Ron Moritz, senior vice president and chief technical officer at Symantec Corp., tells about a Southern California bank that recently spent 45 days trying to figure out how a blackmailer got into its computer network. Yes, the bank had firewall and antivirus software, but neither was installed on one executive's PC. The hacker had uncovered passwords by using a Trojan horse to record the executive's keystrokes.
This happened to a bank, but did you know that your business, and you personally, can get caught in the crosshairs, too? A couple of data points:
- A June audit of homebased PCs by research firm PC Data found that almost 45 percent of those who log on to the Internet from home still don't use antivirus software.
- IDC estimates that the PCs in nearly 37 million American homes are used for work, ranging from telecommuting and after-hours catching up to running homebased businesses.
Does that work stay at home? No, it's almost always destined for an office PC via a floppy, portable, e-mail or dial-up connection. It doesn't matter to a hacker whether the entry point is the company network, home-office PC or laptop you carry around. And get ready for infiltrations through your PDA, cell phone and interactive TV.
When you think about it, hacking isn't really an attack on computers, but rather on the inattentiveness of the people who use them. We use computing devices everywhere, and they're mostly unprotected, even when they have protective software installed.
For example, the LoveBug virus that hit in May 2000 wasn't that technologically sophisticated, says Michael Erbschloe, vice president of research firm Computer Economics, but it caused almost $7 billion worth of damage to corporate networks in its first five days in the wild. It slid right through company firewalls and simply outran antivirus fixes by leapfrogging across an estimated 55 million computers worldwide in the first 24 hours. How? It seems we humans just can't resist opening an e-mail whose subject line reads "ILOVEYOU."
The Symantec Antivirus Research Center has counted some 48,000 viruses, worms, Trojan horses and other forms of malicious code floating around out there, and the number is increasing by about 1,000 each month. Erbschloe estimates cyberattacks cost companies about $17 billion in ruined PCs and lost productivity in 2000. But that's just a down payment.
Viruses are spawning still other forms of electronic chaos. Hacking has become so widespread, so romanticized and so easy that it no longer requires programming skills or even much time, says security consultant Jim Weaver, owner of Cyber Resources in Crestview, Florida. Hacking technology now includes field-tested and quasi-automated tools for random acts of sabotage. They can be quickly found on the Web with any search engine, downloaded and wielded by anyone who can use their point-and-click interfaces.
There are still plenty of "über hackers" out there, says Weaver: bright, young programmers looking for a challenge or to find out "how things work." There also are "crackers," skilled people who just want to mess things up. But most hacks come from the half-willing and often unwitting wannabes the hacker elite get to do their heavy lifting.
The serious hackers make the tools available for the disgruntled or just plain venal and package them in that "screw the establishment" ethic that has proved so appealing to not-yet-enfranchised young people for the past several decades. One of the enduring axioms of the Internet is that everything on it should be free, and the fact that any of it has become commercial really rankles some hackers, notes Weaver.
Roman speculates that the people who hacked his MP3 files probably thought they were raiding a corporate Web site, which, of course, is OK under the anything-goes hacker's code.
Hacking is fast becoming the background noise of the Net, and hackers don't aim that carefully. Most victims aren't actually selected, but rather stumbled upon using simple port scanning software that quickly probes a succession of IP addresses for open ports. This is the hack du jour, thanks to the always-on nature of cable and DSL modems in homes. And don't think your intranets, extranets or virtual private networks at work are any more secure. "These things are so easy to [hack] into," says Erbschloe. "There are half a dozen ways." If entry is possible, a more experienced hacker may try to install a program. Popular ones include the Hack "A" Tack Trojan horse, Back Orifice, Brown Orifice and the Qaz worm.
Each of these miniprograms has its own bag of tricks. The harvesting of passwords, financial data and identity information is one possibility. Once infected, a machine can even be turned into a zombie and launched with thousands of others in Denial of Service (DoS) attacks against popular Web sites like Yahoo! and eBay. "The real attacker can sit back and watch the show, because the victims are going to be blamed," says Troy Billington, a network security consultant for Internet service provider KCL.net in Miami.
Über hackers harvest addresses of victims and potential accomplices from Usenet newsgroup postings. They also befriend chat room participants and persuade them to download bugs that are supposed to be something else: MP3 music, porn or PC utilities, says Billington, who operates a popular chat room as well as the DoSHelp.com Web site for DoS victims. And, of course, hacker wannabes who download hacking tools are ready-made patsies.