Hack Attack

The computer sitting on your desk can do many things. It can calculate long tables of numbers in a flash, call up electronic libraries of information for a report, keep track of meetings for years to come and connect you with millions of people via that web of computer networks called the Internet. It can send messages across the hall or around the world and provide the latest news 24 hours a day. It can even check spelling.

But increasingly, that computer and thousands of others like it throughout the federal government are also becoming the tools of possible catastrophe. Since 1990, hackers--computer-savvy individuals with malicious intent--have used the same chips and bytes that help executives work more efficiently to alter government data files, install pornographic pictures on government computer systems, collect security passwords and disrupt military research operations.

Computer attacks are becoming costly as well as dangerous. In March, the Computer Security Institute, a San Francisco-based association of information security professionals, reported that three-quarters of the 563 U.S. corporations, government agencies, financial institutions and universities it surveyed lost a total of $100 million last year because of computer break-ins. Defense Department computer systems may have experienced as many as 250,000 attacks in 1995, the most recent year for which figures are available, according to the Defense Information Systems Agency (DISA). Those attacks were successful 65 percent of the time, DISA estimates.

Guided Weapons

Federal officials are so concerned about the threat hacker attacks pose to both government and private computer systems that former CIA Director John M. Deutch told the Senate Governmental Affairs permanent subcommittee on investigations last year that "the electron is the ultimate precision-guided weapon." If that characterization sounds a little far-fetched, consider the following incidents:

  • In December 1994, hackers attacking the U.S. Naval Academy's computer systems deleted the master back-up file from one system, blocked access for authorized users to another system, tampered with 12,000 passwords and compromised a main router, the electronic equivalent of a computer system's arteries. "At a minimum," the General Accounting Office reported in May 1996, "the attacks caused considerable disruptions to the Academy's ability to process and store sensitive information."
  • During 1995 and 1996, a hacker from Argentina used Internet connections to break into computers at the Naval Research Laboratory, NASA and Los Alamos National Laboratory, as well as other Defense Department sites. According to the GAO, the systems contained "sensitive research information, such as aircraft design, radar technology, and satellite engineering, that is ultimately used in weapons and command and control systems."
  • Dutch hackers who pillaged computer files at 34 U.S. military sites in the months leading up to the Gulf War offered the information to Iraqi leaders, a former Energy Department official said in March. The hackers not only learned the exact locations of U.S. troops and the types of weapons they had, but also gained information about the capability of the Patriot missile and the movement of American warships, Eugene Schultz, the former head of computer security at Energy, told a London newspaper.
  • A hacker who broke into and defaced the Air Force site on the World Wide Web, the multimedia corner of the Internet, late in December forced the temporary closure of 80 Web sites that carried, among other things, information on Gulf War illnesses.

Malicious hackers don't just target the DoD, however. They've also broken into sites belonging to the Justice Department and the CIA. The attack on the CIA site occurred in late September, just hours after the Senate passed a bill aimed at hindering computer crime. Secure files were never in danger, the agency said, because the Web site isn't connected to any internal CIA files. But the hackers caused more than a little disturbance by adding obscenities, changing the name of the agency to the "Central Stupidity Agency" and reworking electronic links so readers who clicked on them would be whisked off to hackers' Web sites and the Playboy magazine site.

NASA's home page has also become a favorite site for hackers, who've attacked it at least three times in the last 18 months. The culprits in the first two attacks left pornographic pictures, radical political screeds and a statement decrying the commercialization of the Internet. The most recent NASA hack occurred only two months ago, when a Delaware teen-ager altered the Web site for the agency's Marshall Space Flight Center in Huntsville, Ala., and left this message: "We own you. Oh, what a tangled web we weave, when we practice to deceive." The hacker added that the site's managers were "extremely stupid." He is under investigation by the computer crimes division of NASA's Office of the Inspector General.

Security Worsens

Not everyone who's unusually adept at computer programming is a hacker. Many computer users who like to spend time roaming the Internet would never consider doing electronic harm to a government agency or private corporation, technology experts say. In a new book, however, David H. Freedman and Charles C. Mann explain how, over a period of five years, "Phantomd," an emotionally disturbed teen-ager from Portland, Ore., hacked several hundred--and possibly several thousand--of the most secure computer systems in the nation, including those of nuclear weapons laboratories, Fortune 100 companies and classified military sites.

"Most computer experts agree that during this decade, Internet security has gotten worse," Freedman and Mann write in At Large, published in June by Simon & Schuster. "Much of society seems to be rushing onto the Internet, but the long-secret escapade of Phantomd demonstrates how easily people can roam unconstrained on the information superhighway and, if they have a mind to, do overwhelming damage."

Most of that damage can be done with tools that are ridiculously simple to use, in technological terms. In fact, many of the weapons in the malicious hacker's arsenal are everyday devices used on the Internet.

Take passwords, for example. Lots of people use the same password for all their computerized accounts, from their office computer to the ATM account at their bank to their home security systems. It's not unusual for office workers to use the word "password" to enter their office networks, computer security experts say. A hacker who's patient enough to try several hundred obvious passwords is bound to get lucky on most large systems. And if he's not patient, a password-guessing software program will automatically try every word in its dictionary-like database until it chances upon the right code.
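Password guessing of the kind described above leaves a recognizable trail: a burst of failed log-ons from one source, sometimes ending in a success. The Python sketch below is an added example, not part of the original article; the log format, the sample lines and the function name detect_guessing are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp source account result
SAMPLE_LOG = """\
1997-07-01T09:00:00 10.0.0.5 alice OK
1997-07-01T09:01:00 192.0.2.44 root FAIL
1997-07-01T09:01:02 192.0.2.44 root FAIL
1997-07-01T09:01:04 192.0.2.44 root FAIL
1997-07-01T09:01:06 192.0.2.44 root FAIL
1997-07-01T09:01:08 192.0.2.44 root FAIL
1997-07-01T09:01:10 192.0.2.44 root OK
1997-07-01T09:30:00 10.0.0.7 bob FAIL
1997-07-01T09:30:20 10.0.0.7 bob OK
"""

def detect_guessing(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return (source, account, kind) alerts for password-guessing bursts.

    kind is "guessing" when a source reaches max_failures failed log-ons
    inside the window, and "guessed" when that source then logs on
    successfully, which is the case that needs immediate response.
    """
    failures = defaultdict(deque)  # source -> timestamps of recent failures
    flagged = set()                # sources currently over the threshold
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        stamp, source, account, result = parts
        when = datetime.fromisoformat(stamp)
        recent = failures[source]
        # Forget failures that have aged out of the window.
        while recent and when - recent[0] > window:
            recent.popleft()
        if result == "FAIL":
            recent.append(when)
            if len(recent) >= max_failures and source not in flagged:
                flagged.add(source)
                alerts.append((source, account, "guessing"))
        elif result == "OK":
            if source in flagged:
                alerts.append((source, account, "guessed"))
                flagged.discard(source)
            recent.clear()  # a normal success resets the count
    return alerts
```

A single mistyped password followed by a success, as in the last two sample lines, stays below the threshold and raises no alert.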

If the hacker is adept at computer programming, he can construct a "sniffer" program that will monitor all the traffic on a particular network and record the first few keystrokes of each log-on session, where the user types in an account name and a password. By installing sniffers on the major arteries of the Internet in fall 1992, for example, Phantomd accumulated hundreds of thousands of passwords for military and government networks and commercial systems, Freedman and Mann say.

"IP spoofing" is also a popular way of gaining unauthorized access into a computer system. The hacker forges the address--called the IP for "Internet Protocol"--of a message sent over the Internet so it appears to come from a computer attached to an internal network. If the main network computer is persuaded that the hacker's computer belongs to the network, and there is no internal network security system, the main computer will send the hacker data without further question.

And if none of these methods works, there's always the tried-and-true ploy called "hijacking" a password. The hacker simply waits for someone at a computer station to get up and leave--for a cup of coffee, say--without exiting the program he's working on and turning off his machine. This trick is a favorite among college students who share huge multi-user university systems.

Getting into a computer system is the hard part, technology experts say. Once inside, a skilled hacker can rifle through data files, establish a phony account that will give him instant access on return visits, and set up an electronic tool kit that can tinker with the system's inner workings even if he is not around.

The hacker might infect the system with a computer virus that will replicate itself and erase important files. He could install a "logic bomb," a program hidden deep in the main computer and set to activate at some point in the future, destroying data. He could even replace entire software programs with a "Trojan horse," a set of files that look just like the real software but are empty.

And if the hacker isn't a programming wizard? He could log on to the Internet and download a software program called Security Administrator Tool for Analyzing Networks, or Satan, that probes computer systems for weaknesses and holes. If Satan is not available, there's always a set of programs called RootKit that automatically takes over a computer and installs a sniffer.

Information Warfare

The danger of hacker attacks is being taken seriously, even at the highest levels of the federal government. In January, a task force of the Defense Science Board, a high-powered Pentagon advisory group, warned that "an electronic Pearl Harbor" is just around the corner unless "extraordinary action" is taken immediately to improve computer security in both government and private sector networks. The report recommended that the Defense Department spend $3 billion over the next five years to strengthen the Pentagon's telecommunications and computer systems, and establish centers at the National Security Agency and DISA to study the potential causes of and responses to all-out hacker attacks the Defense Department terms "information warfare." The board also suggested creating a team of electronic security experts to stage attacks on critical government information systems to test their security.

A high-level government-industry group called the President's Commission on Critical Infrastructure Protection is also studying the gamut of computer-attack scenarios. It's scheduled to make a report to the White House in early October.

"Technology has created a wonderful interconnected world, but each connection creates new exposures and risks," Robert T. Marsh, a retired Air Force general and former chairman of Thiokol Corp. who heads the commission, said in a speech this spring. Government and private computer networks "are becoming increasingly vulnerable to vandalism, theft, malicious hackers, criminals and unscrupulous competitors. The Internet contains hacker sites with instructions on how to do the job. Our [computer] infrastructures are constantly in danger from people intent on penetrating and disrupting them--and all they need is a PC and a modem."
