We've Been Hacked
Not scared of losing your data to a corporate thief? You should be
Bob McNeal sits down in a cubicle in his Alexandria, Va., office with his morning coffee. He turns on his computer and flips open his notebook to check out the specifics of today's assignment. He clicks a couple of buttons on the screen and runs his usual scripted program, entering in a few numbers from those that are scribbled in his notebook. He types in some commands, following routine instructions from his database of tools. Then he patiently waits for the computer to process his programs and answer his questions -- questions that could be worth thousands of dollars to his client.
Two hours later, McNeal has completed his assignment. He has broken into the computer network of MBA Management Inc., located some 20 miles away in Fairfax, and verified that he can access every computer and every database in the company. And, McNeal tells his boss, he can read the user ID and password of every single employee. Is that enough, he asks, or should he continue?
That's hacking. Sorry to make it seem so banal. But it doesn't take some wild-eyed rocket scientist with a supercomputer and nothing better to do but type ingenious code into the wee hours of the morning to perform it. Most of what hackers do is disarmingly simple. Often they use readily available vulnerability-seeking software programs, which some experts call "point, click, and attack tools." And most of the time hackers are pretty successful -- especially when they target small companies, which typically don't spend either the time or the resources they need to protect themselves. The simplest tricks can do tremendous damage. (Witness the "I Love You" bug that was sent earlier this year in an E-mail attachment.)
Most small companies that are hooked up to the Internet do what James Mugnolo, president of MBA Management, did: assume that their Internet service provider will furnish a secure connection. It took McNeal just one morning to reveal how faulty an assumption that was.
Fortunately for MBA Management, a $5-million executive-search business, Bob McNeal works for the good guys: Para-Protect Services Inc., an E-commerce and network-security company. Mugnolo, who recently moved his company to Chantilly, Va., hired Para-Protect in October 1998 to find the holes in his company's network and recommend ways to stitch them up.
McNeal stopped his penetration test into the MBA Management network after those first two hours. Normally, such a job can take two days. "We stopped when we found we could get into everything," says Chuck Downs, Para-Protect's vice-president and director of operations. "There was no sense in beating that horse to death."
Close call: James Mugnolo's company received a nasty virus that read, "Enclosed is my résumé."
Mugnolo had decided to test his company's security and to spend some money upgrading it after a former employee was suspected of stealing customer data. Like most employers who have such suspicions, Mugnolo doesn't like to discuss the details. Still, he clearly felt betrayed, and worse, the incident scared him. In its database the company keeps information on more than 50,000 workers throughout North America, as well as on an equal number of companies that are looking for employees. "Their whole business is that database," says Downs.
Though Mugnolo didn't hire "white hat" hackers until the company had lost data, other small-business owners are rushing to secure their networks before disaster strikes. In some cases the critical or private nature of the company's data pushes them to it; in other cases companies see security as a differentiator for their product or service. But many have just plain seen the writing on the wall -- or more precisely, in the newspaper headlines, which have blared a stream of reports on security breaches. Though well-publicized stories about computer viruses have lately brought security into the public consciousness, it's often other threats that are more dangerous to a company's profits and reputation. Those can include attacks that shut down Web servers, for instance, or that replace Web sites with obscene or insulting graphics. Hackers can also get in and rummage through a company's files. Sometimes data just disappear -- consider the case earlier this year at the U.S. State Department, where Madeleine Albright ordered a crackdown after a classified laptop vanished, and at Los Alamos National Laboratory, where two hard drives containing classified nuclear-weapons data were missing for more than a month.
Those sorts of events -- from the annoying to the frightening -- are often what it takes to make an entrepreneur recognize the need for computer security, says Terry Gudaitis of information-protection consultant Global Integrity Corp., based in Reston, Va. After all, you don't want your company to be the next one in the headlines.
Certainly, Mugnolo doesn't. And he has thus far been successful. In March, Para -Protect Services ran an unscheduled penetration test of MBA Management's systems, and this time the company passed with flying colors. Since it adopted its new security measures, "we haven't had a single instance of systems penetration," says David Denne, MBA Management's vice-president of marketing. That has left the company free to concentrate on growth: this year's second quarter was its best ever, and the business grew from 35 employees to almost 60 in the first six months of the year.
In perhaps its closest call, the company escaped damage from a virus that was seemingly designed for a headhunting company: code disguised as a E-mail attachment on a résumé. That message, signed "Janet Simons," read: "Attached is my résumé with a list of references contained within. Please feel free to call or E-mail me if you have any further questions regarding my experience. I am looking forward to hearing from you." The attachment, however, carried a virus that could have methodically erased every single drive on MBA Management's network.
Needless to say, that particular virus could have been disastrous for the company, where résumés flow in regularly through the E-mail system. "It probably shut down several of our competitors," says Denne. "Our system immediately scrubbed anything that came in through the firewall, flagged it, and kept it on a server outside the firewall." Like Mugnolo, Denne believes that MBA Management has gained a competitive edge through its stepped-up security. "I find it comforting, and therefore I think my clients find it comforting," Denne says.
Hire a Hacker
At Para-Protect Services, Chuck Downs was surprised but not shocked that McNeal was able to break into MBA Management's systems in just two hours. Doing what Mugnolo did -- relying on his ISP to configure his connection to the Net -- meant by definition that it was an open connection, Downs says.
But if Downs wasn't appalled, Mugnolo certainly was. His business's competitive edge -- the reason companies go to him rather than to other headhunters -- is his deep compilation of information on thousands of potential employees. Included in that data is sensitive information on job openings, including postings that haven't been made public -- perhaps because an employee doesn't yet know that he or she is on the way out. Companies can unwittingly reveal a lot about their strategic plans, for example, by listing the specific skills required for various jobs. "The last thing in the world the client wants is for that information to get back to his staff or to a competitor," says Denne.
In particular, a company that's developing a new product doesn't want anyone to know the nature of its work. "A breach in a program could spell the end of the whole market for their idea," Denne adds.
Still, it's not surprising that few people spend a lot of time worrying about Internet security. As the user looks out onto the superhighway of the Web, it's easy to see it as a one-way street. But in fact, when you open a Web page or do virtually anything on the Internet, you send a request to the faraway computer on which that Web page is stored, and that computer sends you back information, which is opened by your browser or other software. That means your computer -- and, in a company setting, the server -- must be constantly open and able to receive data feeds from the outside. That openness is exactly where vulnerability lies.
For a fee of about $10,000, Para-Protect restricted the openness of MBA Management's systems in two ways. First, the company installed a simple firewall from Prism Servers Inc., in Allison Park, Pa., at a cost of less than $3,000. The firewall was configured according to a simple rule, Downs says: "Anything coming from the Internet that is not requested from the inside is denied." It does that by using a Unix filter to distinguish between information -- like a Web page -- that is coming in at a user's request and any unknown traffic that arrives unbidden. When someone inside the network requests something from outside the firewall, the firewall issues a tag number with the request. If incoming data packets don't contain a matching tag, the firewall won't let them in.
There are two big exceptions. One is E-mail, which arrives unrequested. Downs put MBA Management's E-mail system onto a separate server, which redirects incoming mail and scans it for viruses before users can access it. The other exception is the company's own Web site, which anyone from the outside should be able to access. MBA Management disconnected the site from its corporate network and arranged to have it hosted off-site.
Second, Downs made sure that each computer went on the internal network, which is invisible to outsiders. In a normal office network with Internet access, each workstation has a unique Internet Protocol (IP) address. It was those addresses that McNeal was able to identify and attack in the penetration test. Downs changed each workstation's IP address to a nonroutable address -- meaning that outsiders can only see the address of the firewall. The result: nobody from outside can discover the IP address of an internal computer and use it as a port into the network -- a common hacking procedure. Downs says that the firewall's logs reveal that hackers have frequently scanned MBA Management's system looking for ports since Downs put the firewall in place.
Although $3,000 is low-end for a commercial firewall, Downs says, it's all that a small company needs. "The only thing you limit is the number of people you can service," he says, since the small firewall has limited bandwidth capacity. The Prism product, he says, can easily handle 200 users. That should cover the short-term needs of MBA Management, which plans to double its number of networked users within a year. As the company has grown, it has periodically added servers behind the main firewall and is now running six of them.
Now that Downs feels the company is secure from outside intruders, the next move is to provide greater internal security for the databases. Currently, MBA Management uses a proprietary database running on NT servers. It is about to split the database into several parts using software called Adapt, which will allow the company to use the operating system's security-administration features to carefully control who can have access to different levels of data.
Since installing the firewall, Para-Protect has conducted monthly tests as part of a routine security checkup. That is not to say that MBA Management's security is 100% foolproof. But the company has put a pretty solid defense in place -- solid enough to send hackers on to easier targets. And that's a big part of what Internet security is about: making sure yours is not the easiest lock to pick.
You could say that a kindergarten play cost entrepreneur Dana Dodds $120,000 a year, and you wouldn't be that far off.
One afternoon in 1996, Dodds, CEO of San Diego auto insurer Reliant General Insurance Services Inc., left work to watch his daughter perform in a school play. He was immediately struck by guilt. "I had a customer-service rep whose daughter was in that class, too, but she couldn't be there, and it bugged me," Dodds says.
A virtual private network lets Dana Dodds's employees work from home without sacrificing security.
Soon, about 15 of Reliant General's employees were working from home, with no time clock -- just quotas for the number of applications they processed and standards for the quality of the work they did. Back then, the workers connected to the corporate network directly through a dial-in 800 number. The phone bills for those lines ran about $120,000 a year.
Reliant General is a fast-growth company -- it's made the Inc. 500 twice, as #341 in 1998 and #417 in 1999. And Dodds is all for using the newest technology to keep his company growing at a rapid pace. So in 1997 he hired information-services director Cary White to help him do just that.
When White, 32, joined the company, he took one look at the exorbitant phone bill and told Dodds that the company could eliminate most of it by letting the telecommuters connect over the Internet. Dodds liked the idea but knew there had to be a catch. "He's a very sharp guy when it comes to technology," White says with a laugh. "Almost too smart for his own good."
The catch, White responded, lay in the open nature of the Internet. Essentially, the Internet is a very large collection of routers that are wired to one another. When you send a packet of data into cyberspace, it wanders, asking at each router, "Have you seen this IP address?" If the answer is no, the packet moves on to the next router.
However, nobody should trust that every router on the Internet will simply shoo data packets along. Hackers can put tools, called "sniffers," on those routers and use them to peek inside every packet of data that comes along. If a packet's contents or destination seems juicy enough, the sniffers can read everything inside.
An extra layer of worry exists for Dodds and his colleagues working in California's auto industry: 11 years ago actress Rebecca Schaeffer was murdered by a stalker who obtained her address from the state Department of Motor Vehicles. (Since then, California has tightened its DMV privacy laws.) Not surprisingly, Dodds is passionate about the need to protect his customers. "Information for us is a trust, and we can't give it away, and we can't let anybody get it," he says. "We're talking about where they live, what cars they drive, where they work, the children that drive in the household, their driving records, their claims history -- it's very similar to credit information. It's very private."
For White, simply using the wide-open Internet was out. So he called in a local consultant, Paradise Technology, which built a virtual private network. At the time, VPNs were a fresh concept, and few companies of any size had tried them out. The VPN creates a tunnel of sorts between the Reliant General network and telecommuters' computers, shielding its content from the view of the myriad routers along the way.
Axent Technologies' PowerVPN was one of the first of its kind on the market, so Paradise chose it for Reliant General. In addition, Reliant General purchased Axent's Defender product to authenticate users on its dial-up lines.
The system works this way: Telecommuters like Reliant policy underwriter Mike Lemieux connect to the Internet through a cable modem or a dial-up ISP. Lemieux, who works full-time from his home in El Cajon, Calif., clicks on an icon to start his session with Reliant General. Lemieux's request then passes through several stages.
First, the firewall lets it through only if it is a request for a VPN session on the Axent machine. Anyone -- even an authorized user like Lemieux -- who tries to bypass that machine and connect directly to the corporate server will be blocked by the firewall. Approved requests for VPN sessions make it to the next stage: authentication by the Defender hardware. Lemieux enters his user ID and, just as he would at an ATM machine, types in a personal identification number. But in addition, using that PIN and secret data stored on Lemieux's hard drive, the system creates a onetime password that allows him to access it. This two-level authentication means that someone would have to know Lemieux's password and use his computer in order to impersonate him and gain access to the corporate server.
When Defender gives the go-ahead to Lemieux's session, the PowerVPN establishes a secure tunnel that keeps all transmissions out of harm's way. In addition, it encrypts the contents. Once the secure connection is established, Lemieux logs in to the corporate server -- using yet another password -- and begins working on applications just as if he were on the network in the office. So far the system has worked so well that Reliant General uses the VPN not just for its own telecommuters but also for approved outsiders, like insurance-claims reps.
Installing the system for about 25 telecommuters cost Reliant General about $20,000. Given a yearly savings of $100,000 on the phone bill, "it was pretty clear-cut, pretty much a slam-dunk decision," says chief financial officer Greg Goodrich.
Instant reassurance: Joseph Rosmann guarantees that the children's records are shielded from harm.
According to Dodds, the phone-bill savings haven't been the only gain. He says telecommuters' productivity has increased sharply -- a phenomenon supported by a new poll conducted by the International Telework Association & Council, which found that nearly half of the telecommuters surveyed felt they were more productive working at home, while less than 10% thought they were less productive. According to Dodds, underwriters who used to process about 70 applications a day in the office are now doing at least 100 a day working at home. And giving a staffer time off to attend a school play no longer costs the company a small fortune.
If you think that storing kids' immunization records doesn't sound like a business bonanza, then you haven't been talking with Joseph Rosmann.
Rosmann's soft-spoken manner belies his passion about his Internet start-up, HealthRadius. The company -- Rosmann's obsession since he launched it in 1996 -- will soon make many millions of dollars from its Web-based repository of children's vaccination records, he explains in measured tones. Doctors, he says, have free access to the records. Public-health agencies pay a fee to access the records of children in their area. Health plans pay $1 a child for basic data and as much as $4 a child for more complete records. Individuals, through their employers or insurers, can access their own children's records for a family subscription fee of $15 a year.
Eventually, every time a doctor's office wants to check on a new patient's history or a parent wants to sign up a kid for summer camp, money will flow into HealthRadius. What companies like Healtheon/WebMD Corp. have become for the Web-based administrative side of health care, Rosmann's company will be for the patient-records side of it, he says.
Rosmann, 56, who formerly worked as a health-care consultant, has had to make his pitch many, many times, to venture capitalists, state health officials, doctors, and health-care administrators. Though they may expect the caricature of an Internet-start-up entrepreneur with plans as big as the sky -- a young, brash, fast-talking braggadocio -- what they get instead is the calm assurance of Joe Rosmann, with his mellifluous voice that never rises or rushes. Like a family doctor explaining your test results, he provides instant reassurance with his smile and bearing.
Reassurance is an important element of Rosmann's plan. To make it work, he must collect and distribute the type of information that everyone agrees should be held in utmost privacy: medical records. Without strict assurance of the data's security, Rosmann says, his company could never meet the requirements of health-care privacy laws -- newly tightened in the wake of consumer outrage over privacy violations. And just as important, without that security, Rosmann could never sell anyone on the idea.
And these days it's a Herculean task to ensure that Web-based transactions are private and secure. Still, for cost, speed, and simplicity, Rosmann wants to do it all -- including data collection and access -- over the Web.
His approach seems to be working. HealthRadius, based in Bellevue, Wash., will expand its immunization-records service to four new states this fall and expects to have more than half a million physicians involved within two years. Although the company took in just $100,000 in revenues last year, venture capitalists value the company at about $20 million. Rosmann expects revenues of close to $5 million this year.
Four years ago, when Rosmann launched HealthRadius, doctors and health-care administrators were just beginning to eye the potential of the Internet. Washington state health officials brought Rosmann in to study how to salvage a failed medical-records-exchange initiative, the Community Health Information Network. Their request, he says, was straightforward: "Get something simple started to prove that you can safely exchange medical-health records and automate the transactions between doctors, health plans, and hospitals."
Out of that effort came two companies: Rosmann's and a payment-exchange provider called Pointshare. Rosmann's response to the state's request was to break into the potentially enormous health-care-records field through the single entry point of children's immunization data. That category is a good testing ground for the broader health-records field, he believes. For one thing, parents must frequently provide immunization records to new schools, new summer camps, and new doctors. A child typically has seen three doctors and had 23 immunizations by age six, according to HealthRadius's research. Who wouldn't want to make managing and exchanging all that data easier? Rosmann believed it was a market waiting to be served.
One of Rosmann's key early contacts was information-law specialist John R. Christiansen of the Seattle office of law firm Stoel Rives LLP. Christiansen began consulting for HealthRadius in the fall of 1996. "There is no standard-setting organization out there" for electronic medical records, Christiansen says. "You can't just go out there and say, 'What are the steps I need to take?" He advised Rosmann to draft his contracts with clients in a way that holds HealthRadius to an unusually high level of liability for the privacy and security of the data it collects. Only by doing so could Rosmann hope to reassure the doctors, health insurers, and parents who were HealthRadius's targeted customers.
If you're going to put your business on the line like that, you'd better make sure you can live up to your promises. So the first person Rosmann brought on board was not a health-care adviser, but information-security veteran Gene Shook, now vice-president of the company's operations and development. Rosmann and Shook, working together in their quiet offices on the outskirts of Seattle, laid out a long list of steps they would take to keep medical data both secure and private.
First, they needed to be able to verify the identity of any client trying to access their records over the Web. Then they had to encrypt the data sent to and from HealthRadius servers so that only people holding the keys to unscramble it could read it. In addition, since participating doctors' offices would submit information directly to the HealthRadius database when they performed immunizations, the company had to guarantee an even greater level of security for those transactions. Different employees at doctors' offices -- even those using the same computer -- would need to have varying levels of access; for instance, some workers would be able to read but not edit patient records.
The first employee Rosmann brought on board was Gene Shook, who took charge of security.
Shook will soon install a VPN, which will offer a high degree of security. In the meantime, he turned to the encryption built into standard versions of Netscape Navigator and Microsoft Internet Explorer (called Secure Socket Layer encryption) and other Microsoft tools. For authentication, Shook currently uses the access-control system built into the Microsoft Windows NT operating system as well as the company's own custom-developed access-control system.
To ensure that changes that are made to HealthRadius's database are verifiable and legally valid, Shook decided to use a method that should soon become more widespread: digital signatures that use public key interchange (PKI). Those digital signatures, provided through an authorized third party, verify two parties to each another, like a secret handshake. Washington state has recently authorized a Utah company called Digital Signature Trust to act as the licensed certificate authority for supplying digital PKI signatures. Anyone in the state can sign up with Digital Signature Trust and receive the hardware or software to generate digital IDs. Two parties that are both using those digital IDs -- for instance, HealthRadius and a physician's office -- can be certain that the information that was sent exactly matches what the other party receives. In Washington, such electronic documents can now legally take the place of paper.
Shook is hoping that other states adopt compatible systems; if they don't, HealthRadius may have to install a vast and confusing array of different digital-signature systems. (Without a common standard, Shook fears that HealthRadius may have to establish its own PKI service for its customers. That not only would be more costly and difficult -- HealthRadius would have to license and distribute software to everyone who is authorized to access its data over the Web -- but also would open HealthRadius up to liability for its digital-signature system.)
So far HealthRadius has spent about $1 million on technology, including security. By the time it rolls out nationally during the next year or two, Rosmann expects he will have spent $2 million to $3 million on technology. But perhaps most important, the company has already subjected itself to an intensive security audit (in the spring of 1998) and will undergo another one early next year. It also requires periodic audits of the 50 clinics and hospitals that supply it with medical-records data, and a randomly selected 5% of clients' sites will be audited each year.
In such a review, an independent outside party rigorously examines the procedures and technology that a company is using to handle its data. In HealthRadius's case, the auditors were interested in seeing whether the company could live up to the security standards of the Health Insurance Portability and Accountability Act of 1996. That legislation established ground rules for medical-records privacy -- always a delicate subject and one made even more so in the Internet age. (DrKoop.com got into hot water recently when its advertising partner, DoubleClick, sold lists that included members' health information. HealthRadius's contract with its clients bars it from selling its information.)
The audit, which takes about three weeks to complete, includes interviews and a systematic review of the technology itself. That may seem like a lot of effort to secure something as relatively uncontroversial as immunization records. But a market test in 1998 confirmed that the HealthRadius service had no chance of acceptance if people felt even a slight concern that someone could access its demographic information on the more than 2 million people in its system. "We needed to act as a bank -- you have direct access and no one else has access," says Shook.
In addition, managing immunization records is just HealthRadius's initial foray into the arena of electronic-medical-records exchange. In the not too distant future, Rosmann plans to start databases that will contain patients' disease histories and other medical matters. At that point, he wants an unblemished security track record.
The company's biggest vote of confidence so far has come in black and white: a letter from the National Committee for Quality Assurance (NCQA), an independent nonprofit organization that evaluates the quality of managed-care organizations. The letter, dated January 1999, stated that NCQA considered HealthRadius's registry of immunization records an allowable source of data for its own system, which is used almost universally by health plans. "NCQA gave its blessing because we had provided the privacy," says Rosmann. "As soon as that letter was issued, about every health plan became a customer."
That's not to say Rosmann is satisfied. "We still have a little sensitivity around the subject of security," he says, still in that calm, careful voice. In fact, he has Shook shopping for three more security items. One, HackerShield from BindView Development, scans for known intrusion methods, similar to the way antivirus software checks for familiar computer viruses. A second, IPsec, is a computer-security standard that keeps unwanted data traffic from bothering a company's servers. One benefit of that would be protection against denial-of-service attacks that can overload and disable a server. (Remember that disastrous day for Amazon.com and eBay last February?)
The third product Rosmann and Shook want, WebTrends, monitors and analyzes firewall logs for unusual activity. That will help Shook manage the company's defenses more actively and will also help the company prosecute any hackers who try to break in. Because catching a hacker would make the kind of headlines that Rosmann would like to be in.
David S. Bernstein is a freelance writer in Watertown, Mass.
What Are You Afraid Of?
So what's the worst that can happen? There are several types of hacker attacks, all of which have occurred in recent months.
Denial of service. Much like protesters' barring the entrance to a physical store, hackers can shut down your E-business by making sure no customers can get through to your site. Typically, they bombard the site with data traffic, rendering the Web server useless. That is the type of attack that brought down ZDNet, E*Trade, CNN.com, eBay, Buy.com, Amazon.com, and Yahoo, each for about three to five hours, all during a period of several days in February.
Electronic theft. This scenario is just like a physical robbery: the hacker breaks into your system, finds something he wants, and downloads it to his own computer. In most cases you may retain your copy of the data, but now someone else has it as well. Is that so bad? Ask the folks at CD Universe, an Internet music retailer based in Wallingford, Conn. Last December someone describing himself as a 19-ye