Washington, 18 March 1997 (RFE/RL) -- A computer security expert says spies worldwide are still using classic methods of espionage, but have now upgraded their playing field to include the Internet environment.
Gerald Kovacich, president of Information Security Management Associates in California, told RFE/RL that common espionage techniques are still being used by spies, but added that the tools of the trade are changing.
He says that agents are becoming more and more attracted to the Internet because it offers a sophisticated cover, quicker results and a better opportunity to collect sensitive data on a wide range of issues.
Kovacich has been in the business of computer security for more than 34 years and is presently the chairman of the Association of Certified Fraud Examiners' Computer Fraud Committee. His company, a consulting firm, offers advice and training on information systems protection and high tech crime investigations.
Kovacich says there are many ways that agents can infiltrate a company or an agency using the Internet. First, the agent can get on an electronic mail (email) list and pose as a potential customer, a client or a vendor. Once established on the list, the agent can request seemingly innocent information, all the while building a solid data base of information.
After some time, the agent may be able to determine the names of others on the mailing list and network with them until he is able to gain enough trust or confidence to get access to certain files or information.
Another method, says Kovacich, is to regularly visit specialized web sites such as defense contractors' home pages, military magazines, and even government sites like the Department of Defense. Some of the web pages have bulletin boards or opportunities to exchange email on a variety of related topics. Kovacich says agents can strike up conversations with people, establish friendships, ask questions or just monitor discussions.
The agents can not only collect data that may prove to be useful -- including rumors or gossip that may at some time turn out to be valuable tips -- but they can also maintain a list of people who frequently post messages, including their job titles and where they work.
"We are so free with information on the Internet and email that it is almost as if we don't realize there is a person out there who could be gathering information ... for less than honorable reasons," says Kovacich.
He says gathering the information is a relatively easy process since the agents can use software that will hide their identity and even country of origin. The agent can gain trust by posing as a young student web enthusiast from New York when, in reality, he is a middle-aged army officer from China.
And there are other methods of using the Internet to a spy's advantage. When asked about the espionage technique called "open source collection" -- the gathering of unclassified or openly available materials -- Kovacich says the Internet is ideal for such a practice.
Kovacich says that this method is very successful for agents using the Internet since they can quickly and efficiently gather a large amount of unclassified information. He says it is often the compilation of unclassified sources and subsequent analysis and piecing together of the material that results in the exposure of many sensitive secrets.
Kovacich explains: "For example, if you look at something very simple -- like a missile -- the number of warheads on a missile were at one time classified. But if you went through the logistics system, you could find unclassified material that told you how many bolts hold on to a warhead. Then you could discover how many bolts are on the total missile. Then you divide one number into the other and say, hey, they have four warheads because of the number of bolts they have."
People or companies at particular risk are those who have access to sensitive material and either have a web site or frequently browse the Internet. Kovacich says that these people should be less forthcoming with personal information and be more suspicious of those with incessant questions or requests.
One potential security risk that has recently been gaining widespread attention is the use of "cookies." A cookie is a mechanism that permits the administrators of web sites to gather information about visitors to their pages. Unless a computer has a "cookie detector" turned on, a cookie is automatically deposited on the visitor's hard drive without the visitor's knowledge. It will later be retrieved by the web site computer if the visitor comes to the site again.
A cookie can track the times a site is visited, record moves between pages at a site, determine the web site last visited, and store registration information that may allow email in the future.
The cookie began as a marketing tool to help companies and organizations on the Internet gather information that would permit them to track the interests of visitors. It is also useful for determining demographics of potential customers and for advertising purposes.
But Kovacich says the cookie is a potential security risk and a serious violation of privacy.
"The key, from the standpoint of espionage, is that now you have established a covert communication link between two computers. Now, how can you use that link to get more information? I know where you've been and what you've accessed. From a marketing standpoint, that might be nice, even with my permission, but I can see how, from an espionage point of view, it can be a first step that I didn't know about," he said.
Kovacich also says that theoretically a cookie could be used to blackmail a person. For example, Kovacich says that an agent might focus on tracking the web surfing of a public official or someone in a sensitive job. Say that this official visits a pornographic site or a web page that could prove embarrassing if publicly revealed. Kovacich says this person has been set up for blackmail -- a classic espionage technique with an Internet twist.
Overall, Kovacich says that people have to be more careful about the information they share via email and the Internet.
Companies and organizations, says Kovacich, simply need to be more aware of how they protect their sensitive data and electronic infrastructure, and use common sense when conversing with people they don't know personally.