An Open Door to the E-Mailroom
June 22, 2001
The e-mail system at one of the nation's leading money managers operated on the Internet for months with little security, giving outsiders access to messages containing confidential financial data, passwords and employees' personal information.
The communications at Wilshire Associates Inc. of Santa Monica, Calif., which manages about $10 billion of investor money, dated to early last year and included numerous notes to company chief executive Dennis Tito, his banker and his lawyers. They also included information about bank transactions Tito made to pay for becoming the first tourist in space.
Wilshire officials said in interviews that they mistakenly set up their e-mail system outside the security firewalls protecting their computer networks. They blamed a software bug for the error and shut off access to the mail server -- and began notifying users -- after The Washington Post brought the problem to their attention.
Company officials said they have no evidence that anyone misused any of the e-mail. But security specialists said the lapse illustrates that many companies -- not just those that have fallen victim to well-publicized hacker attacks -- are failing to do enough to protect networks containing sensitive business or consumer information.
Officials at a Carnegie Mellon University clearinghouse for security problems said the number of reports it has received about computer intrusions rose from 2,412 in 1995 to 21,756 last year.
Just this week, Microsoft Corp. warned that millions of Internet computer servers could be vulnerable to attack and be controlled by hackers because of a flaw in its server software. Microsoft sent out 150,000 e-mail alerts late Monday, released a software patch and dispatched account managers to assist its largest customers.
In recent months, a hacker downloaded thousands of personal medical files from an unprotected university hospital computer, Chinese hackers vandalized hundreds of commercial and government Web sites to protest the loss of a Chinese pilot in a collision with an American spy plane, and two Russians were indicted for allegedly stealing 16,000 credit card numbers from Western Union. Authorities said most attacks never come to light.
"It's a chronic problem," said Kevin Poulsen, editorial director of SecurityFocus.com. "We can extrapolate that we're seeing just a tiny little tip of a pyramid of vulnerabilities."
A recent survey of more than 500 companies and government agencies by the FBI and the Computer Security Institute concluded that breaches "have the potential to do serious damage to U.S. economic competitiveness."
"The risk is substantial, particularly for those companies that don't take security seriously," said Ron Dick, director of the FBI's National Infrastructure Protection Center. Dick said the problem is caused in part by a shortage of experienced computer systems administrators and by the unwillingness of companies to spend enough time and money to protect databases and networks linked to the Internet.
"You have to protect the integrity of the information on your systems," Dick said. "And many, many companies are not doing that."
In part to measure the extent of the problem, federal authorities last year began requiring banks, credit unions and other financial institutions to routinely report electronic break-ins. About 65 incidents have been reported so far.
Financial industry officials said they are taking new steps on their own to protect systems containing sensitive commercial and consumer data. And they are sharing information with one another about suspicious computer activity in an early-warning system.
To gain access to Wilshire's e-mail, interlopers on the Internet did not have to use a password; they only had to know about the gap and initiate several relatively simple commands. Wilshire's computers then delivered thousands of confidential messages to an inquiring user, according to the security specialist who discovered the gap.
"It's configured to be available to everyone. All you need to do is ask," said George Imburgia, a security consultant in Delaware. He examined Wilshire's system on his own, found the vulnerability and told The Washington Post about it after hearing about Tito's planned space flight. "Your average 15-year-old wannabe hacker could take complete control of that system."
Tito, a former NASA scientist, founded Wilshire and was a pioneer in the use of computers to invest. The Wilshire 5000 index is widely used as an indicator of the stock market's performance.
The e-mail on the Wilshire system contained details of confidential negotiations about an investment by a European firm worth $300 million or more, discussions by systems administrators about the company's internal computers, and financial spreadsheets mailed from major banks, according to the addresses and subject lines on the messages.
Messages also included personal information, such as the passport number of a Tito associate, bank account numbers and computer passwords, according to interviews with employees and a review of several messages.
"Obviously that's quite scary for anyone," said Bruce Andelson, a lawyer who represents Tito and whose mail about the space trip was available from the Wilshire computers. "Especially for a lawyer delivering confidential information to a client."
Thomas D. Stevens, a senior managing director for Wilshire, said an outside security expert hired in August 1999 identified vulnerabilities in the firm's computer networks. Company officials said they were not overly concerned because "we are not in the defense business" and because most important transactions occur on another, more secure, proprietary computer system.
"We had a report back that said our [computer security] firewall is like Swiss cheese," Stevens said. "We plugged the holes. We didn't plug all of them."
In a recent statement, Robert Kuberek, a Wilshire senior managing director, said many of the e-mails in the system probably should have been encrypted to make their text impossible to read except by the intended recipient.
"Unfortunately, it appears that not all employees and others communicating via e-mail with our firm abided by this policy," he said in a written statement. "However, it is important to note that at no time were Wilshire's internal network or servers compromised."
"They're going to have a lot of cleanup to do," said Richard Smith, a security and privacy specialist at the Privacy Foundation, a nonprofit group in Denver. "What the company is going to have to do is assume that everything has been compromised."
Security specialists said the Wilshire breach highlights the challenge of balancing convenience and access to networks and databases against the need to protect companies from computer criminals.
In Wilshire's case, the company was using a system that enabled employees to retrieve their e-mail remotely. Even though that system "has a long history of security bugs" when improperly configured, many companies continue to use it, said Matt Blaze, a researcher at AT&T Labs.
Peter G. Neumann, principal scientist in the computer science lab at SRI International, has long warned that American companies are not addressing well-known vulnerabilities in their computer systems. When told about Wilshire's trouble, he said, "It's one of thousands of vulnerabilities known forever to the world. Everybody out there is vulnerable."
By Robert O'Harrow Jr., Copyright © 2001 The Washington Post Company