Access the Internet using an unprotected personal computer and a hacker will be knocking at the door within about 45 seconds.
Do that with a Web server and in less than 15 minutes, there's a 50-50 chance it's been taken over by someone who can use it to send spam e-mails all over the world that can be traced back to you.
Hook up that new wireless router you bought at the consumer-electronics store, use the default settings, and someone can park outside on the street or sit next door and download porn using your broadband connection.
"Whose door do you think the FBI will come knocking on?" asks John Shovic, a high-tech entrepreneur and part-time cyber security professor who tells of those unsettling risks and others.
Shovic teaches Eastern Washington University students about the dark side of the Internet, about the likes of hacking and viruses and worms and Trojan horses. He does it so students understand how the bad guys work, and how best to protect against their mischief, which now costs corporate America more than $1 billion annually.
Though he has spent a decade teaching, having also done stints at Washington State University and the University of Idaho, Shovic is keenly aware of the computer security needs in the business world. Back in the late 1980s, he was one of the founders of Pullman, Wash., chip designer Advanced Hardware Architecture; 10 years later he helped start Coeur d'Alene-based network security concern TriGeo Network Security Inc. Most recently, Shovic helped launch and currently is president and CEO of Blue Water Technologies Inc., which has developed technology used in municipal water systems.
"I learned network security from the business side," he says.
Shovic teaches a four-course series on cyber security to computer-science majors, who receive a specialization certificate upon completion of the series. He typically has roughly a dozen students enrolled in the series, about half of them graduate students and half undergraduate. Because such training still is relatively rare, Shovic says his students don't have trouble finding jobs after completing their studies.
The first two courses include instruction on how computer networks work, how security measures are deployed, and how networks are hacked. The next two courses get down and dirty; one is called "Network Security: Introduction to Attack and Defense" and the other is titled "Information Warfare."
In those advanced classes, students learn to create viruses and explore various ways to infect computers with them, all done in a controlled, isolated environment.
"Before you can learn to defend, you have to learn how to attack," says Shovic.
He says students hack into computers in a network-isolated lab in the Spokane Intercollegiate Research and Technology Institute building near downtown Spokane, and learn to do forensic analysis of computers to determine how security is broken and how to follow the fingerprints that hackers leave.
"You can take an image of the hacked system and find out how they did it," says Shovic. "It's just like a detective story."
The lab includes two racks, or pods, of 11 high-powered computers each, as well as additional desktop computers and sophisticated networking gear that can be configured in various ways to connect or disconnect the two pods and to expose certain computers to the Internet.
"We can put one computer out on the Internet and then use the others to monitor it and wait for the computer to be hacked," Shovic says. "Put an unprotected Linux or Windows machine out exposed on the Internet and it's a matter of hours before you have a hacked computer and somebody from Russia is storing stolen movies on your machine and using your machine to hack computers at some company in Japan."
At one point, Shovic's students divide into two teams and compete in what's called Cyber Wars, in which each team uses one of the two pods to hack into and disable the other team's pod. During the eight-hour contest, a scoring computer keeps track of the two pods and projects on a wall instantaneous updates on the action.
The two teams work to break through the other pod's firewalls, infect the pod with viruses, and crash or take down the computer services running on it, such as Web servers, audio servers, file transfer sites, and the like, all the while defending their own pod and repairing damage done by their opponents.
"There is a spectacular consumption of pizza and caffeine," Shovic says of the event, for which team members often wear black and sometimes paint their faces or spike their hair.
An automatic A
During finals week, Shovic invites his students to try to infect his computer, and offers an automatic A for the term to anyone who is successful in making it past his first line of defense. He says he's only given three As for such an achievement in the three years he's been at EWU.
In one case, a student had known that Shovic does business with a certain company, so he forged an invoice from that company that he used to trick Shovic into going to a fake Web site the student created, which, once connected, launched a virus on Shovic's computer. Such an attack is called phishing, and has become a common scheme these days, as evidenced by the ubiquitous requests for account and credit-card information in e-mails faked to look like they are coming from banks, eBay, and other places.
Phishing is a strategy Shovic refers to as social engineering, essentially getting people to take actions themselves that, in this context, result in downloading something they didn't necessarily want. Another common example of social engineering is the use of what's known as spyware, which people unknowingly download and that bombards their Internet browser with popup ads or even takes control of their browser.
Shovic says there are two types of hackers: those known as script kiddies, who are just young people who download software that automates the process of finding and infecting victims, and evil geniuses, the real hackers who write such software and do serious damage.
Both cause havoc for businesses and individuals, and Shovic's classes include strategies for protecting against them, but he says much of the focus of the advanced classes is on how the evil geniuses think and work.
The message for businesses is twofold, he says. First, you can never be completely sure that your computers are protected against attacks, because software is too complex, and deviant strategies to exploit software vulnerabilities are ever changing. Second, there are risks in everything we do, including driving a car, and if businesses want to take advantage of all the good things computerization can provide, they must assess the risks and do the things to protect themselves that make economic sense.
"You have to balance the risks," Shovic says. "It's not all doom and gloom."
He suggests that businesses should:
Have internal security policies in place, such as not allowing most employees to download and install software on their own, and educating employees not to open e-mail attachments from unknown senders.
Use firewalls that protect their networks from the Internet.
Keep the operating systems on their computers and servers up to date with fixes from the maker. For instance, installing Service Pack 2 of Microsoft's XP operating system is imperative, Shovic says.
Run antivirus software and keep it up to date.
He also warns that 60 percent of all successful hacks are from inside of a company, which means the company's firewall to the Internet was useless in those cases and that companies need to do more to beef up internal security.
One emerging security threat is wireless Internet, which now is used commonly in homes, businesses, and public places such as airports, coffee shops, and even in the celebrated Wi-Fi zone in Spokane's downtown core.
Shovic says many people don't understand that unless some form of encryption is used with such systems, bad guys can watch every Web site you surf to and read e-mails you write using a standard POP3 e-mail client application such as Outlook. They can even hijack some encrypted communications, such as with secure Web sites.
For instance, using special software, one of Shovic's students sat in a large, West Coast airport and found that the kiosks at which travelers can get Internet access for a fee were transmitting over a wireless broadband connection the credit card and PIN numbers of the kiosk users. Seeing such information move freely across the airwaves freaked the student out so much he deleted what he saw, shut off his computer, and walked away, Shovic says.
He also takes his students on what he calls a war drive, in which they drive around the Spokane area and use laptops equipped with wireless antennas to discover and analyze wireless hotspots, both residential and business. What they find, he says, is that 70 percent of wireless hotspots use no encryption and thus are wide open to someone stealing bandwidth and watching everything the owner does while using the network.
Also, people who think that wireless routers don't broadcast far enough to present much of a risk are mistaken, Shovic says. By simply inserting a wireless antenna into an empty Pringles potato chip can and aiming the tube in various directions, his students have been able to access normal hotspots from miles away, undetected.
"The bottom line is turn on the encryption on any wireless network you use," says Shovic.