Hacking into the mind of a hacker The first thing to know about computer "hackers" is that the term itself is a point of dispute. Many people who hack into systems without criminal intent proudly label themselves "hackers," and say they're the good guys and the bad guys should be called "crackers" or something else. "Hackers are not evil, malicious people out to damage computer systems and steal passwords. Hackers hate these kind of people," read one e-mail I got after I wrote a column about virus writers. Others argue that "hackers" represent both good and bad guys — people who explore and "test" systems for a living or a hobby, as well as those who break into systems to embarrass or rip off companies and people. "Just like in the Wizard of Oz, there can be good witches and bad witches. In the world of hacking, it goes the same way," wrote a reader. Indeed, all "hackers" aren't criminals. Both good and bad share a common bond and form a highly caffeinated community where the lines get blurred. At several hacker conventions each year, they talk, among other things, about networks compromised, databases mined, or products where they've found holes. Some are like twenty-something Marc Maiffret, who calls himself "chief hacking officer" at eEye Digital Security in southern California. They begin hacking networks as naive teenagers, learn the ropes and then put it to use as consultants or corporate security czars. My purpose with this column is to explore the mindset of people who break into systems with malicious intent, and then to offer suggestions on how to protect your own system. These people, predominantly males, represent serious threats to the safety of networks and users. Bob Sullivan, a veteran MSNBC.com reporter who's covered the hacker community since 1997, refers to the threatening ones as "computer criminals," "attackers" or "online thugs" — something other than "hacker" to avoid confusion or controversy. I'll follow his lead. Important things to know about the bad guys: 1. Hackers in general, and computer criminals in particular, love the power of control. "For many, it's more about the thrill of technology than active malice," says Richard Ford, a security expert and former chief technology officer for Cenetec Ventures. "It's a puzzle to solve, a game to play. For some, it's about money, although these seem to be few and far between." Adds Simson Garfinkel, a computer security researcher and the author of several books on security: "The bad guys want to control as many machines as possible. The majority are in it for fun. They attack the machines of their enemies and of companies. Yet many who break in for fun graduate to breaking in for monetary gain." 2. They cause the most damage with data theft and fraud. While technology today is generally becoming more secure, breakdowns are continually exploited and the Internet is ballooning so fast that online thugs have new opportunities EVERY time they boot up. According to statistics from Carnegie Mellon University's CERT Coordination Center, the number of cyber-security incidents — break-ins, virus attacks, etc. — ballooned in 2003 to nearly 138,000, up from 82,000 the previous year. While viruses remain the most common type of cyber-attack, the FBI/Computer Security Institute annual survey in 2003 found those aren't the most damaging. The 530 survey respondents reported a total annual loss of $70.1 million due to theft of proprietary data, and $65.6 million due to denial of service, compared to $27.3 million from viruses. 3. Many companies allow attackers to get away with it. The same FBI survey cited above found that only 50% of the respondents reported computer breaches to authorities. Many cited fears of potential bad publicity. MSNBC's Sullivan illustrated just how attackers can take advantage of companies in a 2002 story about his e-mail interview with "Zilterio," a noted extortionist whose real identity is a mystery. For more than a year, Zilterio hacked into financial institutions and online businesses, stealing data and then demanding extortion payments. He claimed nine firms paid him $150,000 in "quiet money." While this claim couldn't be verified, Zilterio is indeed being sought by the FBI for extortion, Sullivan reported. 4. Any business with a Web site is a target. Many of today's online thugs use scanners to track unprotected Web sites and networks to attack, says Garfinkel, co-author of "Web Security, Privacy and Commerce." Some can scan hundreds or thousands of sites in a matter of seconds. Garfinkel's own site is protected by a firewall that can track how many times it has been scanned by potential intruders. One particular day, he counted 289,000 different scans, including 1,044 by the same would-be attacker. "Once they find a vulnerable site, they set up their attack tools," he says. Adds eEye's Maiffret: "Know that you could be a target. It doesn't matter what business you are in." 5. Attackers will get bolder — with blended threats? That's the fear of Sarah Gordon, senior research fellow at Symantec's security response unit and an expert on the psychology of computer criminals. By "blended threats," she means break-ins combined with virus infections and other methods of destruction, all of which could take down companies' networks in a matter of minutes. Ford agrees. "Massive numbers of systems could be compromised, leading to huge, nationwide outages. Fortunately, we haven't seen this happen. But I do believe it's a matter of when, not if." So much of the software on computers today is similar, he says, so a problem for one computer is likely to be replicated in others. Gordon adds that with mobile phones and other devices connecting networks to the Internet, attackers have more entry points. So, how can you protect yourself? Here's what the experts say. Have the best security protection you can afford. Companies with sensitive data need to go beyond basics of antivirus and firewall protection and get intrusion-detection systems and, perhaps, software that pinpoints the vulnerabilities of your system and recommends fixes (see www.eeye.com for more information). Never get complacent — criminal hackers thrive on penetrating "secure" systems. Develop your own company's security policy and guidelines. Put it in writing, and make security a companywide effort. Don't let your employees get away with leaking sensitive information — absent-mindedly or otherwise. Invest in your security personnel. They need tools, training, resources and some authority to make decisions. For many small businesses, managed security services by third-party vendors are the best option, Gordon says. Report computer breaches, and don't cave in to extortion threats. If you are victimized, authorities should be notified, as embarrassing as it may be to you. If you're confronted by an extortionist, don't automatically assume the criminal has all the info he needs to ruin your business. It may be a prankster testing you. "If you aren't intimidated, there may be nothing he can do," says Sullivan, who hears a lot about these pranks. "Bottom line, know your leverage." Educate young people on computer morals and ethics. Gordon believes strongly that today's young people need more guidance from parents and teachers on what's right and wrong on a computer. A greater emphasis now may mean fewer computer crimes tomorrow.