U.S. News Online
Image by  CATRINA GENOVESE FOR USN&WR


Business & Technology 6/14/99

SPECIAL REPORT


Can hackers be stopped?
In an epic cyberspace battle, white hats are pitted against black hats

BY BRENDAN I. KOERNER

Christopher Klaus's north Atlanta office can charitably be described as bland. Cramped and colorless, with furniture inherited from an insurance company and a view of the highway, it seems an unlikely place for a cherubic wunderkind to do battle with the anonymous thousands who break into computer networks. Here, his X-Force of software wizards has tangled with hacker groups like Cult of the Dead Cow, devoted to making life miserable for Microsoft, and Hacking for Girlies, masterminds behind the takedown of the New York Times Web site last September.

Klaus, the 25-year-old founder of Internet Security Systems, has earned a tidy fortune–well over $200 million at last count–protecting the computer systems of major corporations from crackers, the preferred term for criminal hackers. Inspired by tales of cyberspace cowboys in the classic sci-fi novel Neuromancer, Klaus, a Georgia Tech dropout, realized early on that Internet security would grow into one of the computer world's most lucrative sectors, and that the tug of war between "white hats" and "black hats"–defenders versus attackers, the establishment versus the outlaws–would become its most thrilling subplot.

Six years after Klaus began running ISS out of his grandma's house, the company has blossomed into a leader in "adaptive network security," making software designed to stave off the kinds of intrusions that have become front-page staples lately. In the past 12 months alone, black hats have hacked the Web sites of eBay, Ameritech, Bell South, Packard Bell, even the White House. The break-ins have exposed the laughable inadequacy of most conventional security measures, which often fail to stop intruders armed with only the most rudimentary skills. In a recent survey of top corporations and government agencies by the FBI's Computer Intrusion Squad and the Computer Security Institute, 30 percent of respondents admitted that their systems had been penetrated by outsiders last year, while 55 percent reported unauthorized access by insiders.

For businesses that live and die by Web traffic, having a site disabled by mischief makers can be costly. In the FBI–Computer Security Institute survey, 163 organizations reported combined losses of nearly $124 million last year from computer security breaches. Experts say huge losses often go unreported, as most corporate victims want to avoid bad publicity. If they choose to, crackers can do serious damage: In March 1997, a teenager who went by the alias Jester started poking around the system of NYNEX, now Bell Atlantic, in Worcester, Mass. He eventually disabled the network, knocking out the town's phone service and disrupting radio transmissions at a nearby airport.

The stakes for consumers are also getting higher, as banking records, monetary transactions, and personal data rapidly become little more than 1s and 0s zipping through the Internet. Credit card numbers, the lifeblood of E-commerce, are particularly ripe for pilfering. Last August, two members of Hacking for Girlies made off with 1,749 credit card numbers.

Last summer also witnessed the debut of "Back Orifice," which grants unauthorized users remote access to machines running either Windows 95 or Windows 98, the operating system of choice for most home computers. Once installed on a targeted machine, perhaps disguised as an innocuous E-mail attachment, Back Orifice gives hackers more control of the computer than the person at the keyboard has, according to Cult of the Dead Cow, its creators. The program is available free of charge on the group's Web site and requires little in the way of technical know-how to operate.

National-security officials fear much darker forces lurking in cyberspace–hostile nations boasting computer-proficient shock troops. "The major threat is from foreign countries," says Richard A. Clarke, the National Security Council's most senior adviser on infrastructure protection. "The only thing I can say on an unclassified basis is we know there are foreign governments interested in our critical infrastructure, and they are developing plans to go after it."

There are no official estimates as to how many black hats are bouncing around cyberspace, but there are clearly enough to draw the rapt attention of law enforcement. This past Memorial Day weekend, the FBI conducted an 11-city sweep of 20 suspected crackers. (The more common label–hacker–is reserved for those who refrain from using their skills for malice, although some system administrators dispute the distinction.)

Muscle flexing. The FBI raid was retaliation for the hacking of the White House Web site on May 9 by a gang calling itself gH, or Global Hell, which defaced the page with a picture of flowered panties. "For those who think that this is some sort of sport, it will be less fun when the authorities do catch up with them," warned White House Press Secretary Joe Lockhart. But the FBI's muscle flexing has failed to impress most experts. "I would say the FBI is pretty much grasping at straws," says Mike Hudack, editor of Aviary-mag.com, an online information security magazine. He believes that little evidence will be gleaned from the suspects' seized computers. Crackers are using near-unbreakable encryption, "so what's the point?" Hudack asks.

One target of the raid, who goes by the nickname "mosthated," was similarly unimpressed by the operation–despite being subjected to a three-hour interrogation. "I agree with what they did. I can't get mad at them for busting me for what I did," the 18-year-old Houston-area resident told U.S. News. After he signed a statement "admitting that I had had access to servers in 14 countries around the world," mosthated was released without being charged–minus his computer, which was retained by the FBI. He has since replaced it. "At least they were nice enough to leave me with my monitors and my scanners," he says.

Though a midlevel gang may occasionally get busted, the concern is that top-tier black hats are so skilled, so far ahead of their government pursuers, that capture seems a remote possibility. "The script kiddies will get stopped," says Greg Shipley, a freelance security consultant with close ties to the hacker community. He is referring to amateurs who use prefabricated attacks–copies of hacking tools that they simply download, rather than program themselves. "The ones a notch above get caught when they are careless. But the ones that are good–I mean, really good–continue to go undetected. You never read about them, and they are the biggest threat."

Playing catch-up. Scott Charney, chief of the Department of Justice's Computer Crime and Intellectual Property Section, disputes the notion that the elite are untouchable. "Some very good hackers are serving time." But he admits that authorities are playing catch-up. "The law enforcement community is relatively new to this and has a steep learning curve," he says. "The number of technically literate prosecutors and agents is growing. But the technology keeps changing."

The script kiddies are considered especially dangerous. Many expert hackers trespass on systems strictly for the challenge and will patch holes on the way out or notify system administrators about how they broke in. Script kiddies, by contrast, revel in breaking things, whether on purpose or by accident; a typical example is the case of two California teens, "Makaveli" and "TooShort," who rummaged through a group of high-level military servers last year. "If they get into a network, they don't know what they're doing. They don't patch up the holes," says mosthated. "They really do some things that are destructive."

Hackers point out that it is vendors, not they, who are responsible for the gaping holes that permeate so many products. With companies releasing software as fast as possible, proper security often gets lost in the rush toward store shelves. "As complexity increases, the opportunity for vulnerability increases," says Steven Foote, a senior vice president at the Hurwitz Group, which analyzes strategic business applications.

Security professionals deride Microsoft operating systems, in particular, as porous and unreliable, often crashing and leaving themselves open to attack. "Windows NT is slow, it's buggy, and we don't trust it," says Marcus Ranum, founder of the security software company Network Flight Recorder, who faults NT-centric networking strategies for contributing to decreased security. Sites geared toward E-commerce, which are constructed to be open and accessible to visitors, also provide particularly appealing targets. "With E-business, you're allowing customers into your data center," says Foote. "Then there's ample opportunity for customers to hack deep into your environment."

Inside jobs. In the past, system administrators kept out intruders by installing a fire wall, a device that vets requests for service and turns away those lacking proper authorization. But fire walls have become practically useless as stand-alone defenses. They don't guard against attacks by insiders–disgruntled employees, password thieves–which account for up to 65 percent of all incidents. Different networks often use the same popular brand, so figuring out how to crack one fire wall can give a perpetrator instant access to thousands of sites.

The white-hat response has been to develop new tools. Some assess security risks; others alert administrators to attacks in progress. At ISS, the two flagship products are Internet Scanner, a "virtual hacker" that probes systems for hidden weaknesses, and RealSecure, a veritable "burglar alarm," or intrusion-detection system. Big organizations, such as AOL, Microsoft, NASA, and 21 of the nation's top 25 banks, depend on ISS products for protection, a client list that has pushed the publicly traded company into the elite ranks of profitable Internet ventures, with earnings of $1.3 million last quarter.

Thwarting black hats requires staying abreast of their tricks. At ISS, that task falls to the X-Force, a team of around 50 researchers charged with keeping an ear to the computer underground. Headed by Chris Rouland, 27, the group monitors security-oriented Web sites, chat rooms, and mailing lists in search of the latest exploits. Internet Scanner and RealSecure can only defend against known attacks, and therefore they rely on frequent updates from the X-Force, which has so far uncovered over 2,100 potential vulnerabilities. At the same time, team members pick apart new software releases, trying to sniff out holes and miswritten code before their enemies do.
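The point made above, that signature-driven products such as Internet Scanner and RealSecure can only defend against attacks they already have a pattern for, is easy to see in a toy signature matcher. The following is an added example, not code from the article or from ISS; the log lines, the signature table and the request paths are constructed for illustration. It runs a literal signature over a few web-server log lines, shows that a request written in a different encoding than the pattern slips past, and shows that normalizing the input before matching (decoding URL escapes) closes that particular gap without waiting for a new signature.

```python
import re
from urllib.parse import unquote

# Constructed web-server log lines in common log format (not from the article).
# The second and third lines request the same thing; the third is URL-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Jun/1999:10:01:02] "GET /index.html HTTP/1.0" 200',
    '10.0.0.7 - - [14/Jun/1999:10:01:09] "GET /../../private/config.txt HTTP/1.0" 404',
    '10.0.0.9 - - [14/Jun/1999:10:01:15] "GET /%2e%2e/%2e%2e/private/config.txt HTTP/1.0" 404',
]

# Hypothetical signature table: name -> compiled pattern. This is the kind of
# thing a vendor ships as an update; here it holds a single literal rule.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
}

# Pulls the request path out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def extract_path(line):
    """Return the request path from a log line, or None if it has none."""
    m = REQUEST_RE.search(line)
    return m.group(1) if m else None


def detect(lines, signatures, normalize=False):
    """Run every signature over every request path.

    Returns a list of (raw_path, signature_name) hits. With normalize=False
    the patterns see the path exactly as logged; with normalize=True the
    path is URL-decoded first, so encoded variants of a known pattern are
    compared in the same form as the signature.
    """
    hits = []
    for line in lines:
        path = extract_path(line)
        if path is None:
            continue
        target = unquote(path) if normalize else path
        for name, pattern in signatures.items():
            if pattern.search(target):
                hits.append((path, name))
    return hits


if __name__ == "__main__":
    # Literal matching flags only the plainly written request.
    print("literal:   ", detect(SAMPLE_LOG, SIGNATURES))
    # Decoding before matching also catches the encoded variant.
    print("normalized:", detect(SAMPLE_LOG, SIGNATURES, normalize=True))
```

The literal pass flags one request and misses its encoded twin; the normalized pass flags both. That is the whole argument for keeping a detection product's decoders current alongside its signature list: a pattern is only as good as the form of input it is compared against.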

"We have to hire people who have all the capabilities of the bad guys," says Tom Noonan, ISS's CEO, who turned down a cushy post at Oracle to join the company in 1994. The back and forth between the X-Force and its adversaries has occasionally been ferocious, most notably at last year's DefCon, an annual computer security convention in Las Vegas. That is where Cult of the Dead Cow released Back Orifice, ostensibly to expose Microsoft's security shortcomings. Hours after its public debut, Rouland got a copy to Jon Larimer, the X-Force's "back door" guru. "I knew they'd used some encryption, and we needed to have a way for RealSecure to track that," says Larimer, a Penn State dropout whose slight build and shy demeanor make him seem even younger than his 20 years. Fueled by free sodas and his own adrenalin, he churned out a decode in a single night. ISS released a countermeasure within days.

ISS is hardly the only adaptive network security outfit, with a slew of rivals jockeying for a piece of a market expected to generate at least $700 million in sales by 2002, up from $45 million two years ago. Axent Technologies, router giant Cisco Systems, and Network Associates are all fierce competitors, with a crop of start-ups, like Ranum's Network Flight Recorder, nipping at their heels.

Though Noonan asserts his company "wouldn't hire anyone on the dark side," rivals charge ISS with keeping black hats on its staff. Ranum claims an underground figure known as "ReDragon" was an ISS employee while co-editing the popular hacker zine Phrack. (Michele Norwood, an ISS spokeswoman, says the employee in question was asked to resign his position at Phrack as soon as it was discovered and that he later left the company.)

Behind the curve. The real competition, of course, is not Axent and Cisco, but the black hats. "I really believe we are ahead of 99 percent of the hackers out there that are criminals," boasts Klaus. Those close to the computer underground, however, claim that ISS and its white-hat peers are woefully behind the curve. "ISS makes products that are in the upper crust of products available," says "NeonSurge," a member of Rhino9, a group of security experts. "Personally, to me this doesn't mean much because all products out there are always two to three months behind the latest techniques being used." The crew at ISS acknowledges that security-assessment and intrusion-detection products are not silver bullets. "We'll never reach a point where every known attack is defended against," says Mark Wood, head of ISS's intrusion detection team. The goal, instead, is "to reduce the number of people who can attack to two or three in the world. But can those two or three defeat RealSecure if they really want to? Yes."

Rouland and the X-Force do not have the time to fret over such matters. Their summer promises to be a busy one. Rouland has advance information that Cult of the Dead Cow will be releasing "Back Orifice 2000," and the X-Force is already gearing up to respond. The summer months are also the traditional high season for cyberattacks. School's out, notes Rouland, so kids have plenty of time to poke around the world's hole-filled networks.

With Doug Pasternak and David E. Kaplan