The nicknames are innocuous, even cute: phone phreaks, script kiddies, packet monkeys, hackers and crackers. But the monetary, security and reputation damage they do to "wired" companies can threaten a business' survival.
In an Internet-connected world, "only the secure are going to survive," according to Kelly White, a consultant for Context Integration, who has extensive experience at "attack-and-penetration" security checks. And "no one is exempt from an attack."
White's comments came during a "cyber security" panel at the Utah Information Technologies Association conference at the Salt Palace Wednesday. Other experts included Robert Clyde, vice president of security management at AXENT Technologies; security analyst Craig Ozancin, also of AXENT; and Gordon Romney, president of Arcanvs, which does digital signature certification.
The conference was run in conjunction with the Computer and Technology Show, which showcases some of the cutting-edge technology of the day — much of it from Utah.
In years past, hackers seemed just to want to get in and out of a site, more interested in bragging they'd been there than in doing anything. Now, they're apt to do harm, panelists said.
The biggest "hacker" threat isn't from strangers. Statistics indicate more than half of cyber security breaches begin inside a company, Clyde said.
"Hackers" has become the catch-all term for people who break computers' security, Ozancin said. In reality, hacking has "nothing to do with breaking into systems. Those folks are called 'crackers.'"
"Script kiddies" are usually kids 12-18 who fancy themselves as hackers. They download how-to guides from one of about 30,000 hacker Web sites and try it. "Phone phreaks" figure out ways to bypass the cost of long-distance phone calls. "Code crackers" like to bypass copyright protection on software and mess with it, while "packet monkeys" send "tons of packets down the pipe," leading to problems like those that temporarily downed eBay and Yahoo in February.
The panel agreed on why they do it: bragging rights. Ozancin described hacking as a "party-like environment," where players can show off for each other.
Some crave publicity. And sometimes hacking promotes an alternative social agenda. For instance, people who visited a Ku Klux Klan site were redirected by hackers to a site that showed how bad the KKK is.
They're busy folks. In 1999, hackers got into the computer system of credit giant Visa, which collects more than $1 trillion a year, and stole the source code. They demanded a $10 million payment. Visa had to either pay, get off the Internet or secure itself from such an attack. Visa didn't pay, but the hacker was never found.
Promobility.com had its customer credit-card database stolen, and fraud was committed. In that case, hackers used an identified hole in the Web server for which a patch was available but had not been applied.
The reasons hackers can get in range from human error or negligence to generally weak security and the very process of being interconnected. As a security tester, White and his crew "broke into" a bank and, using available programs, even cracked an encrypted password file.
To protect themselves, companies must educate their workers, understand risks, make security a priority and then deploy well-secured systems.
They also need to know there's no "silver bullet, no absolute guarantee of security. It's risk management," Clyde said.
Romney suggests security has to be portable, protect privacy and confidentiality and show when it's been tampered with. "You must be able to detect on the fly where you're at risk," he said. He strongly recommends separating the people in charge of operations and security within a company.
You can reach Lois M. Collins by e-mail at lois@desnews.com