When a German hackers? club blew open Microsoft?s ActiveX on national TV by switching money from one bank account to another, the thorny issue of Internet security was instantly catapulted to the top of the IT agenda.
Dr Ross Anderson, lecturer in computer security and cryptography at Cambridge University, claims: ?The hackers did it to prove that if you run Java or ActiveX applets on your machine, you?ve left your pants down and your door unlocked.?
Days later, mischievous hackers caused the US software goliath further embarrassment. They used a rogue ActiveX component to transfer a distracted surfer enjoying a program generating real-time pornography to another server, running up a huge phone bill.
These recent stunts are the latest in a long line of pranks by hackers intent on demonstrating their own cleverness, while leaving major corporations with large quantities of egg on their face.
According to John Austen, director of Computer Crime Consultants and ex-head of Scotland Yard?s computer crime unit, embarrassment is the major danger facing corporate UK as a result of cyber attacks. He cites the following examples.
On 16 August last year, a hacker broke into the home page of the US Justice Department. The intruder inserted a new page with pictures of Adolf Hitler, a naked Jennifer Aniston from the TV show Friends and a background of swastikas.
The CIA was similarly compromised when Swedish hackers broke into its site and changed its name to the Central Stupidity Agency. The infiltrators also replaced the usual press releases with ?news from space? and ?nude girls?.
The most publicised incidents appear mindlessly childish ? the Swedish hackers were all aged between 16 and 20 ? and technically straightforward to carry out. Indeed, the code for creating a denial of service is readily available on the Internet via hacker magazines such as ?2600? and ?Phrack?.
Incidentally, the publishers of the e-zines defend their decision to print details of the vandalising code on the grounds that they are simply exposing loopholes in the architecture of the Internet, thereby forcing IT managers to make their systems more secure.
?I could sit down tomorrow and write an applet that just sits on your system and does nothing until you log on to your company?s intranet. It would ask you to re-enter your password, and it?s then instantly into the company system. It is very easy to do,? says Neil Barrett, ex-hacker and author of the recently published book Digital Crime ? Policing The Cybernation.
But if the Net is so insecure, why hasn?t there been the equivalent of the Great Train Robbery online? Where is the modern-day Ronnie Biggs and his digital super-criminals? And why haven?t businesses brought rivals to their knees through cyber attacks?
?Cyber attacks on businesses are phenomenally under-reported,? explains Barrett. ?It?s a vicious circle. Companies don?t believe the police can do anything about it, so the attacks don?t get recorded. This means that law enforcement agencies can?t get the funding for the extra resources they need to police the Cybernation.?
According to Barrett, unauthorised infiltration is already the fastest growing computer-related crime in the US, with most of it centred on industrial espionage. Pentagon sources back Barrett?s claim. Indeed, the Pentagon?s computers, which contain non-classified, but still sensitive, data were attacked about 250,000 times in 1995 alone. In 160,000 of these cases, hackers successfully penetrated the systems.
Given that military computer networks are regarded as the best protected in the world, this doesn?t bode well for the millions of commercial systems which are, by comparison, easy prey for the professional hacker.
A Senate sub-committee last year clai-med that hackers cost businesses worldwide an estimated $800m through break-ins to computer systems at banks, hospitals and other large businesses.
The most spectacular reports surfaced, courtesy of the Sunday Times, last summer. The paper claimed that gangs of cyber-terrorists had bagged up to #400m from online attacks on banks, broking firms and investment houses in London and New York.
The systems were penetrated using ?logic bombs? ? software viruses that can be executed remotely. First, the blackmailers proved they could crash bank networks and destroy data. They then sent their demands online, and the banks agreed to pay the blackmailers, transferring the money electronically to overseas accounts. The American National Security Agency (NSA) confirmed it was investigating four specific cases:
l January 6, 1993: trading was brought to a standstill at a broking house after a blackmail threat and subsequent computer crash. A ransom of #10m was paid into an account in Zurich.
l January 14, 1993: a blue-chip bank paid out #12.5m after receiving blackmail threats.
l January 29, 1993: a broking house paid #10m in ransom after similar threats.
l March 17 1995: a defence firm paid #10m in ransom.
In each case, the companies chose to succumb to the blackmailers? demands, anxious that publicity from such attacks could damage consumer confidence in the security of their systems.
?One of the most common things to go wrong within banks is they do not have the internal political will to design a policy at executive level that reflects the fact that their electronic bytes are worth protecting,? claims Winn Schwartau, a leading information security expert and author of Information Warfare: Chaos On The Information Superhighway. ?Customer confidence, the stock market ? they are all going to start worrying about the integrity of that particular financial institution,? he adds.
In his book, Schwartau offers this stark assessment of the information security threats faced by banks and other companies: ?At some point, if not already, you will be the victim of information warfare? Your company will become a designated target of information warfare. If not today, then definitely tomorrow. You will be hit.?
But, as yet, there is little evidence that companies are doing anything to address the issue. A recent study of Fortune 500 companies shows that half allow their business partners to access their intranet, even though most of the IT managers admit that the Internet technology involved is not sufficiently secure.
?There is even greater ignorance among both IT managers and police when it comes to reacting to an attack,? says ex-hacker Barrett.
He adds: ?If your system has been broken into, it?s a natural reaction to start playing around to find out what damage has been done. There are hundreds of cases where the evidence instantly gets destroyed ? even backing up can cause problems. Police and IT managers need to be trained in the forensic examination of computers.?
Beating the system: how the digital criminal attacks
The most common attack on business, and by far the easiest to implement, is service denial. Although regarded with disdain by professional hackers, denial of service is favoured by criminals.
The assailant programs a computer to continuously send phoney authentication messages to the targeted server, keeping it constantly busy and locking out legitimate users. In some businesses lack of access to a resource at a critical moment can be extremely damaging, even life-threatening.
Such attacks often follow this pattern: a denial attack occurs; a ransom demand is made; when a payment is made the denial is reversed. Recent victims include Panix, a New York-based Internet service provider and the New York Times on US election night. Ransoms were not paid in either case.
Hacking is different. Hackers try to penetrate a victim?s computer with a view to carrying out one or more of the following illicit acts: stealing information or goods; finding out credit card details; altering bank account details; issuing fraudulent communications; or extorting money on the threat of damaging Web pages. Recent victims include several UK banks, the Labour Party, the US Justice Department and the CIA.
How to protect yourself against the hackers
There are many computer security specialists advising IT users on the ways and means of protecting systems from hostile penetration ? particularly via the Internet. But most experts agree that there is no such thing as perfect security. So, when the inevitable happens, what should you do? Neil Barrett, ex-hacker and author of Digital Crime ? Policing The Cybernation (pictured right), has compiled a series of dos and don?ts:
l If you suspect that a hacker has infiltrated your system, DON?T blindly work through the system, opening files to ensure that the contents are still intact.
l DO make a record of file and directory access/modification times before examining the contents. These times are an important forensic record of the hacker?s activity.
l DO make a hard copy of any audit logs, log-in records, file access/modification times ? and DO sign these and lock them away in a secure environment. Again, these could be evidence in a subsequent legal case.
l DO provide an easy way for users to report their suspicions of computer break-ins, but DON?T castigate them for false alarms.
l DON?T ignore any hacking incident just because you think there is nothing you can do about it ? DO report them to the police. Computer hacking is a criminal offence, so help the police find the evidence that allows them to capture, prosecute and punish the criminals.
Facebook told by Brussels-based court to stop tracking non-users and to delete all data held on them
Supply chain and manufacturing experience could give Dyson an important edge
New VR Zone Portal arcades open in London and Tunbridge Wells
Systems-on-a-chip with integrated AI features could make voice and facial recognition