The Hacker's Bane

 

"Contrary to common belief, we were not behind either the WarGames script or the break-in at the Los Alamos National Lab's computer," says Jeff Burrus with a chuckle. He has reason to gloat. As vice-president of marketing at LeeMAH of San Francisco Inc., a small electronics company, he is in charge of marketing an ingenious computer security device designed to keep outsiders from breaking into a computer system via the public phone lines. When the company introduced the device last year, few people were even aware of the problem. Then came the movie WarGames and a rash of long-distance, electronic break-ins by a group of computer-literate teenagers, or "hackers," from Milwaukee. Now everybody is talking about computer security, and Burrus's job has become a lot easier.

Experts in the area believe that all this is happening not a moment too soon. "The hacker problem, from our point of view, was a good thing because it finally caught the attention of upper-level executives," says Jack Bologna, president of Computer Protection Systems Inc., which publishes Computer Security Digest and Corporate Fraud Digest. "[It has been] a very inexpensive way to get the point across to upper management" before the criminals move in where the children now play.

The business press has been quick to pick up on this theme. "Wanna make a killing on a hot new issue?" wrote Forbes magazine editor-in-chief Malcolm S. Forbes in September. "Go for the first common stock offering by the company that comes up with an affordable, failsafe, kid-proof gizmo to prevent unauthorized access to any computer, any program. Or, price regardless, grab shares in any existing company that develops a proven arm-lock against access by the unauthorized -- without locking out prompt access by the authorized. Until there is such, no computer program, no computer storage, no one, no thing anywhere is safe."

Pronouncements like this are music to the ears of people at LeeMAH and their counterparts at Digital Pathways Inc. of Palo Alto, Calif., Backus Data Systems Inc. of San Jose, Calif., and International Mobile Machines Corp. (IMM) of Philadelphia -- all of which are already making such gizmos, and at least one of which, IMM, is a public company.

The gizmos in question are "dial-back" devices that are remarkable mainly for their simplicity. Although the various devices on the market differ somewhat in design and features, each includes a box of electronic hardware that intercepts incoming calls. The caller is asked to identify himself with a password or identification number. After receiving the information, the machine hangs up and consults its own memory for the authorized telephone number, which it then calls back, providing the requested computer link. Thus, an unauthorized caller can get into the system only if he has both the correct password and access to the telephone associated with the password.

Such dial-back devices "will increase considerably the protection against unauthorized users," declares Donn Parker, senior computer security consultant at SRI International in Menlo Park, Calif. SRI now prescribes the devices in its security reviews, and Parker expects that soon they will be "very common."

The relatively low cost of the devices will undoubtedly encourage their quick acceptance. For example, the LeeMAH Secure Access Unit -- which hooks up to a single telephone line -- goes for a mere $1,200. The company's new multiline unit, called the Secure Access Multiport, has a base price of $3,850 and handles up to 64 computer/telephone links for an additional $500 per link. Comparable multiline units from other companies are priced competitively.

The main differences among units have to do with specific features and options, which vary from manufacturer to manufacturer. With some of the devices, for example, a caller with a special password can gain immediate "pass-through" access to the computer at specific times of the day. Another option allows a caller to "write in" an alternative call-back number, using a touch-tone pad.

In addition, most of the devices can record incoming calls and monitor usage of the telephone links. There are also alarms that go off in the event of repeated, unsuccessful attempts to enter the system. IMM's product even has a trap for hackers, whereby the device can be set up to give a continuous false ring signal while it alerts the data center to have the telephone call traced. IMM general manager Anthony Caputo says that a St. Louis bank recently used this option in a trial run of its new system and, on the first night, caught an ex-employee trying to gain access to the bank computer.
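The dial-back sequence and the repeated-failure alarm described above, modeled as an added example (not code from the article or from any vendor). The directory entries, the alarm threshold of three, and all names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample directory: password -> authorized call-back number.
DIRECTORY = {"7421": "555-0101", "9038": "555-0199"}
ALARM_THRESHOLD = 3  # assumed value; the article gives no number


@dataclass
class DialBackUnit:
    directory: dict
    alarm_threshold: int = ALARM_THRESHOLD
    failures: int = 0          # consecutive rejected calls
    alarm: bool = False
    log: list = field(default_factory=list)

    def incoming_call(self, password):
        """Handle one inbound call; return the number to call back, or None.

        The inbound line is always dropped. The call-back number comes only
        from the unit's own memory, never from anything the caller says.
        """
        number = self.directory.get(password)
        if number is None:
            self.failures += 1
            self.log.append(("reject",))   # the guessed password is not stored
            if self.failures >= self.alarm_threshold:
                self.alarm = True          # repeated failures trip the alarm
            return None
        self.failures = 0
        self.log.append(("callback", number))
        return number


def session_established(unit, password, caller_phone):
    """True only if the unit's outbound call rings the phone the caller is at."""
    number = unit.incoming_call(password)
    return number is not None and number == caller_phone


if __name__ == "__main__":
    unit = DialBackUnit(dict(DIRECTORY))
    print(session_established(unit, "7421", "555-0101"))  # authorized phone
    print(session_established(unit, "7421", "555-0142"))  # password, wrong phone
```

The second call shows the property the article describes: a correct password used from any other telephone produces a call-back to the authorized number, so the caller never receives the computer link.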

It remains to be seen which of the companies will emerge as the industry leader. According to Bologna, LeeMAH has an edge at the moment. The company's customers have included General Telephone Co. of California (for which it originally designed the Secure Access Unit in 1981) and General Telephone of the Southwest, not to mention Hewlett-Packard Co., which has placed a large order for the new Secure Access Multiports. LeeMAH's competitors are moving quickly to establish themselves, however, and all of the dial-back vendors report an unexpected avalanche of orders.

Moreover, the demand is almost certain to skyrocket in the months ahead -- and not just because of fears about hackers. Indeed, the primary impetus is likely to come from the breakup of the Bell system. "In the past, many large companies have used private line networks" to connect outlying personnel to central computers, says LeeMAH design engineer James Smith. "But private line . . . installation costs have [already] gone up 1,000% in some areas, and usage costs have gone up 2000." With the American Telephone & Telegraph Co. divestiture, private lines that cross several telephone districts will get "very expensive, very quickly." Smith predicts that many companies will turn instead to dial-back devices, which offer comparable security at considerable savings.