`Non-techies' could be hurt by virus. As computers permeate the most ordinary of activities, the public is left vulnerable. BEYOND HACKERS
Washington — The time is coming when even the ordinary person can be touched by computer mischief. In the past, computer viruses have frustrated a relatively limited group of people - computer hackers and researchers, and companies whose disgruntled employees set out to sabotage the system.
But soon even those who never touch a computer keyboard - the person shopping for clothes or picking up fruit at the grocery store or checking into a hospital - may be zapped by computer failure.
Take hospitals. On Nov. 2, Conrad Huang was working on one of the 50 computers in the University of California at San Francisco's medical center.
At around 8 p.m., the computers slowed to a crawl - victims, it turned out, of the now infamous ``worm'' that was released at Cornell University and attacked 6,000 computers around the country.
``It's scary to think it could have been malevolent'' and damaged data or computer programs, Mr. Huang says. ``It could have destroyed an entire research project.''
Even scarier, he and others say, is the prospect of the worm working itself into the hospital's main system. Increasingly, hospitals keep information on patients - their diagnoses and treatments, for example - on a computer.
In the University of California hospital case, the research computers and the mainframe were not connected. Moreover, hospitals generally keep a paper backup for such critical information. Even still, computer experts say, a virus in a hospital computer would create a chaotic, perhaps life-threatening, situation.
To many computer security experts, the Cornell worm was a shot across the bow.
``We may be on the edge of a true epidemic,'' says George Hertzberg, a computer security expert and professor at Farleigh Dickinson University in New Jersey.
Computer viruses could even snarl the most ordinary of activities like clothes shopping. Victoria's Secret, a subsidiary of The Limited, uses a computer network to order its clothing from its manufacturer.
This allows it to have the clothing made on short notice, keeps inventories low, and lets the store stay abreast of changing consumer tastes.
Such networks, called Electronic Data Interchange (EDI), are quickly becoming standard in several industries, including railroads, trucking, groceries, and auto manufacturing.
Giants like General Motors and K mart, as well as individuals like insurance agents, are doing business via computer - sending purchase orders, invoices, shipping notices, price quotes, and other business documents electronically.
But the same technology that has made organizations more efficient has also opened the door to danger. ``I worry greatly'' about the havoc that could be wreaked if a virus were introduced to such systems, says Peter Naumann, a computer expert at SRI International. Invoices deleted, purchase orders sent to the wrong place, or even a ``benign'' virus slowing down the computer system would cost companies money in lost time, he says.
He and others point out that these systems are ``dedicated'' and very difficult to penetrate from the outside. They are much more secure than the network invaded earlier this month, which is intentionally open so that researchers can freely share their ideas.
A spokesman for General Electric Information Services Company (GEISCO), the largest EDI network, says there are at least four levels of security before one can enter the system. GEISCO routinely hires computer whizzes to try to crack into their software before putting it into the host system. ``To our knowledge, there has never been a penetration'' in the 20 years GEISCO has been doing business, he says.
But others, like James Senn, director of the Information Technology Management Center at Georgia State University, say that while such systems are safe, ``no computer software is error free and completely secure.''
Dr. Senn is concerned that ``techies'' will eventually be able to plant destructive viruses in the New York Stock Exchange, national credit-card network, and the airline reservation systems, among other things. An ordinary user, such as a person doing his banking by phone, could not introduce any damaging viruses into the bank's system. He would have to find a ``trap door'' into the system.
``But there are almost always trap doors, they may not have been discovered yet,'' he says.
Others, such as Robert Kupperman, a security expert at the Center for Strategic and International Studies, worry about a new generation of terrorists: computer-literates going after the software controlling electric power grids, the banking system (check clearing for banks, for example), air-traffic controllers, and phone systems. All of these systems are highly protected, he notes. But, he adds, ``the vulnerability is there ... and it's clearly on the minds of lots of people.''
The safeguards are also there, and they are surprisingly simple, says Noel Matchett, president of Information Security in Silver Spring, Md. The easiest is to choose random passwords, like ``XY94Z28,'' which would make it tougher for intruders to break into a system. Studies indicate that 25 percent of all passwords chosen by authorized users are either the name or phone number of the user.
A second safeguard is to make copies of one's work. But, Mr. Machett says, ``if half the people who use work stations back up their files, I'd be surprised.''
``We have the tools, procedures, and technology to drastically reduce the danger of viruses, detect them, and eradicate them,'' says Dr. Hertzberg. But to date, he says, ``we only give lip service to them.''