Copyright 1993 IDG Communications, Inc. InfoWorld December 13, 1993

Hackers and cyberpunks have received a lot of attention lately. From the Los Angeles Times to Newsweek, from the famous WarGames movie to the detailed exploits of Robert Morris, the Internet worm creator. Exposés of the computer underground are terrifying many individuals into a deep computer phobia. The perception is that bands of angry, antisocial adolescents are waiting in the wings to wreak havoc on the nation's nuclear arsenal, monetary supply, and space programs. The reality is that there is a far greater information security risk from the administrative assistant whose insurance premium was bumped and wages frozen than from any Legion of Doom member. In retailing, the greatest proportion of larceny occurs among internal employees. The same goes for IS and others who have access to information systems. The users who have privileges within accounting systems, databases, and confidential records are more apt to err or sabotage the system than a rogue hacker. Assuming that the network manager or MIS director has implemented sufficient security procedures and protocols (nonpublished dial-in numbers, adequate levels of password protection, delayed modem pickup, enforcement of good passwords, and timely password changes), for a vast majority of organizations, the threat of a hacker getting into the LAN is insignificant. It is the quiet end-user lurking in the inside who has the greatest potential for destruction. For those who still have a fear of the cyberpunk, it is crucial to realize that the cyberpunk is interested in a few, select establishments. Organizations such as MITRE, NASA, FDIC, DOD, Blue Cross, SRI, Chemical Bank, and TRW are far more fascinating and alluring than the standard businesses that have no far-reaching impact. Would you spend 12 hours attempting to penetrate the 10-user archaic LAN at Irving Tire & Auto?
Most ordinary business LANs such as Irving Tire have nothing more than megabytes of boring memos, monotonous reports, and dull databases. No self-respecting hacker would spend an entire evening rummaging through such systems. There is simply no reward for the hacker in doing such. For the vast majority of American businesses that are not part of the Fortune 500 or defense contractors, the fear of a hacker is simply more hype than reality. The real danger is perceiving the hype as reality. If an MIS staff spends its time chasing the nonexistent hacker, the real internal security breach will only continue to spread. That is one trojan horse that even the best security software couldn't identify. Two critical and effective proactive measures in any info-security system are the distribution of a clear and understandable information systems policy manual and the separation of duties among staff. Telltale signs, such as key technical or financial staff members who never take vacations or reject any concept of cross-training or promotion, are indicators that some type of indiscretion may be occurring. Cross-training and separation of duties are key steps to take to curtail any info-security predicament. It is far more glamorous and exciting to chase a hacker across three continents with the NSA and Interpol at your side than to discipline a disgruntled data entry clerk on the seventh floor. Yet it must be realized that there is only one Clifford Stoll but thousands of perturbed employees and breaches that need to be mended. As soon as the hype is discarded and the dreams of being another James Bond are abandoned, one may finally tackle the real info-security issues. But until then, the losses mount and the breach grows and grows.

Copyright 1994 The Times-Picayune Publishing Co. The Times-Picayune January 12, 1994 Wednesday, THIRD

In today's high-tech world, even small businesses have elaborate, computerized phone systems.
Now the Better Business Bureau is warning of an increase in phone scams using these complex systems. The BBB says the scams, which can run up thousands of dollars of long-distance telephone charges, are frequently the work of prison inmates who use various methods to gain access to an outside company's telephone lines in order to place the unauthorized calls. In one scenario, the BBB says, an inmate calls the company, claiming to be a new employee who does not have an access code and needs an outside line. Once this information is given and he has an open line, the scam operators, many of whom are skilled computer hackers, are free to place calls across the country and world. The company is unaware that anything is wrong until it receives an exceptionally high phone bill. In many cases, the businesses must pay for these calls, the BBB says. The bureau advises businesses to understand all the capabilities of their elaborate phone systems by checking with the vendors who sold the equipment. Any vendor should be able to describe the fraud-defense features of its system, the BBB says.

Lighter recalled: In one of the worst marketing ideas of 1993, the New York Lighter Company Inc. manufactured disposable cigarette lighters decorated with troll designs. Now the company is recalling 24,000 of its "Good Time Troll" lighters because they may tempt children to play with them. The lighters sold for $3 each at convenience stores nationwide from January through July 1993. Owners of the lighters can call the company at 1-800-6262-4732 to receive special pre-paid packaging and instructions for returning the lighters. The company will send free gifts to consumers who return the lighters.

Casablanca fan recall: Casablanca Fan Co. is recalling about 3,264,000 ceiling fans, manufactured from 1981 through 1993. The fans, which sold for $200 to $2,500, can separate from the canopies on which they are mounted and fall, possibly injuring bystanders.
In addition, falling fans may expose wires that pose electric shock hazards. The company has received at least 50 reports of fans falling from ceiling mountings. The recalled fans can be identified by looking at the metal nameplates on the exterior of every Casablanca fan. A recalled fan will have "Casablanca" on the nameplate. Also, the second letter of the serial number on the name plate will be A,B,C,O,P,R,S,T,U,V,W,X or Y. Casablanca has designed a retrofit part to be installed by the consumer to prevent the fan from falling from its mounting. For more information or to get the free kit, call 1-800-390-3131. The company says consumers should stop using the fans and prevent anyone from walking, standing or sitting below them. If a fan falls, the circuit in which it is connected should be turned off.

If you have a question or problem, write to The People Helper at The Times-Picayune, 3800 Howard Ave., New Orleans, La. 70140, or call 821-1727. Consumer complaints about mail-order companies or local businesses must be in writing and should include copies, not originals, of the necessary documentation.

Copyright 1994 Toronto Star Newspapers, Ltd. The Toronto Star January 11, 1994, Tuesday, FINAL EDITION

An Oshawa-area youth has been charged with defrauding the cellular telephone network run by Rogers Cantel Inc. of $500,000 worth of long-distance telephone calls. The alleged theft took place last spring and fall, Cantel's director of fraud and security, Clive Woodrow, said in an interview yesterday. The suspect cannot be identified because he was less than 17 years old at the time charges were laid. The suspect allegedly charged long-distance calls to Cantel customers' phone numbers by using a computer to gain illegal access to their voice mailboxes and changing the greetings, Woodrow said. The greetings were then apparently used to approve calls billed to the Cantel customers' numbers, Woodrow said. A small number of customers were affected, he said. Some $200,000 worth of the calls were made to a single Cantel phone number over a 17-day period, he said. Cantel blames Bell Canada's new automated long-distance billing service and is locked in a dispute with Bell over which firm should shoulder the bulk of the losses. Since the alleged theft, Cantel has begun offering customers a service that prevents their cellular telephones from accepting third-party bills, he said.
Long-distance fraud costs North American firms an estimated $2 billion a year, telecommunications consultant Ian Angus said. Much is conducted by computer hackers who gain illegal access to telephone networks by figuring out how to break the access codes.

Copyright 1993 Forbes, Inc. Forbes September 13, 1993

Hackers warn they'll either be working for you or against you. Can you believe anything they say?

SCOTT CHASIN is a young man working in what some people insist will be one of the growth jobs of the 1990s -- cracking and entering computer systems. He has remarkable qualifications, only some don't appear on his resume. A member of the Legion of Doom hacker group -- notorious for penetrating and disrupting telephone company systems -- Chasin, while never convicted, has had his brushes with the law. He now works full-time managing personal computer networks for Amoco in Houston. Chasin claims that since his Legion of Doom days he hasn't done anything illegal. However, he still spends several hours a night exploring the computer underground. "I want to keep my hand in what's going on," he explains. "The technology changes incredibly fast." Chasin has good reason to stay on top of his game: He moonlights as a computer security consultant, he says, paid by clients to safeguard their computers from people . . . like he used to be. Hackers are generally an annoyance to the business world, burrowing into corporate databases and leaving taunts -- or worse. In 1992 alone, U.S. companies were struck with more than $2 billion in unauthorized phone bills, according to Telecommunications Advisors, Inc. Now, however, a more pragmatic population of hackers is moving into its 20s and 30s. Like most people in that age group, they are looking for a little job security. Many, like Chasin and the self-proclaimed dean of hackers, Ian Murphy, say they intend to find it in the corporate world, preferably in a position that takes advantage of their unique skills.
Whether as industrial spies or as computer security consultants, hackers say they are entering the work force to do good. Then again, they may be lying.

Beats slinging hash at McDonald's

There are a number of ways hackers can make money from their trade, and they seem to be exploring all of them. "These kids don't want to give up hacking to sling hash at a McDonald's," notes Gail Thackary, a deputy attorney for Maricopa County, Ariz., who became a well-known hacker-buster with the Philadelphia district attorney's office in the mid-1980s. Some hackers hope to become software vendors, selling polished versions of programs they swap among themselves. One hacker, known as Video Vindicator, is preparing to distribute a program that scrambles confidential data files -- from marketing databases to a bookie's accounting records -- making them unreadable without the appropriate passwordlike code. A second program will help identify cellular phone transmission frequencies, a product, he notes, that will be of interest to drug dealers and other dubious characters looking for untappable phone lines. "I'm hoping to make a couple of million the first year," he says, without a trace of irony. Fraud is another way to make hacking pay. Stealing credit card numbers from credit bureaus and other sources has long been a hacker mainstay. But as credit bureaus grow more adept at protecting card numbers and hackers' appetites for equipment and cushy lifestyles grow, other, more lucrative crimes are becoming attractive. Tapping into bank networks and electronically hijacking money is one increasingly popular undertaking. Counterfeiting money and negotiable securities with high-tech photocopying systems is another. "We're seeing the merging of criminal computer activity with more traditional criminal activity," says special agent John Lewis of the Secret Service, which along with the FBI investigates computer fraud.
Many hackers and some security professionals insist that companies have hired hackers to go after competitors. "It's absolutely true, and I know it from first-hand experience," says John O'Leary, director of education for the Computer Security Institute, San Francisco. "I can't say I've seen a contract, but I know of a company that has hired a hacker to break in." The Secret Service's Lewis and supervisory special agent for the FBI's Economic Crime Unit, Harold Hendershot, both say the threat may be a real one. "Hackers have probably been hired for this," says Hendershot. Competitive intelligence consultants comprise one rumored source of employment for industrial spy-hackers. These small firms are hired by larger companies to snoop out data on competitors, ostensibly via computer searches of publicly accessible databases and other legitimate sources. But by all accounts, some of these companies are hired on a no-questions-asked basis with the understanding that they'll do whatever it takes to get the goods. "Competitive intelligence companies are all sleazy; they're brokers for thieves," says Gary Johnson, senior investigator with the Harris County district attorney's office in Houston, who is experienced in hacker cases. He says managers could be buying information stolen by hackers without knowing it or being only dimly aware of the situation. Hackers looking for employment opportunities can supposedly turn to the hacker-operated computer bulletin board services. These services are located throughout the United States and abroad, and are accessible by anyone with a computer and modem. Although most of the material posted on the hacker boards is juvenile blather about sex, computer games and societal ills, many of these boards have "elite" sections that can be entered only by proving one's hacking expertise via quizzes, references or phone interviews. It may be here that hackers get down to business. 
"If I want information on XYZ Corp., all I have to do is post a note offering to swap a 359-megabyte hard drive in exchange," says Jim Kates, vice-president of Stamford, Conn.-based Janus, a computer security firm. Kates has learned how to bluff his way onto the elite boards and says he sees notes like that "all the time." But none of the dozens of hackers, computer security consultants, corporate information systems managers or law enforcement agents specializing in computer crime who were interviewed for this article could provide any verifiable evidence of hacker espionage. The larger, more established security consultants -- typically attached to Big Six accounting firms since their services grew out of financial auditing practices -- downplay the threat. "The mythical overseas hacker going after companies isn't a big problem," says Alan James, manager of information technology assurance services for Coopers & Lybrand in Los Angeles. "Generally speaking, employees accidentally deleting files is a bigger problem." Harry DeMaio, national marketing director of information protection services for Deloitte & Touche, Wilton, Conn., contends that his clients are much more concerned about the accessibility and accuracy of their data than they are about competitors getting their hands on it. "Defense contractors, credit bureaus, and toy and cosmetics manufacturers worry about the confidentiality of their data," he says. "But for most companies it's almost a negligible issue." Hackers maintain that computer security professionals dismiss the threat of hired hackers either because they don't realize what's going on in the computer underground, or because they know they can't protect against it. To do so, they claim, you need to have been a hacker yourself.

Jekyll or Hyde?

Switching from malicious hacker to hackers' nemesis is a more natural transition than may at first seem likely.
"It's almost a rite of passage to first be convicted of some computer crime and then try to find work as a computer security consultant," says Michael Alexander, editor-in-chief of Info-Security News, a bimonthly magazine for the computer security industry. Although few hackers are known to have made it as security consultants, those who dream of being rewarded for shutting down their colleagues can find a role model of sorts in Ian Murphy. Captain Zap, as Murphy is known on the hacker bulletin boards, first won a name for himself with his 1981 bust for, among other things, breaking into the White House's computers. Murphy claims to be hired on a regular basis to carry out various computer security chores for corporations. Most notably, he performs penetration tests, in which he attempts to break into clients' computers to identify their vulnerabilities to hacker attack. To get his hands on passwords and other computer documentation, he routinely sifts through dumpsters outside his clients' buildings, he claims, even going so far as to physically break into facilities, as he says he did at United Airlines' Saddlebrook, N.J., reservation center. Needless to say, getting paid to break into a company's computers without risk of arrest is a hacker's fantasy, and Murphy loves to lord it over other hackers. "I'm the only hacker on the planet who's doing this sort of thing," he says. Adding to his hubris, People magazine ran a flattering profile of him, and the computer industry trade magazine Information Week put Murphy on the cover, unquestioningly reporting his self-described exploits and his claimed earnings of up to $500,000 a year. (Murphy repeatedly telephoned to push for the cover slot of this supplement.) Murphy is a playfully obnoxious, pudgy 36-year-old who lives with his parents in their Philadelphia home.
His phone conversations are punctuated by shouting matches with his mother, who becomes particularly riled when her son risks electrocution by staying on the phone during thunderstorms. (A budding romance with his Federal Express delivery-woman has kept the twice-divorced digital swashbuckler out of the home as of late.) At times, Murphy seems to have a little trouble separating fantasy from reality. He rants about building battery-powered devices that will wipe out all nearby electronic chips with a massive electromagnetic pulse. He says his company, IAM/Secure Data Systems, is being taken public. He brags about a lucrative book deal that never quite materializes. Murphy also refuses to provide the names of corporations on whose behalf he has supposedly hacked, claiming he is bound by nondisclosure agreements. He did participate in a Peat, Marwick & Mitchell-run penetration test of the Philadelphia Savings Fund Society (now defunct) in 1986. "Ian performed in a satisfactory way," says a former partner of Peat, Marwick (not Peat Marwick KPMG). "But we kept a very close eye on him."

The "backdoor" trick

If Murphy is a role model, it is only for the dishonest hacker who is unsuitable for security work, fumes prosecutor Thackary. Rumor has it that Murphy has on occasion sent companies unsolicited information about other hackers along with a bill. "All that proves is that he's willing to sell out his friends in the underground," she says. (Murphy denies such marketing tactics and insists he doesn't turn in other hackers.) Not surprisingly, other law enforcement figures who have dedicated their careers to shutting down hackers are less than charmed by the notion of hiring ex-hackers to provide security. "Have you ever met one of these kids face-to-face? They're nerds," says Harris County's Johnson. "Even the mob wouldn't trust them."
But Johnson and Thackary's reaction to Murphy and his fellow hacker/consultants is mild compared to those of computer security professionals. When Scott Chasin and some of his Legion of Doom pals, including well-known hacker Chris Goggans, started up a Houston security consulting firm called Comsec in 1991, they were excoriated in articles and letters published in the computer trade press. Chasin claims one prominent security professional promised to call all of Comsec's prospective clients to warn them off. "How would you feel if some young guy who knew all the tricks was entering your line of work?" Among the tricks hackers use to gain access to a company's computers is leaving a "backdoor" to the system -- a program or password that allows them to get back in at a later time. "What happens if your relationship with a hacker sours?" asks the Computer Security Institute's O'Leary. "Now you've got somebody who has the keys to the kingdom and the motivation to do nasty things." Hackers never truly reform, contends Thackary, especially when they hope to trade on their expertise. "If they're going to get good information from the underground on behalf of their clients, they have to be doing something in return," she says, such as providing information about their employers. Although hackers don't deny keeping their hands in the game, they claim there is no conflict. "You don't bite the hand that feeds you," Murphy says. Such promises, though, smack of extortion: Hire me or I may rip you off. And not all hackers adhere to even this dubious guarantee. Harris County's Johnson uncovered a scam in which hackers searched out local corporations whose dial-in computer systems were protected by easily guessable passwords. They would leave a harmless virus on the system, contact the company to warn it about a virus that was "going around" and then offer a free security evaluation.
If a company bit, the hackers would use the evaluation as a cover to gain access to all of the company's systems and then insert backdoors for later systems raiding.

Clueless "Ken dolls"

Ex-hackers concede their ethics aren't exactly mainstream, but insist they are a company's best bet. Conventional security consultants, they say, are simply clueless about how to defend against hackers. "The Big Six accounting firms send over people dressed to the nines like Ken dolls, with degrees in accounting and psychology, and they're generally incompetent," sneers Murphy. "While I'm jumping into dumpsters, they're presenting a report that highly recommends locking the door to the data center." Chasin is equally contemptuous of the industry, claiming that one speaker at a security industry seminar spent several minutes explaining to the audience of computer security heads how to load software from a disk into a computer. "I just sat there thinking, 'No wonder it was so easy when we were hacking,'" he says. But not all computer security professionals are gray-suit auditor types. A short, slightly balding man in his 40s with a friendly, soft-spoken air, Peter Goldis is the establishment's answer to hackers. He travels around the world breaking into clients' computer systems for $6,000 to $75,000. The jobs are often arranged by Coopers & Lybrand, among others, for whom he is a subcontractor. He carries with him a loose-leaf binder filled with short programs he has written to bypass the various security procedures implemented on mainframes. One program, entitled "Get Another User's Password in a Top Secret Shop," comprises 16 surprisingly simple lines, such as "LA 1,PARMS," that cause the computer to spit out the passwords of employees who are authorized to control all the machine's operations. By entering one of these passwords, Goldis can roam unimpeded throughout the corporate cyberspace. Sometimes the job takes 20 minutes, other times a few days.
Goldis says 56 of his 60 penetration tests have been successful, and those that have failed were retests for clients that had previously implemented his suggested security fixes. The ease with which he customarily breaks into systems often shocks his clients. "I was hired by a corporation in Australia, and within a few hours I was far enough into their accounting system to start cutting checks," he recalls. Janus' Jim Kates also performs penetration testing, as do most of the Big Six firms and even IBM, if pushed. Though mainstream security professionals tend to downplay penetration testing as gimmicky, they point out that because legitimate professionals can do the job, there's no need to even consider hiring a hacker. "Why hire a Chris Goggans when you can hire a Peter Goldis?" asks InfoSecurity News' Alexander. But it's not clear that Peter Goldis or any other mainstream penetration testers can really simulate a serious hacker attack. Password cracking is, of course, where hackers shine. Murphy says he has snuck into executives' offices after hours dressed as a custodian and prowled through countless trash cans. Video Vindicator claims he and other hackers have a program that can automatically break passwords on some systems within 30 minutes by trying every word in the dictionary at a rate of 10,000 words per second. Goldis and other security professionals concede that hackers are adept at breaking through password security. But they claim companies can't learn much from the experience because some employees will always be careless about keeping their passwords secret and there will always be ways to sneak into buildings. Goldis adds that hackers are most skilled at breaching security on PCs and Unix-based systems, while corporations' most vital data resides on mainframes. But Murphy, Chasin and other hackers insist they can show companies how to make themselves invulnerable to password-prowling hackers.
In addition, they say mainframe expertise can be gleaned from readily available sources. Goldis has himself picked up many of his best tricks from software manuals that companies were about to discard. At any rate, hackers probably need not worry about mastering mainframes. Corporations are moving at breakneck speed toward PC- and Unix-based systems in the form of client/server architectures, which may place professionals like Goldis and Kates at a disadvantage. Goldis says he's studying the subject. If hackers do have an edge, why don't more companies hire them to provide penetration testing or other security services? Actually, say many hackers, they do -- they just won't admit it. Besides being generally reluctant to discuss security problems, corporate computer security managers recognize that there is nothing to gain, and a lot to lose, by admitting that they hire hackers. Michigan Bell was inundated with negative publicity when word leaked out in 1989 that it had hired hacker John Maxfield as a security consultant. The company now can't put enough distance between itself and the incident. "It was a poorly conceived idea by one of my ex-bosses," says Craig Granger, current director of computer security for the phone company. (The ex-boss is now an ex-employee, Granger adds.) And when Chasin and friends formed Comsec (which closed its doors last year), Computerworld, a trade publication, quoted Norman Sutton, a computer manager at high-tech manufacturer Leemah Datacom, as liking the idea of learning from hackers. Now Sutton refuses to discuss the issue, except to state that he never employed Comsec or any other hackers. In any case, companies may be hiring hackers without realizing it. "I'm not sure I would present my credentials as a hacker if I were applying for a job," says Video Vindicator.
Scott Chasin didn't; his boss at Amoco found out his promising young hiree was a nationally known hacker only when he saw Chasin on NBC's "Dateline" breaking into the network's computers. According to Chasin, his boss was "tickled." Computer security managers at Exxon might wonder exactly which possibilities were tickling him.

WHY THE THREAT IS GROWING

Companies now have more reason than ever before to fear hacker espionage, thanks to a number of trends. Among them:

* GLOBALIZATION
The pressures of international competition have spawned the best-known recent cases of industrial espionage. Earlier this year the CIA warned 49 U.S. defense contractors that the French government was preparing to spy on them, prompting the Pentagon to ask Hughes Aircraft, Lockheed and other aerospace companies not to participate in the Paris Air Show. And four giant Japanese corporations reportedly bought secret Star Wars computer code in 1990 from a scientist at a high-tech defense contractor in California. Multinational hacking is already part of the picture. German hackers are known to have attacked NASA databases, and law enforcement officials believe corporations are fair game. "If I were a developing Eastern European pharmaceutical company and I wanted a base of information," says Secret Service special agent John Lewis, "my choices would be to launch a lab program to develop it or to go somewhere it already existed. One way would be through computer intrusion." Harold Hendershot, supervisory special agent for the FBI's Economic Crime Unit, notes that Sweden-based hacker group the Dream Team (best known for cracking copy protection on commercial and game software and then distributing the programs on bulletin boards) is becoming increasingly brazen. Other hackers say the Dream Team has also begun to engage in corporate espionage; Hendershot doesn't rule out that possibility.
* THE MOVE TO CLIENT/SERVER ARCHITECTURES Companies have traditionally kept most of their data either on mainframes, which can be guarded with security software, or on stand-alone PCs, which usually can't be accessed from the outside. But as client/server architectures become increasingly popular, both barriers are removed. Servers, which act as data hubs for groups of PCs, typically run the Unix operating system -- notorious for its lack of mainframe-style security features and a particular favorite of hackers, many of whom learned their trade on the Unix-based systems popular at high schools and universities. What's more, servers often provide dial-in ports; if a hacker reaches such a server, he or she would be able to access the attached PCs.
* HACKERS' STEEP LEARNING CURVE Law enforcement agents all agree that hackers' obsession with sharing information via bulletin boards makes them better able to stay abreast of the latest tricks of the trade and corporate vulnerabilities than their adversaries. "Hackers use open communications as a weapon against us," says Jim Kates, vice-president of Stamford, Conn.-based computer security firm Janus. "Those of us in security don't like to talk about what we find out."

TIGHTENING YOUR SECURITY

Companies tend to rely heavily on password security to prevent their computer data from falling into the wrong hands, but hackers are adept at guessing or stealing passwords. Some additional, often overlooked, ways to protect systems include the following:

* TURN PCs AND SERVERS OFF AT NIGHT People often let their machines run 24 hours a day, making them prime targets for after-hours hackers if the machines have modems or are connected to servers with dial-in ports.
* INSTALL DIAL-BACK PROTECTION These devices allow modems to receive calls but remain connected only long enough for a caller to enter a password. The device then hangs up and calls the employee back at a preapproved phone number.
To gain access to a system with dial-back protection, a hacker would have to be at a location with an approved phone number or reprogram the dial-back device with his or her own number -- a difficult task.
* DISTRIBUTE ELECTRONIC AUTHENTICATORS TO EMPLOYEES WHO REQUIRE DIAL-IN ACCESS These card-deck-sized devices generate new passwords every few seconds in sync with a device attached to the dial-in system; all an employee has to do is type in the password displayed by the authenticator. Even the cleverest and luckiest hacker usually requires at least several hundred tries to correctly guess a password; the authenticator demands that you get it right the first time. And because the password is constantly changing, it can't be given out or stolen.
* IF A COMPANY MUST RELY ON PASSWORDS, IT SHOULD ENCOURAGE EMPLOYEES TO SELECT THEM AS FOLLOWS Settle on a familiar phrase, such as "Down and out in Beverly Hills"; then list the first letter of each word, capitalizing just one of them; finally, add a number to it. The resulting password -- something like "daoiBh6" -- is easy to remember but difficult to guess, even for hackers equipped with automated password guessers that try every word in the dictionary forwards and backwards.
* RUN CONFIDENTIAL DATA FILES THROUGH ENCRYPTION SOFTWARE THAT STORES THEM IN SCRAMBLED FORM Although this doesn't make files any harder for hackers to steal, they won't be able to make sense of them if they do.

THE PROS AND CONS OF HIRING HACKERS

PROS

* Hackers will usually know the latest tricks other hackers are using to break into systems and thus will be able to suggest ways to foil them.
* Hackers may be able to pick up advance notice of hacker attacks via underground contacts or hacker bulletin boards.
* Unlike conventional computer security professionals, hackers are particularly adept at dealing with PCs and Unix-based servers, which are increasingly where the action is.
* Hackers can provide penetration tests as realistic as clients are likely to want.
* Top-notch hackers can offer complete security evaluations -- including remedies -- for a fraction of the cost of a Big Six accounting firm.

CONS

* Reformed hackers may not be completely reformed. Whether from habit or paranoia, they could be tempted to leave "backdoors" in your systems that would allow them to break in at a later date. Consequently, if your relationship sours or they grow weary of being corporate players, your systems are sitting ducks. Alternatively, hired hackers may offer information about your systems to their cohorts in exchange for other information.
* Hackers don't like to turn in other hackers. A hired hacker might help prevent a hacker attack but leave the attacker free to pry again.
* Hackers usually don't have enough assets to make lawsuits worthwhile, nor is it likely they will be insured or bonded. Thus, companies shafted by hired hackers are left little recourse for compensation.
* Most hackers don't know how to fit into the corporate scene. They may offend managers and other employees with arrogant and juvenile attitudes. And they might take it upon themselves to perform various acts of simulated theft or sabotage, ostensibly to raise awareness but needlessly inconveniencing and even frightening people in the process.

Copyright 1993 Newspaper Publishing PLC The Independent August 13, 1993, Friday

IN A BLUSTERY Dutch field, four metres below sea level and miles from anywhere, a man from the CIA was preaching last week to an audience of anarchists, hippies and computer security consultants. Around them, hundreds of tents communed electronically with the rest of the world through telephone cable and sticky tape. Stories of global mayhem and local area networks mixed with Hendrix and Kraftwerk: "Hacking at the End of the Universe", the Hack-Tic computer club's 1993 Summer Congress, was underway.
The call to attend went out earlier this year across the Internet, the giant computer network which links academia, industry and individuals across the world. The intended recipients were those who inhabit the shadier areas of that network. Hackers, techno-anarchists and communications junkies were all specifically invited, as were the more esoteric "warez dudes" - software pirates - and "phone phreaks" - who make free telephone calls without the aid of 0800 numbers. But anyone who got the message could come, and security experts, police officers and others were made welcome. Between 500 and 1,000 members of this most improbable mix of people turned up from across Europe and the Americas. Spotty youths from Nottingham, interested in swapping numbers and tales of adolescent vandalism; slightly odd professional programmers; balding Dutch hackers in their thirties and forties, more interested in international public access data communications than online credit card fraud; corporate Americans in smart casuals and official haircuts, on expenses; long-haired goths in black leather, on grass. A hallmark of the event was the male-to-female ratio: running at roughly 100:1, it did not bode well for the demise of the anorak. Even so, there was some evidence of the emergence of a hacker chic, with one of the few women sporting jewellery made from watch parts and hair decoration courtesy of an eviscerated floppy disk. Efforts were made to address this problem: there were lectures in social engineering: "the skill of manipulating people within bureaucracies", according to the congress programme. This started with the basic theory that to get people's trust you had to smile and be pleasant and, if you were going to lie, you had to be consistent. More advanced material was quoted from How to Win Friends and Influence People.
"It was really teaching introverted hackers how to be normal human beings and get themselves laid," an English attendee called John said approvingly. Although English was the lingua franca, discussions blew up in three or four languages at once - when you are arguing about Unix and Ethernet it scarcely matters whether you are all speaking the same tongue. Names were optional. Once your 100 guilder (£36) entrance fee had been paid, a computer took your picture and printed it out on a badge; no further identification was required. There were two main strands to the event and by rights neither should have worked. The technical side was a thing of wonder - a high-speed datalink to the Internet ran into a catholic collection of elderly hardware in a barn. PCs, Macs and Acorn Archimedes machines were linked to a vintage Sun workstation and thence out to the "Intertent", the "first local area network installed in a field" according to the organisers. Strands of telephone cables snaked from tent to tent, across trees and down paths, providing those who had brought their own computers with a free Internet connection. For some this was enough - one group of English hackers was content to stay under canvas for the entire three days, communicating with their fellow cyberpunks entirely through electronic mail. The random nature of the wiring and the unhealthy generator which powered the whole exercise made this a haphazard affair; at times, only one call in five could get through. If anything, the social side for those who left their tents was even more unlikely. For once, the idea of a global community seemed to work: litter was picked up, toilets cleaned and hands freely lent whenever the need arose. There were about 120 computers on site, many of them exquisitely portable, yet not one theft was reported. Dutch common sense and amiability pervaded the event.
Each day, four or five lectures, workshops or round-table discussions took place, ranging from computer art and law to radio networks and using digital telephone exchanges in inventive ways. The impromptu workshops were as interesting to many as the scheduled events. Someone would sit down at a terminal and tap away for a few moments; a nugget of information would attract a gaggle of hackers who would gather around, scribbling in notebooks. Then they would break up and rush back to their tents, eager to try out the latest discovery. One of the stars of the official show was Robert D Steele, ex-US Marine officer and ex-CIA operative, who wandered around the site in a green Chairman Mao cap with a Red Star badge. He turned up as part of his campaign to persuade the US Government to spend a quarter of the CIA's budget on developing and supporting a public-access database filled with as much encyclopedic information as possible. His thesis, that the CIA does not know what data to gather and loses it anyway, was popular; the surreal aspects of watching him give a talk with a flipchart to a marqueeful of sundry hackers were heightened by the knowledge that he had given much the same lecture to large US defence companies and been funded as a result. By bringing together the computer underground and mainstream, he contended, there would be a valuable cross-fertilisation of ideas. "But the CIA are bastards!" yelled one young Dutch hacker from the back of the room. "Look at the Bay of Pigs! If we take their money away and put them out of business they'll hunt us down and kill us!" This mixture of paranoia and idealism was reminiscent of the hippy Sixties, as was the sharp anarchist commercialism that characterised the T-shirts, magazines and stickers on sale next to the beer and Jolt double-caffeinated cola.
One T-shirt's design was the complete circuit diagram for a "blue box", an illegal device for making free telephone calls; another proudly advertised a US hacking group with their slogan "Indict The Very Best!". Grand ideas were in the air along with the occasional puff of hash smoke and the chatter of cellphone radio scanners. In the UK such a motley bunch of travellers would be shown the gate before they had unpacked their modems. Their image of themselves is of an international elite, unbounded by borders or irksome local rules; when someone who would have trouble getting served in a pub with a "No Travellers" sign can demonstrate his home-made secure radio data network - every bit as good as commercial products - it is hard not to see their point. Like the hardware hackers of the Seventies who built the first personal computer, these new-age cyberpunks and digital crusties are pushing technology into the public arena as hard as they can.

Rupert Goodwins is a technical editor of PC Magazine.

Copyright 1993 American Lawyer Newspapers Group, Inc. The Connecticut Law Tribune August 9, 1993

You've probably never thought about how secure your computer systems are. But if your office is like many, it is possible for even rookie "crackers" (people who break into computer systems) to read electronic files, alter data or destroy files altogether. And they don't need high-tech equipment or sophistication to do it. Here are nine basic ways to protect yourself.

1. Lock and key. The most obvious but perhaps most dangerous cracker is someone who physically walks into your office and leaves with a computer, a few floppy disks or an external hard drive. He or she has instant access to all the information stored therein, and all the time in the world to find ways around whatever security software you might have installed.
Though it is easy to lock up computers, either by bolting them to the desk or, preferably, using strong cables and metal locks, many offices neglect to do so. Keys should be accessible only to the system administrators or other people who might need to move the machines. The most critical computers can even be wired to an alarm. Portable laptop and notebook computers are obviously easy targets -- but then again, so is a briefcase. Portable computers should never be left alone in places where one wouldn't leave a briefcase. As a precaution, users should be trained to save their files on floppy disks rather than on the portables' hard drives (if the files are not too big to fit on a floppy) -- that way, even if the machine itself is stolen, the data is secure. Floppy disks should be locked in secure containers and kept out of sight. Information that users have erased from floppy disks is easily recoverable using a number of common software programs, so disks that are no longer being used should be shredded or burned. (Any written records and magnetic media that contain security information should also be destroyed -- "dumpster diving" is a popular method of gaining computer passwords and other security information.) Any stolen hardware that is recovered should be checked thoroughly; the thief could have both altered data files and modified programs to break security. An example: A former systems administrator at a large law firm says that on a system he once recovered, he found a new program that would have recorded the passwords of the users and sent them via modem to the cracker who set the program up.

2. Be wary of outsiders. Just spending time in your office offers able crackers opportunities to break into your system. They can "shoulder surf" passwords by furtively watching authorized users log on to the system, for example, or peer through internal glass walls at users' keyboards.
(Determined crackers will even try crawling through air ducts.) The lesson is: Don't let outsiders get a good look at your operations. Try to have in-house, trusted staff members perform as many computer-related activities as possible. If a system has to be sent out for service, remove all its confidential files. Obviously, you will need outsiders for certain tasks, but choose consultants and service companies carefully. If you hire temporary employees and need to give them system access, delete their passwords as soon as they are gone -- and ask full-time employees who worked with or near the temps to change theirs.

3. Network cables can be trouble. Networks, with their multiple workstations and tangle of wiring, create additional security problems. A former systems administrator at a large New York firm tells of a break-in in the mid-eighties: During a check of the firm's systems, a computer staffer found a workstation in the rafters that was hooked up to the network and was "snarfing all the [data] and sending [it] to an outside number," the administrator recalls. "Near as they could tell, it had been there for at least six months." Fearing the loss of their jobs, the administrator says, the information systems department decided not to tell firm management about the leak; instead, they quietly dismantled the workstation, and after that checked the systems regularly. Network cables that are hung from the ceiling -- the method of choice at many firms -- can be easily tapped or disabled. In a secure network, cables run through shielded electrical pipes, and the hubs (places where wiring comes together), file servers (large data storage drives), and modems -- the easiest places for a network to be infiltrated -- are placed behind locked doors and are checked regularly for signs of tampering.
Firms for whom security is particularly important should consider using fiber optic cables, which are much more difficult to tap than standard wiring (though they are at least twice as expensive).

4. Modems are vulnerable. Network modems are particularly popular break-in places; because they are designed to serve as gateways to outside users, they are vulnerable to intruders. It is essential to prevent unauthorized users from logging on to the network from a remote location. The best deterrent is a callback modem. With this, a user calls the network (via a modem on a portable computer) and enters his or her login name and password. The answering modem, back at the office, then hangs up, finds the telephone number that corresponds to the person's login name, and calls the user's computer back. The system can be modified by the system administrator for lawyers who are traveling so they can call into the network from their hotel rooms. Finding the network's modem number is a good part of breaking into the system, so experienced crackers will often dial all the numbers assigned to the building or office, noting which ones are answered with a standard modem carrier signal (a high-pitched long beep). To short-circuit this infiltration method, consider a silent modem, which does not signal that a connection has been made until the login process has actually begun. And for the highest security needs, consider creating a "firewall" system -- one that looks and acts like the system the cracker is trying to get into, but that contains no useful information. (Authorized users use special logins and commands to access the real system.) Firewalls are expensive to build, but they are considered the most reliable method of modem protection.

5. Eavesdroppers are out there. Every electronic machine, from a typewriter to a computer screen, emits electromagnetic radiation.
Eavesdroppers, using unsophisticated, homemade devices -- built for as little as $300 from parts available at any electronics store -- can intercept and decipher signals from computer monitors through walls and windows, from as far away as a van parked across the street. Vendors at computer security shows sometimes demonstrate this by intercepting signals emanating from competitors' computers. In the 1950s the U.S. government established a program, called TEMPEST, to develop standards for technology that would contain or suppress signal emanations from electronic equipment to minimize the risk of eavesdropping. (Those standards are classified.) TEMPEST equipment, which is manufactured by about 50 companies -- including International Business Machines Corporation, Digital Equipment Corporation and UNISYS Corporation -- can only be sold to American companies for use in the United States, NATO signatory countries and a few other friendly nations such as Canada and Australia. TEMPEST products are generally about 80 percent more expensive than their nonshielded relatives, weigh more and take up more space.

6. Password protection. Most systems are set up so that doing almost anything requires a password. But a simple password can be cracked fairly quickly, using computer programs that try all the most common passwords -- words (in any language), names, numbers and simple variations of those, as well as a couple of thousand common nonsensical words. A good password contains both letters and numbers and is long -- a three-character password can be broken by a computer in less than an hour, while an eight-character password would take an average of 45 years, even with a powerful computer. Avoid writing passwords down, especially on a desk or terminal, but if you must, do not identify it as such or indicate what system it is for. Passwords should never be entered while others are watching, and should never be sent anywhere via electronic mail.
(One infamous cracker set up a system that scanned an entire network's e-mail for the word "password," then copied those messages to a special file for later perusal.) Users should never share their passwords, even with secretaries or other support staff. And all users should change their password regularly, whether they think they have been compromised or not.

7. Use encryption. Encryption programs -- with which original information is transformed into what appears to be random, unintelligible character strings -- are another basic method for keeping data safe. Using a special password or "key," the user can reconstruct the original file in just a few seconds. This method is extremely effective: Even if computers, disks or hard drives are stolen, the thief will probably not be able to figure out what is in the files. There are a multitude of programs that will encrypt individual files, files created with a particular program, entire hard drives and disks, or even entire networks. Encryption is particularly useful -- indeed, even necessary -- for electronic mail, particularly when messages are being sent outside your own office's e-mail system.

8. Beware of dangerous insiders. The most important security aspect of any computer system is the people that are working on it. According to Computer Security Basics, published by O'Reilly & Associates, Inc., 80 percent of all security break-ins are by fully authorized users who abuse their system access. A disgruntled employee may seek revenge by disrupting operations; a gullible employee may be coerced into revealing passwords or data; an unscrupulous employee may take bribes. But the most dangerous insider is the user who is untrained in security matters -- or who is too lazy to follow the security rules. The best preventive measure is a well-trained computer staff, one that can detect and head off security problems before they occur.
The system administrator plays a big role in enforcing system security. If that person is inexperienced or improperly trained, he or she may leave holes in your security, or may fail to recognize symptoms of breached security. The information systems director and firm management should set out a computer security policy in writing, and every employee should read it and sign a notice saying they understand it and agree to abide by it. People who are careless about locking up disks or protecting passwords should be reminded of the firm's policy. And users should have access only to the systems and files they actually need. When an employee leaves the company, his or her access to the system should be removed immediately; the employee should be reminded in an exit interview to keep system security information confidential.

9. Plug your leaks aggressively. If a system is cracked, there are a few steps that should be taken. First, the leak should be plugged. If the in-house computer staff cannot figure out how it happened, the firm should hire an outside security expert immediately. When the cracker is discovered, he or she should be prosecuted. Several federal laws prohibit cracking, and most states have also outlawed such acts. According to Computer Underground Digest, most computer crime goes unreported because companies are wary of admitting publicly that they have security problems.

Copyright 1993 The Times Mirror Company Los Angeles Times July 5, 1993, Monday, Home Edition

Among the many consequences of the personal computer over the last dozen years has been a staggering growth in computer crime, made easier by the proliferation of terminals at home. Included in this category is illegal hacking -- using a computer and a telephone line to break into remote mainframes for mischief or malfeasance, usually the work of young men motivated by a desire to beat the system and show that it can be done.
From time to time, the computer underground has made it into the news, by cracking into and wandering around the computers of NASA and NORAD or by setting loose a computer virus that crippled the Internet, a network of computer networks. More often, these computer capers have been played out less conspicuously, though they have captured the continuing attention of law-enforcement agencies around the world. Paul Mungo and Bryan Clough flesh out many details of computer crime and computer criminals in "Approaching Zero," a book that argues that no electronic information held by banks, universities or government agencies is safe. Mungo, a science writer, and Clough, a British expert on computer security who advises New Scotland Yard, provide details of how various computer crimes have been carried out and offer descriptions of the perpetrators. "That some young men find computing a substitute for sexual activity is probably incontrovertible," the authors assert -- without any supporting evidence. Despite such spicy claims, the book is somehow flat. It's not as if this is the first time these stories have been told. Some are new but many are familiar, and the overall effect is decidedly old hat. Clifford Stoll gave chapter and verse of one hacker's activities in "The Cuckoo's Egg" (Doubleday, 1989); Steven Levy covered the landscape in "Hackers" (Doubleday, 1984), and Katie Hafner and John Markoff provided an excellent description in "Cyberpunk" (Simon & Schuster, 1991). Although there are other hackers and new stories -- including much about computer viruses in Bulgaria, of all places -- there does not seem to be enough that's new to justify another book. To be sure, Mungo and Clough add interesting details and observations. They argue that computer viruses were over-hyped for years before their threat became as serious as the hypists would have you believe.
They assert that this hyping was largely the work of people trying to sell anti-virus software. But eventually, they concede, dire warnings about viruses came true. After spending many pages deriding the prophets of doom, Mungo and Clough eventually join the bandwagon. "As the world population of computer viruses grows exponentially," they say, "so does the potential for real disaster. . . . A virus let loose in a hospital computer could harm vital records and might result in patients receiving the wrong dosages of medicine; workers could suffer job losses in virus-ravaged businesses; dangerous emissions could be released from nuclear power plants if the controlling computers were compromised and so on." They also make a factual error about public knowledge of computer viruses, asserting that the first press report on the subject probably appeared in February, 1987, in the magazine Computers & Security. In fact, Discover magazine published a long report on computer viruses in November, 1984. Mungo and Clough have adopted an annoying practice of recounting long, detailed stories of various computer crimes and then ending by saying that the alleged victim of the alleged crime denies that it ever took place. For example, they say that the breakdown of the AT&T long-distance system in January, 1990, could have been caused by a computer bomb planted in the system, and they describe how that could have occurred. They note that AT&T had received a threat of a computer bomb a short time before. But after telling the story, they say, "There is absolutely no proof that it was a computer bomb, and AT&T's final, official explanation remains that the shutdown was caused by an errant piece of software." Then there is a long story about two young hackers who used a complicated scheme and a Swiss bank account to filch more than $130,000 from Citibank. After recounting this tale, the authors write, "You can believe this story or not, as you wish.
Certainly Citibank doesn't believe a word of it; it has consistently denied that anything resembling the events described above have ever happened. . . ." But you should never let the facts get in the way of a good story. PAGE 107 Copyright 1993 The Times Mirror Company Los Angeles Times July 5, 1993, Monday, Home Edition Among the many consequences of the personal computer over the last dozen years has been a staggering growth in computer crime, made easier by the proliferation of terminals at home. Included in this category is illegal hacking -- using a computer and a telephone line to break into remote mainframes for mischief or malfeasance, usually the work of young men motivated by a desire to beat the system and show that it can be done. From time to time, the computer underground has made it into the news, by cracking into and wandering around the computers of NASA and NORAD or by setting loose a computer virus that crippled the Internet, a network of computer networks. More often, these computer capers have been played out less conspicuously, though they have captured the continuing attention of law-enforcement agencies around the world. Paul Mungo and Bryan Clough flesh out many details of computer crime and computer criminals in "Approaching Zero," a book that argues that no electronic information held by banks, universities or government agencies is safe. Mungo, a science writer, and Clough, a British expert on computer security who advises New Scotland Yard, provide details of how various computer crimes have been carried out and offer descriptions of the perpetrators. "That some young men find computing a substitute for sexual activity is probably incontrovertible," the authors assert -- without any supporting evidence. Despite such spicy claims, the book is somehow flat. It's not as if this is the first time these stories have been told. Some are new but many are familiar, and the overall effect is decidedly old hat. 
Clifford Stoll gave chapter and verse of one hacker's activities in "The Cuckoo's Egg" (Doubleday, 1989); Steven Levy covered the landscape in "Hackers" (Doubleday, 1984), and Katie Hafner and John Markoff provided an excellent PAGE 106 Los Angeles Times, July 5, 1993 description in "Cyberpunk" (Simon & Schuster, 1991). Although there are other hackers and new stories -- including much about computer viruses in Bulgaria, of all places -- there does not seem to be enough that's new to justify another book. To be sure, Mungo and Clough add interesting details and observations. They argue that computer viruses were over-hyped for years before their threat became as serious as the hypists would have you believe. They assert that this hyping was largely the work of people trying to sell anti-virus software. But eventually, they concede, dire warnings about viruses came true. After spending many pages deriding the prophets of doom, Mungo and Clough eventually join the bandwagon. "As the world population of computer viruses grows exponentially," they say, "so does the potential for real disaster. . . . A virus let loose in a hospital computer could harm vital records and might result in patients receiving the wrong dosages of medicine; workers could suffer job losses in virus-ravaged businesses; dangerous emissions could be released from nuclear power plants if the controlling computers were compromises and so on." They also make a factual error about public knowledge of computer viruses, asserting that the first press report on the subject probably appeared in February, 1987, in the magazine Computers & Security. In fact, Discover magazine published a long report on computer viruses in November, 1984. Mungo and Clough have adopted an annoying practice of recounting long, detailed stories of various computer crimes and then ending by saying that the alleged victim of the alleged crime denies that it ever took place. 
For example, they say that the breakdown of the AT&T long-distance system in January, 1990, could have been caused by a computer bomb planted in the system, and they describe how that could have occurred. They note that AT&T had received a threat of a computer bomb a short time before. But after telling the story, they say, "There is absolutely no proof that it was a computer bomb, and AT&T's final, official explanation remains that the shutdown was caused by an errant piece of software." Then there is a long story about two young hackers who used a complicated scheme and a Swiss bank account to filch more than $130,000 from Citibank. After recounting this tale, the authors write, "You can believe this story or not, as you wish. Certainly Citibank doesn't believe a word of it; it has consistently denied that anything resembling the events described above have ever happened. . . ." But you should never let the facts get in the way of a good story.

Copyright 1993 The Times Mirror Company Los Angeles Times June 19, 1993, Saturday, Home Edition

For more than a year, computer virus programs that can wreak havoc with computer systems throughout the world were made available by a U.S. government agency to anyone with a home computer and a modem, officials acknowledged this week. At least 1,000 computer users called a Treasury Department telephone number, spokesmen said, and had access to the virus codes by tapping into the Treasury's Automated Information System bulletin board before it was muzzled last month. The bulletin board, run by a security branch of the Bureau of Public Debt in Parkersburg, W. Va., is aimed at professionals whose job it is to combat such malicious destroyers of computer files as "The Internet Worm," "Satan's Little Helper" and "Dark Avenger's Mutation Engine." But nothing blocked anyone else from gaining access to the information.
Before the practice was challenged by anonymous whistle-blowers, the bulletin board offered "recompilable disassembled virus source code" -- that is, programs manipulated to reveal their inner workings. The board also made available hundreds of "hackers' tools" -- the cybernetic equivalent of safecracking aids. They included "password cracker" software -- various programs that generate huge volumes of letters and numbers until they find the combination that a computer is programmed to recognize as authorizing access to its contents -- and "war dialers," which call a vast array of telephone numbers and record those hooked to a computer. The information was intended to educate computer security personnel, according to Treasury spokesmen. "Until you understand how penetration is done, you can't secure your system," said Kim Clancy, the bulletin board's operator. But with this information, relative amateurs could create new viruses, according to software writers. "I am dismayed that this type of activity is being condoned by an American governmental agency. I am extremely disturbed by the thought that my tax money is being used for what I consider unethical, immoral and possibly illegal activities," wrote an anonymous whistle-blower quoted in Risks Forum, a Silicon Valley-based electronic "magazine" where debate has raged on the issue since it surfaced last month. "That's like leaving a loaded gun around and people saying: 'It's not my fault if someone picks it up and shoots himself in the head with it,' " said Paul Ferguson, a computer consultant upset by the Treasury Department's practices. Treasury officials have little idea who has dialed up the bulletin board and what has been copied out of it, spokesman Peter Hollenbach said. Hence it is impossible to judge if any damage has been done.
Hollenbach and some computer professionals minimize the risk, saying the software on the bulletin board was acquired through the computer underground in the first place, and thus has always been available to miscreants with sufficient contacts, tenacity and skill. "Hackers don't go to the Department of Treasury to get their hacking tools," Clancy said. The Treasury Department became enmeshed in this controversy because it is one of the most intense users of computers in the federal government. All the billions of dollars of Treasury securities are handled, through the Bureau of Public Debt, on computer networks, Hollenbach said.

Copyright 1994 Reuters, Limited January 19, 1994, Wednesday, BC cycle

Attorney General Janet Reno urged U.S. attorneys Wednesday to crack down on street violence, seeking maximum prison time for career criminals. "Many people estimate that 10 percent of the criminals commit 40 percent of the crime," she told a U.S. Attorneys' National Conference. "We need to identify those 10 percent in your communities, those violent career criminals, and working with local prosecutors ... (get) the longest possible sentence that will be a sentence actually served. "If we can take them to federal court and get them off our streets, let's do it in every possible way we can." She urged each of the U.S. attorneys from across the country to undertake violent crime initiatives, appointing specialists or combining with other U.S. attorneys in a region to carry out programs to get violent criminals off streets. If local police or city prosecutors have taken an effective lead, follow them and don't worry about who gets credit, she told the federal prosecuting attorneys. "We need to develop a plan to use all of our resources," she said. Reno said prosecution of all other kinds of crime remained as important as ever, listing everything from organized crime and drug smuggling to problems on Indian reservations.
She also said technology crime, including young computer hackers disrupting major corporations for fun, will reshape U.S. attorneys' future case loads.

Copyright 1994 American Lawyer Media, L.P. The Recorder January 18, 1994, Tuesday

A Menlo Park man awaiting trial in San Jose federal court, in the first espionage case against an alleged computer hacker, will be transferred to Los Angeles to stand trial first on separate charges, a government prosecutor said. Kevin Lee Poulsen, charged in a 14-count indictment with illegal possession of a computer tape containing classified military information, will face charges in Los Angeles that he used his hacking skills to rig radio call-in contests. Meanwhile, a government appeal of a recent ruling in the espionage case is pending in the Ninth Circuit U.S. Court of Appeals. U.S. District Court Judge Ronald Whyte denied Poulsen's motion to be released on his own recognizance at a Friday bail hearing. The government two weeks ago appealed a ruling by Whyte suppressing evidence taken in 1988 from computer tapes found in a Menlo Park storage locker rented by Poulsen. Whyte found police had conducted a warrantless search of the facility. A dispute over whether the suppression ruling knocked out a key espionage charge was not resolved at Friday's hearing. But Whyte said that it appeared that the tape on which the spying charge was based has come from the storage locker. Poulsen's attorney, Paul Meltzer of Santa Cruz Meltzer & Leeming, said that loss of the espionage charge has essentially gutted the government's case against Poulsen. But Assistant U.S. Attorney Robert Crowe has maintained that the crucial tape containing classified Air Force information came from a subsequent search of that he may seek a separate evidentiary hearing on the issue, if the government appeal is unsuccessful.
Poulsen faces up to 85 years in prison if convicted on all charges in the Northern California case and up to 100 years and $4 million in fines in the Los Angeles case.

Copyright 1993 McGraw-Hill, Inc. LAN Times August 9, 1993

Should electronic bulletin boards -- either legitimate or underground -- be allowed to post and disseminate virus source code? That question is generating heated debate, from the halls of Congress to the deepest recesses of the hacker underground. It was touched off in May when an anonymous message was posted on the Risks Digest, an electronic BBS in the Silicon Valley. The author was upset that the U.S. Department of the Treasury's Bureau of Public Debt Automated Information System (AIS) BBS, which carries security-related information and is available to the general public, was posting a broad range of virus source code. The writer also complained about Kim Clancy, manager of AIS Security and an AIS BBS sysop. "I am extremely disturbed by the thought that my tax money is being used for what I consider unethical, immoral, and possibly illegal activities," the anonymous poster wrote. Clancy is a highly respected security administrator who has amassed a wealth of sources in both the legitimate security community and the hacker underground. As a result of her hacker contacts, groups like Phalcon/Skism have shared the tricks of their trade and even helped to disinfect the AIS BBS when it was invaded by a virus. CEASE AND DESIST. After the anonymous message sparked an anti-virus protest, Clancy's superiors directed her to remove all hacker files from the AIS BBS. These included virus source code and information on how to break into computers, networks, and PBXes. However, Clancy was not subjected to any disciplinary action. "I was targeted by a self-elitist international group," Clancy said. "The only thing they're hurting is the legitimate community of security professionals." BIG NEWS.
The debate became very public when The Washington Post ran a front-page article on June 19, 1993. Rep. Ed Markey, chairman of the House Subcommittee on Telecommunications and Finance, then wrote to Lloyd Bentsen, secretary of the Department of the Treasury, asking for "the rationale behind making such potentially harmful information generally available." Vesselin Vladimirov Bontchev, who heads the Virus Test Center of the University of Hamburg, Germany, threw in his two cents: "I am Bulgarian, and my country is known as the home of many productive virus writers," Bontchev said. "But at least our government has never officially distributed viruses." As the debate raged on, everyone chose a side. Clancy and her supporters believe that the public's right to know far outweighs the "slim" chance that virus source code posted on a legitimate BBS will end up in the wrong hands. The opposition is just as righteous, taking the position that writing, posting, or disseminating any type of hacker files or virus source code should be outlawed. OLDIES, BUT GOODIES. Experts say there are well over 2,000 viruses in existence today. However, 90 percent of the damage is caused by the same five to 10 viruses. "Oldies," such as Jerusalem B and the Stoned virus, are still primary sources of infection. A recent four-month online survey by the Computer Security BBS found that 64 percent of the respondents had experienced a computer virus attack in the past 12 months. Half of the infections were classified as minimal, but not everyone escaped unscathed. Six percent of the virus victims reported losses of more than $100,000 and said it took them more than three days to recover. While the number of viruses has increased, the technology behind viruses has advanced very little.
"Most of today's viruses are variations on the handful of originals or can be traced to a virus-generation toolkit," said GarbageHeap (GHeap), a member of the Phalcon/Skism group of virus writers and hackers that runs the 40Hex underground virus BBS. According to GHeap, most of today's network administrators have effective anti-virus procedures in place. "In the early days of viruses -- in the late 1980s and up until 1991 -- it took network administrators a while to detect them and then disinfect their networks," he said. "Nowadays, there's an anti-virus package out for almost every virus you can think of." PUBLIC SERVICE. As Clancy sees it, she was only performing a public service. "If BBSes like the Computer Security BBS and the AIS didn't post virus source code or hacking programs, then only malicious hackers would have access to them," she said. "The legitimate security professionals would be left out in the cold." Clancy and other security BBS sysops contend that high-level hackers don't need to access legitimate BBSes, since virus source code and hacking tools are readily available in the hacker underground. "Some types of information may pose a risk if abused," said Jim Thomas, a sociology professor at DeKalb Northern Illinois University who, along with Gordon Meyers, runs the Computer Underground Digest, a BBS. "But in an open democracy, the potential for abuse has been neither a necessary nor a sufficient justification to silence those with whom we disagree." Bill Strouse, president of Stoney River Networks, a Novell gold reseller in Sunnyvale, Calif., agrees -- so strongly that he is taking up where Clancy and the AIS BBS were forced to leave off. "We are going to move all of the virus-commented source-code files, such as 40Hex, onto the Ring of Fire BBS," Strouse said. "The anti-virus community can pick on me all they want, but they can't censor me.
I'm not doing anything illegal, and I'm not government-owned and sponsored." Strouse, who heads up the Silicon Valley chapter of NetWare Users International (NUI), runs the Ring of Fire BBS, which is devoted to NetWare and legal issues. "The real irony behind all this hype about the AIS BBS was that the virus code Clancy posted couldn't have been downloaded and used to infect networks," Strouse said. "She had removed the replication portion of the source code." Unlike the AIS BBS, Ring of Fire is not wide-open to the public. Members of any NUI branch get unlimited free access; nonmembers pay $25 per year for up to 90 minutes of access per day and unlimited downloads. To get into the Computer Security area of Ring of Fire, would-be users have to specifically request access and have their identities, affiliations, and telephone numbers verified by Strouse. Additionally, first-time callers get access to only three public file areas and are limited to 20 minutes. "We have no intention of putting a loaded gun into the hands of an unsuspecting user," Strouse said. "What we're doing is giving people the diagrams and blueprints of virus code and hacker files so they have the necessary tools and information to secure their networks." The Ring of Fire BBS number is (408) 739-8753; the ComSec BBS number is (415) 495-4642.

Copyright 1993 Report From Japan, Inc. (A Yomiuri News Service) Report From Japan December 21, 1993

The number of reports of computer viruses increased again in November, hitting a total of 92 cases, including three viruses reported for the first time in Japan. The figure was 54 greater than that for last November, and the total for the January-November period was up by 550 cases from last year's 229, to a total of 779. According to a report released Dec. 20 by the Information-Technology Promotion Agency (IPA), the number of different viruses reported in November was 19. Three of the viruses were reported for the first time in Japan.
The most common infection routes were through floppy discs brought from overseas, accounting for 45 percent of the cases. However, in about 46 percent of the cases, the infection routes could not be determined. It is also important to properly secure hardware as well as floppy discs, the IPA warned. The number of computer virus damage reports peaked in August and September at 120 cases. Although virus reports declined to 81 in October, they increased again in November. The IPA has received 1,103 reports of computer virus damage since April 1990, when the reporting system was established by the International Trade and Industry Ministry.

Copyright 1993 National Thrift News, Inc. National Mortgage News December 20, 1993

The Office of Thrift Supervision has sent out warnings to its member institutions not to have unprotected data exchange with strangers --- one in particular. The OTS was advised by the FBI that banks and thrifts in Pennsylvania, New Jersey, Maryland, and Kentucky have recently received computer disks in the mail from a person identifying himself as Master Fard Muhammed. When the institutions loaded the disks into their computers, a powerful computer virus infected all the systems connected to that local area computer network. The virus, which authorities described as "not easily detectable by normal screening programs," caused an unspecified amount of data on the institution's computers to become unreadable. "Should any department in your institution receive one of these packages in the mail, we recommend that the diskette not be inserted in any personal computer and that the FBI be notified," John Robinson, OTS regional director, advised members. Authorities say they have no idea what the motive for the prank may be, but in the past couple of years both Federal and state authorities have passed strict laws against what some term high-tech terrorism.

Copyright 1993 Southam Inc.
Calgary Herald December 16, 1993, Thursday, FINAL EDITION

While businesses and executives are increasingly dependent on computers, computer criminals have become increasingly more sophisticated. Viruses, computer hackers, stolen equipment, tampering with data, illegal data transfer and desktop forgery are just a few of the computer-related crimes that have emerged in the high-tech age, said Wendi Harvey of the Council of Better Business Bureaus, based in Arlington, Va. While computer theft has grown, so have non-property related crimes such as designing software "viruses" that crash systems and the illegal use of data bases by computer hackers. Other common crimes involve employees or repair technicians tampering with data and theft by data transfer and desktop forgery. Computer theft and fraud might seem like problems that apply only to businesses, but many of those businesses pass the costs on to consumers as higher prices for their goods and services. So many firms now have policies and security programs to protect their computer systems. International Business Machines Corp.'s research and development laboratory in Boca Raton, Fla., has installed anti-virus computer software and it periodically checks them for viruses, said Alan Macher, IBM spokesman. In November of 1989, two employees at IBM in Boca Raton stole computer parts worth $1.8 million, one of the biggest thefts in the company's history. They were arrested when they tried to sell the stolen chips in Florida. Boca Research Inc., a computer modem manufacturer in Boca Raton, has had problems with the computer virus Michelangelo. A computer virus lies dormant until something triggers it, such as a date on the computer clock. Then the virus can wipe out all the computer's data. Michelangelo was activated on the artist's birthdate, March 6, in 1992. Gail Blackburn, Boca Research's company spokeswoman, said she lost all her data when the virus invaded her computer.
Since then, the company has installed anti-virus software, said Larry Steffann, vice-president of planning and development. The company also does not permit employees to bring their own software to work. A lot of viruses are spread through personal software that employees install on their business machines.

Copyright 1993 Predicasts, a Division of Ziff Communications Co. DataTrends Publications, Inc Report on IBM December 15, 1993

IBM (Yorktown Heights, N.Y.) said last week it is now shipping an enhanced version of its IBM AntiVirus products, including protection for Novell NetWare LAN servers. IBM AntiVirus version 1.04 provides comprehensive "install-and-forget" automatic protection against computer virus attacks in DOS, Windows, OS/2 and Novell NetWare computing environments. IBM AntiVirus for NetWare uses the same state-of-the-art detection technology used throughout IBM AntiVirus products. It detects well over 2,000 known viruses as well as many viruses that have yet to be written, while virtually eliminating the false alarms that plague many other anti-virus products. Real-time scanning enables the LAN server to protect itself immediately if a virus on a client PC is found trying to infect the LAN server. LAN administrators also can scan selected volumes on demand, or schedule a scan for particular times on selected days. If a virus is found, customized messages can be sent to the affected user and administrators, and any infected files can be locked to prevent the infection from spreading. IBM AntiVirus for NetWare is designed to have minimal impact on LAN server performance. Its automatic priority adjustment keeps the additional load to less than four percent for typical servers. Single copies of IBM AntiVirus for DOS, Windows and OS/2 systems are available for $29.95 by calling (800) 551-3579.

Copyright 1993 DataTrends Publications, Inc.
Copyright 1993 The Daily Telegraph plc The Daily Telegraph December 13, 1993, Monday

THERE have been 9,181 computer "disasters" in Britain over the past three years, according to the Survive! club of computer managers specialising in disaster recovery. A disaster is defined as inability to use a computer causing at least £10,000 of corporate damage, but excluding fraud. The largest individual case was the spectacular public fiasco of the Stock Exchange's Taurus system, which was aborted after years of fruitless work. That caused a loss of up to £400m, according to Survive! calculations. The biggest category of loss was theft, accounting for 37pc of cases. The stealing of desk-top computers is "reaching epidemic proportions". Almost 21pc of the cases were caused by viruses, though other recent reports have said most of these attacks were relatively benign and did not cause major damage. But Survive! reckons there is each year a 6pc chance of an organisation catching a computer virus, with the recovery costing between £10,000 and £250,000. The Institution of Analysts & Programmers reckons the virus danger is grossly exaggerated but half its members have at some stage encountered one. Most of the damage was done by just nine viruses, the commonest being one called Form. According to Survive! malicious damage accounted for nearly 9pc of the disasters it found. Many of these were in the form of "time bombs" -- hidden program routines that cause damage to data at a pre-set time -- and there are over 100 prosecutions pending. But there were also some terrorist bombs. After that, in descending order, came hardware faults, hacking, environment (power problems, air conditioning failure), software (Taurus comes into this category), and communications. Human error, negligence, natural disasters, water damage from cracked pipes and the like, and fire caused under 4 1/2pc of the instances between them.
Statistics are notoriously mendacious but soon it will be possible to compare these figures with ones produced by the government. A national survey of 10,000 companies aims to identify the extent of computer security breaches over the past two years and the effect on business. Its findings are expected in early 1994. The survey will also invite organisations which have been hit to tell the rest of the world. A similar survey of computer security in 1991 found more than half of businesses had suffered from security problems, at a cost of £1.1 billion a year.

THE Data Protection Registrar has explained his view of the meaning of particular phrases used in enforcement notices, in particular about "residence", "family membership" and "name matching". The rules do not allow the extraction of personal information simply by reference to current or previous address. They also prevent the inclusion of information about any other individual who lives or has lived at the same address as the subject of the search.

Copyright 1993 Business Wire, Inc. Business Wire December 8, 1993, Wednesday

IBM is now shipping an enhanced version of its IBM AntiVirus products, including protection for Novell(a) NetWare(a) LAN servers. IBM AntiVirus version 1.04 provides comprehensive "install-and-forget" automatic protection against computer virus attacks in DOS, Windows(b), OS/2(c) and Novell NetWare computing environments. IBM AntiVirus for NetWare uses the same state-of-the-art detection technology used throughout IBM AntiVirus products. It detects well over 2,000 known viruses as well as many viruses that have yet to be written, while virtually eliminating the false alarms that plague many other anti-virus products. Real-time scanning enables the LAN server to protect itself immediately if a virus on a client PC is found trying to infect the LAN server. LAN administrators also can scan selected volumes on demand, or schedule a scan for particular times on selected days.
If a virus is found, customized messages can be sent to the affected user and administrators, and any infected files can be locked to prevent the infection from spreading. IBM AntiVirus for NetWare is designed to have minimal impact on LAN server performance. Its automatic priority adjustment keeps the additional load to less than 4% for typical servers. IBM AntiVirus Services offers site licenses to all IBM AntiVirus products, monthly updates for newer viruses and rapid, reliable updates for viruses discovered in customer incidents. Information on IBM AntiVirus for NetWare, site licensing and a full range of IBM's anti-virus services for enterprises is available by calling 800-742-2493. Single copies of IBM AntiVirus for DOS, Windows and OS/2 systems are available for $29.95 by calling 800/551-3579. (a) Novell and NetWare are trademarks of Novell Corp. (b) Windows is a trademark of Microsoft Corp. (c) OS/2 is a registered trademark of the International Business Machines Corp. CONTACT: IBM Corporation, Yorktown Heights Andrea R. Minoff, 914/784-7428

Copyright 1994 South China Morning Post Ltd. South China Morning Post February 1, 1994

CAN a computer virus change its spots? Yes, say computer security experts. Specialists have warned that a new breed of sophisticated computer virus that changes itself into multiple versions is becoming more common and that it can outwit some anti-virus software. Known as polymorphic viruses, they are designed to hide from popular anti-virus programs by changing themselves slightly each time they replicate. Businesses relying on older versions of anti-virus scanning software risk leaving their PCs open to infection from polymorphic viruses. These can produce as many as 2.3 trillion versions of themselves, making them impossible to detect without the help of a new generation of anti-virus software.
"There is no question about it, polymorphic viruses are definitely the wave of the future," said Phil Talsky, product manager at leading US anti-virus software developer McAfee Associates. Mr Talsky added that the most common polymorphic virus is the Satan Bug. "It recently entered our top 10 list of most often reported viruses, at number nine," he said. David Stang, head of US-based Norman Data Defence Systems and founder of the International Computer Security Association, agreed that the Satan Bug posed a security challenge. He said: "We are hearing more reports daily of Satan Bug infections and it is a major problem for some organisations." The Satan Bug has turned up at some US Government agencies. These include the Social Security Administration and the Army Corps of Engineers. There have also been reports that it had been detected in Europe, and that Tremors, another virus, is affecting PC users in Germany. However, they should not panic, Mr Stang said. "Becoming infected by any kind of virus is rare and coming across the Satan Bug is even rarer," he said. The Satan Bug is not designed to erase data, but it interferes with users trying to connect to a local area network and will change file dates. It replicates quickly and can travel across a local area network to infect other users. Computer virus experts at IBM said polymorphic viruses should not trouble most users. "If users take proper precautions, polymorphic viruses are easy to deal with," said Steve White, manager of the high integrity computing laboratory at the IBM Thomas J. Watson Research Centre. "We have not found a very high infection rate among users by the Satan Bug and the whole issue of polymorphic viruses has received more attention than it deserves," he said. Mr White and his colleagues at IBM have completed several detailed studies of how computer virus infections propagate.
They were the first to label the Michelangelo virus scare two years ago as over-blown. He pointed out that PC users faced about the same chance of a virus infection as they did of a hard disc failure, so proper back-up procedures should be routine. To eliminate a virus, users must detect and often erase infected files and then reinstall them from an uninfected backup disk. This can take several hours for each PC infected. The US Army Corps of Engineers estimates that it lost more than $12,000 per hour in trying to exorcise the Satan Bug. McAfee's latest version of its ViruScan software can detect Satan Bug, but users must delete all infected files. While Mr Stang said he developed an anti-virus program that could detect and erase the Satan Bug without requiring users to reinstall infected files, Mr Talsky said polymorphic viruses were more difficult to detect since they used encryption to hide from scanning software. Researchers at IBM are working on an automatic system to detect and analyse new polymorphic viruses. While computer virus experts concede that polymorphic viruses are written by talented programmers, the developer of the Satan Bug is believed to be a 16-year-old computer enthusiast who uses the pseudonym Hacker Life. There is no US law prohibiting the writing of a virus program. Advancing computer technology could help solve this growing problem. Western Digital, a US company making hard discs, has developed a chip, the Immuniser, designed to monitor system activity and to block any suspicious writing to the hard disc. The chip works only with certain newer PCs. Mr Talsky warned that more polymorphic viruses were on the way. While the risk from a PC virus infection is small, there are important safeguards all PC users should adopt. These include using the latest anti-virus software. "We produce new versions of ViruScan every six weeks," said Talsky.
"But there are a lot of people using older versions and they will not get the full protection." Any anti-virus software version written before August 1993 is unlikely to offer protection against polymorphic viruses. Users should update their software. Mr Stang recommended that users with many PCs should decide on a computer security strategy. "Some users apply the same security to all their systems. The problem with this approach is that some systems should be better protected while others may not need quite so much protection," he said.

Copyright 1993 The Buffalo News The Buffalo News November 28, 1993, Sunday, Final Edition

A new virus called "Satanbug" is reported to be spreading rapidly in the United States. The international virus watchdog publication, "Virus Bulletin," of Abingdon, England, said Satanbug is just one of several new viruses infecting the nation's computers. Virus Bulletin said that it is costly for a number of U.S. companies, including Rockwell International, which recently revealed that it spent more than $44,000 to recover from an infection in April. The company told the publication that the incident was just one of more than 1,000 virus attacks it has dealt with since 1988. Virus Bulletin said tests conducted at its offices in England indicate that companies such as Rockwell and even individuals are not as well armed against virus attacks as first thought. In what the publication called a "shock," it discovered in a test of six leading anti-virus software products that all but one of the manufacturers are not updating the memory-resident portion of their products. According to the publication, despite the products' claims of being able to catch all known viruses, many of the programs are allowing a large number of viruses to go undetected. Anti-virus software usually consists of multiple components, including a scanner.
The scanner typically runs each time a computer is turned on and scans memory, DOS and program files on a hard drive looking for viruses that have already infected a system. The program works to keep viruses from entering a system in the first place by staying in the computer's memory, watching for viruses trying to gain entrance. Richard Ford, editor of Virus Bulletin, speculated as to why companies would make claims for complete detection when portions of their programs actually did not have the capability. "This difference may have been lost along the way between the technical people and the marketing people at the company," he said. "People might think twice if they knew." According to Virus Bulletin tests, one company that claimed the industry's high level of virus detection was able to detect only 78.8 percent of the viruses tested against it. The publication said two programs that showed good marks in the test were RG Software's Vi-Spy, which had a perfect score, and Dr. Solomon's Toolkit and Guard, which missed just a few. Ford said the disparity between the products' claims and actual performance is causing anger among users. "We transmit and receive electronic data to and from our clients every day," said David Merrill, vice president of a Manhattan executive search firm. "If I can't rely on my program to keep viruses out, I run the risk of infecting a dozen or so clients before my scanner tells me I have a problem the next day. I'm supposed to feel good about that type of protection? Who's writing anti-virus software -- Beavis and Butt-head?" Charlie Atterbury, coordinator of micro computer security at a major company that operates 35,000 PCs, said: "I'm disappointed in some of the software vendors. They're taking the easy way out so they can use the marketing hype that 'my virus program takes less memory than the other guy's,' and the real reason is that they are not doing the job. 
I have to wonder what they are thinking." Phil Talsky, a spokesman for McAfee Associates, apparently does not share the same concerns as the users, according to Virus Bulletin. He said the disparity is "not a problem" as long as users always run their scanner. He felt the publication's revelations are a "non-event." Ray Glath, president of RG Software, Scottsdale, Ariz., developer of Vi-Spy, said, "Others have left holes because they can't pack as much virus detection in their TSR as they have in their scanner without bumping up against DOS' 640k memory barrier." He said that forces some developers to make arbitrary decisions regarding which virus to leave their customers unprotected against. He added, "You hear of many situations where companies keep getting reinfected after they think they've cleaned up from a virus attack." Virus Bulletin has been recognized as the foremost international publication on computer virus protection, detection and removal since 1989.

What is a Computer Virus?

A "virus" is a program that someone makes just to cause trouble. It's called a virus because it makes a computer "sick," the way a virus makes a person sick. People design a computer virus to change bits of information in a program - or even wipe out a computer's memory. It does this by getting into the computer's operating system - the part that controls how it works. Once inside, the virus program makes copies of itself. Then the virus can spread and "infect" other computers in the system. Most new computers, though, check every program to see if it contains a virus. A computer virus won't make you sneeze and cough. But if you find that all your computer files have mysteriously disappeared, it might make you feel sick! 
Copyright 1994 Reuters, Limited January 28, 1994, Friday, BC cycle

With its acquisition of Brightworks Development, McAfee Associates Inc embarks on a new era that will launch it into the emerging market for network software and continue its strong earnings growth. "We are entering a second stage of development," chief executive William Larson told Reuters. "The acquisition would provide double-digit increases in revenue. But our intent is to grow the top line and the bottom line." Tuesday, the company reported a 31 percent revenue increase and a 15 percent net income rise, 1993 over 1992. Since 1986, Brightworks has developed and sold network management software, making it a prime conduit through which to sell McAfee's anti-virus programs to network managers. McAfee owns about 67 percent of the anti-virus market, versus 14 percent for its major competitor, the Peter Norton division of Symantec Corp, Larson said. Larson attributes McAfee's success to selling directly to large corporate customers like Ford Motor Co and to government agencies, via electronic distribution. Norton targets retail customers through traditional computer reseller channels, Larson said. Larson said Norton is also targeting the area of network management in which to expand. "Battle lines (for the market) are just now being drawn," Larson said. He added that, of the roughly 100 million personal computers worldwide, 30 million are linked to local area networks and only four percent of those utilize network management tools. International Data Corp forecasts that will grow to 14 percent by the end of 1994, according to Larson. "Brightworks has one of the biggest shares of the (network tools) market, an award winning product list and a robust direct tele-sales operation," Larson said. Among its products, Brightworks sells SiteMeter, software that monitors the number of times a software package is utilized on a network, and Network Remote, a diagnostics tool. 
To manage its entry, McAfee has hired Bob Chappelear, who ran the Peter Norton division of Symantec, Larson said. McAfee also is bringing on board Brightworks head Greg Gianforte and few, if any, staff cuts will take place. "The prime assets of the company are with the people," Larson said. Although he declined to price the deal, payment will be all cash -- no stock sales or new loans. "We have $28 million in cash and all the money is coming from (that)," Larson said. Larson said McAfee has money to look for other companies. "We don't want to get too far ahead, but we certainly have the financial resources to continue to pursue (other acquisitions)," he said. But company management is intent on not losing focus on its core business of selling anti-virus software for single-user computers. Virus complexity is ever increasing and the number of viruses infecting computers doubles every year, Larson said. Larson said Brightworks, with its established telephone and direct sales network, will help McAfee begin competing head-to-head with Peter Norton for retail anti-virus business.

Copyright 1994 The Buffalo News The Buffalo News January 30, 1994, Sunday, Final Edition

As many readers know, a computer virus is pure misery for the home user. But it is even more devastating for a business. And the problem isn't going away. For example, computer viruses have been spreading on networks. This means that every PC connected to an infected network is, in turn, in danger of being infected. But peace of mind is available, according to Cheyenne Software Inc. of Roslyn Heights, a local area network software developer. The company has a product called "InocuLAN" that it claims will protect an entire computer system from a potentially devastating computer virus. "Traditionally, password protection and a 'locked door' were enough to prevent unauthorized access to data," said Andrew Boyland, director of computer security products for Cheyenne Software. 
"But the most serious and potentially damaging security threat to hit LANs in recent years has been the computer virus." He said a study commissioned by the National Computer Securities Association and Dataquest in 1991 revealed that 63 percent of 600 companies responding had had an encounter with a computer virus. Boyland noted that the virus problem, in general, has been getting worse over the past five years and said that the number of viruses "is roughly growing at the rate of 2 1/2 per day." He said he expected the rate to continue but pointed out that "there are new viruses that are constantly being written that are more complex than the old ones." Years ago, a computer virus traveled from one floppy disk to another, making recovery time shorter and less expensive, according to Boyland. He referred to InocuLAN as a "computer drug" that prevents a killer virus from invading a business network system. Once a virus damages a computer system, it can be costly and time consuming to return it to a previrus environment, according to Boyland. But "InocuLAN protects both your file server and DOS work stations against viruses," he said. Boyland said that there are roughly 2,000 viruses "in the world out there" and that about 100 of them are considered fairly prevalent. He said the general description of a virus writer "is a 17-year-old in high school or college. They begin tinkering with computers at generally a young age, and they decide that this is kind of a neat way to fool everybody. "The hacking community is a very powerful one," Boyland said. "They share information with each other through what we call pirating bulletin boards, or bulletin boards where they exchange virus codes, information on how to break into the systems, weakness and insecurities in particular systems. Then they set out to attempt a virus. 
"Most of the viruses that we have seen have clearly been written by people with lots of computer experience," Boyland said. "They move fast, they're hard to detect, and they are cleverly written. The poor viruses, the ones that are not well written, are the ones that we commonly see and hear about for a month or two." According to Boyland, a graduate of the State University at Binghamton and the University of Copenhagen, a virus can spread with great speed. He said a company in France recently had 4,000 PCs infected within three hours after a virus entered the network. Boyland said that situations like Michelangelo became bad virus incidences because by accident "somebody shipped out copies of their software with copies of the Michelangelo virus on it, so it was caused to spread that much faster." He said users can call Cheyenne Software at (800) 243-9462 for information on disaster recovery, network back-up and anti-virus or network monitoring. Personal Computers welcomes your questions and programs as well as advance notification of computer group meetings. Mail your correspondence to Lonnie Hudkins, The Buffalo News, P.O. Box 100, Buffalo, N.Y. 14240.

Copyright 1994 The Financial Times Limited; Financial Times January 25, 1994, Tuesday

Can a computer virus change its spots? Yes, say computer security experts, who warn that a new breed of sophisticated computer virus that changes itself into multiple versions is becoming more common and that it can outwit some anti-virus software. Known as polymorphic viruses, they are designed to hide from popular anti-virus programs by changing themselves slightly each time they replicate. Businesses relying on older versions of anti-virus scanning software risk leaving their PCs open to infection from polymorphic viruses. Such viruses can produce as many as 2.3 trillion versions of themselves, making them impossible to detect without the help of a new generation of anti-virus software. 
'There is no question about it, polymorphic viruses are definitely the wave of the future,' says Phil Talsky, product manager at leading US anti-virus software developer McAfee Associates. Talsky adds that the most common polymorphic virus is the Satan Bug and it is infecting increasing numbers of PC users. 'It recently entered our top 10 list of most often reported viruses, at number nine.' David Stang, head of US-based Norman Data Defense Systems and founder of the International Computer Security Association, agrees that the Satan Bug poses a computer security challenge. 'We are hearing more reports daily of Satan Bug infections and it is a major problem for some organisations.' The Satan Bug has turned up at some US government agencies where it has infected several hundred PC systems. These include the Social Security Administration and the Army Corps of Engineers. There have also been reports that the Satan Bug has been found in European PC systems, and that Tremors, another polymorphic virus, is affecting PC users in Germany. However, they should not panic, Stang says. 'Becoming infected by any kind of virus is rare and coming across the Satan Bug is even rarer. But if you are unlucky enough to get infected, it is going to be expensive.' The Satan Bug is not designed to erase data like some viruses, such as Michelangelo, but it interferes with users trying to connect to a local area network and will change file dates. It replicates quickly and can travel across a local area network to infect other users. Computer virus experts at IBM say polymorphic viruses should not trouble most users. 'If users take proper precautions, polymorphic viruses are easy to deal with,' says Steve White, manager of the high integrity computing laboratory at the IBM Thomas J. Watson Research Center. 
'We have not found a very high infection rate among users by the Satan Bug and the whole issue of polymorphic viruses has received more attention than it deserves.' White and his colleagues at IBM have completed several detailed studies of how computer virus infections propagate. They were the first to label the Michelangelo virus scare two years ago as overblown and correctly predicted that it would not cause much damage. White points out that PC users face about the same chance of a virus infection as they do of a hard disc failure, so proper backup procedures should be a routine task. To eliminate a virus, users must detect and often erase infected files and then reinstall them from an uninfected backup disk. This can take several hours for each PC infected. The US Army Corps of Engineers estimates that it lost more than Dollars 12,000 per hour in trying to exorcise the Satan Bug. McAfee's latest version of its ViruScan software can detect Satan Bug, but users must delete all infected files. While Stang says he has developed an anti-virus program that can detect and erase the Satan Bug without requiring users to reinstall infected files, Talsky says polymorphic viruses are more difficult to guard against since they use encryption to hide from virus scanning software. 'Polymorphic viruses are algorithm-based so we have to essentially crack their code first and produce algorithms to counter them. Normally, it takes our programmers one hour to modify our software to detect a regular virus, but with a polymorphic virus, it can take us 48 hours to develop software that can detect it.' Researchers at IBM say they are working on an automatic system to detect and analyse new polymorphic viruses. This will enable a faster response in producing updates of anti-virus software and help slow their spread. 
While computer virus experts concede that polymorphic viruses are written by very talented programmers, the developer of the Satan Bug is believed to be a 16-year-old computer enthusiast who uses the pseudonym Hacker4Life. There is no US law prohibiting the writing of a virus program and programmers often post their latest virus creation quite openly on local computer bulletin board systems. There are about 2,500 known PC viruses. Advancing computer technology could help solve this growing problem. Western Digital, a US company making hard discs, has developed a chip, the Immunizer, designed to monitor system activity and to block any suspicious writing to the hard disc. However, the chip works only with certain newer PCs. On the software side, companies are developing different types of anti-virus programs that, like the Immunizer chip, monitor what is happening within the PC. If the software detects suspicious activity, it blocks it and flags an alert. Talsky warns that more polymorphic viruses are coming. While the risk from a PC virus infection is small, there are important safeguards all PC users should adopt. These include using the latest anti-virus software. 'We produce new versions of ViruScan every six weeks,' says Talsky. 'But there are a lot of people using older versions and they won't get the full protection.' Any anti-virus software version written before August 1993 is unlikely to offer protection against polymorphic viruses. Users should contact their vendor and update their software. All new software, no matter what its source, must be scanned for viruses. 'Most people avoid computer bulletin boards and shareware software, thinking that they might be infected. But most of our calls are from users that have been infected from commercial software, especially demo software disks,' says Talsky. Stang recommends that users with many PCs decide on a computer security strategy. 
'Some users apply the same security to all their systems. The problem with this approach is that some systems should be better protected while others may not need quite so much protection. If you tell each user that they must spend five to 10 minutes each day scanning for viruses, that translates into a huge cost in terms of staff time over the course of a year. That can turn out to be more expensive than dealing with a virus infection.'

Copyright 1994 Report From Japan, Inc. (A Yomiuri News Service) Report From Japan January 21, 1994

There were a total of 897 reported cases of damage to computers because of viruses in 1993, an increase of 154 percent over the 253 confirmed cases in the preceding year, the Information Technology Promotion Agency, Japan, (IPA) reported Jan. 21. The 1993 total represented 73 percent of the total number of cases confirmed by the IPA from April 1990 to December 1993. The sharp increase in 1993 was attributed to a rise in the number of viruses and an increase in computer users' awareness of the computer virus reporting system. The IPA has been monitoring computer viruses in Japan since April 1990 under the auspices of the International Trade and Industry Ministry. As of the end of 1993, 71 different computer viruses had been reported, including 66 that invade computers running MS-DOS, and five that infect Macintosh computers. Twenty-one new viruses were detected for the first time by the IPA in 1993. Of the cases reported in 1993, 359 were reported by corporations, 246 by the information industry, 238 by individuals, and 54 by schools and research institutes. The Kanto region had the most cases at 499, followed by Kinki at 128, Chubu at 115, Tohoku and Kyushu at 41 each. There were 37 cases in Chugoku and 19 in Hokkaido.

Copyright 1994 Newspaper Publishing PLC The Independent January 3, 1994, Monday

COMPUTER experts have warned the public of a fresh computer virus threat affecting compact discs used to store vast catalogues of data. 
The discs, known as CD-Roms (compact disc read only memories), are an increasingly popular format for those who need to carry or archive large amounts of information. One CD-Rom, resembling the more well-known shiny music platters, can replace an entire encyclopaedia, or carry detailed graphical and textual information on every painting in an art gallery's collection. Often the discs cost several thousand pounds. But the data on a CD-Rom is designed only to be read, not altered. So a CD-Rom with a virus on it cannot be cleaned up in the same way as programs held on floppy disk. Richard Ford, editor of Virus Bulletin, said yesterday: "The only use for an infected CD-Rom is as a frisbee." The problem is that a virus on a CD-Rom can spread to the computer system that reads it. Transmission can occur via small functional programs, such as routines that will speed up access to the information, included on the disc in addition to the bulk data itself. During December, virus specialists heard of four separate reports of infected CD-Roms. They fear this is the start of a growing trend and are warning computer users to scan new CD-Roms for viruses just as they would ordinary software arriving on a floppy disk. Scanning will be a time-consuming process since CD-Roms hold huge amounts of data in hundreds of compressed files. Computer viruses can cause relatively mild effects, such as messages flashed up on screen, or potential disasters if the rogue code disrupts or erases valuable data. The cases reported last month occurred on discs carrying so-called "shareware", software that people tr