The source of IT security problems has
moved from thrill-seeking hackers to sophisticated
criminals using their technical skills for theft and fraud.
This trend was among those discussed at this year's Gartner
IT Security Summit, held in Washington, D.C., last
week.
In the past, threats often have come from hackers just
wanting to show what they could do, said Pankaj Parekh,
founder and chief technology officer of Fremont-based
iPolicy Networks, a provider of IT security solutions. Now,
said Parekh, who attended the conference, profit is
motivating the attacks, which have become more targeted and
more dangerous.
Attacks have gone beyond "phishing" - attempts by e-mail
to fool people into disclosing sensitive information. In
the past eight to 10 months, Parekh said, a new, more
targeted attack, "spear phishing," has appeared. Here,
criminals target employees of a company or organization and
use more detailed information in their attacks.
This might take the form of e-mail from a CEO or other
manager telling employees to check out savings available on
some service. The message and premise look much more
believable than previous schemes - a far cry from the old
Nigerian money-laundering scams.
Recipients need only click on something for a worm or
program to get onto the computer.
"Worms and viruses are now becoming just a means to
control the system," Parekh said, "but the end goal is to
actually gain some information."
The target may be an employee's personal information or
it may be company secrets.
Credit unions and small banks are targets because they
are less likely to have top security protection in place,
and people do not associate them with the larger banks
whose security problems have made the news.
Parekh said that a Department of Justice presentation at
the security summit projected that people can expect to
become victims of identity theft at least three times.
Doug Tygar, a computer science and information
management professor at UC-Berkeley, said the problem is
quite serious, "with a significant fraction of individuals
reporting some type of identity theft and a constant stream
of companies reporting the loss of databases containing
personal information."
He said one study found that the best phishing attacks
could fool more than 90 percent of sophisticated users.
Tygar said a market for stolen notebook computers and
used hard drives has developed as well, creating more
sources of sensitive data for criminals. He cited major
cases reported in the news recently where the personal
information of millions was compromised in notebook
thefts.
Tygar also warned that security updates, available for
all major operating systems, must be installed promptly. He
said hackers are now engaging in "zero-day exploits" -
attacks launched immediately after a software flaw is
discovered. He has observed cases where an unpatched system
booted up while connected to the Internet was infected even
before the boot was complete.
Parekh said botnets are another technique criminals are
using. Here, computers numbering possibly into the
thousands are infected with malicious programs that can
take the machine over and allow it to be controlled
remotely. One scheme he cited was making the controlled
systems ring up visits to Internet sites that pay money for
each referred visit. Instantly, endless hits are recorded,
though the site earns nothing.
Meanwhile, with so many threats from the outside,
companies are overlooking a more immediate danger -
internal threats. These come from employees - whether acting
maliciously or unintentionally - and include sending out
sensitive documents, stealing information or equipment, and
allowing viruses onto company networks.
Some experts believe some security functions must be
moved "out into the clouds," that is, to the service
providers where the threats originate - clouds are used in
network diagrams to show the somewhat vaguer realm of
service providers.
On the company level, companies must do more to educate
employees and set security policies. Tygar's
recommendations include requiring employees to undergo
security education and implementing regular off-site data
backups.
Parekh said, "The biggest thing any company can do is
put the right policies in place.
"We could buy the best technology," he said. "Without
the policy, it won't go anywhere."