Monday, Apr. 18, 2005
A Threat from Malicious Software
By Jamie Murphy
Early this year a bomb went off in a computer at the Los Angeles department of water and power. The device did not explode; it was a "logic bomb," a smidgen of spurious software coding that had been secretly inserted into the giant IBM machine. At a preassigned time, the logic bomb suddenly went off and maliciously froze the utility's internal files. Work came to a standstill until a team of experts, including the Los Angeles police department's newly formed computer crime unit, was able to uncover the subversive coding. The unknown criminal, who could face five years in the California state penitentiary and a $10,000 fine, is still at large.
Los Angeles water and power got off lightly. The logic bomb had not disrupted the intricate systems that control the flow of water and electricity to the service's 1.2 million customers. Says Lieut. Fred Reno, the officer in charge of the case: "A lot of customers in the city of Los Angeles could have been affected. That really would have been a disaster."
While companies are reluctant to admit that they have been targets of dirty tricks, experts say that such crimes are on the increase. The potential for disaster is frightening. Software sabotage could alter data in computers at banks and stock brokerages or send false signals to air traffic controllers. That could mean the loss of millions of dollars or hundreds of lives.
Programs called "worms" are capable of altering a system's fundamental operations or shutting it down entirely. They delete specific portions of a computer's memory, thus creating a hole of missing information. Another type of software demon, called a "virus," instructs the host machine to summon its stored files. Each time the machine does so, the program copies itself onto the software. The computer's memory can soon turn into a mass of confusion.
Both of these destructive miniprograms occupy only a few hundred bytes of memory and are therefore virtually invisible among the millions of lines of code contained in a large computer. Worse still, they are ominously easy to create. Says Security Consultant Ian Murphy, 28: "Any decent programmer can write a virus in six hours. A novice can write one in 20 hours with assistance and 30 hours without assistance." The perpetrators are frequently disaffected engineers and computer technicians. Says Security Consultant Sanford Sherizen of Natick, Mass.: "A lot of people grew up in data processing, spent years holding computers together with Scotch tape, putting in extra hours, and in recent years of the industry's growth they don't feel they have got an adequate reward."
Two years ago, using an ordinary modem and telephone, a young software saboteur penetrated the system at Manhattan's Memorial Sloan-Kettering Cancer Center with another kind of subversive programming, called a "trap door." The program collected users' passwords as they logged on. No matter how often legitimate users changed their sign-on codes, the hacker was able to gain unauthorized access to the hospital's records by summoning the intervening trapdoor and reading off the newly accumulated list of passwords. The culprit was later apprehended. He pleaded guilty and faced a maximum penalty of six months in jail and a $500 fine.
In a case that hit an individual computer user, Technical Engineer Dick Streeter, 55, last June called in to a computer bulletin board based on Long Island, N.Y., hoping to upgrade the graphics capabilities of his IBM PC with a free program called EGA-BTR. After he transferred the software into his machine, Streeter's screen went blank. Soon after, a message flashed: "Arf, arf! Got you!" This so-called Trojan-horse program had erased nearly 900 accounting, word processing and game files that Streeter had stored in his machine. Said the dismayed engineer: "Had I logged on to the bulletin board while at work and it destroyed some work programs, I would have been cooked. Now I just feel stupid."
A few of the destructive hackers have some wit, albeit menacing. In a program called the Cookie Monster, the screen suddenly goes blank. Seconds later, the words "I want a cookie" appear. If the user types "cookie," the machine returns to normal. A few years ago, Richard Skrenta Jr., an 18-year-old Northwestern University student, wrote a virus program called Cloner. Every 30th time a disk containing the program is used, the virus harmlessly flashes a few verses across the screen; then the interrupted task resumes where it left off. "I wrote it as a joke to see how far it would spread," says Skrenta. "But it's easy for a malicious mind to change or add a few lines and turn a harmless toy into a vicious tool."
What can be done to stop the sabotage? The Pentagon, which spends $50 million a year on computer-safeguard research alone, protects its systems from hackers by transmitting classified data on private telephone lines. These are usually encased in metal tubes and filled with high-pressure gas. A break in the tube resulting from an unauthorized tap causes a telltale loss of pressure. Furthermore, all classified files are in codes that are changed daily, even hourly for acutely sensitive information.
Most business systems or private users, of course, cannot be so carefully protected. Researchers at AT&T's Bell Labs are prohibited from running programs that have been acquired over the phone until they have been tested for sabotage. Other companies use call-back boxes that phone would-be users at pre-authorized numbers only. The practice prevents intrusion by hackers who have learned the telephone numbers that give access to the system. They may call in, but unless they are reachable at a cleared phone number, they will not be able to log on. But all security measures, including the Pentagon's, are vulnerable to users who have legitimate access to computer systems. "We have buttoned up. Nobody is going to browse through our classified files," says a senior Defense Department official. But even he admits the possibility of a break-in: "If anyone gets in, it will have to be an inside job."
--By Jamie Murphy. Reported by Thomas McCarroll/New York and Gregory H. Wierzynski/Washington