Information Security News mailing list archives

We've Been Hacked


From: William Knowles <wk () C4I ORG>
Date: Thu, 21 Sep 2000 10:44:47 -0500

http://www.inc.com/incmagazine/article/0,,ART20252_CNT53,00.html

David S. Bernstein
Inc. magazine
September 15, 2000

Not scared of losing your data to a corporate thief? You should be

Bob McNeal sits down in a cubicle in his Alexandria, Va., office with
his morning coffee. He turns on his computer and flips open his
notebook to check out the specifics of today's assignment. He clicks a
couple of buttons on the screen and runs his usual scripted program,
entering in a few numbers from those that are scribbled in his
notebook. He types in some commands, following routine instructions
from his database of tools. Then he patiently waits for the computer
to process his programs and answer his questions -- questions that
could be worth thousands of dollars to his client.

Two hours later, McNeal has completed his assignment. He has broken
into the computer network of MBA Management Inc., located some 20
miles away in Fairfax, and verified that he can access every computer
and every database in the company. And, McNeal tells his boss, he can
read the user ID and password of every single employee. Is that
enough, he asks, or should he continue?

That's hacking. Sorry to make it seem so banal. But it doesn't take
some wild-eyed rocket scientist with a supercomputer and nothing
better to do but type ingenious code into the wee hours of the morning
to perform it. Most of what hackers do is disarmingly simple. Often
they use readily available vulnerability-seeking software programs,
which some experts call "point, click, and attack tools." And most of
the time hackers are pretty successful -- especially when they target
small companies, which typically don't spend either the time or the
resources they need to protect themselves. The simplest tricks can do
tremendous damage. (Witness the "I Love You" bug that was sent earlier
this year in an E-mail attachment.)

Most small companies that are hooked up to the Internet do what James
Mugnolo, president of MBA Management, did: assume that their Internet
service provider will furnish a secure connection. It took McNeal just
one morning to reveal how faulty an assumption that was.

Fortunately for MBA Management, a $5-million executive-search
business, Bob McNeal works for the good guys: Para-Protect Services
Inc., an E-commerce and network-security company. Mugnolo, who
recently moved his company to Chantilly, Va., hired Para-Protect in
October 1998 to find the holes in his company's network and recommend
ways to stitch them up.

McNeal stopped his penetration test into the MBA Management network
after those first two hours. Normally, such a job can take two days.
"We stopped when we found we could get into everything," says Chuck
Downs, Para-Protect's vice-president and director of operations.
"There was no sense in beating that horse to death."

Mugnolo had decided to test his company's security and to spend some
money upgrading it after a former employee was suspected of stealing
customer data. Like most employers who have such suspicions, Mugnolo
doesn't like to discuss the details. Still, he clearly felt betrayed,
and worse, the incident scared him. In its database the company keeps
information on more than 50,000 workers throughout North America, as
well as on an equal number of companies that are looking for
employees. "Their whole business is that database," says Downs.

Though Mugnolo didn't hire "white hat" hackers until the company had
lost data, other small-business owners are rushing to secure their
networks before disaster strikes. In some cases the critical or
private nature of the company's data pushes them to it; in other cases
companies see security as a differentiator for their product or
service. But many have just plain seen the writing on the wall -- or
more precisely, in the newspaper headlines, which have blared a stream
of reports on security breaches. Though well-publicized stories about
computer viruses have lately brought security into the public
consciousness, it's often other threats that are more dangerous to a
company's profits and reputation. Those can include attacks that shut
down Web servers, for instance, or that replace Web sites with obscene
or insulting graphics. Hackers can also get in and rummage through a
company's files. Sometimes data just disappear -- consider the case
earlier this year at the U.S. State Department, where Madeleine
Albright ordered a crackdown after a classified laptop vanished, and
at Los Alamos National Laboratory, where two hard drives containing
classified nuclear-weapons data were missing for more than a month.

Those sorts of events -- from the annoying to the frightening -- are
often what it takes to make an entrepreneur recognize the need for
computer security, says Terry Gudaitis of information-protection
consultant Global Integrity Corp., based in Reston, Va. After all, you
don't want your company to be the next one in the headlines.

Certainly, Mugnolo doesn't. And he has thus far been successful. In
March, Para-Protect Services ran an unscheduled penetration test of
MBA Management's systems, and this time the company passed with flying
colors. Since it adopted its new security measures, "we haven't had a
single instance of systems penetration," says David Denne, MBA
Management's vice-president of marketing. That has left the company
free to concentrate on growth: this year's second quarter was its best
ever, and the business grew from 35 employees to almost 60 in the
first six months of the year.

In perhaps its closest call, the company escaped damage from a virus
that was seemingly designed for a headhunting company: code disguised
as an E-mail attachment on a résumé. That message, signed "Janet Simons,"
read: "Attached is my résumé with a list of references contained within.
Please feel free to call or E-mail me if you have any further
questions regarding my experience. I am looking forward to hearing
from you." The attachment, however, carried a virus that could have
methodically erased every single drive on MBA Management's network.

Needless to say, that particular virus could have been disastrous for
the company, where résumés flow in regularly through the E-mail system.
"It probably shut down several of our competitors," says Denne. "Our
system immediately scrubbed anything that came in through the
firewall, flagged it, and kept it on a server outside the firewall."
Like Mugnolo, Denne believes that MBA Management has gained a
competitive edge through its stepped-up security. "I find it
comforting, and therefore I think my clients find it comforting,"
Denne says.

Hire a Hacker

At Para-Protect Services, Chuck Downs was surprised but not shocked
that McNeal was able to break into MBA Management's systems in just
two hours. Doing what Mugnolo did -- relying on his ISP to configure
his connection to the Net -- meant by definition that it was an open
connection, Downs says.

But if Downs wasn't appalled, Mugnolo certainly was. His business's
competitive edge -- the reason companies go to him rather than to
other headhunters -- is his deep compilation of information on
thousands of potential employees. Included in that data is sensitive
information on job openings, including postings that haven't been made
public -- perhaps because an employee doesn't yet know that he or she
is on the way out. Companies can unwittingly reveal a lot about their
strategic plans, for example, by listing the specific skills required
for various jobs. "The last thing in the world the client wants is for
that information to get back to his staff or to a competitor," says
Denne.

In particular, a company that's developing a new product doesn't want
anyone to know the nature of its work. "A breach in a program could
spell the end of the whole market for their idea," Denne adds.

Still, it's not surprising that few people spend a lot of time
worrying about Internet security. As the user looks out onto the
superhighway of the Web, it's easy to see it as a one-way street. But
in fact, when you open a Web page or do virtually anything on the
Internet, you send a request to the faraway computer on which that Web
page is stored, and that computer sends you back information, which is
opened by your browser or other software. That means your computer --
and, in a company setting, the server -- must be constantly open and
able to receive data feeds from the outside. That openness is exactly
where vulnerability lies.

For a fee of about $10,000, Para-Protect restricted the openness of
MBA Management's systems in two ways. First, the company installed a
simple firewall from Prism Servers Inc., in Allison Park, Pa., at a
cost of less than $3,000. The firewall was configured according to a
simple rule, Downs says: "Anything coming from the Internet that is
not requested from the inside is denied." It does that by using a Unix
filter to distinguish between information -- like a Web page -- that
is coming in at a user's request and any unknown traffic that arrives
unbidden. When someone inside the network requests something from
outside the firewall, the firewall issues a tag number with the
request. If incoming data packets don't contain a matching tag, the
firewall won't let them in.

There are two big exceptions. One is E-mail, which arrives
unrequested. Downs put MBA Management's E-mail system onto a separate
server, which redirects incoming mail and scans it for viruses before
users can access it. The other exception is the company's own Web
site, which anyone from the outside should be able to access. MBA
Management disconnected the site from its corporate network and
arranged to have it hosted off-site.

Second, Downs made sure that each computer went on the internal
network, which is invisible to outsiders. In a normal office network
with Internet access, each workstation has a unique Internet Protocol
(IP) address. It was those addresses that McNeal was able to identify
and attack in the penetration test. Downs changed each workstation's
IP address to a nonroutable address -- meaning that outsiders can only
see the address of the firewall. The result: nobody from outside can
discover the IP address of an internal computer and use it as a port
into the network -- a common hacking procedure. Downs says that the
firewall's logs reveal that hackers have frequently scanned MBA
Management's system looking for ports since Downs put the firewall in
place.
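A small model of the two measures just described (deny anything from the Internet that was not requested from inside, using a tag issued with each outbound request, and hide the workstations behind the firewall's single routable address), written as an added example for this archive rather than code from Para-Protect or the Prism product; the addresses, port numbers and the deliberately exposed mail relay are constructed samples.

```python
import itertools
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulNatFirewall:
    """Model of the rule "anything coming from the Internet that is not
    requested from the inside is denied", combined with address translation
    so that outsiders only ever see the firewall's own routable address."""

    def __init__(self, public_ip: str, exposed_services=()):
        self.public_ip = public_ip
        # Services deliberately reachable without an inside request (the
        # separate mail relay in the article); everything else inbound must
        # match a tag handed out on the way out.
        self.exposed = set(exposed_services)
        self._tags = itertools.count(40000)  # "tag numbers" = translated source ports
        self.table = {}    # tag -> (inside ip, inside port, remote ip, remote port)
        self.dropped = []  # what the firewall log would show (port scans etc.)

    def outbound(self, pkt: Packet) -> Packet:
        """An inside host sends a request: remember it, hide the private address."""
        tag = next(self._tags)
        self.table[tag] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return replace(pkt, src_ip=self.public_ip, src_port=tag)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered inside, or None if it is denied."""
        if (pkt.dst_ip, pkt.dst_port) in self.exposed:
            return pkt
        entry = self.table.get(pkt.dst_port) if pkt.dst_ip == self.public_ip else None
        # The tag alone is not enough: the reply must also come from the host
        # and port the inside request was actually sent to.
        if entry is not None and (pkt.src_ip, pkt.src_port) == entry[2:]:
            return replace(pkt, dst_ip=entry[0], dst_port=entry[1])
        self.dropped.append(pkt)
        return None


def demo() -> dict:
    """Constructed traffic using RFC 5737 documentation addresses."""
    fw = StatefulNatFirewall("203.0.113.1", exposed_services={("203.0.113.1", 25)})
    # Workstation on a non-routable address fetches a web page.
    request = fw.outbound(Packet("192.168.1.10", 51000, "198.51.100.80", 80))
    reply = fw.inbound(Packet("198.51.100.80", 80, request.src_ip, request.src_port))
    # Unsolicited port scan against the only address an outsider can see.
    scan = fw.inbound(Packet("198.51.100.200", 44444, "203.0.113.1", 139))
    # Forged "reply" to a valid tag from a host the inside never talked to.
    forged = fw.inbound(Packet("198.51.100.201", 80, request.src_ip, request.src_port))
    # Mail arrives unrequested, but the relay is an intended exception.
    mail = fw.inbound(Packet("198.51.100.25", 33000, "203.0.113.1", 25))
    return {"request": request, "reply": reply, "scan": scan,
            "forged": forged, "mail": mail, "dropped": len(fw.dropped)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```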

Although $3,000 is low-end for a commercial firewall, Downs says, it's
all that a small company needs. "The only thing you limit is the
number of people you can service," he says, since the small firewall
has limited bandwidth capacity. The Prism product, he says, can easily
handle 200 users. That should cover the short-term needs of MBA
Management, which plans to double its number of networked users within
a year. As the company has grown, it has periodically added servers
behind the main firewall and is now running six of them.

Now that Downs feels the company is secure from outside intruders, the
next move is to provide greater internal security for the databases.
Currently, MBA Management uses a proprietary database running on NT
servers. It is about to split the database into several parts using
software called Adapt, which will allow the company to use the
operating system's security-administration features to carefully
control who can have access to different levels of data.

Since installing the firewall, Para-Protect has conducted monthly
tests as part of a routine security checkup. That is not to say that
MBA Management's security is 100% foolproof. But the company has put a
pretty solid defense in place -- solid enough to send hackers on to
easier targets. And that's a big part of what Internet security is
about: making sure yours is not the easiest lock to pick.

Virtual Privacy

You could say that a kindergarten play cost entrepreneur Dana Dodds
$120,000 a year, and you wouldn't be that far off.

One afternoon in 1996, Dodds, CEO of San Diego auto insurer Reliant
General Insurance Services Inc., left work to watch his daughter
perform in a school play. He was immediately struck by guilt. "I had a
customer-service rep whose daughter was in that class, too, but she
couldn't be there, and it bugged me," Dodds says.

Soon, about 15 of Reliant General's employees were working from home,
with no time clock -- just quotas for the number of applications they
processed and standards for the quality of the work they did. Back
then, the workers connected to the corporate network directly through
a dial-in 800 number. The phone bills for those lines ran about
$120,000 a year.

Reliant General is a fast-growth company -- it's made the Inc. 500
twice, as #341 in 1998 and #417 in 1999. And Dodds is all for using
the newest technology to keep his company growing at a rapid pace. So
in 1997 he hired information-services director Cary White to help him
do just that.

When White, 32, joined the company, he took one look at the exorbitant
phone bill and told Dodds that the company could eliminate most of it
by letting the telecommuters connect over the Internet. Dodds liked
the idea but knew there had to be a catch. "He's a very sharp guy when
it comes to technology," White says with a laugh. "Almost too smart
for his own good."

The catch, White responded, lay in the open nature of the Internet.
Essentially, the Internet is a very large collection of routers that
are wired to one another. When you send a packet of data into
cyberspace, it wanders, asking at each router, "Have you seen this IP
address?" If the answer is no, the packet moves on to the next router.

However, nobody should trust that every router on the Internet will
simply shoo data packets along. Hackers can put tools, called
"sniffers," on those routers and use them to peek inside every packet
of data that comes along. If a packet's contents or destination seems
juicy enough, the sniffers can read everything inside.

An extra layer of worry exists for Dodds and his colleagues working in
California's auto industry: 11 years ago actress Rebecca Schaeffer was
murdered by a stalker who obtained her address from the state
Department of Motor Vehicles. (Since then, California has tightened
its DMV privacy laws.) Not surprisingly, Dodds is passionate about the
need to protect his customers. "Information for us is a trust, and we
can't give it away, and we can't let anybody get it," he says. "We're
talking about where they live, what cars they drive, where they work,
the children that drive in the household, their driving records, their
claims history -- it's very similar to credit information. It's very
private."

For White, simply using the wide-open Internet was out. So he called
in a local consultant, Paradise Technology, which built a virtual
private network. At the time, VPNs were a fresh concept, and few
companies of any size had tried them out. The VPN creates a tunnel of
sorts between the Reliant General network and telecommuters'
computers, shielding its content from the view of the myriad routers
along the way.

Axent Technologies' PowerVPN was one of the first of its kind on the
market, so Paradise chose it for Reliant General. In addition, Reliant
General purchased Axent's Defender product to authenticate users on
its dial-up lines.

The system works this way: Telecommuters like Reliant policy
underwriter Mike Lemieux connect to the Internet through a cable modem
or a dial-up ISP. Lemieux, who works full-time from his home in El
Cajon, Calif., clicks on an icon to start his session with Reliant
General. Lemieux's request then passes through several stages.

First, the firewall lets it through only if it is a request for a VPN
session on the Axent machine. Anyone -- even an authorized user like
Lemieux -- who tries to bypass that machine and connect directly to
the corporate server will be blocked by the firewall. Approved
requests for VPN sessions make it to the next stage: authentication by
the Defender hardware. Lemieux enters his user ID and, just as he
would at an ATM machine, types in a personal identification number.
But in addition, using that PIN and secret data stored on Lemieux's
hard drive, the system creates a onetime password that allows him to
access it. This two-level authentication means that someone would have
to know Lemieux's password and use his computer in order to
impersonate him and gain access to the corporate server.

When Defender gives the go-ahead to Lemieux's session, the PowerVPN
establishes a secure tunnel that keeps all transmissions out of harm's
way. In addition, it encrypts the contents. Once the secure connection
is established, Lemieux logs in to the corporate server -- using yet
another password -- and begins working on applications just as if he
were on the network in the office. So far the system has worked so
well that Reliant General uses the VPN not just for its own
telecommuters but also for approved outsiders, like insurance-claims
reps.
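The PIN-plus-secret-on-disk login described above, as an added illustration for this archive: this is not Axent's Defender algorithm but a generic HMAC-based one-time-password scheme in which the key is derived from both factors, so neither the PIN alone nor the file on the hard drive alone produces a valid code. The user ID, PIN and look-ahead window are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import struct


def derive_key(device_secret: bytes, pin: str) -> bytes:
    """Both factors form the HMAC key: the secret file on the telecommuter's
    hard drive and the PIN the user types at login."""
    return hashlib.sha256(device_secret + pin.encode("utf-8")).digest()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time password (HOTP-style dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenClient:
    """Software token on the user's PC: holds the secret, never the PIN."""

    def __init__(self, device_secret: bytes):
        self.device_secret = device_secret
        self.counter = 0

    def next_otp(self, pin: str) -> str:
        otp = hotp(derive_key(self.device_secret, pin), self.counter)
        self.counter += 1
        return otp


class AuthServer:
    """Authentication gateway: stores only the derived key and a counter."""

    def __init__(self):
        self.users = {}

    def enroll(self, user_id: str, pin: str) -> bytes:
        device_secret = secrets.token_bytes(32)
        self.users[user_id] = {"key": derive_key(device_secret, pin), "counter": 0}
        return device_secret  # provisioned onto the user's hard drive

    def verify(self, user_id: str, otp: str, window: int = 3) -> bool:
        rec = self.users.get(user_id)
        if rec is None:
            return False
        # Look ahead a few counters to tolerate codes generated but never sent.
        for c in range(rec["counter"], rec["counter"] + window):
            if hmac.compare_digest(hotp(rec["key"], c), otp):
                rec["counter"] = c + 1  # this and earlier codes are now dead
                return True
        return False


def demo() -> dict:
    server = AuthServer()
    secret = server.enroll("mlemieux", pin="4921")  # constructed sample user and PIN
    token = TokenClient(secret)
    results = {}
    # Secret file present but the wrong PIN typed.
    results["wrong_pin"] = server.verify("mlemieux", TokenClient(secret).next_otp("0000"))
    # PIN known but no secret file (someone on a different machine).
    results["pin_only"] = server.verify(
        "mlemieux", TokenClient(secrets.token_bytes(32)).next_otp("4921"))
    # Both factors present.
    otp = token.next_otp("4921")
    results["correct"] = server.verify("mlemieux", otp)
    # The same code captured and resent is refused.
    results["replay"] = server.verify("mlemieux", otp)
    # A code generated but never sent does not lock the user out.
    token.next_otp("4921")
    results["skipped_one"] = server.verify("mlemieux", token.next_otp("4921"))
    return results


if __name__ == "__main__":
    print(demo())
```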

Installing the system for about 25 telecommuters cost Reliant General
about $20,000. Given a yearly savings of $100,000 on the phone bill,
"it was pretty clear-cut, pretty much a slam-dunk decision," says
chief financial officer Greg Goodrich.

According to Dodds, the phone-bill savings haven't been the only gain.
He says telecommuters' productivity has increased sharply -- a
phenomenon supported by a new poll conducted by the International
Telework Association & Council, which found that nearly half of the
telecommuters surveyed felt they were more productive working at home,
while less than 10% thought they were less productive. According to
Dodds, underwriters who used to process about 70 applications a day in
the office are now doing at least 100 a day working at home. And
giving a staffer time off to attend a school play no longer costs the
company a small fortune.

Bedside Manner

If you think that storing kids' immunization records doesn't sound
like a business bonanza, then you haven't been talking with Joseph
Rosmann.

Rosmann's soft-spoken manner belies his passion about his Internet
start-up, HealthRadius. The company -- Rosmann's obsession since he
launched it in 1996 -- will soon make many millions of dollars from
its Web-based repository of children's vaccination records, he
explains in measured tones. Doctors, he says, have free access to the
records. Public-health agencies pay a fee to access the records of
children in their area. Health plans pay $1 a child for basic data and
as much as $4 a child for more complete records. Individuals, through
their employers or insurers, can access their own children's records
for a family subscription fee of $15 a year.

Eventually, every time a doctor's office wants to check on a new
patient's history or a parent wants to sign up a kid for summer camp,
money will flow into HealthRadius. What companies like Healtheon/WebMD
Corp. have become for the Web-based administrative side of health
care, Rosmann's company will be for the patient-records side of it, he
says.

Rosmann, 56, who formerly worked as a health-care consultant, has had
to make his pitch many, many times, to venture capitalists, state
health officials, doctors, and health-care administrators. Though they
may expect the caricature of an Internet-start-up entrepreneur with
plans as big as the sky -- a young, brash, fast-talking braggadocio --
what they get instead is the calm assurance of Joe Rosmann, with his
mellifluous voice that never rises or rushes. Like a family doctor
explaining your test results, he provides instant reassurance with his
smile and bearing.

Reassurance is an important element of Rosmann's plan. To make it
work, he must collect and distribute the type of information that
everyone agrees should be held in utmost privacy: medical records.
Without strict assurance of the data's security, Rosmann says, his
company could never meet the requirements of health-care privacy laws
-- newly tightened in the wake of consumer outrage over privacy
violations. And just as important, without that security, Rosmann
could never sell anyone on the idea.

And these days it's a Herculean task to ensure that Web-based
transactions are private and secure. Still, for cost, speed, and
simplicity, Rosmann wants to do it all -- including data collection
and access -- over the Web.

His approach seems to be working. HealthRadius, based in Bellevue,
Wash., will expand its immunization-records service to four new states
this fall and expects to have more than half a million physicians
involved within two years. Although the company took in just $100,000
in revenues last year, venture capitalists value the company at about
$20 million. Rosmann expects revenues of close to $5 million this
year.

Four years ago, when Rosmann launched HealthRadius, doctors and
health-care administrators were just beginning to eye the potential of
the Internet. Washington state health officials brought Rosmann in to
study how to salvage a failed medical-records-exchange initiative, the
Community Health Information Network. Their request, he says, was
straightforward: "Get something simple started to prove that you can
safely exchange medical-health records and automate the transactions
between doctors, health plans, and hospitals."

Out of that effort came two companies: Rosmann's and a
payment-exchange provider called Pointshare. Rosmann's response to the
state's request was to break into the potentially enormous
health-care-records field through the single entry point of children's
immunization data. That category is a good testing ground for the
broader health-records field, he believes. For one thing, parents must
frequently provide immunization records to new schools, new summer
camps, and new doctors. A child typically has seen three doctors and
had 23 immunizations by age six, according to HealthRadius's research.
Who wouldn't want to make managing and exchanging all that data
easier? Rosmann believed it was a market waiting to be served.

One of Rosmann's key early contacts was information-law specialist
John R. Christiansen of the Seattle office of law firm Stoel Rives
LLP. Christiansen began consulting for HealthRadius in the fall of
1996. "There is no standard-setting organization out there" for
electronic medical records, Christiansen says. "You can't just go out
there and say, 'What are the steps I need to take?'" He advised
Rosmann to draft his contracts with clients in a way that holds
HealthRadius to an unusually high level of liability for the privacy
and security of the data it collects. Only by doing so could Rosmann
hope to reassure the doctors, health insurers, and parents who were
HealthRadius's targeted customers.

If you're going to put your business on the line like that, you'd
better make sure you can live up to your promises. So the first person
Rosmann brought on board was not a health-care adviser, but
information-security veteran Gene Shook, now vice-president of the
company's operations and development. Rosmann and Shook, working
together in their quiet offices on the outskirts of Seattle, laid out
a long list of steps they would take to keep medical data both secure
and private.

First, they needed to be able to verify the identity of any client
trying to access their records over the Web. Then they had to encrypt
the data sent to and from HealthRadius servers so that only people
holding the keys to unscramble it could read it. In addition, since
participating doctors' offices would submit information directly to
the HealthRadius database when they performed immunizations, the
company had to guarantee an even greater level of security for those
transactions. Different employees at doctors' offices -- even those
using the same computer -- would need to have varying levels of
access; for instance, some workers would be able to read but not edit
patient records.

Shook will soon install a VPN, which will offer a high degree of
security. In the meantime, he turned to the encryption built into
standard versions of Netscape Navigator and Microsoft Internet
Explorer (called Secure Sockets Layer encryption) and other Microsoft
tools. For authentication, Shook currently uses the access-control
system built into the Microsoft Windows NT operating system as well as
the company's own custom-developed access-control system.

To ensure that changes that are made to HealthRadius's database are
verifiable and legally valid, Shook decided to use a method that
should soon become more widespread: digital signatures that use public
key infrastructure (PKI). Those digital signatures, provided through an
authorized third party, verify two parties to each other, like a
secret handshake. Washington state has recently authorized a Utah
company called Digital Signature Trust to act as the licensed
certificate authority for supplying digital PKI signatures. Anyone in
the state can sign up with Digital Signature Trust and receive the
hardware or software to generate digital IDs. Two parties that are
both using those digital IDs -- for instance, HealthRadius and a
physician's office -- can be certain that the information that was
sent exactly matches what the other party receives. In Washington,
such electronic documents can now legally take the place of paper.

Shook is hoping that other states adopt compatible systems; if they
don't, HealthRadius may have to install a vast and confusing array of
different digital-signature systems. (Without a common standard, Shook
fears that HealthRadius may have to establish its own PKI service for
its customers. That not only would be more costly and difficult --
HealthRadius would have to license and distribute software to everyone
who is authorized to access its data over the Web -- but also would
open HealthRadius up to liability for its digital-signature system.)

So far HealthRadius has spent about $1 million on technology,
including security. By the time it rolls out nationally during the
next year or two, Rosmann expects he will have spent $2 million to $3
million on technology. But perhaps most important, the company has
already subjected itself to an intensive security audit (in the spring
of 1998) and will undergo another one early next year. It also
requires periodic audits of the 50 clinics and hospitals that supply
it with medical-records data, and a randomly selected 5% of clients'
sites will be audited each year.

In such a review, an independent outside party rigorously examines the
procedures and technology that a company is using to handle its data.
In HealthRadius's case, the auditors were interested in seeing whether
the company could live up to the security standards of the Health
Insurance Portability and Accountability Act of 1996. That legislation
established ground rules for medical-records privacy -- always a
delicate subject and one made even more so in the Internet age.
(DrKoop.com got into hot water recently when its advertising partner,
DoubleClick, sold lists that included members' health information.
HealthRadius's contract with its clients bars it from selling its
information.)

The audit, which takes about three weeks to complete, includes
interviews and a systematic review of the technology itself. That may
seem like a lot of effort to secure something as relatively
uncontroversial as immunization records. But a market test in 1998
confirmed that the HealthRadius service had no chance of acceptance if
people felt even a slight concern that someone could access its
demographic information on the more than 2 million people in its
system. "We needed to act as a bank -- you have direct access and no
one else has access," says Shook.

In addition, managing immunization records is just HealthRadius's
initial foray into the arena of electronic-medical-records exchange.
In the not too distant future, Rosmann plans to start databases that
will contain patients' disease histories and other medical matters. At
that point, he wants an unblemished security track record.

The company's biggest vote of confidence so far has come in black and
white: a letter from the National Committee for Quality Assurance
(NCQA), an independent nonprofit organization that evaluates the
quality of managed-care organizations. The letter, dated January 1999,
stated that NCQA considered HealthRadius's registry of immunization
records an allowable source of data for its own system, which is used
almost universally by health plans. "NCQA gave its blessing because we
had provided the privacy," says Rosmann. "As soon as that letter was
issued, about every health plan became a customer."

That's not to say Rosmann is satisfied. "We still have a little
sensitivity around the subject of security," he says, still in that
calm, careful voice. In fact, he has Shook shopping for three more
security items. One, HackerShield from BindView Development, scans for
known intrusion methods, similar to the way antivirus software checks
for familiar computer viruses. A second, IPsec, is a computer-security
standard that keeps unwanted data traffic from bothering a company's
servers. One benefit of that would be protection against
denial-of-service attacks that can overload and disable a server.
(Remember that disastrous day for Amazon.com and eBay last February?)

The third product Rosmann and Shook want, WebTrends, monitors and
analyzes firewall logs for unusual activity. That will help Shook
manage the company's defenses more actively and will also help the
company prosecute any hackers who try to break in. Because catching a
hacker would make the kind of headlines that Rosmann would like to be
in.

David S. Bernstein is a freelance writer in Watertown, Mass.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*
