Hacker: Are you serious with these questions?

NN: Yes, I'm serious. What requests you normally get from business organisations? Do they pay you to try to break into their systems? Perhaps they pay you to look at their security and recommend changes?

Hacker: Yes, I do all of the above ...

NN: Would you admit to retrieving information from some owner who would have preferred to keep it secure?

Hacker: Perhaps not.

NN: Do you know anything about the threat from Internet Explorer, which Microsoft had to fix?

Hacker: There are plenty of public accounts of MSIE vulnerabilities: see the Web at http://www.geek-girl.com/bugtraq/search.html and search for "MSIE".

NN: Which products do you feel are secure, and which could leak like a sieve?

Hacker: Well, free software is often the best stuff around. The code is freely available and modifiable by anyone. SSH and qmail are perfect examples. As far as operating systems go, OpenBSD, a completely free Unix variant, is probably the most secure C2-level Unix available today.

Compare that with HPUX, Solaris, or AIX - all of which are peppered with holes and cost a lot of money. Don't even ask me about Windows NT; it's as insecure as anything else.

For more information on this see Phrack Magazine at: http://www.fc.net/phrack (issues 48 and 50) and http://www.l0pht.com/advisories.html.

Hacker signs off with a quote from The Usual Suspects: "The greatest trick the devil ever pulled was convincing the world he didn't exist".

Those truly concerned about hackers are turning to the hackers themselves for advice. Organisations are paying people such as Dr Neil Barrett - who learned to hack into systems when he was a computer science student - to try breaking into sensitive corporate networks.

Dr Barrett is now a senior security consultant specialising in Internet/Intranet technology at Bull Information Systems, and the author of Digital Crime (see box below). Dr Barrett gave Network News his tips on network security.

1 Determine which systems are sensitive, and from whom they are to be protected. Firewalls can be used to protect internal systems - but try to use a variety of firewalls to decrease dependencies.

2 For the data resources on those systems, establish tripwires: crytographic checksums, for instance, that allow alterations to a file to be detected quickly and an alarm to be raised.

3 Ensure that systems are backed-up frequently and, crucially, that they can be restored from that backup. Maintain a clean-state for each system: free of viruses, Trojan horses, and so on.

4 Establish and maintain strict control over user identities and passwords - the password is the only way of establishing precisely who did what to which system; this could be vital if any damage results in a prosecution.

5 Continually monitor and update these controls and audit procedures, changing them to reflect changes in personnel, systems and data sensitivity.

Constantly review the security alerts posted on the broader Web by CERT et al, so that you can keep a step ahead of your opposition.

BOOK REVIEW - Crime online

Dr Neil Barrett, author of Digital Crime, talks about the difficulties of policing cybercrooks.

"The majority of security breaches result from poor operation of security measures by users, rather than hackers. As yet there is no well understood and universally accepted mechanism for handling (digital) crimes, in terms of seizing, reading and analysing the contents of an individual's PC.

"For the police and the courts, the greatest problems centre on the difficulties of sourcing evidence ... computer forensic evidence has proved a steadily growing impediment in the prosecution of even the simplest fraud cases.

"There have, though, been several successful and well-publicised prosecutions of illegal acts, such as the dissemination of computer viruses or of paedophiliac material, leading to a useful collection of case law and precedent. It's a game of cat and mouse: the digital crook seeks out a loophole, and the security administrators try to ensure that every loophole has been blocked.

"Technology can be applied as easily by the criminal as it can by the authorities, but often the criminal has the greater resource, skill and desire to profit from that technology." Digital Crime: Policing the Cybernation, is published by Kogan Page, ISBN 0-7494-2097-9.

Dr Barrett has also written Thirty Minutes to Master the Internet and Advertising on the Internet, and is currently researching a book on the risks of electronic commerce.

IN THE NEWS - Hack attack

- 23 APRIL 1997 Fear of fraud sparks users of the London Stock Exchange's paperless settlement system, Crest, to call for a return to the paper-based system, less than a month after the #35m system went live.

- 17 APRIL 1997 An underworld plan to steal #800m from UK cash machines was foiled because the bank data was encrypted in non-repudiation code; even if it was broken once it would have to be cracked for each transaction. Industry experts said only a supercomputer could crack the code.

- 13 FEBRUARY 1997 Hackers are reported to be using servers at Southampton University to circulate threatening emails around the world. The emails, headed Naughty Robot, claim to have secured the individual's addresses, phone and credit card numbers, and instruct recipients to cancel credit cards, claiming their security has been breached.

- 23 JANUARY 1997 Academics at Princeton University have devised a radical method of breaching security on the Net, by using Web spoofing techniques. All transfers pass through the attacker's machine, allowing him or her to steal or tamper with any data transferred, or to send false data under the victim's identity.

- 17 OCTOBER 1996 A survey of 136 operational hackers by hardware and services reseller Computacenter has found most hackers believe that gaining illegal access to computer systems is commonplace and getting easier.