Security Lapse
Or, how I stopped worrying and learned to love hackers, bugs, and other high-tech miscreants.
Published August 2005
I got a letter the other day from Time Warner, where I briefly worked some years ago. It was a sincere-enough-sounding note just to let me know that the guys in the data center may have inadvertently let my Social Security number and other private information fall into unknown hands. No need for me to take it personally—the company had done the same thing to some 600,000 present and past employees when it lost a boxful of backup tapes from a truck.
Companies seem to be surrendering a lot of valuable data these days to hackers and other miscreants, at least when they’re not busy fending off the latest crippling virus or worm. What can you do about it? I’m not going to give you the standard lecture on the importance of protecting your computers. I bet you’re a little tired of hearing that sort of thing. Instead, I’m going to tell you something different about computer security—something you won’t hear from vendors, IT whizzes, or even security professionals. You’re not going to like it, but you need to understand it.
First, a little background: In 1992, a troubled, profoundly untalented young hacker known as Phantom D managed to tear through at least 1,000 computer systems over the course of a year, including those at military weapons research laboratories, leading computer vendors, and ATM networks. I know a thing or two about the case because journalist Charles C. Mann and I wrote a book about Phantom D in 1997. What we learned at the time from some of the world’s leading security experts was that breaking into even the most sensitive sites on the Internet was a cinch—so easy that anyone with time on his hands could do it. Our prediction: The situation wasn’t going to get better. Indeed, it would probably get worse—no matter how much effort people made to stem the tide.
This is not the sort of thing that Web surfers and corporations want to hear, and the computer-security community all but conspires to oblige them. Think about it: If you’re a security consultant, a corporate IT honcho, or a law enforcement official paid to make computing safe, how quick are you going to be to shout from the rooftops that there’s no way to get the job done? For that matter, how willing are you to accept this fact yourself?
Which brings me back to Time Warner. There’s no need to pick on the media giant; it’s been in great company in recent months, most recently CardSystems Solutions, where a hacker attack in June exposed 40 million credit cardholders to a risk of fraud. Bank of America, Wachovia, ChoicePoint, and LexisNexis also have been stung recently.
People read these stories and shake their heads over the lax security at the target companies. It may even make you think about calling up your IT director and beefing up your own company’s computer security. But that reaction is part of the problem. The fact is, companies like Time Warner and Bank of America have been doing a pretty good job of meeting or exceeding industry standards for protecting their computer systems and data. And it’s not like IT bosses everywhere else are asleep at the wheel. Barry MacQuarrie, the CIO for Xpitax, a tax outsourcing firm in Braintree, Mass., notes that security consistently ranks as the top priority in surveys of accounting industry CIOs. “We have three levels of passwords, we filter all e-mail twice before it reaches our firewall, and we run antivirus on everything internally,” MacQuarrie says.
So do plenty of other firms. And yet the hackers keep getting inside, the viruses continue to rage, and data disappears. What’s the problem? The world’s faith in the holy trinity of computer security—firewalls, intrusion-detection systems, and antivirus software—is misplaced. Jim Settle, the former head of the FBI computer-crime squad and now a computer-security consultant in Haymarket, Va., offers this assessment: “They don’t work. Duh.” Sure, they’ll keep out casual hackers who get discouraged easily or don’t have the latest tools, but that’s about it. Settle is often hired to test computer-security systems by trying to break in, usually just after a few million dollars’ worth of state-of-the-art security software has been installed. In nearly 50 efforts, he’s never failed to get inside, and only once was he even detected.
Managers ask the question: Is our data safe? In fact, there’s really no need to wonder about that. Any savvy, experienced, and honest security expert can give you the answer—without knowing a thing about your company’s systems. No, your data is not safe. And here’s that thing I promised you wouldn’t want to hear: There’s nothing you can do about it.