Every organization, from the Federal Bureau of Investigation to mutual fund companies, is vulnerable to computer hacking and should be on the lookout for potential problems, according to a new company in the business of doing just that.
"There is no such thing as absolute security," said James Adams, chief executive officer of Infrastructure Defense (iDefense) of Alexandria, Va. whose company tracks hackers' activities, especially in the financial services industry.
Hackers could break into a mutual fund website, just as they did to the FBI and U.S. Senate websites late last month, and steal money, move money around between accounts or even set up new accounts, Adams said. The FBI and senate sites were defaced by hackers on May 27 and had to be taken down for several days.
"Once you get inside a system, there is no limit to what you can do," said Adams.
Of course, Adams is biased because he makes money trying to ferret out hackers. The former managing editor of the London Sunday Times and CEO of United Press International now runs a company that provides information about hackers to public and private sector companies. The company's main product, introduced June 7, is a daily notification to clients which includes an analysis of potential hacker threats. Companies pay $100,000 annually for reports specifically on threats to their company. Companies pay $20,000 annually for reports on threats to their industry in general. Citigroup and Microsoft were iDefense's first clients and charter members and paid $1 million for the privilege of influencing the nature of the company's services, said Adams.
No mutual fund companies currently use the service, but financial service companies make up the largest share of the company's clients. iDefense, which was started in May 1998, also has clients in the manufacturing, energy and information technology industries. Adams declined to disclose how many customers the company has.
Adams, who has written about military intelligence and national security issues as a journalist and author, says that tracking hackers in cyberspace is a lot like government intelligence operations in the Cold War. He draws on information from the intelligence community, by virtue of many of the contacts he developed as a journalist, and from the private sector. His company alerts clients to specific threats and in some cases suggests ways companies can protect themselves.
"If you want to make a decision about how to defend yourself, you need to have a very good understanding of what the threats look like out there," Adams said. Internet hackers are not just the "pony-tailed loner in his basement," but can consist of more organized groups, he said. For example, Russian organized crime has been hacking into the websites of various research and development companies in the U.S. and has been trying to steal secrets about everything from military plans to drugs and financial services products, said Adams.
The Securities and Exchange Commission website, which posts official filings, including those by mutual fund companies such as prospectuses, proxy statements and annual reports, has never been attacked by hackers, said Duncan King, a spokesperson at the SEC. If the SEC website were disabled by hackers, it would not affect the EDGAR filings that mutual fund companies file with the commission, since those filings are stored in a separate system and then posted on the SEC site.
But the SEC documents are not invulnerable to hackers, said an iDefense spokesperson. Nothing, from a company's fax to its phones to its sites, is safe, especially since hackers can be company employees.
"Any transfer of information can be compromised," said Jerry Irvine, the spokesperson.