
Electronic snooping goes private

So you think your computer communications are safe and secure? Hah! You poor, deluded, vulnerable fool.

Experts in the security business confide that most computer networks are wide open to attack by dedicated hackers. Indeed, they describe some real-world electronic assaults that would make your bytes turn into bits.

Want to break into one of Switzerland's most famous private banks and look at its accounts? Not a problem.

Want to break into the computer of a key government agency of a big European country and read messages tasking its security officers? Not a problem.

Want to crack corporate networks and read the e-mail traffic? Not a problem. In fact, that's so easy it's done routinely.

We're not talking here about electronic intercepts by the National Security Agency or black-bag jobs by the CIA, mind you. These operations are conducted by the growing global network of private security consultants, using sophisticated hacking tools that most of us don't begin to understand.

An example of the hackers' tool kit is something called a "packet sniffer." Once the hacker gains access to the electronic transmissions passing through a computer network (which isn't as hard as you might think) the packet sniffer allows him to read the electronic bundles of information -- those little ones and zeros streaming over the Net -- and translate them into readable computer files. An apprentice hacker can download the software needed for a packet sniffer from one of many sites on the Net.

What's happening, in effect, is the privatization of some of the most powerful tools traditionally used by intelligence agencies -- which allow them to overhear our conversations and read our mail. The new privateers are mostly former spies and law enforcement officers who are now offering their skills on the open market. They're working with former colleagues and liaison contacts around the world -- and with the hacker underground -- to get the information they need.

"The Cold War is over," explains one member of this private security brotherhood. "People in police and security services are just trying to make money." One ripe source of information is the hundreds of agents overseas who were dumped by the CIA in the budget cuts of the mid-'90s. Many of them are freelancing now.

If you want access to this network, you can start by contacting one of the high-powered Washington or New York law firms. They, in turn, will contact a private security firm, which will contact a consultant, who will contact another consultant, who will work with hackers, cops, second-story artists, whoever is needed to get the job done.

Typically, the person who initiates a request for information at one end of the chain has no idea who actually obtains it or what methods were used.

Companies that want to protect themselves against electronic attacks should consider investing in counter-intelligence. An example of what's available comes from Michael L. Puldy, who heads IBM's Emergency Response Service. He runs a group of about 100 people worldwide who help IBM clients clean up the damage from electronic break-ins and try to prevent them from happening in the first place.

Puldy explains that companies are much more vulnerable to electronic attack than they realize. They may think they're protected by so-called "fire walls" that screen who gets into the network. But if the fire-wall software is installed right out of the box, it usually contains default passwords and other trapdoors that allow smart hackers to get in.

Puldy's group mainly does electronic "perimeter checks," looking for holes in a company's network, along with installing "intrusion detection monitors" -- which sense when a hacker is trying to break in.

But IBM also offers a more aggressive "Ethical Hacking Service," which for a fee will actually break into your system and show just how vulnerable it is. Puldy says IBM's ethical hackers can penetrate more than 75 percent of the systems they attack. Once inside, they can find password files, break into the corporate e-mail server and read everyone's mail -- even get into the chief executive officer's hard drive and read his most private files.

Packet sniffers are the enemy, in Puldy's world. He says that cable modems are especially vulnerable, because given most existing cable technology, it's easy to read the other computers on a neighborhood cable loop. "If you're on the neighborhood ring, you can put a sniffer on the cable and watch everything I do on my computer -- stock trades, passwords, e-mails, everything," Puldy says. It's harder to crack "digital subscriber line" or DSL technology that's used to provide high-speed connections over phone lines -- but not impossible.

"Given enough time and effort, you can break into anything you want to," says Puldy.

Civil libertarians still seem to focus their angst on privacy threats from government intelligence and law-enforcement agencies, but they're way behind the times. Like everything else in the global economy, snooping has been privatized.

David Ignatius is an associate editor of the Washington Post.

Washington Post